Contrary to popular belief, financial advisors must send privacy notices by July 1 to their individual clients. Richard Cortese, vice president of consulting for National Regulatory Services in Lakeville, Conn., says too many advisors think because they don't share personal information, they needn't bother. Wrong.
"All advisors are affected," Cortese says.
Under the Gramm-Leach-Bliley Act of 1999, July 1 is the deadline by which financial institutions must notify customers of the types of personal, nonpublic information they collect.
They also must disclose the types of businesses that might get this information. This privacy notice must be issued annually and when a consumer opens a new account at a financial institution after July 1. "If they (advisors) have individual customers or clients getting personal services or household services, they have to send notices," says Hunter Jones, assistant director for the Securities and Exchange Commission's Division of Investment Management. Besides advisors, the law covers banks, savings and loans, credit unions, insurance companies and securities firms. It also may include many retailers and car dealers who extend credit.
"The rule's most rigorous requirements focus on folks who share information with nonaffiliated third parties," Cortese says. "Those folks, before they can do that, have to provide an opt-out notice giving (clients) the opportunity to opt out of non-affiliated third-party information-sharing arrangements.
"But even if you're not sharing information, you're still required to provide a notice both initially and annually," Cortese adds. The notice, he says, must describe the type of nonpublic information you collect from your clients and the kinds of nonpublic information that you may disclose-even through affiliates.
The Securities and Exchange Commission rule, Regulation S-P, covers SEC-registered firms. The SEC also had published Responses to Questions about Regulation S-P, aimed largely at registered investment advisors. The Q&A was to be posted at its Web site, www.sec.gov. State-registered firms are covered by the Federal Trade Commission's privacy rules, Cortese says. There also is a possibility that other state privacy laws, if they are stricter than federal rules, may apply.
Cortese urges advisors who have not complied with Gramm-Leach-Bliley to do so immediately:
Assess your information practices. Position yourself to represent accurately your privacy policies in these notices. Determine the extent to which information disclosures to third parties fall under exemptions or will trigger "opt-out" notices to clients.
Determine whether any of your present practices are prohibited under the law. For example, Cortese says, the rules prohibit firms from disclosing account numbers or any other kinds of access numbers orcodes to nonaffiliated third parties for use in telemarketing, direct mail or electronic-mail marketing. Stop any such practices immediately, he suggests.
Evaluate measures to protect security and confidentiality of client information. Look at many areas, including access to the firm's database and network, whether files are maintained in secure locations, the ability of intruders to obtain client information in unmonitored work areas and how you would weather a calamity, such as a flood or power outage.
Develop a mechanism for identifying affected customers. Make sure that notices are mailed to those people before July 1 and that you have mechanisms for triggering mailings to new customers, as well as annual notices going forward.
Ken Baebel, assistant director of the FDIC's Division of Compliance and Consumer Affairs, says the new privacy-notice rule gives consumers more privacy protection than they've ever had. Before the rule, financial institutions, in most cases, could share personal financial information without telling their customers.
Now, "if they are sharing information with some nonaffiliated third parties, [clients] are told that and given the right to say, 'No,'" he says.
But law enforcement officers have expressed concerns over the rule.
Massachusetts Assistant Attorney General Pamela Kogut is concerned that once a consumer gets a privacy notice and fails to opt out, the financial institution "can legally share that information." That could happen, even though the Massachusetts Consumer Protection Act might prevent it.
"Proactive consumer groups want to see more rigorous privacy protection," Cortese says. "They want customers to have the right to approve information sharing with affiliates. Some want an opt-in right-written permission [from the consumer] to share information-as opposed to an opt-out right. What's going on is very much of a heightened awareness about privacy. It's a very sexy issue from a political standpoint. There are still deliberations ongoing in Congress and at the state level. This might not be the final word."