July 6, 1998
Ms. Jane Coffin
Office of International Affairs
National Telecommunications and Information
14th Street and Constitution
Washington, D.C. 20230
Dear Ms. Coffin:
The Securities Industry Association (SIA) is pleased to respond to the Department of Commerce’s request for comment on the staff discussion paper, "Elements of Effective Self Regulation for Protection of Privacy." We appreciate this opportunity to comment on key privacy issues as they relate to the securities industry. A comprehensive discussion of these issues is included in our study entitled, "Privacy Protection in the United States Securities Industry." This study is attached and we ask that it be included in the comment record.
SIA has been engaged in a dialogue concerning online privacy with representatives from the Administration, the Department of Commerce, and others since the release of the Administration’s paper, "A Framework for Global Electronic Commerce," in July 1997. In response to many of the specific questions that arose in the course of our discussions, SIA coordinated an exhaustive study of the securities industry regulatory and business structures to determine whether the existing framework provides sufficient privacy protection to customers.
SIA presented its findings at the Department of Commerce "Privacy Summit" on June 24, 1998. Our study concluded that given the comprehensive regulatory structure of the securities industry, and the broad common law agency duties to which industry members are subject, there is no need to impose new privacy standards on the industry. The existing regulation and self regulation of the securities industry, with its broad prohibitions and regulatory flexibility, and the self-interest of its members have protected, and will continue to protect, customers’ privacy.
The best proof of this is customers’ confidence in and enthusiasm for online trading. Indeed, the number of Internet brokers has jumped from none in 1994 to 72 today. The number of online brokerage accounts is estimated at more than 5 million today, and online sales of financial services are expected to rise from $1.2 billion in 1997 to an estimated $5 billion in 2001. This year, an estimated 30 percent of all retail trades will be entered over the Internet.
The securities industry has to maintain the highest degree of trust with our customers in order to continue to do business with them. The industry is subject to a vigorous regulatory structure designed to ensure investors’ privacy and the security of their data. We look forward to continuing this dialogue with the government to ensure that this review does not impede our customers’ ability to use technology most effectively.
Marc E. Lackritz
PRIVACY PROTECTION IN THE UNITED STATES SECURITIES INDUSTRY
SECURITIES INDUSTRY ASSOCIATION
1401 Eye Street, N.W.
Washington, D.C. 20005
PROTECTION OF PRIVACY IN THE U.S. SECURITIES INDUSTRY
The securities industry successfully balances its need for sensitive information to serve its customers with privacy concerns. A wide array of common law principles and regulations imposes on the industry duties not to abuse private information with which it is entrusted and provides adequate means to redress any violations of those duties. Just as important, however, no industry member could thrive for long should it gain a reputation for abusing confidential information.
Given the breadth of its current regulatory regime and its history of, and self-interest in, protecting the privacy of investors, the industry believes proposals to impose uniform privacy standards throughout the private sector are premature. Such a "one-size-fits-all" monolithic approach would stifle the flow of information, which the securities industry needs to function. It would also impede creative business innovations that are designed to benefit customers.
The securities industry is governed by a broad framework of common law principles, state and federal statutes, Securities and Exchange Commission ("SEC") rules, and self-regulatory organization ("SRO") rules that prohibit the improper use of private information. Although this framework generally does not dictate specific rules concerning privacy, abuses of private information would be captured by many existing principles, statutes, and rules, and these provisions are reflected in members' practices. Violations of the provisions, moreover, could give rise to private civil liability, government enforcement action, or even criminal liability. In this connection, it is important to note that, unlike some other industries, securities SROs maintain examination and oversight staffs and are fully capable of sanctioning, and have sanctioned, firms for non-compliance with rules concerning the misuse of confidential information.
Furthermore, the intense competition in the securities industry ensures that firms will not misuse private information. Privacy protection is an important dimension on which securities firms compete. A firm that fails to protect its customers' privacy and gains a reputation for doing so will soon find its business has been damaged. In addition, because the identity of, and information about, its customers is a critical asset of any securities firm, it is very unlikely that an industry member would disclose private information that could be used by a competitor.
Finally, the SIA supports efforts by its members to increase awareness among customers about privacy issues and is currently exploring ways in which it could promote customer awareness on an industry-wide basis. Increased customer awareness would further competition among industry members to adopt privacy policies that accord with customers' wishes and prominently disclose those policies.
The Securities Industry Association ("SIA")1/ appreciates the opportunity to participate in the ongoing dialogue concerning privacy. The securities industry has long recognized that ensuring the privacy of investors is crucial to protecting investors and maintaining fair and orderly markets. That is particularly so given the new challenges that the securities industry, along with others, faces in addressing the rapid increase in electronic commerce.
The securities industry has a long history of successfully balancing its need for sensitive information to serve its customers with privacy concerns. A wide array of common law principles and regulations (both general requirements and securities industry-specific mandates) imposes on the industry duties to protect private information with which it is entrusted and provides adequate means to redress any violations of those duties. Just as important, however, is that investor confidence is the keystone of the industry's business. In light of its reliance on repeat business, no industry member could thrive for long should it gain a reputation for abusing confidential information.
Given the breadth of its current regulatory regime and its history of, and self-interest in, protecting the privacy of investors, the industry believes proposals to impose uniform privacy standards throughout the private sector are premature. Such a "one-size-fits-all" monolithic approach would stifle the flow of information, which the securities industry needs to function, and impede creative business innovations intended to benefit its customers. The securities industry further believes it would be improper, and severely detrimental to the industry and its customers, for the European Union or its member countries to apply its Data Protection Directive2/ in a way that would effectively deny U.S. securities firms access to crucial data emanating from member countries. The unique, highly complex, and changing nature of privacy issues in the securities industry (especially given rapidly increasing electronic commerce) lends itself best to industry-specific solutions and the extensive, yet flexible, regulatory regime now in place. Rigid privacy standards of general application would deprive customers of useful services and impose unnecessary costs.
The Securities Industry's Regulatory and Business Structure Protects Privacy
A. Regulatory Framework
The U.S. securities industry is comprehensively regulated with a view toward complete disclosure of material information, the protection of investors, and the maintenance of fair and orderly markets. A framework of constitutional and common law principles, state and federal statutes, Securities and Exchange Commission rules, and self-regulatory organization ("SRO") rules prohibits the improper use of private information. Although this framework generally does not dictate specific rules concerning privacy, abuses of private information would be captured by many of the existing principles, statutes, and rules. These provisions are also reflected in the firms' own practices. Violations of the provisions, moreover, could give rise to private civil liability, government enforcement action, or even criminal liability.
Privacy protection is a fundamental and longstanding value in this country. Indeed, when specific concerns or regulatory gaps have been identified, Congress has enacted legislation. The Privacy Act of 1974 3/ and the Fair Credit Reporting Act are two examples. Similarly, the courts long have recognized tort actions for invasion of privacy.4/ This is not the proper forum, however, to expound on general notions of privacy. Rather, we examine those principles, statutes, and SRO rules that would most directly reach misuse of private information in the securities industry.
1. Common Law Agency Duties
The agency duties owed by members of the securities industry to their customers provide very significant proscriptions against the misuse of confidential information. A securities firm owes its customers duties of loyalty and care.5/ Violations of those duties with respect to customer privacy could subject firms to civil liability, including customer class actions.
The duty of loyalty requires a securities firm to abstain from conflicts of interests and, most importantly, put the interests of the investor ahead of its own.6/ Thus, a firm that intentionally discloses, or otherwise makes use of, a customer's confidential information to benefit itself at the expense of the customer may violate its agency duties to the client and face liability for any resulting damages.7/
The duty of care requires a securities firm to act with reasonable care when serving investors.8/ Thus, a securities firm that negligently discloses confidential information about an investor might be liable to that investor for any resulting damages.
2. Federal and State Securities Laws and Regulations
Certain abuses of confidential information entrusted to a securities firm by a client could give rise to violations of the securities laws and SEC regulations. For example, a firm, or affiliated person, that uses material, non-public information taken from a customer (without consent) to trade securities on its own behalf would be subject to civil liability, SEC enforcement action, and/or criminal liability. Liability would be grounded in, among other provisions, Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder (which prohibit fraud and misrepresentation).9/ Furthermore, so-called state "blue sky" laws parallel these and other provisions of the federal securities laws that could apply to abuse of confidential information.
3. SRO Rules
The rules of the National Association of Securities Dealers-Regulation ("NASD-R") and other SROs include many provisions that would reach misuse of confidential information by their members or affiliated persons. Most generally, NASD-R Conduct Rule 2110 provides, "[a] member, in the conduct of his business shall observe high standards of commercial honor and just and equitable principles of trade." This general provision would reach unauthorized disclosure, or other misuses, of confidential information benefiting a securities firm at the expense of an investor.10/ Other SROs maintain similar rules that would reach abuses of confidential information by their members.11/
Other more specific rules would reach certain types of misuse of confidential information. For example, NASD-R Conduct Rule 2110-3 prohibits members from misusing confidential information concerning investor orders to "frontrun" buy or sell orders on behalf of investors. Similarly, NASD-R Conduct Rule 3210 prohibits members acting in the capacity of paying agent, transfer agent, trustee, or in any similar capacity that receive information about the ownership of securities from using such information to solicit purchases, sales, or exchange except at the issuer's request.
The SROs, unlike many industry associations, have authority and maintain staff to investigate and sanction violations of their rules. SRO rule violations may therefore lead to substantial penalties.
4. Fair Credit Reporting Act
The Fair Credit Reporting Act ("FCRA")12/ restricts the use and transfer of confidential financial information (e.g., data pertaining to an individual's credit capacity or credit worthiness, including customer lists that reflect on a consumer's credit capacity). Although it focuses on the activities of credit reporting agencies, the FCRA covers any individual or entity that collects or communicates information covered by the Act, and therefore reaches the use of such information by members of the securities industry. Violations of the FCRA are enforced by federal and state agencies and through civil litigation. Recent amendments to the FCRA address the transfer of covered information among affiliated companies. The FCRA requires that "it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such [affiliates] and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that the information not be communicated among such persons."13/
B. Business Structure
Wholly apart from the regulatory sanctions that misuse of private information may bring, it is in the self-interest of industry members to avoid such abuses. Members face fierce competition in all sectors of the securities industry. That has two very important implications for privacy protection.
First, privacy protection is an important dimension on which securities firms compete. A firm that fails to protect its customers' privacy and gains a reputation for doing so will soon find that its business has been damaged. Therefore, securities firms seek to ensure that they do not disclose private client information in ways that would injure, or even annoy, their clients. Their customer relationships are simply too valuable to risk through confidentiality breaches. Thus, in the context of privacy, the market punishes such breaches.
The importance of maintaining a reputation for protecting privacy is especially great in light of the recent media attention devoted to privacy concerns. Any serious lapse in privacy protection is likely to result in substantial negative publicity. At the same time, increased consciousness about privacy concerns among customers will lead many to scrutinize carefully the privacy policies of securities firms before choosing one with which to do business. This scrutiny, in turn, has caused (and will continue to cause) firms to examine their privacy policies to determine if modifications are appropriate.
Second, given the intensely competitive nature of the securities industry, it is very unlikely that an industry member would disclose private information that could be used by a competitor. The identity of, and information about, its customers is a critical asset of any securities firm. Thus, a firm has a strong incentive to ensure that its competitors do not obtain an advantage by gaining access to information about the firm's customers.
The Securities Regulatory Structure is Responsive to Changing Customer Expectations.
The core privacy protections in the U.S. securities industry are embodied in the industry’s overall regulatory framework. Nevertheless, the SEC and the securities industry have demonstrated the flexibility and will to respond to specific privacy issues and concerns as they arise. The SEC and SROs have addressed these issues on several occasions when promulgating regulations that might bear on privacy issues. Furthermore, SROs take seriously the supervision of privacy issues and regularly review their rules to enhance privacy assurance. This is demonstrated by the NASD-R's recently proposed general confidentiality rule that would apply to all its members.14/ In addition, individual firms regularly adopt internal policies designed to offer their customers protections that are above and beyond any regulatory requirements, simply as a matter of good customer relations.
The regulation of the use of electronic media to deliver information required under the securities laws and the regulation of "cold calling" to market securities are examples of specific areas in which the SEC and SROs have addressed privacy concerns involving customers and potential customers. In its interpretive release on the use of electronic media, the SEC noted that the securities laws often require broker-dealers, transfer agents, and investment advisers to deliver information about personal financial matters.15/ In that connection, the SEC made clear that securities firms "should take reasonable precautions to ensure the integrity, confidentiality, and security of that information, regardless of whether it is delivered through electronic means or in paper form."16/ Protections for personal financial information sent by electronic media must be tailored to that medium.17/ Accordingly, securities firms have adopted policies to ensure that privacy is protected, whether the firm receives or sends information electronically or through a more traditional medium.
Indeed, the SEC noted the importance of privacy concerns under the federal securities laws in evaluating SRO rules regarding the use of electronic media to satisfy members' delivery obligations. Specifically, in approving New York Stock Exchange rules concerning these matters, the SEC expressly stated that: "[T]he proposed rule change benefits the public, because it not only allows customers easy and efficient access to account documentation, but also requires an evaluation of systems and procedures to ensure that the privacy of personal information is maintained."18/
The SEC also has responded to privacy concerns raised by the practice of brokers and dealers cold-calling to market securities. Under the Telemarketing and Consumer Fraud Abuse Prevention Act of 1994,19/ the Federal Trade Commission adopted detailed regulations ("FTC Rules") to prohibit deceptive and abusive telemarketing acts and practices. The FTC Rules, among other things, (1) require the maintenance of "do-not-call" lists and procedures; (2) prohibit abusive, annoying, or harassing calls; (3) place restrictions on the timing of calls; and (4) require the telemarketer to identify himself, the company he works for, and the purpose of the call. The FTC required the SEC either to promulgate rules itself or require the SROs to promulgate rules substantially similar to the FTC rules, unless the SEC determined either that the rules were not necessary or that existing rules already provided the same protections. The SEC delegated the promulgation of new rules to the SROs.20/ Every major SRO has created rules, or offered interpretations of existing rules, that bring their regulations into substantial conformance with the FTC Rules.21/
The securities industry is continually evaluating whether there is a need for new rules concerning privacy and will not hesitate to act if it determines that new rules are needed in addition to existing privacy protections. That is well illustrated by the consideration that the NASD-R is giving to adopting a rule governing the use and release of customer financial information.22/ With a few exceptions, proposed NASD-R Rule 3121 would apply to all NASD-R members that use or release confidential financial information regarding customers who are natural persons.
The proposed rule addresses three different scenarios: (1) the release of information to a person other than a business affiliate; (2) the release of information to a business affiliate; and (3) the use of information received from an affiliate. The rule would require members to disclose to customers certain information about the member's use of customer data, and, depending on the type of information, obtain consent from the customer or provide the customer a meaningful opportunity to object to disclosure. Furthermore, members would be prohibited from using information obtained from a business affiliate unless the member determines that the affiliate has complied with the rule's requirements or the member, itself, complies with those requirements.
The proposed rule, which arose from a review of banks' securities activities rather than from any reports of privacy abuses by NASD members, remains under review by the NASD-R. Whether or not the NASD-R will adopt the rule depends on the comment letters received from members, a subsequent assessment of the necessity and utility of the rule, and approval by the SEC. Whether the NASD-R ultimately adopts this particular proposed rule or not, the industry will continue to explore whether there is a need to supplement existing privacy protections with new rules.
Individual firms, moreover, have begun to create policies that address the privacy concerns of their customers. On its Online Application Instructions, for example, Charles Schwab states that the information on the application "will be used solely by Charles Schwab and will not be given to any outside marketing firms."23/ In addition, Charles Schwab educates investors about its privacy policies through a privacy practices statement, which is accessible by hyperlink from its homepage on the World Wide Web.
Customers expect a high degree of trust from securities firms, and firms govern themselves accordingly. Firms must maintain customer privacy to ensure that other firms do not obtain a competitive advantage by providing better service in this area. Put simply, individual firms have an incentive to maintain customer privacy that may exceed any possible industry regulations. That incentive has become even stronger with the advent of widespread electronic commerce. To compete effectively for business in the new, electronic medium, firms must give customers (who may initially be reluctant to share information electronically) confidence that their private information will be used only for proper purposes.
The SIA supports efforts by its members to increase awareness among customers about privacy issues and is currently exploring ways in which it could promote customer awareness on an industrywide basis. Increased customer awareness would further competition among industry members to adopt privacy policies that accord with customers' wishes and prominently disclose those policies.
In brief, securities firms currently are subject to a regulatory structure, both governmental and self-regulatory, that is capable of ensuring that investors are aware of privacy considerations, data is secure and data integrity is maintained in a manner that provides customers with access to the information and the ability to hold firms accountable for data usage. Furthermore, the oversight framework ensures that existing privacy protections are both effective and enforceable. In this regard, it is important to note that, unlike some other industries, securities SROs maintain examination and oversight staffs and are fully capable of sanctioning, and have sanctioned, firms for non-compliance with these requirements.
Securities Firms Use Confidential Information for Legitimate Purposes that Benefit Investors.
The securities industry has long gathered information about its customers to use in serving them. For example, securities firms must gather financial information concerning their clients to satisfy SRO "suitability" rules. Those rules require that firms recommending securities transactions to retail customers have a reasonable basis for recommending the transaction based on information disclosed by the customer.24/ Thus, firms routinely gather financial information about their customers to satisfy that obligation, including information about the customer's financial and tax status, investment holdings, and investment objectives. Because they regularly gather private information about their customers for this and other purposes, firms maintain internal policies to ensure that information with which they are entrusted is not misused. That there is no significant history of privacy abuses in the securities industry speaks to the effectiveness of those internal policies and the regulatory and competitive framework discussed above. Furthermore, the success of the current system -- along with the advantages of privacy policies tailored to individual firms' needs -- explains why the securities industry has thus far not adopted an industry-wide privacy code.
Given the rapid consolidation within the securities industry, many companies participate in several lines of financial business. These companies routinely share information concerning a particular customer among affiliated entities that also serve or may begin to serve that customer. The purpose of such information sharing is to provide better service and offer opportunities to the customer. Customers who come to a diversified financial firm generally expect to receive and/or be offered services from affiliates of the firm. Indeed, many investors come to diversified firms precisely because such firms provide the investor with opportunities to benefit from the synergies and efficiencies of an integrated firm.25/
Sharing of information among affiliated entities is not improper because it does not raise the specter that information would be used to benefit the securities firm at the expense of the investor. The following examples will illustrate the benefits obtainable through information sharing.
• An asset management firm may introduce customers to an affiliated broker-dealer for the execution of a securities trade. The broker-dealer would then need to obtain information about the customer from the asset management firm. By obtaining the information directly from its affiliated asset management firm, the broker-dealer is able to avoid the administrative costs and needless delays associated with contacting the client directly. The savings may be passed on to investors in the form of lower fees and commissions.
• Conversely, a broker-dealer firm may provide financial information about a potential client to an affiliated asset management firm. Such an information exchange would promote efficiency by eliminating the need for the asset management firm to obtain the information directly from the customer.
Moreover, precluding such information sharing among affiliates could cause securities firms difficulty in meeting regulatory requirements. For example, Congress has recognized the potential risks that a broker-dealer may face from the activities of affiliated companies. In the Market Reform Act of 1990,26/ Congress granted the SEC authority to obtain from a broker-dealer information about affiliated companies. The temporary risk assessment rules that the SEC adopted under this authority contemplate that broker-dealers will use information from all available sources to assess their financial exposure.
It makes sense to permit the industry's existing regulatory infrastructure to address any abuses that might arise from sharing of private information, rather than to impose rigid privacy standards. Should there arise a need for regulation to address a particular practice, as explained earlier, the existing infrastructure provides the means to enact new rules through statute, SEC rulemaking, or industry self-regulation.
The U.S. Government Should Oppose Attempts By the European Union to Export its Privacy Directive.
Because the privacy of investors in the United States is protected through a broad regulatory scheme rather than highly specific rules, there is a possibility that the European Union ("E.U."), or its member countries, might construe its Data Protection Directive ("Directive")27/ to prohibit transfer of "personal data" from member countries to the United States. Because, as explained above, the industry's mechanisms for protecting consumer privacy are more than adequate, such a construction is wholly unnecessary to protect the privacy interests of citizens of E.U. member countries. Accordingly, the U.S. Government should oppose vigorously any attempt by the E.U. or its member countries to deny U.S. securities firms access to personal data.
Under Article 25(1) of the Directive, member countries are responsible to ensure that personal data are not transferred to a third (i.e., non-E.U.) country unless "the third country in question ensures an adequate level of protection." Although Article 25(2) provides some general guidance concerning the determination whether a third country "ensures an adequate level of protection," it remains unclear exactly how the E.U. or its member countries will make that determination. Nonetheless, a recent paper prepared by the Directive's Article 29 "Working Party," which coordinates implementation of the Directive and advises the Commission (which can adopt binding measures as needed), suggests that the Commission may apply a high standard for adequate protection abroad, especially when the third country has not enacted an omnibus law similar to the Directive.28/
Although the industry is not subject to an E.U.-style code setting forth specific privacy procedures, the regulatory framework governing the industry and the competitive pressures on its members ensure the protection of confidential information. Thus, there are no grounds for the E.U. or its member countries to deny the U.S. securities industry access to personal data, and the U.S. Government should oppose any efforts by the E.U. or its member countries to do so.
The comprehensive regulatory structure of the securities industry and the self-interest of industry members in protecting their clients' privacy mean that there is no need to impose one-size-fits-all privacy standards on the industry. The existing regulation of the securities industry, with its broad prohibitions and regulatory flexibility, and the self-interest of its members have protected (and will continue to protect) the privacy of consumers. Furthermore, the regulatory structure provides a mechanism for the enactment of new privacy rules if necessary. Not only are uniform privacy standards unnecessary, they would raise the costs to securities firms associated with proper and efficient business practices that benefit both them and their customers thereby raising customer costs with no compensating benefit. All this being so, the SIA opposes the imposition of uniform privacy standards on the securities industry. Furthermore, the U.S. Government should vigorously oppose any effort by the European Union to deny the U.S. securities industry access to data emanating from member countries because the industry does not have in place uniform privacy standards similar to the Directive.