Wednesday, August 29, 2007

SEC Staff Notes GLB Privacy Concerns with Fund Shareholder Data

By James Hamilton, J.D., LL.M.

In a letter to the Investment Company Institute, SEC staff reminded the industry that a fund’s use or disclosure of rule 22c-2 information for marketing purposes is prohibited under the Gramm-Leach-Bliley Act's privacy rules, unless consumers have been given notice and the opportunity to opt out of this information sharing. The letter, signed by Associate Director Robert Plaze, was prompted by a recent article in the financial press suggesting that funds may use for marketing purposes the shareholder identity and trading information they receive from intermediaries under rule 22c-2.

Rule 22c-2 under the Investment Company Act requires funds to enter into written agreements with their financial intermediaries, including those holding shares through omnibus accounts, under which the intermediaries must agree to provide funds with shareholder identity and transaction information upon request. Under the rule, funds must be able to request and promptly receive shareholder identity and transaction information pursuant to these agreements by October 16, 2007.

Use of this shareholder identity and transaction information for marketing purposes is covered by the privacy provisions of Gramm-Leach-Bliley, which require that investment companies provide consumers with notice and an opportunity to opt out before they are permitted to share their private personal information with non-affiliated third parties. The SEC has said that these disclosures are within the scope of the privacy rules exceptions for processing and servicing transactions at the consumers' request and complying with applicable legal requirements.

This position has two practical consequences, said Mr. Plaze. First, most intermediaries will not have to change their privacy or opt out notices in order to comply with rule 22c-2. The official explained that this is because the privacy rules permit information sharing under the exceptions if financial institutions include in their privacy notices a statement that they make disclosures to other non-affiliated third parties as permitted by law.

Second, it means that funds receiving rule 22c-2 information under the exceptions
are permitted to use or redisclose this information only for purposes of the exception, which does not include marketing purposes, unless permitted under the intermediary's privacy policy. This is because the privacy rules limit the redisclosure and reuse of information received under an exception to the purposes for which the information was received. The privacy rules also contain an example prohibiting the use of information received under the relevant exceptions for marketing purposes.

Thus, unless the intermediaries' privacy policies disclose this information sharing and the consumer has not opted out, investment companies are prohibited from using rule 22c-2 information for marketing purposes under the privacy rules' general. restrictions on sharing nonpublic personal information with nonaffiliated third parties.