Investment Advisers and Investment Funds Subject To Consumer Privacy Regulations Effective July 1, 2001

Schulte Roth & Zabel LLP
Contributor
With a firm focus on private capital, Schulte Roth & Zabel comprises legal advisers and commercial problem-solvers who combine exceptional experience, industry insight, integrated intelligence and commercial creativity to help clients raise and invest assets and protect and expand their businesses.
United States Finance and Banking

Originally published in: Investment Management Developments

The Gramm-Leach-Bliley Act (the "GLB Act"), which was enacted in 1999, prohibits financial institutions, directly or through their affiliates, from sharing nonpublic personal information about their "consumers" with third parties, unless (1) the institution provides those "consumers" with (a) a notice of the institution’s privacy policies and practices, including a clear and conspicuous notice that nonpublic personal information may be disclosed to nonaffiliated third parties, and (b) a meaningful opportunity to opt out of that disclosure, and (2) the consumer has not opted out. The GLB Act directed federal regulators to implement its mandate through the regulation of entities under the respective agencies’ jurisdictions. This article focuses on the impact of the GLB Act on hedge and private equity funds and examines pertinent regulations, primarily those under the Securities and Exchange Commission’s Regulation S-P and the Federal Trade Commission’s Privacy of Consumer Financial Information Rule (the "FTC Rule"). The various privacy regulations are substantially similar and will be discussed together as the "Privacy Regulations."

The SEC’s Regulation S-P applies to (1) broker-dealers, (2) investment companies, as defined by the Investment Company Act of 1940, and (3) investment advisers registered with the SEC under the Investment Advisers Act of 1940. Regulation S-P does not apply to "3(c)(1)" and "3(c)(7)" funds (private investment funds that are excluded from the definition of "investment company" under the Investment Company Act of 1940), or to unregistered investment advisers. However, unregistered funds may fall under the jurisdiction of the privacy rules promulgated by the various banking agencies if they are subsidiaries of a bank or an affiliate of a bank holding company, and unregistered advisers, if they are commodity pool operators, may fall under the privacy rules of the Commodity Futures Trading Commission, to be issued shortly. Furthermore, even if a private investment fund or an unregistered investment adviser is not subject to regulation of either the SEC, the banking agencies or the CFTC, such entities still fall under the "catch-all" jurisdiction of the FTC.

The Privacy Regulations require financial institutions to:

  • Provide "consumers" and "customers" (a distinction discussed below) with initial notice of the institution’s privacy policy and practices;
  • Provide "customers" with annual notice of the institution’s privacy policy and practices;
  • Describe in such notices what information the financial institution collects and whether this information is disclosed to affiliates or nonaffiliates;
  • If the institution intends to share consumer information with nonaffiliated third parties outside one of the exceptions (discussed below), provide consumers with a clear and conspicuous notice of a right to opt out of disclosure of their information to nonaffiliated third parties and a reasonable means of opting out; and
  • Disclose procedures used by the financial institution to safeguard customer records and information.

Consumers And Customers

Since the GLB Act was enacted to protect individuals, all notice and opt-out provisions of the Privacy Regulations apply only to individuals and not business entities. A "consumer" is an individual who obtains from a financial institution services and products for primarily personal, family, or household purposes. An individual investor who opens a personal brokerage account is obtaining a service from a financial institution, and an individual investor who invests in a private investment fund is acquiring a product from a financial institution.

The definition of consumer also includes an individual’s legal representative and holders of individual retirement accounts or arrangements ("IRAs"). Notwithstanding the inclusion of IRAs within the definition of "consumer," distinct legal entities are not "consumers" under the Privacy Regulations: a trust, partnership, or personal corporation that has an account with a financial institution would not be a consumer for purposes of the privacy rules because these entities are not individuals. Furthermore, a beneficiary of a trust or a plan participant in an employee benefit plan is not a "consumer" under the Privacy Regulations.

Because a "financial product or service" is defined to include a financial institution’s evaluation of an application or request to obtain the product or service, a person can become a consumer even if his or her application or request is denied or withdrawn. Thus, consumers include an individual who provides nonpublic personal information when seeking to obtain brokerage or investment advisory services. For example, an investor providing, orally or in writing, nonpublic personal information to the manager of a hedge fund in seeking to invest in the fund would be a consumer of the fund even if the investor ultimately did not, or was not permitted to, invest.

The Privacy Regulations distinguish between "consumers" and "customers" of a financial institution. "Customers" are included in the definition of "consumers," and are those consumers who have a "customer relationship" with a financial institution. "Consumers" become "customers" when they enter into a continuing relationship with the institution, such as when they enter into a written or oral investment advisory contract or buy interests of an investment company in their own names.

The SEC’s release adopting Regulation S-P pointed out that a registered investment adviser to a fund, serving under an investment advisory agreement with that fund but not with the fund’s investors, would not have a customer relationship with such investors. Not having a customer relationship, the registered adviser would then not be required to distribute its privacy notices to investors in such fund; however, the SEC’s view might be different where the fund is a limited partnership and the adviser is the general partner of the fund, and, in any event, under the FTC Rules the investor will have a customer relationship with the fund in which it invests and the fund itself will have obligations under the Privacy Regulations.

Non-U.S. Investors.

To be a consumer, an individual need not be a U.S. person. Significantly, Regulation S-P applies to any entity under the SEC’s jurisdiction, regardless of whether such entity’s consumers are U.S. persons or non-U.S. persons and regardless of whether such entity conducts its activities through U.S. or non-U.S. offices or branches. By analogy, a financial institution covered by the FTC Rule, such as a hedge fund, would likewise have an obligation to its non-U.S. consumers.

Notice

By July 1, 2001, a financial institution must provide to all its customers a "clear and conspicuous" notice that accurately reflects the financial institution’s privacy policies and, if necessary, includes an opt-out provision. This means that if an opt-out provision is included in the notice, such notice must be distributed a reasonable period of time, such as 30 days as suggested by the Privacy Regulations, prior to July 1, 2001 to allow for customers to respond to the opt-out provision.

In addition to providing a notice to existing customers, a privacy notice must be given at the time new customer relationships are first formed.

Each privacy notice must include the following types of information:

  • the categories of nonpublic personal information that the financial institution collects;
  • the categories of nonpublic personal information that the financial institution discloses;
  • the categories of affiliates and nonaffiliated third parties to whom the financial institution may disclose nonpublic personal information;
  • information dissemination practices with respect to former customers;
  • practices with respect to information disclosed to service providers and joint marketers;
  • notice of the customer’s right to opt out and provision for a reasonable means of opting out;
  • any disclosure that the financial institution may be making under the Fair Credit Reporting Act; and
  • a statement reflecting the financial institution’s policies and practices with respect to safeguarding the nonpublic personal information of consumers.

As a practical matter, the initial notice to new "customers" of a hedge fund (as well as to "consumers" – i.e., persons that ultimately do not invest in the fund) may be included in the fund’s subscription documents.

After the initial notice is given, annual notices must be provided to all customers every 12 months. Annual notices need not be given to former customers, that is, once there is no longer a continuing relationship. To the extent a financial institution’s disclosure policies change, the privacy notice must be revised, and the revised notice must be provided to customers and consumers before the institution shares nonpublic personal information in a manner not described in the most recent notice delivered to the customer or consumer.

Initial and annual notices must be provided in writing or, if the consumer or customer agrees, electronically. A sample notice is attached as Exhibit A.

Nonpublic Personal Information

The Privacy Regulations define "nonpublic personal information" to include personally identifiable financial information. "Personally identifiable financial information" would include the identifying and qualifying information typically provided by an investor in subscription documents. Also included would be a consumer list (e.g., a list of select individual investors in a fund) or description or grouping of consumers that is derived using any personally identifiable financial information. The Privacy Regulations exclude publicly available information, except if the information is disclosed in a manner indicating that the individual is the firm’s consumer, which fact is itself personally identifiable financial information.

Opt-Out Provisions

The Privacy Regulations further require that consumers and customers be provided with a clear and conspicuous notice of the right to opt out of any disclosure of nonpublic personal information to nonaffiliated third parties and be provided a meaningful opportunity to opt out. Unless the opt-out right is exercised, the information can be disclosed.

The right to opt out applies only to disclosure to nonaffiliated third parties outside of one of the exceptions. Reasonable means of opting out may include via a toll-free telephone number, check-off boxes, reply forms and, if the consumer agrees to the electronic delivery of information, electronic mail or through the institution’s website. The opt-out is effective until revoked in writing by the consumer.

If the opt-out right is not exercised by a consumer or customer and information is provided to nonaffiliated third parties, the ability of the nonaffiliated third party to use or redisclose such information is limited. However, a financial institution generally does not have a duty to monitor a third party’s use of information provided by the financial institution.

Affiliated Investment Advisers.

The financial institution need not provide a consumer or customer with the opportunity to opt out of disclosure to affiliates. Generally, the Privacy Regulations define an "affiliate" as any company that controls, is controlled by, or is under common control with the financial institution. Many, if not most, hedge and private equity funds employ an investment adviser that is an affiliate of the general partner or the manager of the fund it is advising. Consequently, private investment funds are typically able to freely share information with their affiliated investment advisers. The rules permit such advisers to use the information for their own purposes, including marketing.

Exceptions To Disclosure Prohibitions.

The Privacy Regulations permit disclosures to nonaffiliated third parties under several significant exceptions. If the disclosures are made in connection with processing or servicing transactions authorized by the consumer or necessary to maintain or service the consumer’s or customer’s account, neither notice nor an optout opportunity need be provided. Thus, a fund’s nonaffiliated investment adviser, nonaffiliated administrator or nonaffiliated prime broker would be covered by this exception because these entities are performing services to maintain and service the investor’s interest in the fund as implicitly authorized by the investor. The Privacy Regulations also permit disclosure of nonpublic personal information to legal representatives of the customer and to the financial institution’s own legal representatives, such as its counsel, accountant and auditor. The information received by these nonaffiliated third parties can only be used for the purpose for which it was transmitted. The recipient of the information may in turn disclose such information to its affiliates, or under one of the exceptions permitting disclosure, but, once again, only for the purpose for which the information was originally transmitted. For example, a nonaffiliated investment adviser may receive information from a fund in order to evaluate the customer’s suitability and may, in turn, share that information with its attorney for the same purpose.

The Privacy Regulations also provide some additional categories of permissible disclosures, including those made with the consumer’s consent, in order to comply with federal, state or local laws or for regulatory compliance, and disclosures made to prevent fraud or pursuant to a lawful subpoena.

Joint Marketing Arrangements

While a discussion of the full scope of the requirements for joint marketing agreements is outside the scope of this article, the Privacy Regulations permit financial institutions to share information with nonaffiliated third parties without providing the consumer with a right to opt out of such disclosure if the third party is providing services, including marketing services, for the benefit of the financial institution. However, to take advantage of this exception, a notice of such agreement must be provided to the consumer before any disclosure takes place. This is in contrast to the exceptions to the disclosure prohibition discussed above where the services were provided for the benefit of the investor. Under those exceptions, neither opt-out opportunity nor notice to consumers were required.

The joint marketing service agreements may include marketing the financial institution’s products or services (e.g., a placement agent agreement between a private investment fund and a nonaffiliated placement agent), or products or services offered under a joint written marketing agreement with the third party. Under the Privacy Regulations, the financial institution must enter into a contractual agreement with the third party requiring the third party to maintain the confidentiality of the consumer information and must fully disclose to the consumer that the financial institution will provide personal information to the marketing partner.

Fair Credit Reporting Act

The GLB Act does not preempt the requirements of the Fair Credit Reporting Act ("FCRA"). Those entities that were previously required to comply with FCRA must continue to do so, and must make FCRA disclosures in their notices to customers. In certain cases, the FCRA requires special notices and opt-out opportunities even in connection with the sharing of information among affiliates. However, while a full discussion of FCRA and its application is outside the scope of this article, a typical fund will not have obligations under FCRA, because information is shared among fund affiliates only within the scope of the investor’s activities with the fund. The FCRA may come into play where an affiliate of a fund to which an investor’s information is provided intends to use the information to offer products or services unrelated to the purposes for which the information was provided (e.g., to offer insurance products). In such circumstances, the fund should consider providing the information in a way that does not potentially make the information a "consumer report" under FCRA, which would trigger notice and opt-out requirements. For example, a fund providing information about an investor to an affiliate for use by the affiliate to market other products or services should consider providing the information in the form of a simple list of investors and contact information rather than providing copies of the investor’s subscription documents (which would likely be considered a consumer report).

Privacy Safeguard Policy

The Privacy Regulations impose a requirement on financial institutions to disclose procedures the institution uses to safeguard customer records and information. The policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records, protect against any anticipated threats or hazards to the security or integrity of customer records and protect against unauthorized access to or use of customer records that could result in substantial harm or inconvenience to any customer. A financial institution must design and implement these policies and must disclose them to its customers.

Penalties

Financial institutions that have not provided timely notice and reasonable opt-out provisions cannot share any nonpublic personal information about their consumers or customers with nonaffiliated third parties until such notice and opt-out is provided and a reasonable period of time, such as 30 days, has passed for opt-out rights to be exercised. For types of sharing that are not subject to the opt-out but are subject to the notice requirements (such as third party service providers and joint marketing agreements), if a financial institution does not deliver the initial Privacy Notice by the July 1, 2001 deadline, such sharing would have to stop on that date. If the financial institution subsequently delivers the privacy notice, it appears that such information sharing may commence. While the GLB Act contains no private right of action, customers may enforce the GLB Act requirements under other causes of action, including those relating to unfair and deceptive practices which can be brought under state laws. Furthermore, regulators may bring enforcement actions against financial institutions under their jurisdiction to the extent generally authorized.

Conclusion

The compliance burden of the Privacy Regulations is not particularly heavy for a typical hedge or private equity fund. If such fund does not make any nonaffiliated third party disclosures outside of GLB Act exceptions, it need not provide any opt-out mechanism, making its burden even less substantial. After providing its existing customers with privacy notices, the fund that accepts investment by individuals or IRA accounts should consider incorporating the GLB Act required notice disclosures in its subscription documents (so long as such disclosure is made clear and conspicuous). While the fact that information may be shared among the investment adviser, the management company, administrators and prime brokers is not required to be disclosed if made under the "account servicing" exception to the Privacy Regulations, such disclosure is a good idea in light of the heightened sensitivity that regulators are exhibiting to these issues.

If there is any disclosure of a consumer’s or a customer’s nonpublic personal information to other nonaffiliated third parties, the fund adviser must provide opt-out mechanisms (such as a check-off box in the subscription documents) for the consumer. Finally, the fund’s or the investment adviser’s information security policies must be briefly described. Inclusion of required disclosures in the subscription documents has the benefit of automatically providing the required notice to "consumers" (those persons who ultimately do not invest in the fund), although, if no third party information disclosure is made, no such notice is actually required. Annual disclosures could be accomplished by enclosing the same disclosures found in the subscription documents (so long as they continue to accurately describe the fund’s privacy policy) with the fund’s performance information at least once a year.

Remember, compliance with the GLB Act becomes mandatory on July 1, 2001.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
