RS20185: Privacy Protection for Customer Financial Information
M. Maureen Murphy
Updated January 5, 2001

Summary

Title V of the Gramm-Leach-Bliley Act of 1999 (P.L. 106-102, H.Rept. 106-434) requires financial institutions to provide their customers with notice of their privacy policies, including those relating to sharing of customer information with affiliated entities. It prohibits sharing personally identifiable customer information with non-affiliated third parties and prohibits financial institutions from providing account numbers to non-affiliated third parties for marketing purposes. It requires financial institutions to safeguard the security and confidentiality of customer information. Finally, it delegates rulemaking and enforcement authority to the various functional regulators of financial institutions, that is, the federal banking and securities regulators, the Federal Trade Commission, and state insurance regulators.

Gramm-Leach-Bliley was enacted in the face of very little federal law directly regulating customer financial data held by financial services providers. Privacy concerns have increasingly been raised by consumers and may be reflected in various legislative developments. The Gramm-Leach-Bliley legislation includes prohibitions on "pretext calling," obtaining financial institution customer information by false pretenses. It also includes a provision that would require financial institutions to permit customers to opt out of sharing, with nonaffiliated third parties, nonpublic personally identifiable information. A provision restricting insurance company disclosure of customer medical, health, and genetic information was deleted in Conference.

This report will be updated on the basis of floor action in either House addressing either an amendment to Title V of Gramm-Leach-Bliley or the question of privacy protection for financial institution customer information.
Background

With modern technology's ability to gather and retain data, businesses providing depository, credit, investment, or insurance services have increasingly found ways to take advantage of their large reservoirs of customer information. Not only can they serve their customers better by tailoring services and communications to their preferences, but they can profit from sharing that information with others willing to pay for customer lists or targeted marketing compilations. In the context of consolidations in the financial services world, including those contemplated by financial modernization legislation in the 106th Congress, the possibility of accessing new customer databases is one of the calculations made in deciding to acquire or merge with another entity. (1)

While some consumers are pleased with the wider access to information about available services that information sharing among financial services providers offers, others have raised privacy concerns. Individuals are particularly interested in controls on secondary usage. There is the perception that information provided for a specific purpose to one business and used thereafter by another in a completely different context threatens privacy. There is a fear of unanticipated adverse consequences. Information supplied to a creditor or an insurer, for instance, may flow into a prospective employer's file and defeat a job application without the applicant's being able to address the matter.

Legal Landscape

The United States has no general law of financial privacy. The Constitution itself has been held to provide no protection against governmental access to financial information turned over to third parties. United States v. Miller, 425 U.S. 435 (1976).
This means that although the Fourth Amendment to the United States Constitution requires a search warrant for a government agent to obtain such records as a person's own copies of canceled checks, credit card charges and receipts, loan applications, and stock transfer records, it does not protect the same records when they are held by financial institutions. State constitutions, statutes, and court decisions may provide greater protection.

Various federal statutes provide a measure of privacy protection for financial records. The Right to Financial Privacy Act, 12 U.S.C. §§ 3401-3422, sets procedures for federal government access to customer financial records held by financial institutions. The Fair Credit Reporting Act, 15 U.S.C. §§ 1681 to 1681t, establishes standards for collection and permissible purposes for dissemination of data by consumer reporting agencies. It also gives consumers access to their files and the right to correct information therein. The Electronic Funds Transfer Act, 15 U.S.C. §§ 1693a to 1693r, describes the rights and liabilities of consumers using electronic fund transfer systems. Among them is the right to have the financial institution provide them with information as to the circumstances under which information concerning their accounts will be disclosed to third parties.

With the passage of the Fair Credit Reporting Act Amendments of 1996, P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, § 2419, 110 Stat. 3009-452, adding 15 U.S.C. § 1681t(b)(2), companies may share with other entities certain customer information respecting their transactions and experience with a customer without any notification requirements. Other customer information, such as credit report or application information, may be shared with other companies in the corporate family if the customers are given "clear and conspicuous" notice about the sharing and an opportunity to direct that the information not be shared.
Gramm-Leach-Bliley's Privacy Provisions

Title V of the Gramm-Leach-Bliley Act, (2) enacted in 1999, contains the privacy provisions enacted in conjunction with financial modernization legislation. In addition to strengthening the prohibitions on identity fraud and mandating a federal study on information sharing among financial institutions and their affiliates, the legislation requires that federal regulators issue rules that call for financial institutions to establish standards to insure the security and confidentiality of customer records. It prohibits financial institutions from disclosing nonpublic personal information to unaffiliated third parties without providing customers the opportunity to decline to have such information disclosed. Also included are prohibitions on disclosing customer account numbers to unaffiliated third parties for use in telemarketing, direct mail marketing, or other marketing through electronic mail. Under this legislation financial institutions are required to disclose, initially when a customer relationship is established and annually thereafter, their privacy policies, including their policies with respect to sharing information with affiliates and non-affiliated third parties.

Rules implementing these privacy provisions have been promulgated by the federal banking and securities regulators and are under development by the state insurance regulators. They are effective on a voluntary basis as of November 13, 2000, and mandatory as of July 1, 2001. Implementing regulations were published by the banking regulators in the Federal Register on June 1, 2000, by the Federal Trade Commission on May 24, and by the SEC on June 29. 65 Fed. Reg. 35162, 33646, and 40334. They became effective on November 13, 2000; compliance is optional until July 1, 2001. (3) The National Association of Insurance Commissioners (NAIC) approved a model law respecting disclosure of consumer financial and health information intended to guide state legislative efforts in the area. (4)

These privacy provisions preempt state law except to the extent that the state law provides greater protection to consumers. The Federal Trade Commission, in conjunction with the other federal financial institution regulators, is to make the determination as to whether or not a state law is preempted. The Conference Committee rejected amendments that would have required customers to opt in, i.e., consent, before financial institutions could share customer financial information with either affiliates or third parties.

Privacy issues were discussed at each stage of the legislative process in the House consideration of financial modernization legislation. The House Banking Committee markup of the legislation (H.R. 10, 106th Cong.) included the rejection of an amendment, offered by Representative Inslee, that would have permitted bank customers to preclude sharing their information with third parties. What was accepted instead and included in the bill as reported by the House Banking Committee (H.Rept. 106-74) were provisions that would: require institutions to disclose their privacy policies, mandate a federal privacy study, and prohibit the sharing of health information derived from insurance activities. As reported by the House Commerce Committee, H.R. 10's prohibition against sharing individually identified health information derived from insurance activities would have been extended to include genetic information; customers would have been given the opportunity to opt out of information sharing by their financial institutions; and consumers would have been able to examine, upon request, nonpublic personal information before their financial institution shares or sells such information for consideration to nonaffiliated persons or entities.
Public and Industry Reaction

Prior to enactment of Gramm-Leach-Bliley, there were various indicators of the public's interest in financial privacy as well as industry's efforts to address those concerns. One of the indications of the public's interest in preserving the confidentiality of personal information conveyed to financial service providers was the negative reaction to what became an aborted attempt by the federal banking regulators to promulgate "Know Your Customer" rules. (5) These rules would have imposed precisely detailed requirements on banks and other financial institutions to establish profiles of expected financial activity and monitor their customers' transactions against these profiles.

Even before the Know Your Customer rules and enactment of Gramm-Leach-Bliley, depository institutions and their regulators had increasingly promoted industry self-regulation as a means of instilling consumer confidence and forestalling comprehensive privacy regulation by state and federal governments. The American Bankers Association, for example, promulgates eight privacy principles for the banking industry, (6) and one of the federal banking regulators, the Office of the Comptroller of the Currency, issued an advisory letter regarding information sharing. (7) It provides models from actual bank notification practices and encourages using the notice requirements as a means of advising customers on information handling practices and thereby enhancing customer confidence and trust.

The regulatory scheme set in place by Gramm-Leach-Bliley will not be operative until July 1, 2001, and it has, therefore, not yet been tested. In a certain sense, however, the debate as to whether information sharing by financial institutions with third parties, outside of their corporate families, should require actual consent rather than an opportunity to opt out continues.
Both the Fair Credit Reporting Act and Gramm-Leach-Bliley contain provisions permitting limited and particularized state preemption of federal standards when state laws provide more protection for consumers. The year 2000 saw activity in some state legislatures considering ways to enhance the protections of Gramm-Leach-Bliley, including requiring actual consent, or opt in, before information sharing. Only one state, California, enacted more protective legislation. (8) Industry sources view having to comply with multiple and inconsistent state regimes as posing excessive regulatory costs, litigation prospects, and liability potential. The validity of their claims may be reflected in a recent position taken by Robert Pitofsky, the Chairman of the Federal Trade Commission, the federal agency charged with making an initial determination as to whether a state privacy law preempts the Fair Credit Reporting Act or Gramm-Leach-Bliley's financial privacy provisions. In December, he went on record as potentially favoring legislation geared towards a nationwide financial privacy standard. In the same speech, however, he indicated that he would also consider enactment of legislation that the industry has resisted: requiring financial services providers to obtain customer consent before sharing data, i.e., an opt-in requirement rather than the current opt-out standard. (9)

The European Union Data Directive

Another incentive for a nationwide standard has been the requirements imposed upon companies doing business in Europe under the European Commission on Data Protection (EU Data Directive), an official act of the European Parliament and Council, dated October 24, 1995 (95/46/EC). This imposes strict privacy guidelines respecting the sharing of customer information and barring transfers, even within the same corporate family, outside of Europe, unless the transfer is to a country having privacy laws affording protection similar to Europe's.
The Department of Commerce has negotiated an agreement with the European Union that offers a framework under which US companies may be certified by the Department of Commerce and obtain a safe harbor, thereby continuing data transfers. (10) To date, the banking industry has not availed itself of this safe harbor, nor has the EU accepted Gramm-Leach-Bliley as one of the safe harbors meeting the Data Directive's requirements. U.S. entities with a presence in Europe, including some of the large bank holding companies, have chosen to draft guidelines and codes of conduct to meet the European standard and to satisfy that standard through separate negotiations.

Legislation

In addition to Gramm-Leach-Bliley, the 106th Congress had before it various other measures aimed at protecting the privacy of financial information, some of which may well reappear in some form in the 107th Congress. These included measures to permit customers to prevent their financial institutions from sharing information with affiliated companies, to require companies to permit customers to opt out of such sharing or to opt into any sharing of information, and to require companies to permit customers to review their information and to correct any errors.

There is also the possibility that there will be an effort to review the preemption provisions of the affiliate sharing provisions of the Fair Credit Reporting Act as well as those of Gramm-Leach-Bliley. The Fair Credit Reporting Act specifies that its provisions respecting affiliate sharing of information preempt state law until January 1, 2004. Specifically, subsection (b)(2) of section 624, 15 U.S.C. § 1681t(b)(2), provides a general exception to the FCRA's general rule on preemption. Under that rule, FCRA does not preempt state law, unless the state law is inconsistent, and then it is preempted only to the extent of the inconsistency. (11) An exception to this rule applies to sharing of information among affiliates.
(12) States may override this exception after January 1, 2004, by implementing or enacting laws providing greater protection to consumers with respect to information sharing among affiliates. (13) Gramm-Leach-Bliley, on the other hand, preempts state laws to the extent that they are inconsistent but provides that "a State statute, regulation, order, or interpretation is not inconsistent ... if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection under this subtitle as determined by the Federal Trade Commission...." (14) States may provide greater protection to consumers than Gramm-Leach-Bliley at any time. The Fair Credit Reporting Act moratorium ends on January 1, 2004. The interaction between these two provisions and the reaction by state legislators and regulators may well be catalysts for Congressional intervention as the 107th Congress proceeds.

Footnotes

1. This report addresses financial privacy issues. For more general information on privacy issues see: CRS Report RL30671 (pdf), Personal Privacy Protection: The Legislative Response, by Harold C. Relyea. A related issue, "Medical Records Confidentiality," is the subject of CRS Issue Brief 98002.
2. Pub. L. 106-102, tit. V, 113 Stat. 1338, 1436. 15 U.S.C. §§ 6801-6809. For general information on Gramm-Leach-Bliley, see "Major Financial Services Legislation, the Gramm-Leach-Bliley Act (P.L. 106-102): an Overview," F. Jean Wells and William D. Jackson, CRS Report RL30375.
3. Federal Register online at http://www.access.gpo.gov/su_docs/aces/aces140.html.
4. http://www.naic.org/1news/releases/061100PrivacyWGResolution.htm.
5. See CRS Report RS20026, Banking's Proposed 'Know Your Customer' Rules.
6. See "Financial Privacy in America: A Review of Consumer Financial Issues," (June 1998). http://www.aba.com/aba/ABANews&Issues/PR_012298pp.asp.
7. "Fair Credit Reporting Act," OCC AL 99-3 (March 29, 1999).
8. California enacted legislation that requires credit card issuers to provide consumers an opportunity to opt out of information sharing for marketing purposes, includes information sharing with affiliates for marketing purposes, and requires provision of a toll-free telephone number for exercising this right to opt out. 2000 Cal. Stat., ch. 977; 2000 Cal. Adv. Leg. Serv. 977 (Deering).
9. "FTC Head Favors Federal Action on Privacy, Says Argument for Preemption Now Stronger," 6 Electronic Commerce & Law Report 7 (January 3, 2001).
10. See Department of Commerce website: http://www.ita.doc.gov/HotNowFrameset.html.
11. 15 U.S.C. § 1681t(a).
12. 15 U.S.C. § 1681t(b)(2).
13. 15 U.S.C. § 1681t(d)(2).
14. 15 U.S.C. § 6824(b), Pub. L. 106-102, § 524(b), 113 Stat. 1448.