Order Code RS20185
Updated April 16, 2003
CRS Report for Congress
Received through the CRS Web
Privacy Protection for
Customer Financial Information
M. Maureen Murphy
Legislative Attorney
American Law Division
Summary
Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA) (P.L. 106-102, H.Rept.
106-434) requires financial institutions to provide their customers with notice of their
privacy policies. It prohibits financial institutions from sharing nonpublic personally
identifiable customer information with non-affiliated third parties without giving
consumers an opportunity to opt out and prohibits financial institutions from providing
account numbers to non-affiliated third parties for marketing purposes. It requires
financial institutions to safeguard the security and confidentiality of customer
information. Finally, it delegates rulemaking and enforcement authority to the federal
banking and security regulators, the Federal Trade Commission, and state insurance
regulators. In the 108th Congress, H.R. 1766 would give preemptive effect to the
Gramm-Leach-Bliley privacy provisions and would make permanent certain Fair Credit
Reporting Act preemptions of state law relative to information sharing among affiliates.
S. 660 would make the Fair Credit Reporting Act preemptions permanent but would not
affect Gramm-Leach-Bliley. This report will be updated to reflect action on major
legislation. For further information see CRS Report RS21427, Financial Privacy Laws
Affecting Sharing of Customer Information Among Affiliated Institutions, and CRS
Report RL31758, Financial Privacy: The Economics of Opt-In vs Opt-Out.
Background. With modern technology’s ability to gather and retain data, financial
services businesses have increasingly found ways to take advantage of their large
reservoirs of customer information. Not only can they serve their customers better by
tailoring services and communications to their preferences, but they can profit from
sharing that information with others willing to pay for customer lists or targeted marketing
compilations.1 While some consumers are pleased with the wider access to information
about available services that information sharing among financial services providers
offers, others have raised privacy concerns. Individuals are particularly interested in
controls on secondary usage. The United States has no general law of financial privacy.
The Constitution, itself, has been held to provide no protection against governmental
access to financial information turned over to third parties. United States v. Miller, 425
U.S. 435 (1976). This means that although the Fourth Amendment to the United States
Constitution requires a search warrant for a law enforcement agent to obtain such records
as a person’s own copies of canceled checks, credit card charges and receipts, loan
applications, and stock transfer records, it does not protect the same records when they
are held by financial institutions. State constitutions and laws may provide greater
protection.2
1 This report addresses financial privacy issues. For more general information on privacy issues
see: CRS Report RL30671, Personal Privacy Protection: The Legislative Response, by Harold
C. Relyea.
Congressional Research Service · The Library of Congress
Various federal statutes provide a measure of privacy protection for financial records.
The Right to Financial Privacy Act, 12 U.S.C. §§ 3401-3422, sets procedures for federal
government access to customer financial records held by financial institutions. The Fair
Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681 to 1681t, establishes standards for
collection and permissible purposes for dissemination of data by consumer reporting
agencies. It also gives consumers access to their files and the right to correct information
therein. The Electronic Funds Transfer Act, 15 U.S.C. §§ 1693a to 1693r, describes the
rights and liabilities of consumers using electronic fund transfer systems. Among them
is the right to have the financial institution provide them with information as to the
circumstances under which information concerning their accounts will be disclosed to
third parties. With the passage of the Fair Credit Reporting Act Amendments of 1996,
P.L. 104-208, Div. A, Tit. II, Subtitle d, Ch. 1, § 2419, 110 Stat. 3009-452, adding 15
U.S.C. § 1681t(b)(2), companies may share with other entities certain customer
information respecting their transactions and experience with a customer without any
notification requirements. Other customer information, such as credit report or
application information, may be shared with other companies in the corporate family if
the customers are given “clear and conspicuous” notice about the sharing and an
opportunity to direct that the information not be shared.
Gramm-Leach-Bliley’s Privacy Provisions. Title V of the Gramm-Leach-Bliley
Act (GLBA)3 contains the privacy provisions enacted in conjunction with financial
modernization legislation. In addition to strengthening the prohibitions on identity fraud
and mandating a federal study on information sharing among financial institutions and
their affiliates, the legislation requires that federal regulators issue rules that call for
financial institutions to establish standards to insure the security and confidentiality of
customer records. It prohibits financial institutions from disclosing nonpublic personal
information to unaffiliated third parties without providing customers the opportunity to
decline to have such information disclosed. Also included are prohibitions on disclosing
customer account numbers to unaffiliated third parties for use in telemarketing, direct
mail marketing, or other marketing through electronic mail. Under this legislation
financial institutions are required to disclose, initially when a customer relationship is
established and annually thereafter, their privacy policies, including their policies with
respect to sharing information with affiliates and non-affiliated third parties.
2 Local ordinances in San Mateo County and Daly City, California requiring customer
affirmative permission for a financial institution to share personal data are the subject of a lawsuit
brought by Wells Fargo Co. and Bank of America Corp. in September 2002.
3 P.L. 106-102, tit. v, 113 Stat. 1338, 1436. 15 U.S.C. §§ 6801-6809. For general information
on Gramm-Leach-Bliley, see CRS Report RL30375, Major Financial Services Legislation, the
Gramm-Leach-Bliley Act (P.L. 106-102): an Overview, by F. Jean Wells and William D. Jackson.
Rules implementing these privacy provisions have been promulgated by the federal
banking and securities regulators. Implementing regulations were published by the
banking regulators in the Federal Register on June 1, 2000, by the Federal Trade
Commission on May 24, and by the SEC on June 29. 65 Fed. Reg. 35162, 33646, and
40334.4 They became effective on November 13, 2000; and information may be shared
thereafter provided the necessary steps have been taken by the financial institutions. See
FTC regulations at [http://www.ftc.gov/privacy/glbact/index.html]. Consumers may opt
out at any time. Identity theft and pretext calling guidelines were issued to banks on April
6, 2001. [http://www.federalreserve.gov/boarddocs/SRLetters/2001/sr0111.htm].
Insurance industry compliance has been handled on a state-by-state basis by the
appropriate state authority. The National Association of Insurance Commissioners
(NAIC) approved a model law respecting disclosure of consumer financial and health
information intended to guide state legislative efforts in the area.5
These privacy provisions preempt state law except to the extent that the state law
provides greater protection to consumers. The Federal Trade Commission, in conjunction
with the other federal financial institution regulators, is to make the determination as to
whether or not a state law is preempted. The Conference Committee rejected
amendments that would have required customers to opt in, i.e., consent, before financial
institutions could share customer financial information with either affiliates or third
parties. Privacy issues were discussed at each stage of the legislative process in the House
consideration of financial modernization legislation. The House Banking Committee
markup of the legislation (H.R. 10, 106th Cong.) included the rejection of an amendment,
offered by Representative Inslee, that would have permitted bank customers to preclude
sharing their information with third parties. What was accepted instead and included in
the bill as reported by the House Banking Committee (H.Rept. 106-74) were provisions
that would: require institutions to disclose their privacy policies, mandate a federal
privacy study, and prohibit the sharing of health information derived from insurance
activities. As reported by the House Commerce Committee, H.R. 10's prohibition against
sharing individually identified health information derived from insurance activities would
have been extended to include genetic information; customers would have been given the
opportunity to opt out of information sharing by their financial institutions; and
consumers would have been able to examine, upon request, nonpublic personal
information before their financial institution shares or sells such information for
consideration to nonaffiliated persons or entities.
Public and Industry Reaction. One of the indications of the public’s interest
in preserving the confidentiality of personal information conveyed to financial service
providers was the negative reaction to what became an aborted attempt by the federal
banking regulators to promulgate “Know Your Customer” rules.6 These rules would have
imposed precisely detailed requirements on banks and other financial institutions to
establish profiles of expected financial activity and monitor their customers’ transactions
against these profiles. Even before the Know Your Customer Rules and enactment of
Gramm-Leach-Bliley, depository institutions and their regulators have increasingly
promoted industry self-regulation as a means of instilling consumer confidence and
forestalling comprehensive privacy regulation by state and federal governments. The
American Bankers Association, for example, promulgates eight privacy principles for the
banking industry,7 and one of the federal banking regulators, the Office of the Comptroller
of the Currency, issued an advisory letter regarding information sharing.8 The regulatory
scheme set in place by Gramm-Leach-Bliley became operative on July 1, 2001. In a
certain sense, the debate as to whether information sharing by financial institutions with
third parties–outside of their corporate families–should require actual consent rather than
an opportunity to opt out continues. Both the FCRA and Gramm-Leach-Bliley contain
provisions permitting limited and particularized state preemption of federal standards
when state laws provide more protection for consumers. The year 2000 saw activity in
some state legislatures considering ways to enhance the protections of Gramm-Leach-Bliley,
including requiring actual consent–or opt in–before information sharing. Only one
state, California, enacted more protective legislation.9 Industry sources view having to
comply with multiple and inconsistent state regimes as posing excessive regulatory costs,
litigation prospects, and liability potential. The validity of their claims may be reflected
in a position taken by Robert Pitofsky, former Chairman of the Federal Trade
Commission, in December 2000, when he went on record as potentially favoring
legislation geared towards a nationwide financial privacy standard. In the same speech,
however, he indicated that he would also consider enactment of legislation that the
industry has resisted: requiring financial services providers to obtain customer consent
before sharing data, i.e., an opt-in requirement rather than the current opt-out standard.10
4 Federal Register online at [http://www.access.gpo.gov/su_docs/aces/aces140.html].
5 [http://www.naic.org/1news/releases]
A potential issue is the extent of coverage of Gramm-Leach-Bliley. It covers
“financial institutions” within the meaning of the Bank Holding Company Act. Many
commercial entities that sell or perform services for consumers are not included; some
lawyers and accountants may be included because they perform services designated as
“financial in nature” either by the BHCA, itself, or by the regulators under authority of
that legislation as amended by Gramm-Leach-Bliley. On April 8, 2002, the FTC
determined that lawyers were covered and that it had no authority to grant them an
exemption; subsequently the New York State Bar Association filed suit.11 H.R. 781,
introduced by Rep. Biggert in the 108th Congress, would exempt attorneys subject to
professional rules of conduct requiring confidentiality from having to comply with the
GLBA provisions.
6 See CRS Report RS20026, Banking’s Proposed ‘Know Your Customer’ Rules.
7 See “Financial Privacy in America: A Review of Consumer Financial Issues,” (June 1998).
[http://www.aba.com].
8 “Fair Credit Reporting Act,” OCC AL 99-3 (March 29, 1999).
9 California enacted legislation that requires credit card issuers to provide consumers an
opportunity to opt out of information sharing for marketing purposes, includes information
sharing with affiliates for marketing purposes, and requires provision of a toll-free telephone
number for exercising this right to opt out. 2000 Cal. Stat., ch. 977; 2000 Cal. Adv. Leg. Serv.
977 (Deering).
10 “FTC Head Favors Federal Action on Privacy, Says Argument for Preemption Now Stronger,”
6 Electronic Commerce & Law Report 7 (January 3, 2001).
The European Union Data Directive. Another incentive for a nationwide
standard has been the requirements imposed upon companies doing business in Europe
under the European Commission on Data Protection (EU Data Directive), an official act
of the European Parliament and Council, dated October 24, 1995 (95/46/EC). This
imposes strict privacy guidelines respecting the sharing of customer information and
barring transfers, even within the same corporate family, outside of Europe, unless the
transfer is to a country having privacy laws affording similar protection as does Europe.
Legislation. In the 107th Congress, Title III of P.L. 107-56, the USA PATRIOT
Act, includes various amendments to the anti-money laundering laws and requires closer
scrutiny of accounts held in the name of foreign banks and stricter procedures for
identifying new customers. Various proposals to amend Gramm-Leach-Bliley were
considered, some of which would broaden protection for consumer financial information
by requiring an affirmative opt-in for disclosures of specified sensitive information.
There were also measures to preempt state law and, thereby, prevent states from
establishing more protections than are offered under federal law.
The 108th Congress may have an early opportunity to consider the issue of federal
preemption. The Fair Credit Reporting Act provisions on affiliate sharing preempt state
law until January 1, 2004.12 After that date, any state may enact a law that provides
consumers more protection with respect to information sharing among affiliates, provided
the law explicitly states that it is intended to supplement the Fair Credit Reporting Act
provision. 15 U.S.C. § 1681t(d)(2). The financial services industry favors an extension
of federal preemption as a means of continuing the efficiencies in operations and services
that come with broader access to consumer information and avoiding the difficulties of
complying with inconsistent state laws. On the other hand, consumer advocates generally
favor broader protections than offered under federal law, e.g., requiring affirmative
customer consent for sharing information with affiliates. Complicating the matter is the
short time frame, the crowded legislative agenda, and the distinct possibility that raising
this issue will raise broader privacy and Fair Credit Reporting Act issues.
Specifically, the FCRA provisions on affiliate sharing of information preempt state
law until January 1, 2004. Subsection (b)(2) of section 624, 15 U.S.C. § 1681t(b)(2),
provides a general exception to the FCRA’s general rule on preemption. Under that rule,
FCRA does not preempt state law, unless the state law is inconsistent, and then it is
preempted only to the extent of the inconsistency.13 An exception to this rule applies to
sharing of information among affiliates.14 States may override this exception after
January 1, 2004, by enacting laws providing greater protection to consumers with respect
to information sharing among affiliates.15 Gramm-Leach-Bliley, on the other hand,
preempts state laws to the extent that they are inconsistent but provides that “a State
statute, regulation, order, or interpretation is not inconsistent ... if the protection such
statute, regulation, order, or interpretation affords any person is greater than the protection
under this subtitle as determined by the Federal Trade Commission....”16 States may
provide greater protection to consumers than Gramm-Leach-Bliley at any time. The
FCRA moratorium ends on January 1, 2004.
11 [http://www.nysba.org/Content/ContentGroups/News1/Release_attachments/nysbavftc.pdf]
The American Bar Association had also requested an exemption for attorneys on the grounds that
they are subject to stricter confidentiality requirements under their Code of Professional
Responsibility and because having to send out Gramm-Leach-Bliley privacy notices could
confuse their clients as to that confidentiality.
[http://www.abanet.org/poladv/letters/exec/privacy071001.html].
12 For information on the other aspects of the Fair Credit Reporting Act covered by the
preemptions provision set to expire on January 1, 2004, see CRS Report RS20449, Fair Credit
Reporting Act: Preemption of State Law.
S. 660 (Sen. Johnson) would make the FCRA preemptions permanent, thereby
preempting state laws or regulations restricting information sharing among corporate
affiliates.
H.R. 1766 (Reps. Tiberi and Lucas), in addition to making the FCRA preemptions
permanent, would give preemptive effect to GLBA’s provisions respecting disclosure of
nonpublic personal information by financial institutions, effectively establishing a
national standard for disclosure of customer information by financial institutions. It
would prevent states and local governments from imposing additional requirements, such
as an opt-in for information sharing with non-affiliated third parties, more detailed or
more frequent notice requirements, or increased protection for sensitive data.
13 15 U.S.C. § 1681t(a).
14 15 U.S.C. § 1681t(b)(2).
15 15 U.S.C. § 1681t(d)(2).
16 15 U.S.C. § 6824(b), Pub. L. 106-102, § 524(b), 113 Stat. 1448.