Application of the Gramm-Leach-Bliley Act to Colorado Registered Investment Advisors
A common question for state registered investment advisors is regarding their responsibilities for maintaining the privacy of their hedge fund investors. Many state securities divisions provide notice on their website regarding the applicability of the Gramm-Leach-Bliley Act to the manager’s investment advisory activities. The Colorado Securities Division, which has a savvy and knowledgeable staff, has provided Colorado investment advisers with an overview of their responsibilities with regard to “non-public personal information.” In general most hedge funds do not have a need to disclose the “non-public personal information” of their investors to outside parties, but if a hedge fund manager does need to disclose such information to third parties, then the manager should discuss this in greater detail with his hedge fund attorney.
Please contact us if you would like to establish a Colorado hedge fund or investment advisory firm. We are also available to answer any questions on the following article. Other related hedge fund law articles include:
The following notice can be found here.
Investment Adviser Privacy Requirements
TO: Colorado Licensed Investment Adviser Firms
RE: Privacy Notices To Be Sent to Clients
FROM: Fred J. Joseph, Securities Commissioner
DATE: May 30, 2001
On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (GLBA). GLBA eliminated legal barriers between the securities, insurance, and banking industries, but retains the oversight roles of federal and state agencies within their particular areas of expertise. One of the major components of GLBA is the creation of new privacy laws and regulations for federal covered advisers and state-licensed advisers. The new privacy requirements adopted by the Federal Trade Commission (“FTC”) governing state-licensed investment advisers went into effect on November 13, 2000, and compliance will be mandatory on July 1, 2001.
As Securities Commissioner, I am providing this document to you and other investment advisers licensed in Colorado to assist you in complying with the new privacy laws. It is designed to make you aware of the new regulatory requirements, which are footnoted throughout this document, and to help you think through potential civil liabilities for failure to develop and implement privacy policies and practices. It is not legal advice. You may want to consult an attorney regarding the applicability of GLBA’s privacy provisions to you.
Summary of GLBA
GLBA’s new privacy laws regulate what you are allowed to do with the confidential personal information that you collect in connection with your investment advisory activities. Specifically, these provisions govern how you collect, use, and maintain this personal information and under what circumstances you may share it with someone else. The law requires that you adopt written policies for handling confidential personal information and that you properly distribute those written policies.
In general, GLBA prohibits you from sharing an individual’s confidential information with non-affiliated third parties, unless:
- You tell the individual that you may share the information with others;
- You give the individual the opportunity to tell you not to share the information; and
- The individual does not tell you to keep the information confidential (i.e., the individual does not “opt out” of disclosure to third parties).
The following is a more in-depth discussion of the new regulatory requirements.
Some definitions are in order, so that you can decide which people, and what information you obtained from or about those people, are included in the concept of confidential personal information.
GLBA distinguishes between a customer and a consumer. A customer is a person with whom you have developed a continuing relationship to provide products or services to be used primarily for personal, family, or household purposes. A customer would not include a person who met with someone from your firm but then decided not to establish a business relationship with your firm. So that we can distinguish between the two types, we will call the latter person a consumer.
Non-public personal information (“NPI”) is any personal information that cannot be found in public sources. Publicly available information would be details available from federal, state, or local government records; widely distributed media (such as telephone directories or newspapers); or information disclosed to the public as required by federal, state, or local law. NPI is usually obtained directly from the individual. It includes such details as the person’s date of birth, social security number, financial account numbers and balances, sources and amounts of income, credit card numbers, information obtained about visitors to your Internet web site, and sometimes could include home addresses and telephone numbers.
An affiliate is a company that controls, is controlled by, or is under common control with your firm. A non-affiliated third party is any person or entity other than your firm, your employee, or an affiliate.
Opt-out is a concept requiring you to give consumers and customers notice that NPI may be disclosed to third parties. It includes giving them the chance to “opt out” of such disclosure and telling them how to exercise that right.
A joint marketer is a person or company who markets your products or services under a joint agreement with one or more financial institutions. A service provider is a person or company who assists your firm in administering, processing, or servicing a customer’s account.
Under GLBA, each investment adviser must give its customers either a full notice or simplified notice of the firm’s privacy policies. In addition, your firm may be required to give consumers a limited type of notice called a “short form initial notice.” In order to determine which notice requirements apply to your firm, you should answer the following questions:
- What NPI does your firm possess?
- Who are your customers?
- Who are your consumers?
- What are your current information sharing practices?
The answers to these questions will help you determine which of the following types of notice is needed. The flowchart in Attachment 1, which is attached to this document, may also assist you in making this determination.
1. Notice to Consumers
A. When Consumer NPI Is Not Disclosed (No Notice):
B. When Consumer NPI Is Disclosed (Short Form Initial Notice):
2. Notice to Customers
A. When Customer NPI Is Not Disclosed (Simplified Notice):
You may provide a simplified notice to customers if you neither disclose nor reserve the right to disclose their NPI to any third party, including affiliates as well as non-affiliates. You may also use a simplified notice if you do disclose or reserve the right to disclose NPI to third parties, but only if the disclosure is permitted under the exceptions described in the “Opt Out Rights and Procedures” section below. The simplified notice should include: (1) the categories of NPI you do collect; (2) your policies and practices intended to protect the confidentiality, security, and integrity of NPI in your office (i.e., your “safeguarding” procedures); (3) your statement that you do not disclose and do not reserve the right to disclose NPI; and (4) your statement that you will make disclosures to non-affiliated third parties only as permitted by law.
B. When Customer NPI Is Disclosed (Full Notice):
You must provide a more comprehensive notice to customers if you disclose or reserve the right to disclose their NPI to any third party, including affiliates as well as non-affiliates, unless the disclosure is permitted under the exceptions described in the “Opt Out Rights and Procedures” section below. This notice must disclose your firm’s policies and practices about the following:
- What confidential information you may collect from or about a person;
- What confidential information you may disclose to other entities;
- The categories of non-affiliated third parties to which your firm may disclose confidential information;
- What your policy is on sharing information about former customers;
- What categories of confidential information your firm discloses under agreements with third party service providers (such as a broker-dealer or a sub-adviser);
- An explanation of a person’s right to opt out of having confidential information disclosed to non-affiliated third parties, and what the person needs to do to opt out;
- Your office policies and practices intended to protect the confidentiality, security, and integrity of confidential information (i.e., your “safeguarding” procedures), including in general terms who is authorized to have access to this information; and
- Notices required under the Fair Credit Reporting Act, if applicable.
Opt Out Rights and Procedures
With each short form or full notice, you must provide a reasonable way for a person to prevent your firm from disclosing NPI to non-affiliated third parties. This process is called “opting out.” Reasonable methods would include (1) a separate reply form, or a portion of the full notice that can be separated, with check-off boxes; (2) an electronic means to opt out such as through e-mail or through your firm’s web site, if the person has agreed to receive your full notice electronically; or (3) a toll free telephone number that persons can use to call to opt out. It would not be considered reasonable to require a person to write their own letter to opt out.
There are no opt out rights for any disclosures of NPI you make to service providers or joint marketers, but you must disclose the nature of any information to be shared with a service provider or joint marketer and must enter into contractual arrangements to require the third party to maintain confidentiality of the information. The opt out rights also do not apply to disclosure of confidential information in the following circumstances:
- When the consumer or customer has consented to, and has not revoked, the disclosure;
- For resolving consumer or customer disputes or inquiries;
- To persons holding a legal or beneficial interest relating to the consumer or customer;
- To persons acting in a fiduciary or representative capacity on behalf of the consumer or customer;
- To provide information to agencies assessing your firm’s compliance with industry standards, and to your attorneys, accountants, and auditors;
- In connection with a proposed or actual sale or merger of your firm;
- To respond to a regulator’s examination of your firm; or
- To comply with a civil, criminal, or regulatory investigation by federal, state, or local authorities.
You must provide the notice to a customer not later than the time you establish that on-going relationship, unless this would cause a delay in the customer obtaining your services and the customer agrees to accept the notice at a later date. (For example, a new consumer gives you enough information over the telephone to establish a customer relationship and wants you to execute a transaction immediately.) For any person who is already your customer, you must provide the notice prior to disclosing any NPI, but no later than July 1, 2001.
You must provide the notice to a consumer before you disclose any NPI about the consumer to any non-affiliated third party. But, if the only non-affiliated third parties who would receive information from you are among those in the Exceptions discussed above, you are not required to provide any notice.
Policy Changes and Annual Updates
Finally, you must annually provide (not just offer) your privacy notice to customers. You can define when the 12-consecutive-month year starts, but you must be consistent in applying it to all your customers. (For example, if you define a year as a calendar year, for a customer who opens an account on any day of year 1, you must provide the annual notice to that customer by December 31 of year 2.)
You are not required to provide the notice to persons who no longer are your customers. You are also not required to provide annual notices to persons who have previously requested that you not send them any information about the customer relationship, so long as your current privacy notice is available to that customer.
The following clauses are samples only. Additional illustrations of sample clauses may be found in the rules cited in the footnotes. WARNING: YOU MUST BE SURE THAT ANY STATEMENT YOU MAKE IS ACCURATE.
If you do not disclose information outside of the Exceptions:
“We do not disclose any confidential personal information about our customers or former customers to anyone, except as permitted by law.”
To describe the categories of information you may disclose:
“We may disclose the following kinds of confidential personal information about you:
- Information we receive from you on applications or other forms, such as [provide illustrative examples, such as “your name, address, assets, and income”]
- Information about your transactions with us, our affiliates, or others, such as [provide illustrative examples, such as “your account balance, investing history, and parties to transactions”]”
To describe the categories of parties to whom you disclose information:
“We may disclose confidential personal information about you to the following types of third parties:
- Financial service providers, such as [provide illustrative examples, such as “mortgage bankers, securities broker-dealers, and insurance agents”]
- Non-financial companies, such as [provide illustrative examples, such as “direct marketers, airlines, and publishers”]
- Others, such as [provide illustrative examples, such as “non-profit organizations”]”
“We may also disclose confidential personal information about you to non-affiliated third parties as permitted by law.”
To describe disclosure to service providers or joint marketers:
“We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with which we have joint marketing agreements:
- Information we receive from you on applications or other forms, such as [provide illustrations, such as those described above]
- Information about your transactions with us, our affiliates, or others, such as [provide illustrations, such as those described above]”
(NOTE: your customer must receive notice, but has no right to opt out of disclosure.)
To explain the opt out right:
“If you prefer that we not disclose confidential personal information about you to non-affiliated third parties, you may opt out of those disclosures; that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to non-affiliated third parties, you may [describe a reasonable means of opting out, such as “call the following toll free number: (insert number)”]”
To describe your policies and practices concerning protecting confidentiality:
“We restrict access to confidential personal information about you to [provide an appropriate description, such as “those employees who need to know that information to provide products or services to you.”] We maintain physical, electronic, and procedural safeguards to comply with federal standards to guard your confidential personal information.”
SEC vs. FTC Rules
While the Securities and Exchange Commission (“SEC”) has privacy jurisdiction over large investment adviser firms, the Federal Trade Commission (“FTC”) has privacy jurisdiction over investment advisers not registered with the SEC. The FTC has acknowledged that an investment adviser’s compliance with the sample clauses in the SEC rules will equate to compliance with the FTC rules. Rules cited herein by footnotes are to both SEC and FTC regulations.
You may learn more about the rules and requirements by visiting these agencies on-line. For the SEC rules, go to http://www.sec.gov/rules/final/34-42974.htm. For the FTC rules, go to http://www.ftc.gov/os/2000/05/65fr33645.pdf.
HFLB Note: Footnotes have been omitted.