There is a new headache and expense coming for mutual fund companies this year - privacy compliance.
Federal banking regulators and the SEC are drafting regulations that will require mutual fund companies and other financial institutions to take new, expensive steps to safeguard the privacy of their investors' personal information. The new rules - which could be proposed as early as next month - are expected to require most fund companies and financial services firms to notify investors in writing annually about companies' privacy policies.
Companies also must tell investors that they have the right to "opt out" - to choose not to have their personal information revealed to other, unrelated companies for marketing purposes. The regulations are the result of legislation Congress passed last year.
Some fund companies already are revamping their systems in anticipation of the new requirements, which will go into effect in November. At the Bank One Investment Management Group of Columbus, Ohio, for example, executives have begun rejiggering their record-keeping systems so that they can readily track who receives notices and who opts out, said Carter McDowell, director of compliance for the Bank One Investment Management Group. It is too early to tell how much the changes will cost, McDowell said.
The new rules, however, are sure to generate a great deal of correspondence between financial institutions and their customers, McDowell and other mutual fund executives and lawyers said in recent interviews.
"It's being referred to as the blizzard of 2000," McDowell said of the new notice requirements. "Every financial institution in the U.S. is going to have to touch every customer ... with some sort of paper."
The new rules are a result of the federal legislation that repealed the Glass-Steagall Act. The Gramm-Leach-Bliley Act of 1999 requires that financial institutions such as mutual funds give clients the right not to have their personal financial information shared with others. The SEC and banking regulators must adopt new regulations by May to implement the new law.
With respect to privacy policies, fund executives and lawyers have expressed hope that financial institutions could make the information available orally or through general publication in a newspaper and on a website. It appears that will not be sufficient.
According to a copy of the draft of the regulations obtained by Mutual Fund Market News, mutual fund companies would have to mail copies of their privacy policies to shareholders or send the policy by electronic mail to those shareholders who provide an electronic mail address. The proposal specifically prohibits companies from using oral notice to satisfy the new requirements. The regulations, which are only in draft form, will be revised before they are proposed, according to people familiar with the matter.
The SEC is working on the proposed privacy regulations with other agencies, said John Heine, an SEC spokesperson. The timetable for making the proposal is unclear, he said. He declined to comment further.
Expenses and logistics are not the only effects of the new rules that trouble mutual fund executives and lawyers. Some expressed concern that failure to comply with the new rules will subject their companies both to action by federal regulators and to potential class action suits from the plaintiffs' bar.
The Gramm-Leach-Bliley law does not give investors the right to sue under federal law, lawyers said. Nevertheless, lawyers and financial firm executives fear that if their clients or companies violate federal law, plaintiffs' lawyers will file state court class action suits alleging violations of state consumer protection laws. Plaintiffs' lawyers may then point to alleged violations of the federal law as evidence that companies' business practices were unfair, lawyers and fund executives said.
"That concerns us," said Joseph Carrier, director of compliance for T. Rowe Price Associates of Baltimore, Md., of the prospect of state court suits.
The Gramm-Leach-Bliley law also permits states to make even stronger personal privacy laws than Congress. Compliance problems will escalate if states take that course, Carrier said. Fund companies will then be forced either to follow privacy practices that vary for customers in different states or follow the most stringent state law and adapt its provisions to all investors nationwide, Carrier said.
The new regulations will mark an evolution for the privacy issue as it is managed inside financial firms, said David Roderer, a lawyer in the Washington, D.C. office of Goodwin, Procter & Hoar LLP of Boston. Previously, the marketing department often played the key role in oversight of details about how customer data was shared with non-affiliates. Now, oversight of privacy issues will be viewed primarily as a compliance issue, monitored and governed by a firm's legal department, Roderer said.
Historically, some financial institutions have taken customer information and sold it to others. That practice has been rare in the mutual fund industry, Roderer and mutual fund company executives said.
Nevertheless, fund firms, while not selling the information, have sometimes made it available to other companies that then market their products to fund investors. For example, a fund company may offer shareholders life or health insurance through an affiliate or a joint venture, said McDowell of Bank One. The firm may then agree to share customer information with, for example, an unaffiliated eyeglass provider who can offer investors products at reduced prices, McDowell said.
Because of such arrangements, the new rules are likely to create more record-keeping and compliance work at companies with several subsidiaries that offer a range of financial products rather than just funds, McDowell and other executives said.