NASD Regulation Requests Comment On Proposed Rule Governing Use And Release Of Customer Confidential Financial Information

Comment Period Expires: April 30, 1997

Executive Summary

NASD Regulation, Inc. (NASD Regulation^SM) requests comment on new NASD^®Rule 3121 that would govern a member's use and release of customer confidential financial information. The Rule would apply to all members that use or release confidential financial information regarding customers who are natural persons. The Rule contains requirements applicable to the use of confidential financial information that is obtained from a business affiliate and to the release of such information to any third party, whether affiliated or unaffiliated. The Rule also includes a definition of confidential financial information and business affiliate.

Questions concerning this Request For Comment should be directed to R. Clark Hooper, Senior Vice President, Office of Disclosure and Investor Protection, NASD Regulation, at (202) 728-8325; or Mary N. Revell, Assistant General Counsel, Office of General Counsel, NASD Regulation, at (202) 728-8203.

Background

On December 28, 1995, the NASD filed with the Securities and Exchange Commission (SEC) a proposed rule change that specifies requirements for broker/dealer conduct on the premises of a financial institution (proposed bank broker/ dealer rule).¹ The purpose of the proposed bank broker/dealer rule was to address concerns about customer confusion over the distinction between the insured products of financial institutions and the uninsured securities products of broker/ dealers operating on the premises of financial institutions and to provide a regulatory framework for regulating broker/dealer activities.

The SEC published the proposed bank broker/dealer rule in the Federal Register on March 22, 1996, requesting comments by May 21, 1996.² The SEC received 87 comments on the proposal, most of which raised objections to a provision in the proposed rule that would have prohibited bank broker/dealers from using customer confidential financial information provided by the financial institution unless prior written approval had been granted by the customer to release the information. Many of the commenters believed that any such restriction should apply to the entire industry, not only to bank broker/ dealers. As a result, the provision restricting the use of confidential financial information has been deleted from the proposed bank broker/ dealer rule, and is being proposed as a rule that would apply to all NASD members.

Description

Proposed new Rule 3121 would govern the use and release of confidential financial information of customers who are natural persons. The Rule would apply to all members that use customer confidential financial information that is obtained from a business affiliate, including financial institutions, insurance companies, finance companies, and to members who release customer confidential financial information to any third party, whether affiliated or unaffiliated. The Rule does not apply to the release of information to a regulatory authority with jurisdiction over the member or pursuant to court process or to the sharing of information pursuant to clearing, custodial, or transfer arrangements with member firms.

The Rule includes definitions of confidential financial information and business affiliate. Confidential financial information is defined as customer financial information other than lists of customer names, addresses, and telephone numbers, or information that can be obtained from unaffiliated credit bureaus or similar companies in the ordinary course of business. The term business affiliate is defined as a person with whom the member maintains a control relationship or has a contractual arrangement for the purpose of servicing customers. This definition thus includes entities that maintain "networking" arrangements with member firms but no other type of corporate affiliation. Comment is requested on whether the definition of business affiliate accurately speciies the universe of persons that should be subject to the "negative consent" provisions of the Rule, described below.

Paragraph (a) of the Rule would require that before releasing confidential financial information to a person other than a business affiliate, a member must clearly and conspicuously disclose that the information may be released and that the customer has the right to object to its release. Following such disclosure, the member would be required to obtain the written consent of the customer. The requirements of paragraph (a) would be triggered, for example, when a member sells a customer list to an unaffiliated entity.

Where information is released to business affiliates, members would be required by paragraph (b) to provide customers with the same disclosures described above. The customer then must be provided with a meaningful opportunity to object to the release of the information, and the information may not be released if an objection is received. The requirements of this paragraph would apply, for example, when a member shares such information with an affiliated insurance or mortgage company.

Commenters should consider as a factor in evaluating the usefulness of the proposed disclosures that such information may be available from sources other than the member and that a customer's objection to the member's release of information therefore will not necessarily protect the confidentiality of the information.

Paragraph (c) of the Rule would prohibit the use by a member of confidential financial information that is provided to it by a business affiliate unless the member determines that the affiliate complied with the requirements set out in paragraph (b) or the member itself complies with those requirements. This paragraph would apply, for example, to the use by a member of confidential financial information provided by a financial institution with which it has a networking arrangement to provide securities services to the customers of the financial institution. While not required by the Rule, members also should consider informing customers that this information may be used to make investment recommendations.

Releasing information to business affiliates is treated differently from releasing it to other persons to reflect the different expectations that customers may have with respect to the sharing of confidential information. In addition, in might not be feasible to require affirmative written consent in every case, particularly where such information is maintained by a member and an affiliate in a central database. Thus, where information is being released to an affiliate, and customers normally expect or even desire that such information be shared for purposes of receiving various financial services from the same source, the Rule requires firms to provide disclosure and an opportunity for a customer to object to the release before information may be shared. On the other hand, where information is being shared with a person other than an affiliate, and customers may not expect or desire that information will be shared, the Rule requires that a firm obtain written customer consent as well as providing disclosure.

The required disclosure must be made to both new and existing customers: disclosure may be made to new customers at the time the account is opened and to existing clients through the mail or appropriate electronic media.³ Comment is requested on whether the Rule should be applied prospectively to only new customers. Disclosure may be made by any entity that initially obtains the confidential information, and other entities, including broker/ dealers, should be able to rely on the other entity's compliance with required disclosures. Comment is requested on whether the required disclosure should be provided in the account-opening document or whether it should be provided in a separate document.

Only one consent to the use or release of a particular customer's confidential financial information should be required. Also, written consent to the release of confidential financial information to a person other than an affiliate or an objection to the release or use of such information may be made through appropriate electronic media.⁴ In any event, each customer would have to be provided a reasonable period of time in which to express his or her right to object before information could be shared with affiliates.

The recently enacted amendments to the Fair Credit Reporting Act (FCRA), 15 U.S.C. Section 1681 et seq., also address the use and release of confidential financial information. The FCRA regulates the consumer reporting industry by imposing certain restrictions and requirements on consumer reporting agencies. Any entity, including a broker/dealer, that accumulates and disseminates certain consumer information may be subject to the FCRA. In particular, an entity that provides so-called "non-experience information" (e.g., information contained in credit applications or reports from credit bureaus, demographic firms, or other third parties) to a non-affiliate could be considered a consumer reporting agency and might be required to comply with FCRA requirements. On the other hand, an entity may share without limitation "experience information" (i.e., information derived from transactions or experiences with the consumer) with both affiliates and non-affiliates without becoming subject to the FCRA. In addition, as a result of recent amendments to the FCRA, members of the same corporate family now may share non-experience consumer information without becoming subject to FCRA requirements. In particular, the amendments allow affiliates to share non-experience information, either directly or through a central database, so long as it is clearly and conspicuously disclosed to the consumer that information may be shared among the affiliates, and the consumer is given an opportunity, before the information is initially communicated, to opt out of the sharing arrangement.

The proposed Rule applies generally to the use and release of the type of information referred to in the FCRA as "experience information." While the FCRA allows for the unrestricted sharing of such information, NASD Regulation preliminarily believes that customer protection concerns dictate that more stringent standards should apply to member firms before they may release or use customer confidential financial information. Thus, the Rule goes further than the FCRA in imposing specific requirements on member firms that share such information with affiliates or non-affiliates.

Request For Comment

The NASD encourages all interested parties to comment on the proposed new Rule 3121. Comments should be mailed to:

Joan Conley
Office of the Corporate Secretary
NASD Regulation, Inc.
1735 K Street, NW
Washington, DC 20006-1500

or e-mailed to:
[email protected].

Comments must be received by April 30, 1997. Before becoming effective, any rule change developed as a result of comments received must be adopted by the NASD Regulation Board of Directors, may be reviewed by the NASD Board of Governors, and must be approved by the SEC.

Text Of Proposed Rule

(Note: All language is new.)

3121. Use and Release of Confidential Financial Information

Endnotes

¹ File No. SR-NASD-95-63.

² Release No. 34-36980; 61 FR 11913.

³ The SEC recently issued guidelines on the use of electronic media by broker/dealers and others for delivery of information required by SEC rules. See Release No. 33-7288; 34-37182; IC-21945; IA-1562 (May 9, 1996), 61 FR 24644 (May 15, 1996).

⁴Id.