SEC Offers Flexibility in Final Privacy Rules
July 3, 2000
The SEC's final privacy regulation substantially departs from its initial proposal and allows fund companies to issue shorter, more general privacy statements than they originally would have had to, industry attorneys said.
The final version of the SEC's privacy regulations was issued June 22. The Financial Modernization Act of 1999 required regulators to develop guidelines concerning the sharing of customer information between financial services institutions and non-affiliates.
The SEC conceded on one of the most sensitive issues to fund companies, said Bob Grohowski, assistant counsel at the Investment Company Institute. That was the possibility of requiring fund companies to provide details of all of the business arrangements they have with non-affiliated parties, Grohowski said.
Given the complexity of fund structures, shareholder services and even the process of placing a trade, if fund companies had been required to describe all of these procedures, their privacy disclosures might have been unduly confusing and overwhelming to shareholders, Grohowski said.
The SEC's final privacy regulation instead allows fund companies to explain, in general and succinct terms, the types of third-party companies with which they work to manage shareholder accounts and how they ask those third-parties to protect customer information, industry attorneys said.
The final rule also gives much more latitude to fund companies than the original proposal in determining how to deliver these privacy statements - whether as stand-alone documents, in fund prospectuses or in shareholder statements, Grohowski said.
"They took pains to minimize privacy disclosure . . . and offer an appropriate level of flexibility," Grohowski said.
"The regulators came to the privacy issue with a great deal of openness and succeeded in a very tough balancing act between ardent consumer groups and investment firms," said Kim Aaron, senior manager of financial services at KPMG LLP of Montvale, N.J.
Nonetheless, the new privacy regulation is likely to affect all mutual fund complexes because of the numerous arrangements they have with non-affiliated, back-office and shareholder service companies, including transfer agents and custodians, said Geoffrey Kenyon, a partner with Goodwin, Procter & Hoar of Boston. Such affiliations also include distributor and nominee arrangements through which other entities may hold fund shares, Kenyon said.
As of July 1, 2001, the new privacy regulation will require all investment companies, including fund companies, to send notices of their privacy policies and practices to new customers and then annually. The regulation also prevents fund companies from sharing certain personal information about customers with non-affiliated third parties, unless a customer expressly allows it. Fund companies must ask each customer whether he wants to opt in or out of such information sharing.
The SEC received a total of 115 comment letters about its new privacy rules, including one from the Investment Company Institute.
The ICI asked the SEC to permit fund companies to send only one privacy notice to a household with more than one shareholder, as a means of reducing mailing costs. (MFMN 4/17/00) This would also limit the amount of information that fund companies already send to shareholders, wrote Craig Tyle, the ICI's general counsel, in a letter to the SEC.
The SEC responded to the ICI's request by allowing one privacy notification to go to a household if that household has already agreed to receive a single prospectus and annual report. Grohowski said the ICI was satisfied with the compromise.
As a result of other comment letters, the SEC decided to use a narrower definition of the "non-public" personal information which fund companies may not share with non-affiliated third parties, industry attorneys said.
The SEC's initial privacy proposal deemed information to be "publicly available" only if a financial institution actually obtained it from a public source. The final rule will allow a fund company to treat certain information as public if the company "reasonably believes that the information is lawfully made available to the general public," according to the regulation.
The SEC's final regulation also clarifies the difference between a consumer and a customer. The SEC said that a customer generally has an ongoing relationship with a fund company and a consumer has an isolated, one-time experience.
However, in some cases, a consumer who engages in a one-time transaction can be considered a customer, the SEC said. Because it is not always clear when a consumer becomes a customer, the SEC said it would give fund companies discretion in deciding for themselves when the transition from consumer to customer occurs, according to the new regulation.
The SEC also responded to requests that it allow initial notices of firms' privacy procedures to be sent when a customer relationship is established, not before.
Also, in response to requests that the effective date of the new rules be extended, the new rules will take effect Nov. 13 and the SEC will require fund companies to be fully compliant as of July 1, 2001.
The SEC estimates the new privacy regulation will cost investment companies more than $80 million at the outset to draft privacy notices. After that, the cost of updating and mailing privacy notices each year will run about $2.6 million annually, the SEC said.
The ICI will offer a one-day seminar on privacy compliance for members and non-members Sept. 28 in Washington, Grohowski said.