The Gramm-Leach-Bliley Act of 1999: GLB Act Sets New Privacy Standards
Editor's Note: This is the third in a series of articles on selected parts of the Gramm-Leach-Bliley Act of 1999. This article deals with privacy issues. For a more complete history of this Act, including a summary of the unitary thrift loophole issue, please see the December issue of Independent Banker magazine.
Disclosure of Information Sharing Practices
The new law imposes an "affirmative and continuing" obligation on institutions to respect and protect the privacy of their customers. The privacy requirements apply not only to banks, but to all institutions dealing in financial products and services. The law defines a "financial institution" for privacy purposes as "any institution the business of which is engaging in financial activities or activities that are incidental to financial activities as described in section 4(k) of the Bank Holding Company Act of 1956." This would include banks, thrifts, credit unions, broker-dealers, mutual funds, insurance companies and agents, finance companies, and any other non-bank entities offering financial products.
"Consumer" under Title V is defined as "an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual."
"Nonpublic personal information" under Title V means "personally identifiable financial information -- i) provided by a consumer to a financial institution; ii) resulting from any transaction with the consumer or the service performed for the consumer; or iii) otherwise obtained by the financial institution." It does not include information publicly available (as defined by the regulators), unless it is publicly available information contained in "any list, description, or other grouping of consumers. . . that is derived using any personally identifiable information other than publicly available information."
Notice and Opt-Out
Institutions must provide, at least on an annual basis, "clear and conspicuous" notice of their policies and procedures for protecting customers' nonpublic personal information. Institutions also must give customers an opportunity to "opt-out" before disclosing nonpublic personal information to an unaffiliated third party, with certain exceptions including third party "outsourcers" that perform functions on behalf of the institution, and for offering financial products and services under a "joint agreement" between financial institutions. Also, joint employees of the institution are not considered unaffiliated third parties.
Small Bank Concerns
During consideration of this bill in Congress, the ICBA expressed concerns that the "opt-out" requirement, which applies to the sharing of information with unaffiliated third parties but not with affiliates, was discriminatory towards smaller banks. Most community banks rely on third parties to conduct everyday business activities, while most larger banks offer products through affiliates that would not be subject to "opt-out." We asked the Conferees to take this into account in determining which third parties would be covered by the "opt-out" option. We achieved some additional carve-outs.
The conference report accompanying the GLB Act stated: "The Conferees wish to ensure that small financial institutions are not placed at a competitive disadvantage by a statutory regime that permits certain information to be shared freely within an affiliate structure while limiting the ability to share that same information with nonaffiliated third parties. Accordingly, in prescribing regulations pursuant to this subtitle, the agencies and authorities. . . should take into consideration any adverse competitive effects upon smaller commercial banks, thrifts and credit unions."
In addition to this advisory to the regulators, Title V of the GLB Act includes a list of exceptions to the notice and "opt-out" requirement, including: as necessary to effect, administer or enforce a transaction or service an account; for asset securitization or secondary market sales; with the customer's consent; to protect against fraud; to law enforcement agencies (as permitted by law) to comply with federal, state or local law; to consumer reporting agencies (e.g., credit bureaus); to the bank's attorneys, accountants and auditors; and in connection with the sale or merger of all or a portion of the bank.
In addition, customers may not opt out of information sharing to third parties made in connection with a written agreement between financial institutions to jointly offer, endorse or sponsor financial products and services, provided that the institution discloses the arrangement to its customers, and the third party agrees to "maintain the confidentiality of such information."
The agencies may also provide for additional exceptions by regulation.
Ban Against Sharing Account Numbers
The GLB Act contains a flat prohibition against disclosing account numbers to nonaffiliated parties for telemarketing, direct mail marketing, or electronic mail marketing, even with the consent of the customer (except that account numbers may be shared with credit bureaus).
Pretext Calling Prohibited
The GLB Act makes it illegal, with certain exceptions, to obtain, or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed, customer information from a financial institution through fraudulent or deceptive means, such as misrepresenting the identity of the person requesting the information to try to trick the institution into disclosing the information. Exceptions include certain law enforcement activities, for banks testing security procedures or investigating allegations of employee misconduct, for insurance companies and agents investigating fraud or misconduct, and for licensed private investigators authorized by the court to help collect delinquent child support payments.
Violations of these provisions are punishable by fines and up to five years in prison, although there is no private right of action or enforcement by state attorneys general. The authority for enforcing this provision of the new law rests with the Federal Trade Commission (FTC), the federal banking agencies, and the National Credit Union Administration, depending on which agency has jurisdiction over the financial institution.
No State Law Pre-emption
The new law states that the privacy provisions under Title V of the GLB Act do not supersede any state statute or regulation, except when a state statute or regulation is inconsistent with federal provisions. A state statute or regulation is not inconsistent with federal provisions if it affords greater protection than the federal provisions, the law says. This means that if state law affords greater consumer protections than federal law in the area of third party information sharing, the state law will supersede federal law. Many states are expected to take a close look at privacy issues next year.
Security Standards and Other Regulations
The GLB Act requires Federal banking regulators, the Treasury Department, the SEC and the FTC, in consultation with state insurance regulators, to establish standards to ensure the physical security and confidentiality of a customer's financial records, and to protect against unauthorized access to such records. These agencies are also authorized to write regulations to implement the disclosure and "opt-out" requirements of the law. Each agency is to conduct its own rulemaking procedure, but they are required to consult and coordinate with one another and make their regulations "consistent and comparable."
Increased Regulatory Burden on Small Banks
The GLB Act will impose new administrative and regulatory burdens on community banks. But the extent and severity of these burdens will not be known until the regulators publish new rules and standards for compliance with the new law, which are due in May 2000. In the meantime, we urge community bankers to get a head start by analyzing how their banks share information and by developing written privacy policies if they are not already in place.