On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act, which will effect dramatic changes to the financial services industry. Among other provisions, the Act imposes an array of new requirements on financial institutions with respect to customer privacy. The Act emphasizes the affirmative and continuing obligations that financial institutions have to respect the privacy of their customers and to protect the security and confidentiality of non-public personal information of these customers.
Effective Date; Rulemaking
Fifty-one state insurance regulators, four federal banking regulators, the National Credit Union Administration, the Securities and Exchange Commission and the Federal Trade Commission are each given jurisdiction to adopt regulations and enforce the privacy provisions with respect to specified companies. The regulations by federal regulators are supposed to be issued in final form not later than six months after the Act's enactment date - this would require that final regulations be out by May 12, 2000.
The majority of the Act's privacy requirements are to take effect six months after the date on which regulations are required to be issued in final form by the designated federal agencies - or November 12, 2000 - except to the extent that a later date is specified in the regulations.
While the various regulatory authorities are supposed to coordinate in their interpretation of the Act, there is no assurance that uniform answers will be reached with respect to the many questions that arise under the privacy provisions. A single holding company group may be subject to substantially different regulation in this area, depending on which subsidiary company is involved. Furthermore, as noted below, different state privacy laws may also apply.
A Multitude of New Entities Are Covered
The new provisions apply to all "financial institutions" - that is, any institution the business of which is engaging in any activity which is financial in nature or incidental to a financial activity. By definition, an entity engaged in any activity which a bank holding company could do in the new world order may become subject to these requirements. Going forward, as additional activities are deemed to be financial in nature, anyone engaged in that activity could become subject to the privacy requirements whether or not it is owned by a bank holding company.
On its face, the coverage appears to be overly broad. Beyond those activities that are obviously "financial," the definition in the Act also picks up the myriad activities now authorized for financial holding companies - including, for example, travel agencies.
Furthermore, there is uncertainty regarding the level of "financial activity" that is required for a company to become subject to the Act. For example, the new requirements could be deemed to extend to any entity which enters into a debtor/creditor relationship as part of its business, even if such activity is just incidental to its main business, such as a department store offering charge cards to its customers. Alternatively, the language could be construed as applying only to entities which are primarily or exclusively engaged in financial activities.
Types of Customer Information Protected
The privacy obligations apply only to non-public personal information, which is defined to mean personally identifiable financial information obtained by the financial institution. The Act does not specify what types of information are deemed to be "financial," and we expect that the regulators will address this issue in promulgating regulations.
The term "non-public personal information" does not include a list of consumers, and publicly available information pertaining to them, that is derived without using any non-public personal information, but the use of any non-public personal information to develop the list will mean that the list itself is considered non-public personal information. Note that publicly available information, as well as health and employment information, are not covered by the new requirements, although such information may be covered by existing provisions of the federal Fair Credit Reporting Act and any applicable state laws.
Disclosure of Financial Institution's Privacy Policy
The Act requires that a financial institution must provide its customers with clear and conspicuous disclosures outlining its policies and practices with respect to consumer privacy. A financial institution must specifically include disclosure of its policies and practices on: (a) disclosing non-public personal information to affiliates and non-affiliates, including categories of information that may be disclosed; (b) disclosing non-public personal information of past customers; and (c) protecting non-public personal information of consumers. These disclosures must be provided at the time the institution establishes a customer relationship with a consumer, as well as annually during the continuation of the relationship.
On its face, the Act appears to require a financial institution to develop a privacy policy whether or not it obtains covered customer financial information, and even when the financial institution does obtain such information but has no intention of sharing it with third parties. But on this latter point, institutions should note that the concept of sharing is not limited to traditional mailing lists - it includes almost any kind of situation in which access to customer financial information will be given to someone outside of the company. Again, we are hopeful that the required regulations will clarify these types of issues.
Customers' Opportunity to Opt Out of Sharing
With certain exceptions, a financial institution must give its customers the opportunity to opt out of any sharing with non-affiliated third parties of the customers' non-public personal information. Specifically, the Act requires that a financial institution must provide clear and conspicuous disclosures to the consumers advising them that covered information may be disclosed to a third party and explaining how they can exercise their non-disclosure option. The non-disclosure option must be given to the consumers before any covered information is shared with third parties. Issues left for the regulators to resolve by regulation include rules on the form, content, frequency and delivery of opt-out notices.
A number of important exceptions from the opt-out opportunity requirements are included in the Act. These include disclosure of covered information as necessary to effect, administer or enforce a transaction required or authorized by the consumer; disclosure in connection with the servicing or processing of a financial product or service requested or authorized by the consumer; and proposed or actual securitizations, secondary market sales (including sales of servicing rights) or similar transactions.
In addition to the above, disclosures to third parties which perform services for the institution, including marketing of the institution's own products or services, will not be subject to the opt-out provisions, provided that the institution fully discloses that it provides such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of the information. (Note, however, that these requirements could be material if the institution's obligation to "fully disclose" is interpreted to require specific disclosure of the particular entities to which information will be transferred for such purposes; in this case, the institution may have to provide more than the general privacy policy disclosures discussed above.)
Companies contemplating any type of sharing of covered information should carefully review the many exceptions to determine whether their customers must be given an opportunity to opt out before the proposed sharing takes place.
Protection from Fraudulent Access to Customer Information
The Act contains specific new prohibitions on the use of false pretenses to obtain any information maintained by or for a financial institution which is derived from the customer's relationship with the financial institution. Violators of these provisions may be subject to criminal penalties.
State Law Requirements
The Act's privacy requirements will only supersede state law or authority relating to customer privacy to the extent that such state authority is inconsistent with the new federal requirements. Note that a state authority will not be deemed to be inconsistent with the federal requirements if the state authority provides greater protection to the customer.
The above summary addresses only some of the more significant provisions of the new privacy requirements. There are a number of other requirements, however, which will be of interest and/or importance to covered financial institutions. For further information, please feel free to contact us.
Please also read our other Updates on the Gramm-Leach-Bliley Act:
- The Gramm-Leach-Bliley Act: What's In It for the Insurance Industry
- The Gramm-Leach-Bliley Act: What's In It for the Investment Management Industry
- The Gramm-Leach-Bliley Act: What's In It for Banks and Thrifts
- SBICs After Gramm-Leach-Bliley
ENDNOTES
1. Sharing of customer financial information with affiliated entities is not covered by the Act's opt-out provisions, but customers may have opt-out rights with respect to sharing with affiliates under existing provisions of the federal Fair Credit Reporting Act and state law. While the Act's opt-out provisions only apply to sharing with non-affiliated third parties, note that the company's privacy policy disclosures must include information on the company's policies and practices on disclosing of information to
Copyright 2000 Pepper Hamilton LLP