Gramm-Leach-Bliley Act & Qualified Plans

[Guest T C Farnam]

Kirk or anyone else monitioring this board - have you seen anything granting a blanket exemption from "Privacy Notices" under GLB to qualified plans ?

It seems to us that all 401(k) plans MIGHT be covered by these rules, and it seems VERY likely that any plan which is obtaining financial information to support applications for loans and hardship distributions could be covered.

Thanks for your thoughts.

TCF

[Kirk Maldonado]

Sorry Tom, but I can't help you on this one.

[Guest jdw]

The FTC regs implemeting Gramm-Leach-Bliley arguably exclude plan participants from the class of persons getting privacy notices. Notices go to "consumers" or "customers." Customers are consumers you have an on-going relationship with. The definition of consumer is "an individual who obtains or has obtained a financial product or service from you that is to ge used primarily for personal, family, or household purposes, or that individual's legal representative." 16 CFR 313.3(e)(1).

A qualified retirement plan is not obtained by an individual participant, but the plan sponsor. Even if the sponsor is an individual (a sole proprietor, for example), the product obtained is not being used primarily for family or household purposes, but rather for business purposes.

The FTC received comments on this issue in response to the proposed regs. Commenters argued that persons who were beneficiaries of qualified plans do not have a direct relationship with the financial service provider, and therefore the plan or the plan sponsor should be the "customer." The FTC apparently agreed, and amended the regs. See the discussion in the FTC regs (5/24/2000 Federal Register, pages 33651-2).

The wording they used in the example in the actual regs doesn't go quite as far as the commentary, focusing on trusts, trustees and fiduciaries and ignoring non-trustee or fiduciary service providers. See 313.3(e)(2)(viii) of the final regs.

In any event, the definition of "consumer" seems enough to exclude participants in qualified plans from getting notices from a financial services provider supporting the plan. Whether they are owed notices by others is another question.

[Guest T C Farnam]

Let's try again. My question is NOT related to whether the financial institutions providing services to a qualified plan need to issue privacy notices to the plan's participants.

The real question is whether the PLAN, in the process of obtaining financial information to support granting of a loan from the plan or approving a hardship distribution, becomes a "financial institution" under the FTC regulations.

If the Plan becomes an FI, does the participant who is asked to provide the financial information get the notices?

And by the way, what's the penalty for failure to provide the privacy notice???

TCF

[Guest jdw]

no, the plan does not need to give a privacy notice. The privacy regs requires "financial institutions" to give notices (313.4(a); "you" defined in 313.3(q) as a financial institution).

"financial institutions" are defined in 313.3(k)(1)as "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956." The definition goes on to say that the financial activities must be "significant."

There are several examples of what a financial instituion is; none of which closely resemble a retirement plan. See 313.3(k)(2)(i)-(xii). 313.3(k)(3) then gives examples of who is NOT a financial institution, including entities that engage in financial activities but not at significant levels (iv).

Although some plan activites are "financial services" subject to the Bank Holding Company Act (eg, plan loans), those are probably not "the business of which" the plan is created for, and they probably are not significant as a portion of the plan assets or activities.

Finally, the regulation's scope is aimed at a "financial institution if its business is engaging in a financial activity described in the Bank Holding Company Act", which incorporates a long list of Federal reserve regulations If your plan has not already been complying with the Bank Holding Company Act, it doesn't need to start now.

[Guest T C Farnam]

While I personally like your reasoning, it seems to be dependent on whether the Plan is engaging in significant financial activities.

We understand the FTC has specifically held that accountants and attorneys engaged in providing individuals with tax advice are considered "financial institutions" for purposes of these regulations. They would seem to us to be further from the general sense of that term than a Plan which is engaged in making loans.

Last but not least, what's the downside risk of NOT issuing these privacy act notices?

TCF