Early Action Urged on Privacy Compliance
March 19, 2001
NEW YORK - If mutual fund companies have not already taken action to comply with new privacy regulations, now is the time to do so, according to Gene Gohlke, associate director of the office of compliance and inspections at the Securities and Exchange Commission. Gohlke spoke about the focus of current SEC fund inspections at the National Investment Company Service Association's East Coast regional meeting here earlier this month.
The regulation with which fund companies must comply, Regulation S-P, relating to the privacy of consumer financial information, was adopted by the SEC in June. (MFMN 7/3/00) The rule became effective in November; however, compliance is not mandatory until July 1 of this year. The regulations implement the requirements of the Gramm-Leach-Bliley Act, enacted in November 1999. That act required the SEC and other federal agencies to adopt rules implementing restrictions and notice requirements on financial institutions in disclosing consumers' nonpublic personal information, according to the SEC's final rule.
"Under the Gramm-Leach-Bliley Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose non-public personal information about a consumer to non-affiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure," according to the rule. It also requires that standards for protecting that information be instituted. Regulation S-P implements these rules for investment companies.
"There's a lot of work that needs to be done in order to become compliant," said Gohlke. Most fund companies have implemented procedures and are on the right track, but some are lagging behind, he said.
"Companies have to look at inventory, basically figure out what is the personal private information," he said.
That might be more difficult than it seems because of some of the nonspecific definitions the rule uses relating to non-public personal information. For instance, the SEC originally debated whether the definition of publicly-available information should include information that could be obtained from a public source or only information that actually was obtained from a public source, according to the Investment Company Institute of Washington, D.C. The final rule uses neither standard and leaves it for the financial institution to decide if any given information is legally made available to the general public, according to the rule. That leaves more work for financial institutions, according to Gohlke.
After that assessment is made, companies have to figure out how that information is being used, not only by themselves internally, but also by non-affiliated third parties, according to Gohlke.
"Some firms seem to be surprised once they take that inventory about what they have and how it's used," said Gohlke. "You have to look at not only if it comes in the door, but then how it's used. Do you share it for marketing? Do you sell it? How is it maintained, by the firm or by parties that get it from the firm? Is it in a secure facility?"
Another reason companies should already be taking action to comply with the rule is that they can continue to share non-public personal information with third parties if they send out initial privacy and opt-out notices before July 1, according to the rule.
"It's necessary, at least by July 1, but really should be finished well before, to get the notice out to consumers about what information the firm collects and what it does with it," said Gohlke. "It's particularly important that if a company shares information, consumers must be given the opportunity to opt out of the process by July 1." If companies get these notices out to shareholders with reasonable time to allow shareholders to opt out before July 1, they can continue to share the information, according to the rule.
Companies should really appoint one main person, if they have not already done so, whose responsibility it is to ensure compliance with the rule, according to Gohlke.
"Having other people involved is OK, but one person should be ultimately responsible so that at least one person can make sure the resources are in line, enough attention is being paid to complying with the rule, and the opt-outs are going out," he said.