Difference between revisions of "Gramm Leach Bliley Act"

From Privacy Wiki
(Creating Gramm Leach Bliley Act)
 
m
Line 2: Line 2:
  
 
'''Text of Law'''
 
'''Text of Law'''
TITLE V-PRIVACY-SUBTITLE A-Sec. 501 and etc. :SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.
+
 
 +
TITLE V-PRIVACY-SUBTITLE A-Sec. 501 and etc. :
 +
 
 +
SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.
 
(a) NOTICE REQUIREMENTS.—Except as otherwise provided in
 
(a) NOTICE REQUIREMENTS.—Except as otherwise provided in
 
this subtitle, a financial institution may not, directly or through
 
this subtitle, a financial institution may not, directly or through
Line 9: Line 12:
 
has provided to the consumer a notice that complies with section
 
has provided to the consumer a notice that complies with section
 
503.
 
503.
 +
 
(b) OPT OUT.—
 
(b) OPT OUT.—
 +
 
(1) IN GENERAL.—A financial institution may not disclose
 
(1) IN GENERAL.—A financial institution may not disclose
 
nonpublic personal information to a nonaffiliated third party
 
nonpublic personal information to a nonaffiliated third party
 
unless—
 
unless—
 +
 
(A) such financial institution clearly and conspicuously
 
(A) such financial institution clearly and conspicuously
 
discloses to the consumer, in writing or in electronic form
 
discloses to the consumer, in writing or in electronic form
Line 18: Line 24:
 
section 504, that such information may be disclosed to
 
section 504, that such information may be disclosed to
 
such third party;
 
such third party;
 +
 
(B) the consumer is given the opportunity, before the
 
(B) the consumer is given the opportunity, before the
 
time that such information is initially disclosed, to direct
 
time that such information is initially disclosed, to direct
 
that such information not be disclosed to such third party;
 
that such information not be disclosed to such third party;
 
and
 
and
 +
 
(C) the consumer is given an explanation of how the
 
(C) the consumer is given an explanation of how the
 
consumer can exercise that nondisclosure option.
 
consumer can exercise that nondisclosure option.
 +
 
(2) EXCEPTION.—This subsection shall not prevent a financial institution from providing nonpublic personal information
 
(2) EXCEPTION.—This subsection shall not prevent a financial institution from providing nonpublic personal information
 
to a nonaffiliated third party to perform services for or functions
 
to a nonaffiliated third party to perform services for or functions
Line 33: Line 42:
 
section 504, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to
 
section 504, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to
 
maintain the confidentiality of such information.
 
maintain the confidentiality of such information.
 +
 
(c) LIMITS ON REUSE OF INFORMATION.—Except as otherwise
 
(c) LIMITS ON REUSE OF INFORMATION.—Except as otherwise
 
provided in this subtitle, a nonaffiliated third party that receives
 
provided in this subtitle, a nonaffiliated third party that receives
Line 41: Line 51:
 
and such receiving third party, unless such disclosure would be
 
and such receiving third party, unless such disclosure would be
 
lawful if made directly to such other person by the financial institution.
 
lawful if made directly to such other person by the financial institution.
 +
 
(d) LIMITATIONS ON THE SHARING OF ACCOUNT NUMBER
 
(d) LIMITATIONS ON THE SHARING OF ACCOUNT NUMBER
 
INFORMATION FOR MARKETING PURPOSES.—A financial institution shall not disclose, other than to a consumer reporting agency,
 
INFORMATION FOR MARKETING PURPOSES.—A financial institution shall not disclose, other than to a consumer reporting agency,
Line 48: Line 59:
 
in telemarketing, direct mail marketing, or other marketing through
 
in telemarketing, direct mail marketing, or other marketing through
 
electronic mail to the consumer.
 
electronic mail to the consumer.
 +
 
(e) GENERAL EXCEPTIONS.—Subsections (a) and (b) shall not
 
(e) GENERAL EXCEPTIONS.—Subsections (a) and (b) shall not
 
prohibit the disclosure of nonpublic personal information—
 
prohibit the disclosure of nonpublic personal information—
 +
 
(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with—
 
(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with—
 +
 
(A) servicing or processing a financial product or
 
(A) servicing or processing a financial product or
 
service requested or authorized by the consumer;
 
service requested or authorized by the consumer;
 +
 
(B) maintaining or servicing the consumer’s account
 
(B) maintaining or servicing the consumer’s account
with the financial institution, or with another entity as
+
with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
part of a private label credit card program or other extension of credit on behalf of such entity; or
+
 
 
(C) a proposed or actual securitization, secondary
 
(C) a proposed or actual securitization, secondary
 
market sale (including sales of servicing rights), or similar
 
market sale (including sales of servicing rights), or similar
 
transaction related to a transaction of the consumer;
 
transaction related to a transaction of the consumer;
 
(2) with the consent or at the direction of the consumer;
 
(2) with the consent or at the direction of the consumer;
 +
 
(3)(A) to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service
 
(3)(A) to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service
 
or product, or the transaction therein; (B) to protect against
 
or product, or the transaction therein; (B) to protect against
Line 67: Line 83:
 
to persons holding a legal or beneficial interest relating to
 
to persons holding a legal or beneficial interest relating to
 
the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
 
the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
 +
 
(4) to provide information to insurance rate advisory
 
(4) to provide information to insurance rate advisory
 
organizations, guaranty funds or agencies, applicable rating
 
organizations, guaranty funds or agencies, applicable rating
Line 81: Line 98:
 
or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public
 
or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public
 
safety;
 
safety;
 +
 
(6)(A) to a consumer reporting agency in accordance with
 
(6)(A) to a consumer reporting agency in accordance with
 
the Fair Credit Reporting Act, or (B) from a consumer report
 
the Fair Credit Reporting Act, or (B) from a consumer report
 
reported by a consumer reporting agency;
 
reported by a consumer reporting agency;
 +
 
(7) in connection with a proposed or actual sale, merger,
 
(7) in connection with a proposed or actual sale, merger,
 
transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information
 
transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information
 
concerns solely consumers of such business or unit; or
 
concerns solely consumers of such business or unit; or
 +
 
(8) to comply with Federal, State, or local laws, rules,
 
(8) to comply with Federal, State, or local laws, rules,
 
and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or
 
and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or
Line 93: Line 113:
 
for examination, compliance, or other purposes as authorized
 
for examination, compliance, or other purposes as authorized
 
by law.
 
by law.
 +
 
SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY.
 
SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY.
 
(a) DISCLOSURE REQUIRED.—At the time of establishing a customer relationship with a consumer and not less than annually
 
(a) DISCLOSURE REQUIRED.—At the time of establishing a customer relationship with a consumer and not less than annually
Line 99: Line 120:
 
in writing or in electronic form or other form permitted by the
 
in writing or in electronic form or other form permitted by the
 
regulations prescribed under section 504, of such financial institution’s policies and practices with respect to—
 
regulations prescribed under section 504, of such financial institution’s policies and practices with respect to—
 +
 
(1) disclosing nonpublic personal information to affiliates
 
(1) disclosing nonpublic personal information to affiliates
 
and nonaffiliated third parties, consistent with section 502,
 
and nonaffiliated third parties, consistent with section 502,
 
including the categories of information that may be disclosed;
 
including the categories of information that may be disclosed;
 +
 
(2) disclosing nonpublic personal information of persons
 
(2) disclosing nonpublic personal information of persons
 
who have ceased to be customers of the financial institution;
 
who have ceased to be customers of the financial institution;
 
and
 
and
 +
 
(3) protecting the nonpublic personal information of consumers.
 
(3) protecting the nonpublic personal information of consumers.
 
Such disclosures shall be made in accordance with the regulations
 
Such disclosures shall be made in accordance with the regulations
 
prescribed under section 504.
 
prescribed under section 504.
 +
 
(b) INFORMATION TO BE INCLUDED.—The disclosure required
 
(b) INFORMATION TO BE INCLUDED.—The disclosure required
 
by subsection (a) shall include—
 
by subsection (a) shall include—
 +
 
(1) the policies and practices of the institution with respect
 
(1) the policies and practices of the institution with respect
 
to disclosing nonpublic personal information to nonaffiliated
 
to disclosing nonpublic personal information to nonaffiliated
 
third parties, other than agents of the institution, consistent
 
third parties, other than agents of the institution, consistent
 
with section 502 of this subtitle, and including—
 
with section 502 of this subtitle, and including—
 +
 
(A) the categories of persons to whom the information
 
(A) the categories of persons to whom the information
 
is or may be disclosed, other than the persons to whom
 
is or may be disclosed, other than the persons to whom
 
the information may be provided pursuant to section 502(e);
 
the information may be provided pursuant to section 502(e);
 
and
 
and
 +
 
(B) the policies and practices of the institution with
 
(B) the policies and practices of the institution with
 
respect to disclosing of nonpublic personal information of
 
respect to disclosing of nonpublic personal information of
 
persons who have ceased to be customers of the financial
 
persons who have ceased to be customers of the financial
 
institution;
 
institution;
 +
 
(2) the categories of nonpublic personal information that
 
(2) the categories of nonpublic personal information that
 
are collected by the financial institution;
 
are collected by the financial institution;
 +
 
(3) the policies that the institution maintains to protect
 
(3) the policies that the institution maintains to protect
 
the confidentiality and security of nonpublic personal information in accordance with section 501; and
 
the confidentiality and security of nonpublic personal information in accordance with section 501; and
 
(4) the disclosures required, if any, under section
 
(4) the disclosures required, if any, under section
603(d)(2)(A)(iii) of the Fair Credit Reporting Act.SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.
+
 
 +
603(d)(2)(A)(iii) of the Fair Credit Reporting Act.
 +
 
 +
SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.
 +
 
 
(a) AMENDMENT.—Section 621 of the Fair Credit Reporting
 
(a) AMENDMENT.—Section 621 of the Fair Credit Reporting
 
Act (15 U.S.C. 1681s) is amended—
 
Act (15 U.S.C. 1681s) is amended—
 +
 
(1) in subsection (d), by striking everything following the
 
(1) in subsection (d), by striking everything following the
 
end of the second sentence; and
 
end of the second sentence; and
 +
 
(2) by striking subsection (e) and inserting the following:
 
(2) by striking subsection (e) and inserting the following:
 
‘‘(e) REGULATORY AUTHORITY.—
 
‘‘(e) REGULATORY AUTHORITY.—
 +
 
‘‘(1) The Federal banking agencies referred to in paragraphs
 
‘‘(1) The Federal banking agencies referred to in paragraphs
 
(1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with
 
(1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with
 
respect to any persons identified under paragraphs (1) and
 
respect to any persons identified under paragraphs (1) and
 +
 
(2) of subsection (b), and the Board of Governors of the Federal
 
(2) of subsection (b), and the Board of Governors of the Federal
 
Reserve System shall have authority to prescribe regulations
 
Reserve System shall have authority to prescribe regulations
 
consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.
 
consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.
 +
 
‘‘(2) The Board of the National Credit Union Administration
 
‘‘(2) The Board of the National Credit Union Administration
 
shall prescribe such regulations as necessary to carry out the
 
shall prescribe such regulations as necessary to carry out the
 
purposes of this Act with respect to any persons identified
 
purposes of this Act with respect to any persons identified
 
under paragraph (3) of subsection (b).’’.
 
under paragraph (3) of subsection (b).’’.
 +
 
(b) CONFORMING AMENDMENT.—Section 621(a) of the Fair
 
(b) CONFORMING AMENDMENT.—Section 621(a) of the Fair
 
Credit Reporting Act (15 U.S.C. 1681s(a)) is amended by striking
 
Credit Reporting Act (15 U.S.C. 1681s(a)) is amended by striking
 
paragraph (4).
 
paragraph (4).
 +
 
(c) RELATION TO OTHER PROVISIONS.—Except for the amendments made by subsections (a) and (b), nothing in this title shall
 
(c) RELATION TO OTHER PROVISIONS.—Except for the amendments made by subsections (a) and (b), nothing in this title shall
 
be construed to modify, limit, or supersede the operation of the
 
be construed to modify, limit, or supersede the operation of the
Line 152: Line 193:
 
the basis of the provisions of this title regarding whether information is transaction or experience information under section 603
 
the basis of the provisions of this title regarding whether information is transaction or experience information under section 603
 
of such Act.
 
of such Act.
 +
 
SEC. 507. RELATION TO STATE LAWS.
 
SEC. 507. RELATION TO STATE LAWS.
 +
 
(a) IN GENERAL.—This subtitle and the amendments made by
 
(a) IN GENERAL.—This subtitle and the amendments made by
 
this subtitle shall not be construed as superseding, altering, or
 
this subtitle shall not be construed as superseding, altering, or
Line 159: Line 202:
 
order, or interpretation is inconsistent with the provisions of this
 
order, or interpretation is inconsistent with the provisions of this
 
subtitle, and then only to the extent of the inconsistency.
 
subtitle, and then only to the extent of the inconsistency.
(b) GREATER PROTECTION UNDER STATE LAW.—For purposes
+
 
of this section, a State statute, regulation, order, or interpretation
+
(b) GREATER PROTECTION UNDER STATE LAW.
 +
—For purposes of this section, a State statute, regulation, order, or interpretation
 
is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any
 
is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any
 
person is greater than the protection provided under this subtitle
 
person is greater than the protection provided under this subtitle
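Review bot: In the added lines for SEC. 507(b), the heading "(b) GREATER PROTECTION UNDER STATE LAW." now ends on its own line and the sentence resumes on the next line starting with the dash. Every other subsection in this revision keeps the heading, the dash and the opening words together, for example "(a) IN GENERAL.—This subtitle and the amendments made by". Move the break so the dash and "For purposes of this section" stay on the heading's line.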
Line 167: Line 211:
 
authority with jurisdiction under section 505(a) of either the person
 
authority with jurisdiction under section 505(a) of either the person
 
that initiated the complaint or that is the subject of the complaint,
 
that initiated the complaint or that is the subject of the complaint,
on its own motion or upon the petition of any interested party.SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL
+
on its own motion or upon the petition of any interested party.
 +
 
 +
SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL
 
AFFILIATES.
 
AFFILIATES.
 +
 
(a) IN GENERAL.—The Secretary of the Treasury, in conjunction
 
(a) IN GENERAL.—The Secretary of the Treasury, in conjunction
 
with the Federal functional regulators and the Federal Trade
 
with the Federal functional regulators and the Federal Trade
Line 174: Line 221:
 
among financial institutions and their affiliates. Such study shall
 
among financial institutions and their affiliates. Such study shall
 
include—
 
include—
 +
 
(1) the purposes for the sharing of confidential customer
 
(1) the purposes for the sharing of confidential customer
 
information with affiliates or with nonaffiliated third parties;
 
information with affiliates or with nonaffiliated third parties;
 +
 
(2) the extent and adequacy of security protections for
 
(2) the extent and adequacy of security protections for
 
such information;
 
such information;
 +
 
(3) the potential risks for customer privacy of such sharing
 
(3) the potential risks for customer privacy of such sharing
 
of information;
 
of information;
 +
 
(4) the potential benefits for financial institutions and affiliates of such sharing of information;
 
(4) the potential benefits for financial institutions and affiliates of such sharing of information;
 +
 
(5) the potential benefits for customers of such sharing
 
(5) the potential benefits for customers of such sharing
 
of information;
 
of information;
 +
 
(6) the adequacy of existing laws to protect customer privacy;
 
(6) the adequacy of existing laws to protect customer privacy;
 +
 
(7) the adequacy of financial institution privacy policy and
 
(7) the adequacy of financial institution privacy policy and
privacy rights disclosure under existing law;(8) the feasibility of different approaches, including optout and opt-in, to permit customers to direct that confidential
+
privacy rights disclosure under existing law;
information not be shared with affiliates and nonaffiliated third
+
 
parties; and
+
(8) the feasibility of different approaches, including optout and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and
 +
 
 
(9) the feasibility of restricting sharing of information for
 
(9) the feasibility of restricting sharing of information for
 
specific uses or of permitting customers to direct the uses
 
specific uses or of permitting customers to direct the uses
 
for which information may be shared.
 
for which information may be shared.
 +
 
(b) CONSULTATION.—The Secretary shall consult with representatives of State insurance authorities designated by the National
 
(b) CONSULTATION.—The Secretary shall consult with representatives of State insurance authorities designated by the National
 
Association of Insurance Commissioners, and also with financial
 
Association of Insurance Commissioners, and also with financial
Line 196: Line 252:
 
other representatives of the general public, in formulating and
 
other representatives of the general public, in formulating and
 
conducting the study required by subsection (a).
 
conducting the study required by subsection (a).
 +
 
(c) REPORT.—On or before January 1, 2002, the Secretary shall
 
(c) REPORT.—On or before January 1, 2002, the Secretary shall
 
submit a report to the Congress containing the findings and conclusions of the study required under subsection (a), together with
 
submit a report to the Congress containing the findings and conclusions of the study required under subsection (a), together with
 
such recommendations for legislative or administrative action as
 
such recommendations for legislative or administrative action as
may be appropriate.Subtitle B- SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF
+
may be appropriate.
 +
 
 +
Subtitle B-  
 +
 
 +
SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF
 
FINANCIAL INSTITUTIONS.
 
FINANCIAL INSTITUTIONS.
 +
 
(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY
 
(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY
 
FALSE PRETENSES.—It shall be a violation of this subtitle for any
 
FALSE PRETENSES.—It shall be a violation of this subtitle for any
 
person to obtain or attempt to obtain, or cause to be disclosed
 
person to obtain or attempt to obtain, or cause to be disclosed
 
or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person—
 
or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person—
 +
 
(1) by making a false, fictitious, or fraudulent statement
 
(1) by making a false, fictitious, or fraudulent statement
 
or representation to an officer, employee, or agent of a financial
 
or representation to an officer, employee, or agent of a financial
 
institution;
 
institution;
 +
 
(2) by making a false, fictitious, or fraudulent statement
 
(2) by making a false, fictitious, or fraudulent statement
 
or representation to a customer of a financial institution; or
 
or representation to a customer of a financial institution; or
 +
 
(3) by providing any document to an officer, employee,
 
(3) by providing any document to an officer, employee,
 
or agent of a financial institution, knowing that the document
 
or agent of a financial institution, knowing that the document
 
is forged, counterfeit, lost, or stolen, was fraudulently obtained,
 
is forged, counterfeit, lost, or stolen, was fraudulently obtained,
 
or contains a false, fictitious, or fraudulent statement or representation.
 
or contains a false, fictitious, or fraudulent statement or representation.
 +
 
(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN
 
(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN
 
CUSTOMER INFORMATION FROM FINANCIAL INSTITUTION UNDER
 
CUSTOMER INFORMATION FROM FINANCIAL INSTITUTION UNDER
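Review bot: The added line "Subtitle B-" stops at the hyphen with no subtitle name after it, so the new heading is incomplete. It also uses different casing from "SUBTITLE A" in the opening "TITLE V-PRIVACY-SUBTITLE A-" line. Either add the subtitle's name from the statute text or drop the trailing hyphen, and match the casing used for Subtitle A.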
Line 220: Line 286:
 
knowing that the person will obtain, or attempt to obtain, the
 
knowing that the person will obtain, or attempt to obtain, the
 
information from the institution in any manner described in subsection (a).
 
information from the institution in any manner described in subsection (a).
 +
 
(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES.—No
 
(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES.—No
 
provision of this section shall be construed so as to prevent any
 
provision of this section shall be construed so as to prevent any
Line 226: Line 293:
 
institution in connection with the performance of the official duties
 
institution in connection with the performance of the official duties
 
of the agency.
 
of the agency.
 +
 
(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN
 
(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN
 
CASES.—No provision of this section shall be construed so as to
 
CASES.—No provision of this section shall be construed so as to
Line 231: Line 299:
 
of a financial institution, from obtaining customer information of
 
of a financial institution, from obtaining customer information of
 
such financial institution in the course of—
 
such financial institution in the course of—
 +
 
(1) testing the security procedures or systems of such
 
(1) testing the security procedures or systems of such
 
institution for maintaining the confidentiality of customer
 
institution for maintaining the confidentiality of customer
 
information;
 
information;
 +
 
(2) investigating allegations of misconduct or negligence
 
(2) investigating allegations of misconduct or negligence
 
on the part of any officer, employee, or agent of the financial
 
on the part of any officer, employee, or agent of the financial
 
institution; or
 
institution; or
 +
 
(3) recovering customer information of the financial institution which was obtained or received by another person in any
 
(3) recovering customer information of the financial institution which was obtained or received by another person in any
 
manner described in subsection (a) or (b).
 
manner described in subsection (a) or (b).
 +
 
(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF INSURANCE FRAUD.—No provision of this section shall
 
(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF INSURANCE FRAUD.—No provision of this section shall
 
be construed so as to prevent any insurance institution, or any
 
be construed so as to prevent any insurance institution, or any
Line 245: Line 317:
 
criminal activity, fraud, material misrepresentation, or material
 
criminal activity, fraud, material misrepresentation, or material
 
nondisclosure that is authorized for such institution under State
 
nondisclosure that is authorized for such institution under State
law, regulation, interpretation, or order.(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER
+
law, regulation, interpretation, or order.
 +
 
 +
(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER
 
INFORMATION OF FINANCIAL INSTITUTIONS.—No provision of this
 
INFORMATION OF FINANCIAL INSTITUTIONS.—No provision of this
 
section shall be construed so as to prevent any person from
 
section shall be construed so as to prevent any person from
Line 251: Line 325:
 
laws (as defined in section 3(a)(47) of the Securities Exchange
 
laws (as defined in section 3(a)(47) of the Securities Exchange
 
Act of 1934).
 
Act of 1934).
 +
 
(g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS.—No provision of this section shall be construed to prevent
 
(g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS.—No provision of this section shall be construed to prevent
 
any State-licensed private investigator, or any officer, employee,
 
any State-licensed private investigator, or any officer, employee,
Line 266: Line 341:
 
under the Fair Debt Collection Practices Act to enforce compliance
 
under the Fair Debt Collection Practices Act to enforce compliance
 
with such Act.
 
with such Act.
 +
 
(b) ENFORCEMENT BY OTHER AGENCIES IN CERTAIN CASES.—
 
(b) ENFORCEMENT BY OTHER AGENCIES IN CERTAIN CASES.—
 +
 
(1) IN GENERAL.—Compliance with this subtitle shall be
 
(1) IN GENERAL.—Compliance with this subtitle shall be
 
enforced under—
 
enforced under—
 +
 
(A) section 8 of the Federal Deposit Insurance Act,
 
(A) section 8 of the Federal Deposit Insurance Act,
 
in the case of—
 
in the case of—
 +
 
(i) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the
 
(i) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the
 
Comptroller of the Currency;
 
Comptroller of the Currency;
 +
 
(ii) member banks of the Federal Reserve System
 
(ii) member banks of the Federal Reserve System
 
(other than national banks), branches and agencies
 
(other than national banks), branches and agencies
Line 280: Line 360:
 
foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, by the
 
foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, by the
 
Board;
 
Board;
 +
 
(iii) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal
 
(iii) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal
 
Reserve System and national nonmember banks) and
 
Reserve System and national nonmember banks) and
 
insured State branches of foreign banks, by the Board
 
insured State branches of foreign banks, by the Board
 
of Directors of the Federal Deposit Insurance Corporation; and
 
of Directors of the Federal Deposit Insurance Corporation; and
 +
 
(iv) savings associations the deposits of which are
 
(iv) savings associations the deposits of which are
 
insured by the Federal Deposit Insurance Corporation,
 
insured by the Federal Deposit Insurance Corporation,
 
by the Director of the Office of Thrift Supervision;
 
by the Director of the Office of Thrift Supervision;
 
and
 
and
 +
 
(B) the Federal Credit Union Act, by the Administrator
 
(B) the Federal Credit Union Act, by the Administrator
 
of the National Credit Union Administration with respect
 
of the National Credit Union Administration with respect
 
to any Federal credit union.
 
to any Federal credit union.
 +
 
(2) VIOLATIONS OF THIS SUBTITLE TREATED AS VIOLATIONS
 
(2) VIOLATIONS OF THIS SUBTITLE TREATED AS VIOLATIONS
 
OF OTHER LAWS.—For the purpose of the exercise by any agency referred to in paragraph (1) of its powers under any Act referred
 
OF OTHER LAWS.—For the purpose of the exercise by any agency referred to in paragraph (1) of its powers under any Act referred
Line 300: Line 384:
 
compliance with this subtitle, any other authority conferred
 
compliance with this subtitle, any other authority conferred
 
on such agency by law.SEC. 524. RELATION TO STATE LAWS.
 
on such agency by law.SEC. 524. RELATION TO STATE LAWS.
 +
 
(a) IN GENERAL.—This subtitle shall not be construed as superseding, altering, or affecting the statutes, regulations, orders, or
 
(a) IN GENERAL.—This subtitle shall not be construed as superseding, altering, or affecting the statutes, regulations, orders, or
 
interpretations in effect in any State, except to the extent that
 
interpretations in effect in any State, except to the extent that
 
such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this subtitle, and then only to the
 
such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this subtitle, and then only to the
 
extent of the inconsistency.
 
extent of the inconsistency.
 +
 
(b) GREATER PROTECTION UNDER STATE LAW.—For purposes
 
(b) GREATER PROTECTION UNDER STATE LAW.—For purposes
 
of this section, a State statute, regulation, order, or interpretation
 
of this section, a State statute, regulation, order, or interpretation
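Review bot: The line "on such agency by law.SEC. 524. RELATION TO STATE LAWS." is identical on both sides of this hunk, so the section heading is still fused to the end of the preceding sentence. This revision already separates the SEC. 506, SEC. 508 and SEC. 521 headings from the text before them. Apply the same break here so SEC. 524 starts on its own line.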
Line 313: Line 399:
 
subject of the complaint, on its own motion or upon the petition
 
subject of the complaint, on its own motion or upon the petition
 
of any interested party.
 
of any interested party.
 +
 
SEC. 525. AGENCY GUIDANCE.
 
SEC. 525. AGENCY GUIDANCE.
 +
 
In furtherance of the objectives of this subtitle, each Federal
 
In furtherance of the objectives of this subtitle, each Federal
 
banking agency (as defined in section 3(z) of the Federal Deposit
 
banking agency (as defined in section 3(z) of the Federal Deposit

Revision as of 02:53, 12 February 2020

113 Stat.-1341 Gramm Leach Bliley Act 1999 (Financial Modernization Act and Privacy of Consumer)

Text of Law

TITLE V-PRIVACY-SUBTITLE A-Sec. 501 and etc. :

SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.

(a) NOTICE REQUIREMENTS.—Except as otherwise provided in this subtitle, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 503.

(b) OPT OUT.—

(1) IN GENERAL.—A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless—

(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be disclosed to such third party;

(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and

(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.

(2) EXCEPTION.—This subsection shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution’s own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the regulations prescribed under section 504, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.

(c) LIMITS ON REUSE OF INFORMATION.—Except as otherwise provided in this subtitle, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.

(d) LIMITATIONS ON THE SHARING OF ACCOUNT NUMBER INFORMATION FOR MARKETING PURPOSES.—A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

(e) GENERAL EXCEPTIONS.—Subsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information—

(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with—

(A) servicing or processing a financial product or service requested or authorized by the consumer;

(B) maintaining or servicing the consumer’s account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

(2) with the consent or at the direction of the consumer;

(3)(A) to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service or product, or the transaction therein; (B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (C) for required institutional risk control, or for resolving customer disputes or inquiries; (D) to persons holding a legal or beneficial interest relating to the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;

(4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors;

(5) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91–508 (12 U.S.C. 1951–1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

(6)(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act, or (B) from a consumer report reported by a consumer reporting agency;

(7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(8) to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY.

(a) DISCLOSURE REQUIRED.—At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, of such financial institution’s policies and practices with respect to—

(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed;

(2) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and

(3) protecting the nonpublic personal information of consumers.

Such disclosures shall be made in accordance with the regulations prescribed under section 504.

(b) INFORMATION TO BE INCLUDED.—The disclosure required by subsection (a) shall include—

(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 502 of this subtitle, and including—

(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 502(e); and

(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;

(2) the categories of nonpublic personal information that are collected by the financial institution;

(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501; and

(4) the disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act.

SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.

(a) AMENDMENT.—Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s) is amended—

(1) in subsection (d), by striking everything following the end of the second sentence; and

(2) by striking subsection (e) and inserting the following:

‘‘(e) REGULATORY AUTHORITY.—

‘‘(1) The Federal banking agencies referred to in paragraphs (1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraphs (1) and (2) of subsection (b), and the Board of Governors of the Federal Reserve System shall have authority to prescribe regulations consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.

‘‘(2) The Board of the National Credit Union Administration shall prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraph (3) of subsection (b).’’.

(b) CONFORMING AMENDMENT.—Section 621(a) of the Fair Credit Reporting Act (15 U.S.C. 1681s(a)) is amended by striking paragraph (4).

(c) RELATION TO OTHER PROVISIONS.—Except for the amendments made by subsections (a) and (b), nothing in this title shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act, and no inference shall be drawn on the basis of the provisions of this title regarding whether information is transaction or experience information under section 603 of such Act.

SEC. 507. RELATION TO STATE LAWS.

(a) IN GENERAL.—This subtitle and the amendments made by this subtitle shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.

(b) GREATER PROTECTION UNDER STATE LAW.—For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle and the amendments made by this subtitle, as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 505(a) of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.

SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES.

(a) IN GENERAL.—The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include—

(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;

(2) the extent and adequacy of security protections for such information;

(3) the potential risks for customer privacy of such sharing of information;

(4) the potential benefits for financial institutions and affiliates of such sharing of information;

(5) the potential benefits for customers of such sharing of information;

(6) the adequacy of existing laws to protect customer privacy;

(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;

(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and

(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.

(b) CONSULTATION.—The Secretary shall consult with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, and also with financial services industry, consumer organizations and privacy groups, and other representatives of the general public, in formulating and conducting the study required by subsection (a).

(c) REPORT.—On or before January 1, 2002, the Secretary shall submit a report to the Congress containing the findings and conclusions of the study required under subsection (a), together with such recommendations for legislative or administrative action as may be appropriate.

Subtitle B-

SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.

(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY FALSE PRETENSES.—It shall be a violation of this subtitle for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person—

(1) by making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;

(2) by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or

(3) by providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.

(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN CUSTOMER INFORMATION FROM FINANCIAL INSTITUTION UNDER FALSE PRETENSES.—It shall be a violation of this subtitle to request a person to obtain customer information of a financial institution, knowing that the person will obtain, or attempt to obtain, the information from the institution in any manner described in subsection (a).

(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES.—No provision of this section shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, to obtain customer information of a financial institution in connection with the performance of the official duties of the agency.

(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN CASES.—No provision of this section shall be construed so as to prevent any financial institution, or any officer, employee, or agent of a financial institution, from obtaining customer information of such financial institution in the course of—

(1) testing the security procedures or systems of such institution for maintaining the confidentiality of customer information;

(2) investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the financial institution; or

(3) recovering customer information of the financial institution which was obtained or received by another person in any manner described in subsection (a) or (b).

(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF INSURANCE FRAUD.—No provision of this section shall be construed so as to prevent any insurance institution, or any officer, employee, or agency of an insurance institution, from obtaining information as part of an insurance investigation into criminal activity, fraud, material misrepresentation, or material nondisclosure that is authorized for such institution under State law, regulation, interpretation, or order.

(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.—No provision of this section shall be construed so as to prevent any person from obtaining customer information of a financial institution that otherwise is available as a public record filed pursuant to the securities laws (as defined in section 3(a)(47) of the Securities Exchange Act of 1934).

(g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS.—No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.

SEC. 522. ADMINISTRATIVE ENFORCEMENT.

(a) ENFORCEMENT BY FEDERAL TRADE COMMISSION.—Except as provided in subsection (b), compliance with this subtitle shall be enforced by the Federal Trade Commission in the same manner and with the same power and authority as the Commission has under the Fair Debt Collection Practices Act to enforce compliance with such Act.

(b) ENFORCEMENT BY OTHER AGENCIES IN CERTAIN CASES.—

(1) IN GENERAL.—Compliance with this subtitle shall be enforced under—

(A) section 8 of the Federal Deposit Insurance Act, in the case of—

(i) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;

(ii) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, by the Board;

(iii) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System and national nonmember banks) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation; and

(iv) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, by the Director of the Office of Thrift Supervision; and

(B) the Federal Credit Union Act, by the Administrator of the National Credit Union Administration with respect to any Federal credit union.

(2) VIOLATIONS OF THIS SUBTITLE TREATED AS VIOLATIONS OF OTHER LAWS.—For the purpose of the exercise by any agency referred to in paragraph (1) of its powers under any Act referred to in that paragraph, a violation of this subtitle shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in paragraph (1), each of the agencies referred to in that paragraph may exercise, for the purpose of enforcing compliance with this subtitle, any other authority conferred on such agency by law.

SEC. 524. RELATION TO STATE LAWS.

(a) IN GENERAL.—This subtitle shall not be construed as superseding, altering, or affecting the statutes, regulations, orders, or interpretations in effect in any State, except to the extent that such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.

(b) GREATER PROTECTION UNDER STATE LAW.—For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 522 of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.

SEC. 525. AGENCY GUIDANCE.

In furtherance of the objectives of this subtitle, each Federal banking agency (as defined in section 3(z) of the Federal Deposit Insurance Act), the National Credit Union Administration, and the Securities and Exchange Commission or self-regulatory organizations, as appropriate, shall review regulations and guidelines applicable to financial institutions under their respective jurisdictions and shall prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect activities proscribed under section 521.

Related harms under the Solove Taxonomy:

Scope of Law: Financial Institution