Member Newsletter

Question:
I've heard a lot about the new Privacy Laws that Congress passed last year and I know that the CFTC issued some new rules relating to it, but I'm unclear about the requirements for my IB business as a result. Can you help?

Answer:
The CFTC adopted its financial privacy rules following the enactment of the Commodity Futures Modernization Act of 2000 (CFMA). All of NFA's Members (FCMs, CTAs, CPOs and IBs) are required to comply with the privacy provisions of the Gramm-Leach-Bliley Act. The CFTC was required to issue consumer privacy regulations consistent with and comparable to those adopted by several other government agencies. The Commission's rules can be found on the Commission's web site at www.cftc.gov/files/foia/fedreg01/foi010427a.pdf.

The privacy rules apply to nonpublic personal information about individuals who obtain financial services products for personal, family or household purposes. Nonpublic personal information is generally defined as personally identifiable financial information that is not publicly available. The Commission's rules require firms to notify customers of their privacy policies and firms are also required to provide customers with a notice that instructs customers how to "opt out" of having their information shared with nonaffiliated third parties. Firms must give customers a reasonable amount of time to opt out of disclosures of nonpublic personal information to nonaffiliated parties. Member firms must be in Compliance with the Commission's privacy rules by March 31, 2002. Members who have entered into marketing or other service agreements with non-affiliated third parties before March 31, 2002 will have their existing service agreements grandfathered in and have until March 31, 2003 to ensure the agreement is in compliance with the privacy rules. This exception also applies to third parties that jointly market products for the Member firm and another financial institution.

To assist firms in addressing these federally mandated requirements, NFA will present an audio conference in June 2002 to discuss the CFTC's privacy rules. NFA will post the specific date and time of the conference in the Members' education section of the web site, www.nfa.futures.org. However, to be in compliance by March 31, 2002, member firms must have provided their existing customers with a privacy notice, an opt out notice (if necessary) and a reasonable amount of time to opt out before March 31. Firms must also stop sharing customers' nonpublic personal information with nonaffiliated third parties, if these steps have not been taken, unless the disclosure is under an exception in rule 160.14 or 160.15. Firms must also adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

The privacy rules generally require intermediaries to:

• notify customers of privacy policies at the time the customer relationship is established and annually thereafter

• notify customers of privacy policies before disclosing nonpublic personal information to nonaffiliated third parties

• provide customers with a reasonable opportunity to opt out of disclosures of nonpublic personal information to nonaffiliated third parties

• provide customers with a revised privacy notice and new opt out notice before disclosing a new category of nonpublic personal information or information to a new category of nonaffiliated third party.

The privacy notices must contain specific information, including

• the categories of nonpublic personal information collected

• categories of this information disclosed

• categories of affiliates and nonaffiliated parties to whom the firm will disclose the information

• firm's policies with respect to the information.

These notices must be accurate, clear and conspicuous. If the firm is required to provide an opt out notice to its customers, the notice should specify that the firm can disclose information to a third party, that the customer or consumer can opt out of this disclosure, and the means by which the customer or consumer may exercise their opt out right. The Commission has published a very helpful Financial Privacy Requirements Brochure that can be found on the Commission web site at www.cftc.gov/cftc/cftcfprbrochure.htm.