WikiLeaks Document Release
http://wikileaks.org/wiki/CRS-RS21427
February 2, 2009

Congressional Research Service Report RS21427
Financial Privacy Laws Affecting Sharing of Customer Information Among Affiliated Institutions
M. Maureen Murphy, American Law Division
February 23, 2005

Abstract. This report provides an analysis of the current federal law and a description of state laws that appear to provide more consumer protection with respect to the issue of information sharing among affiliates.

Order Code RS21427
Updated February 23, 2005
CRS Report for Congress
Received through the CRS Web
M. Maureen Murphy, Legislative Attorney, American Law Division

Summary

The privacy provisions of the Gramm-Leach-Bliley Act of 1999 (P.L. 106-102) do not permit customers to preclude financial institutions from sharing nonpublic personal information with affiliated companies; they merely require companies to notify their customers of their practices of information sharing with affiliates. Until the Fair Credit Reporting Act (FCRA) was amended in 1996, sharing of such information with affiliates might have subjected a company to being regulated as a credit reporting agency. Under provisions added in 1996, 15 U.S.C. §§ 1681a(d)(2)(A)(ii) and (iii), which preempt inconsistent state law, companies have been permitted to share among their corporate family a broad range of data they have collected on their customers provided they have given the customers the opportunity to preclude, i.e., opt out of, the information sharing. P.L. 108-159 makes these FCRA preemptions permanent and provides a limited opt-out from affiliate sharing of consumer information for the purpose of marketing solicitations. This report will be updated to reflect action on major legislation.
For related information see CRS Report RL31758, Financial Privacy: The Economics of Opt-In vs Opt-Out; CRS Report RL31847, The Role of Information in Lending: The Cost of Privacy Restrictions; CRS Report RS21449, Fair Credit Reporting Act: Preemption of State Law; and CRS Report RL32535, Implementation of the Fair and Accurate Transactions (FACT) Act of 2003.

Background. Although confidentiality standards for businesses dealing in consumer information have traditionally been a matter of state law, both the Fair Credit Reporting Act of 1970 (FCRA)[1] and the privacy title of the Gramm-Leach-Bliley Act of 1999 (GLBA)[2] have meant that federal law generally controls the dissemination of consumer credit information and governs the disclosing and safeguarding of nonpublic personal information held by a wide array of financial institutions.[3] GLBA generally prohibits the disclosure of nonpublic personal information on a customer or consumer by financial institutions unless the consumer is given an opportunity to prevent disclosure, i.e., opt-out; but it contains no prohibition on sharing of customer information among affiliates. It requires each financial institution to notify customers of its privacy policies and practices including those related to information sharing with affiliates.[4]

FCRA prescribes standards that address information collected by businesses that provide information used to determine eligibility of consumers for credit, insurance, or employment. It imposes requirements for accuracy, limits purposes for which such information may be disseminated, allows certain rights for consumer access, and includes civil and criminal penalties for its violation. It generally defines "consumer reports" and limits the purposes and conditions under which "consumer reports" may be furnished by entities that it refers to and regulates as "consumer reporting agencies."[5]

Apparently, in response to concern that information sharing among affiliated companies might be interpreted as providing consumer reports, thereby subjecting banks, insurance companies, and securities firms to all of the obligations imposed upon consumer reporting agencies under the FCRA,[6] the FCRA was amended by the Consumer Credit Reporting Reform Act of 1996.[7] Under these amendments,[8] the FCRA's definition of "consumer report" was amended to exclude communication of transaction and experience information among corporate affiliates and -- provided the consumer was afforded an opportunity to prevent it, i.e., opt out -- communication of other information concerning the consumer among affiliates.[9] Essentially, these provisions permit companies to share with their affiliates certain customer information respecting their transactions and experience with a customer without any notification requirements.[10] Other information about their customers, such as credit reports and application information, may not be shared with other companies in the corporate family unless the customers are given "clear and conspicuous" notice about the sharing and an opportunity to direct that the information not be shared.[11]

FCRA and GLBA Preemption Language. The FCRA preemption of state law regarding affiliate sharing of information, as amended by P.L. 108-159, the Fair and Accurate Credit Transactions Act of 2003 (FACT), is stated in terms of an exception to the rule[12] that the FCRA preempts state law only to the extent of the inconsistency. It reads:

    No requirement or prohibition may be imposed under the laws of any State...(2) with respect to the exchange of information among persons affiliated by common ownership or common corporate control, except that this paragraph shall not apply with respect to subsection (a) or (c)(1) of section 2480e of title 9, Vermont Statutes Annotated (as in effect on September 30, 1999)....[13]

Under the 1996 amendments, the preemptive effect was to last until January 1, 2004, when states would have been able to override the FCRA authorization for interaffiliate sharing of customer information.[14] The legislative history shows a Congressional intent to establish a national standard for interaffiliate sharing of information pertinent to the consumer credit industry in the interest of "operational efficiency for industry ... and competitive prices for consumers" in the credit reporting and credit granting [industries that] are, in many aspects, national in scope."[15] The 2003 legislation made the preemptive effect permanent. It also provided that, subject to certain exceptions, affiliated companies may not share customer information for purposes of marketing unless the consumer is provided clear and conspicuous notification that the information may be exchanged for such purposes and an opportunity and a simple method to opt-out. Among the exceptions are solicitations based on: pre-existing business relationships; current employer's employee benefit plan; a consumer's request or authorization; and, state unfair discrimination insurance law requirements. The 2003 amendments require the agencies to conduct regular joint studies of information sharing practices of affiliated companies and make reports to the Congress every three years, with the first report due no later than December 4, 2006.

GLBA's prohibitions deal only with sharing of nonpublic personal information by financial institutions with nonaffiliated third parties. There is no direct authorization of sharing such information among affiliated financial institutions. In essence, therefore, GLBA indirectly authorizes interaffiliate sharing of information by a provision disavowing an intent to supersede the FCRA.[16] It, therefore, preserves the conditions placed upon interaffiliate sharing of information in the FCRA: (1) that information other than experience or transaction information may be shared only upon providing customers an opportunity to opt-out; and (2) state laws may not preempt. This preservation of the FCRA runs counter to GLBA's general preemption provision under which GLBA preempts state laws only to the extent that they provide less protection than GLBA.[17] Whether or not a state law provides more protection than GLBA and is not preempted, however, must be determined by the Federal Trade Commission (FTC).[18] Generally, state laws that provide more protection than GLBA, e.g., that require a specific form of notice respecting an institution's privacy policy, would not automatically be enforceable without an FTC determination as required under GLBA.[19]

State Laws. Since enactment of GLBA, there has been considerable activity in state legislatures on financial privacy issues, particularly in terms of making reference to the changes wrought by GLBA. Some states have laws that are more protective of consumer privacy. The California Financial Information Privacy Act of 2003[20] is one of these. It is the subject of litigation.[21] At least six other states, Alaska,[22] Connecticut,[23] Illinois,[24] Maryland,[25] North Dakota,[26] and Vermont,[27] have current laws that would require an opt-in or in some way hamper the sharing of customer information among affiliates. None of these would, of course, operate to override the FCRA authorization of interaffiliate information sharing. In other states, since GLBA, there have been provisions enacted modifying stringent financial privacy laws to accommodate GLBA.[28]

Legislative Issues. Although P.L. 108-159 has resolved various issues related to the consumer credit industry and to the problem of identity theft, there are other topics that may be confronted in future sessions of Congress. Privacy advocates favor modifying GLBA to provide more protection for sensitive information; industry representatives are likely to be in favor of federal preemption under GLBA similar to that enacted for FCRA so that there is no prospect of having to comply with an array of state laws when information is shared with non-affiliated third parties. In the 109th Congress, S. 116 (Feinstein) generally requires businesses to provide notice and an opt-out to a consumer before selling or marketing personally identifiable information to affiliates; affirmative consent is required in the case of non-affiliated third parties. It also includes a prohibition and civil and criminal sanctions for the display, sale, or purchase of social security numbers without consent. It also contains provisions aimed at curtailing the sale of individually identifiable health information and a section on driver's license privacy.

[1] P.L. 91-508, tit. VI, §§ 601 et seq.; 88 Stat. 1521; 15 U.S.C. §§ 1681 - 1681u.

[2] P.L. 106-102, 113 Stat. 1338 (1999).

[3] "Financial institution" is defined to mean "any institution the business of which is engaging in financial activities as defined under section 103 of GLBA, § 4k [12 U.S.C. §1843(k)] of the Bank Holding Company Act of 1956." Essentially, these include banking, securities, and insurance activities as enumerated in GLBA and other activities found by the Board of Governors of the Federal Reserve Board, with the concurrence of the Secretary of the Treasury, either (1) to be financial in nature or (2) not posing a risk to the safety or soundness of depository institutions or the financial system generally and complementary to a financial activity. There are, however, exceptions for persons subject to regulation by the Commodity Futures Trading Commission under the Commodity Exchange Act, entities chartered under the Farm Credit Act of 1971, and entities engaged in secondary market operations as long as they do not transfer nonpublic personal information to a nonaffiliated third party.

[4] 15 U.S.C. § 6803.

[5] 15 U.S.C. § 1681b. See generally, CRS Report RL31666, Fair Credit Reporting Act: Rights and Responsibilities.

[6] See, e.g., Joseph L. Seidel, "The Consumer Credit Reporting Reform Act: Information Sharing and Preemption," 2 North Carolina Banking Institute 78, 82-83 (1998) (hereinafter, "Seidel"). L. Richard Fischer, Michel F. McEneney, and Clarke D. Camper, "Fair Credit Reporting Act Amendments: Compliance Issues for Banks," 18 ABA Bank Compliance 7 (1997) (available in LEXIS, BANKNG Library, ARCNWS file).

[7] P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, §§ 2401 2422, 2419, 110 Stat. 3009, 3009-396 to 3009-454.

[8] P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, § 2419, 110 Stat. 3009-452, adding 15 U.S.C. § 1618t(b)(2).

[9] 15 U.S.C. § 1681a(d)(2)(A).

[10] 15 U.S.C. § 1681a(d)(2)(A)(ii). Notice is required under GLBA, 15 U.S.C. § 6803, which requires disclosure when the customer relationship is formed and annually thereafter of a financial institution's privacy policies and practices, including those relating to disclosures to affiliates.

[11] 15 U.S.C. § 1681a(d)(2)(A)(iii).

[12] The FCRA's general preemption clause reads:

    Except as provided in subsections (b) and (c) of this section, this subchapter does not annul, alter, affect, or exempt any person subject to the provisions of this subchapter from complying with the laws of any State with respect to the collection, distribution, or use of any information on consumers, except to the extent that those laws are inconsistent with any provision of this subchapter, and then only to the extent of the inconsistency. 15 U.S.C. § 1681t(a).

[13] 15 U.S.C. § 1681t(2). The Vermont statute prohibits anyone from obtaining a consumer's credit report without consent or a court order.

[14] 15 U.S.C. § 1681t(d)(2). This specifies that the general exceptions (including that relating to sharing of information among affiliates) to the rule on preemption "do not apply to any provision of State law (including any provision of a State constitution) that -- (A) is enacted after January 1, 2004; (B) states explicitly that the provision is intended to supplement this subchapter [15 U.S.C. §§ 1681 - 1671u, i.e., the FCRA]; and (C) gives greater protection to consumers than is provided under this subchapter."

[15] See S.Rept. 104-185, 104th Cong., 1st Sess. (1995), reporting on S. 650 in the 104th Congress, the immediate predecessor of the legislation enacted in 1996. The time limitation derived from a manager's amendment offered by Sen. Bryan in an earlier Congress. 140 Cong. Rec. S5027 (May 3, 1993 daily ed.).

[16] 15 U.S.C. § 6806.

[17] 15 U.S.C. § 6807.

[18] 15 U.S.C. § 6807(b).

[19] 15 U.S.C. § 6807(b).

[20] Cal. Fin. Code §§ 4050-4060.

[21] See CRS Report RL32626, American Bankers Association v. Lockyer: Whether California's Financial Information Privacy Law Has Been Preempted by the Fair and Accurate Credit Transactions (FACT) Act, by M. Maureen Murphy.

[22] Alaska Stat. § 6.01.028 generally requires customer consent for a financial institution to disclose customer information, with no blanket exception or authorization for sharing information among affiliated companies, although there is permission for sharing with marketing partners.

[23] Connecticut Gen. Stat. Anno. §§ 36a-41 to 36a-44 require consent for disclosure by financial institutions, authorize disclosures in various circumstances, but contain no blanket exception for sharing of information among affiliates and place restrictions on sharing of information with broker-dealers.

[24] 205 Ill. Comp. Stat. 5/48.1, et seq.

[25] Md. Code Ann. [Financial Institutions] §§ 1-301, et seq.

[26] N.D. Cent. Code §§ 6.08.1-01 to 6-08.1-08 require customer written consent for sharing of information among affiliates.

[27] Vermont Stat. Anno. §§ 10201 - 10205 prohibit disclosure of customer financial information by financial institutions except as provided in a list of exceptions, none of which appear to permit interaffiliate sharing of customer information.

[28] See, e.g., Florida Stat. §655.059(2)(b). (Amended to that effect in 2001). This states that "nothing...[in the financial privacy statute] shall prohibit a financial institution from disclosing financial information ...as permitted by [GLBA]."