Reed Smith Client Alerts

The Office of the Comptroller of the Currency ("OCC"), Federal Reserve Board ("Fed"), Federal Deposit Insurance Corporation ("FDIC") and Office of Thrift Supervision ("OTS") (collectively, the "Agencies") have published proposed privacy rules ("Proposed Privacy Rules") implementing Subtitle A of Title V ("Title V") of the Gramm-Leach-Bliley Act of 1999 ("Gramm-Leach"). Title V addresses the right of financial institutions to share customer financial information and the corresponding right of consumers to protect the confidentiality of that information. Title V was enacted on November 12, 1999, and takes effect 6 months following the adoption of the Proposed Privacy Rules, which must be adopted by no later than May 12, 2000. Comments on the Proposed Privacy Rules must be received by the Agencies by no later than March 31, 2000.

The Proposed Privacy Rules would clarify and expound upon the requirements imposed by Title V. The Proposed Privacy Rules are identical in most respects to the provisions in Title V, except for the definitions of "nonpublic personal information," "personally identifiable financial information" and "publicly available information." The National Credit Union Administration, Federal Trade Commission and Securities and Exchange Commission also are expected to issue proposed privacy rules comparable to the Proposed Privacy Rules.

The following is a brief summary of Title V and the Proposed Privacy Rules.


Summary of Title V and the Proposed Privacy Rules

Scope

  • Title V generally imposes upon every "financial institution" an affirmative and continuing obligation to protect the confidentiality of its customers’ "nonpublic personal information."

    ◦ The Proposed Privacy Rules would apply only to nonpublic personal information about consumers who obtain financial products or services from financial institutions for personal, family or household purposes. The Proposed Privacy Rules would not apply to information about businesses or business purpose transactions.

  • Title V defines "financial institution" to include any institution the business of which is engaging in activities that are permissible for "financial holding companies," which are permitted by Gramm-Leach to engage in a broad variety of activities, including banking, insurance and securities activities.

    ◦ The Proposed Privacy Rules would define "financial institution" to include any institution that engages in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956.

  • Title V defines "nonpublic personal information" to include personally identifiable financial information (excluding publicly available information, and lists, descriptions or other groupings of consumers derived without using nonpublic personal information) which (1) is provided by a consumer to a financial institution, (2) results from a transaction with the consumer or any service performed for the consumer, or (3) is otherwise obtained by the financial institution.

    ◦ The Proposed Privacy Rules present two alternatives for the definition of "nonpublic personal information" based on differences in the definitions of "personally identifiable financial information" and "nonpublic personal information." One definition generally would exclude information actually obtained from a publicly available source; the second definition generally would exclude information which could (but need not) have been obtained from a publicly available source.


Initial and Annual Disclosure of Privacy Policies

  • Title V requires a financial institution, prior to disclosing any nonpublic personal information to a nonaffiliated third party, to provide the consumer with a clear and conspicuous disclosure of its privacy policies at the time of establishing a customer relationship with the consumer (i.e., the initial disclosure) and not less than annually during the continuation of such customer relationship (i.e., the annual disclosure). In so doing, the disclosure requirements in Title V differentiate between "customers" and "consumers."

    ◦ The Proposed Privacy Rules would define a "consumer" to be an individual who obtains from a financial institution financial products or services for a personal, family or household purpose. A "customer" would be defined as essentially a consumer who has a "customer relationship" with a financial institution. With respect to consumers who never become customers of a financial institution, the Proposed Privacy Rules would make clear that the financial institution need not provide any notice to the consumers unless the financial institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties outside any of the available exceptions (see discussion of exceptions below).

    ◦ With respect to customers, the Proposed Privacy Rules would require that financial institutions disclose, at the time they first establish the customer relationship, and not less than annually during the continuation of the customer relationship, their policies and practices with respect to (1) disclosing nonpublic personal information of customers and former customers to affiliates and nonaffiliated third parties (including, for current customers, the categories of information that may be disclosed) and (2) protecting from disclosure the nonpublic personal information of consumers.

    ◦ The Proposed Privacy Rules would clarify that, for purposes of the initial privacy policy notice, a customer relationship is established when the financial institution and consumer enter into a continuing relationship; isolated transactions or repeated transactions at an ATM owned by a financial institution would not constitute a continuing relationship.

    ◦ The Proposed Privacy Rules would clarify that the annual privacy policy notices need not be given to customers with whom a financial institution no longer has a continuing relationship (such as when a loan is paid in full or charged off, when assets are sold without retaining servicing rights, or when a financial institution has not communicated with the customer, except for the annual privacy policy notice, within a period of 12 consecutive months).

    ◦ The Proposed Privacy Rules also would clarify that both the initial and annual privacy policy notices must (1) be clear and conspicuous, (2) be provided in writing, or if the consumer agrees, electronically (no oral notices), such that each recipient can reasonably be expected to receive actual notice (e.g., by hand delivery, mailing a copy to the customer’s last known address, or email if the customer receives a financial product electronically and agrees to such form of communication), (3) accurately reflect the privacy policies of the financial institution as of the time the notices are provided, and (4) contain the following information:

(a) categories of nonpublic personal information that a financial institution may collect according to the source of the information;

(b) categories of nonpublic personal information that a financial institution may disclose according to source, with examples of the content of the information;

(c) categories of affiliates and nonaffiliated third parties to whom a financial institution discloses nonpublic personal information by types or lines of business;

(d) information on the policies and practices of the financial institution with respect to sharing information concerning former customers with affiliates and nonaffiliated third parties;

(e) if the financial institution discloses nonpublic personal information to third parties pursuant to the joint marketing exception (see discussion of exemptions below), a separate description of the categories of information that are disclosed and the categories of third parties providing the services;

(f) an explanation of the customer’s "opt-out" right (see discussion of opt-out right below), including the methods available to exercise that right;

(g) any disclosures that a financial institution makes pursuant to Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (relating to affiliate opt-out disclosures); and

(h) information on the financial institution’s policies and practices with respect to protecting the confidentiality, security and integrity of nonpublic personal information.


Non-Disclosure Requirements

  • Under Title V, a financial institution is prohibited from disclosing, directly or through any affiliate, to a nonaffiliated third party any nonpublic personal information (1) unless the institution has provided the customer with a notice indicating that such information may be disclosed to such third party and giving the customer an opportunity to "opt" for non-disclosure (i.e., "opt out") and (2) (although not explicitly stated in the law) the customer has not elected to opt out.

    ◦ The Proposed Privacy Rules would clarify that the "opt-out" requirement applies whether or not the consumer establishes a customer relationship with the financial institution and that a consumer must be given a reasonable opportunity to "opt out." For isolated transactions, the opportunity would be considered reasonable if the consumer must decide as part of the transaction whether or not to opt out. For notices that are mailed, the consumer would need to be given at least 30 days to make the "opt-out" election. The Proposed Privacy Rules also would make clear that the financial institution need not provide any "opt-out" notice to the consumer unless the financial institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties outside any of the available exceptions (see discussion of exceptions below).

    ◦ The Proposed Privacy Rules would require that an "opt-out" notice must (1) be clear and conspicuous, (2) accurately explain the right to "opt out," (3) inform the consumer that the financial institution may disclose nonpublic personal information (identified by category of information) to nonaffiliated third parties (identified by category of third parties), (4) state that the consumer has the right to "opt out," and (5) provide the consumer with a reasonable means by which to "opt out" (e.g., check boxes, self-addressed stamped reply forms, or email addresses). The "opt-out" notice also could be provided on the same form as the initial and annual privacy policy notices.

    ◦ The Proposed Privacy Rules would clarify that a financial institution that changes its disclosure policies must provide a revised notice and a new opportunity to "opt out" in writing, or, if the consumer agrees, in electronic form; and that a consumer "opt out" is effective until revoked by the consumer in writing, or, if the consumer agrees, in electronic form.

    ◦ Significantly, the Proposed Privacy Rules also would provide that the consumer’s right to "opt out" never expires. If a consumer does not initially exercise the "opt-out" right but later does exercise it, a financial institution would be permitted to continue to disclose nonpublic personal information about that consumer to nonaffiliated third parties only for the period of time necessary to implement the consumer’s opt-out election.


Joint Marketing Exception to Non-Disclosure Requirement

  • Under Title V, a consumer does not have the right to "opt out," and the nondisclosure requirement does not apply, where (1) a financial institution provides nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution (including marketing of the financial institution’s own products or services or financial products offered pursuant to joint marketing agreements between two or more financial institutions), (2) the financial institution fully discloses such arrangement to the consumer, and (3) the financial institution enters into a contractual agreement with the nonaffiliated third party obligating the third party to maintain the confidentiality of the information.

    ◦ The Proposed Privacy Rules would clarify that for the above exception to apply, the financial institution must (1) provide the initial privacy policy notice (which should include a description of the categories of information disclosed and the categories of third parties providing services under a joint marketing arrangement), and (2) enter into a contractual agreement with the third-party service provider (which may be a joint marketing agreement) that (a) requires the third-party service provider to maintain the confidentiality of the information to at least the same extent that the financial institution must maintain that confidentiality under the Proposed Privacy Rules, and (b) limits the third party’s use of the information solely to the purposes for which the information was disclosed or as otherwise permitted by the Proposed Privacy Rules.


Other Exceptions to Non-Disclosure Requirements

  • Title V also exempts from non-disclosure and "opt-out" requirements consumer information that: (1) is necessary to effect or enforce a consumer-requested or consumer-initiated transaction; (2) is needed to protect the confidentiality of the institution’s records pertaining to the individual or to prevent fraud; (3) is given to a person holding a legal or beneficial interest relating to the consumer, to persons acting in a fiduciary capacity on behalf of the consumer, to insurance rate advisory organizations or to a consumer reporting agency in accordance with the federal Fair Credit Reporting Act; (4) is required or permitted to be given in accordance with the Right to Financial Privacy Act of 1978, or to comply with any federal, state or local laws; or (5) is disclosed in connection with a proposed merger or acquisition of a business and concerns solely consumers of such business. A financial institution also may obtain the consumer’s consent to the disclosure of nonpublic personal information about that consumer to nonaffiliated third parties.

    ◦ The Proposed Privacy Rules would clarify many of the above exceptions contained in Title V. For example, the Proposed Privacy Rules would define "necessary to effect, administer or enforce a transaction" as that term is used in the first of the above exceptions in Title V.

Enforcement

  • The requirements in Title V are to be enforced by the financial institution’s federal functional regulator, if it has one (i.e., the Agencies, the National Credit Union Administration, Treasury and the SEC), or its state insurance authorities (in the case of insurance companies), or, for all other entities, the Federal Trade Commission. A violation of Title V will be considered a violation of the law administered by the relevant agency and subject the violator to the penalties prescribed under that law.

    ◦ The Proposed Privacy Rules would not deal with enforcement of the requirements of Title V and the Proposed Privacy Rules.


Interrelationship with State Law and the FCRA

  • Title V supersedes state law only to the extent the state law is "inconsistent" with Title V. A state law, however, is not "inconsistent" with Title V if the state law affords "greater protection" to the consumer than does Title V. Title V also explicitly indicates that, except for three conforming amendments set forth in Section 506, it generally is not intended to modify, limit or supersede any of the provisions of the FCRA.

    ◦ The Proposed Privacy Rules similarly would provide (1) that they should not be construed as superseding, altering or affecting any state law, except to the extent such state law is inconsistent, and then only to the extent of the inconsistency, and that a state law will not be considered inconsistent if it affords greater protection to any consumer than Title V, and (2) that they should not be construed to modify, limit or supersede the operation of the FCRA.


Proposed Effective Date

  • Title V provides that, except for Sections 504 (dealing with the regulatory authority and rulemaking) and Section 506 (dealing with amendments to the FCRA), it is to take effect 6 months after the date on which the final privacy rules are promulgated, unless a later date is specified in such final privacy rules. Title V requires that the final privacy rules be promulgated by May 12, 2000.

    ◦ The Proposed Privacy Rules contemplate an effective date for the final privacy rules and Title V of November 13, 2000 for financial institutions covered by the Proposed Privacy Rules.

    ◦ The Proposed Privacy Rules also would provide that, no later than 30 days after the effective date of the final privacy rules, a financial institution must provide an initial privacy policy notice to all consumers who were customers of the financial institution on the effective date.

Agencies Invite Comments

In the preamble to the Proposed Privacy Rules, in addition to comments on the Proposed Privacy Rules as a whole, the Agencies invited comments on the following specific issues, among others:

  • Whether including examples in the rules is useful and suggestions on additional or different examples that may be helpful in illustrating compliance with the rule.

  • On the two alternatives for the definition of "nonpublic personal information," and whether either definition would cover information about a consumer that contains no indicators of the consumer’s identity (e.g., aggregate information concerning a loan portfolio).

  • On the definition of "personally identifiable information."

  • Whether information should be viewed as publicly available if it could be obtained (rather than actually being obtained) from government records, widely distributed media or legally required disclosures to the general public, and what information is appropriately considered publicly available, particularly in the context of information available over the Internet.

  • Who should receive an initial privacy policy notice where there is more than one party to an account.

  • On the regulatory burden of providing the initial privacy policy notices and on the methods financial institutions anticipate using to provide the notices.

  • Whether there should be exceptions to the requirement that financial institutions provide the initial privacy policy notice at the time of the creation of a customer relationship.

  • Whether the examples provided in the Proposed Privacy Rules as to when a customer relationship is terminated are adequate.

  • On the regulatory burden of providing the annual notices and on the methods financial institutions anticipate using to provide the notices.

  • On how the "opt-out" right should apply in the case of joint accounts.

  • On whether 30 days is a reasonable opportunity to "opt out" in the case of "opt-out" notices sent by mail, and whether an example in the context of transactions conducted using an electronic medium would be helpful.

  • On the likely burden of complying with the requirement to provide "opt-out" notices, the methods financial institutions anticipate using to deliver the "opt-out" notices, and the approximate number of "opt-out" notices they expect to deliver and process.

  • Whether the privacy rules should require a financial institution to take steps to assure itself that a product being jointly marketed and the other participants in a joint marketing agreement do not present undue risks for the financial institution, and whether additional requirements regarding the joint marketing exception should be promulgated.

  • Whether safeguards should be added regarding the consumer consent exception to the notice requirements contained in Title V to minimize the potential for consumer confusion.

  • Whether 30 days after the effective date is enough time to permit a financial institution to deliver the required initial privacy notices.

Practical Problems Posed by Title V

What may make Title V and the privacy rules problematic for lenders and servicers (and others affected by its provisions) is not so much the requirement that a financial institution disclose its privacy policies and permit customers to "opt out" of disclosure to nonaffiliated third parties, but how to ensure adherence to those policies. Financial institutions will need to take the following steps, among others:

  • Gain an intimate understanding of their current practices regarding obtaining and sharing customer information.

  • Develop an understanding of the requirements of Title V and the privacy rules.

  • Determine whether the privacy laws of any applicable jurisdictions impose stricter standards on dissemination of customer information such that they would not be preempted by Title V and the privacy rules.

  • Develop compliance programs designed to bring their practices in line with the applicable legal requirements (whether they be Title V and the privacy rules or more stringent state law requirements).

  • Test the compliance programs to ensure that controls are adequate, "opt-out" elections are being handled properly, etc.

Conclusion

Given that the comment period on the Proposed Privacy Rules ends on March 31, and that the contemplated effective date for Title V and the final privacy rules is November 13, 2000, the wiser course of action is to become familiar with Title V and the Proposed Privacy Rules now, so that your organization may plan and be in a position to comply with the privacy requirements. The Reed Smith lawyers named below can assist you with this effort. We can provide you with a copy of Title V, the Proposed Privacy Rules, more detailed analysis and strategic planning services upon request.