Financial Services Reform Legislation of 1999, the Gramm-Leach-Bliley Act of 1999
Barry A. Abbott, Andre W. Brewster and Charles P. Ortmeyer of Howard, Rice, Nemerovski, Canady, Falk & Rabkin, A Professional Corporation
The privacy provisions in the Gramm-Leach-Bliley Act were controversial, and almost caused the Act to become stalled in the Conference Committee. The provisions are notable in attempting to establish minimum privacy policies that are national in scope, but were nonetheless widely criticized by privacy advocates. In particular, the Act was criticized for not regulating the sharing of information among financial institution affiliates.
The main privacy provisions govern the activities of "financial institutions," which include banks, savings associations, credit unions, broker-dealers, investment companies, investment advisers and insurance companies. The provisions apply to non-bank financial institutions even if they are not affiliated with a bank. Entities subject to the jurisdiction of the Commodity Futures Trading Commission are excluded.
Nonpublic Personal Information.
The Act regulates dissemination to unaffiliated third parties of a consumer's "nonpublic personal information," which is defined generally as "personally identifiable financial information" that the financial institution obtains from a consumer or that results from transactions or services performed for the consumer. The term appears not to encompass (and therefore the Act appears not to restrict the disclosure of) non-segmented customer lists that are not sorted by personally identifiable financial information, but probably does encompass lists of consumers that are "derived" using personally identifiable financial information (such as lists sorted by customer net worth or transactional criteria).
The Act does not prohibit sharing of nonpublic personal information with non-affiliates. The Act allows such disclosures, provided two conditions are satisfied:
First, the financial institution must "provide" a clear and conspicuous notice to the consumer at the time of establishing a customer relationship and at least annually thereafter of the financial institution's practices with respect to disclosing nonpublic personal information to non-affiliates and affiliates. The disclosure must address, among other things, the categories of information that may be disclosed, and the manner in which the institution will handle information about former customers. In addition, the disclosure must address the institution's general policies for protecting nonpublic personal information.
Second, the financial institution provides the consumer with the opportunity, "before the time that such information is initially disclosed," to "opt out" by directing the financial institution not to disclose the information to third parties.
With disclosure and notwithstanding a customer "opt-out," nonpublic personal information can be provided to nonaffiliated third parties that perform marketing or other services for the financial institution or that enter into joint agreements with the financial institution to offer financial products and services. However, the Act requires in these arrangements that there be a contract between the parties containing a confidentiality provision. Non-affiliates that receive nonpublic personal information are generally prohibited from passing the information along to any other person.
The Act provides a long list of circumstances and activities that are excepted from the prohibitions on dissemination of nonpublic personal information. The exceptions include disclosures to the extent necessary to complete transactions or provide services.
A financial institution will no longer be able to disclose an account or credit card number to a nonaffiliated third party (other than a consumer reporting agency) for use in any telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. This may limit the ability of third party marketing service providers to sell various products effectively.
The bill gives functional regulators broad authority to promulgate regulations for the industries they regulate, in order to carry out the purposes of Title V. The scope and nature of these regulations are at present unknown. The regulations must be issued in final form within six months of the Act's effective date. Title V of the Act itself generally becomes effective one year after the Act's effective date.
The Act's privacy provisions preempt state law only to the extent there is an inconsistency. The Act specifically preserves state privacy laws to the extent they provide greater protection.
As with most of the financial institution bills enacted by Congress in the last few years, this bill also provides for numerous studies. The study in this area is to be conducted by the Treasury Department and is to deal with various aspects of information sharing practices among financial institutions and their affiliates.
The Act deals with the relatively recent phenomenon of people fraudulently attempting to obtain customer information from financial institutions. The Act makes it a felony for any person to obtain or attempt to obtain any customer information from a financial institution by use of false, fictitious or fraudulent statements or forged, counterfeited, lost, stolen, fraudulently obtained or fictitious documents. The Act contains certain specific exemptions for activities conducted by financial institutions in connection with fraud investigations, but these provisions should be reviewed carefully with counsel, as penalties for violating the statute include prison terms up to ten years. Once again, Congress has asked for a report on this subject.
"Consumer" is defined as any individual who obtains financial products or services for personal, family, or household purposes and any legal representative of such individual.
The term "financial information" is not defined, but would presumably include such things as account balances, securities positions, transactional information, and the like.
The contours of this term will obviously be very important in determining whether the Act applies to particular marketing programs.
The Act makes clear that the disclosure may be provided in writing or in electronic form. This would probably allow the disclosure to be made on the institution's website. But query whether notice of the disclosure must be affirmatively "pushed" to the consumer by mail or e-mail? In any event, this provision will very likely compel all financial institutions to post detailed privacy policies on their websites, if they have not done so already.
There are limited exceptions to this prohibition, including one for private label credit card programs.