August 23, 2012
FINANCIAL PRIVACY LAWS
By: Katherine Dwyer, Legislative Analyst II
You asked for an overview of (1) the 1999 federal Gramm-Leach-Bliley Act, (2) Connecticut state law on financial privacy, and (3) financial privacy laws in California and Vermont.
The federal Gramm-Leach-Bliley (GLB) Act (15 USC § 6801 et seq.), among other things, limits the circumstances under which financial institutions can disclose nonpublic personal information about customers. It allows disclosing this information for certain business purposes or with the customer's consent. It requires financial institutions to allow customers to “opt out” of information-sharing arrangements with unaffiliated third parties. The act specifies that a state statute, regulation, order, or interpretation can provide greater protection.
Connecticut law requires financial institutions to comply with the GLB Act's provisions on customer privacy. It, with several exceptions, prohibits financial institutions from disclosing customer financial records without the customer's authorization.
California adopted legislation with the stated intent of providing residents with greater financial privacy protection than the GLB Act provides. The Financial Information Privacy Act, with limited exceptions, prohibits financial institutions from selling, sharing, transferring, or otherwise disclosing a consumer's nonpublic personal information to or with any nonaffiliated third parties without the consumer's explicit prior consent. It also prohibits a financial institution from disclosing or sharing such information with an affiliate unless (1) the institution has notified the consumer annually in writing that the information may be disclosed to the institution's affiliates and (2) the consumer has not directed the institution not to disclose it. However, the federal Ninth Circuit Court of Appeals ruled that California's legislation is partially preempted by the federal Fair Credit Reporting Act (FCRA).
Vermont law, like Connecticut's, prohibits a financial institution from disclosing customer financial information to anyone without the customer's authorization. However, also like Connecticut, Vermont's law includes numerous exceptions to this prohibition.
We searched laws in all 50 states and were unable to find any legislation that provided significantly greater financial privacy protection than that provided by current Connecticut law and the GLB Act.
The GLB Act requires all financial institutions to disclose to customers their policies and practices for protecting the privacy of nonpublic personal information. The policies must also allow customers to “opt out” of information-sharing arrangements with nonaffiliated third parties. If a customer opts out, a financial institution may still provide his or her nonpublic personal information to nonaffiliated third parties to perform functions on the institution's behalf, such as marketing products or services. The institution must fully disclose its use of the information and enter into a contract with the third party that requires the third party to keep the information confidential (15 USC § 6802(b)).
The act prohibits financial institutions from disclosing, other than to a consumer reporting agency, an account or access number for a consumer's credit card, deposit, or transaction account to any nonaffiliated third party for marketing purposes (15 USC § 6802(d)).
The act allows the disclosure of nonpublic personal information with the consumer's consent or direction or for the following purposes:
1. to administer or fulfill a transaction requested or authorized by a consumer or related to (a) processing a financial product or service, (b) maintaining a consumer's account, or (c) a proposed or actual securitization or secondary market sale;
2. to (a) protect the security or confidentiality of a consumer's financial records or (b) prevent or protect against actual or potential fraud or other liability;
3. for required institutional risk control;
4. to resolve customer disputes;
5. to provide information to insurance rate advisory organizations, guaranty funds or agencies, rating agencies of financial institutions, or people assessing the financial institution's compliance with industry standards;
6. in connection with a proposed or actual sale, merger, transfer, or exchange of all or a part of a business; and
7. to respond to judicial process or government regulatory authorities with jurisdiction over the financial institution for examination, compliance, or other legally authorized purposes.
The act allows disclosure to:
1. people (a) holding a legal or beneficial interest relating to the consumer or (b) acting in a fiduciary capacity;
2. (a) consumer reporting agencies in accordance with the federal FCRA and (b) to the extent specifically allowed or required by law and in accordance with the federal Right to Financial Privacy Act, to law enforcement agencies, self-regulatory organizations, or others for public safety investigations.
It also allows disclosure to comply with (1) federal, state, or local laws, rules or other applicable legal requirements; and (2) a properly authorized civil, criminal, or regulatory investigation, subpoena, or summons by a federal, state, or local authority (15 USC § 6802(e)).
The GLB Act specifies that a state statute, regulation, order, or interpretation may provide greater consumer protection (15 USC § 6807(b)).
Connecticut law requires banks, state and federal credit unions, out-of-state banks that maintain a branch in Connecticut, out-of-state trust companies or credit unions that maintain an office in Connecticut, other Connecticut banking law licensees, or any entity subject to the banking commissioner's jurisdiction under Connecticut securities law to comply with the GLB Act provisions that:
1. limit the circumstances under which a financial institution can disclose nonpublic personal information about a consumer to nonaffiliated third parties and
2. require financial institutions to disclose to their customers the institution's financial privacy policies and practices with respect to affiliated and nonaffiliated parties (CGS § 36a-44a).
Connecticut law prohibits financial institutions from disclosing customer financial records without the customer's authorization, unless the records are disclosed in response to a:
1. certificate signed by the administrative or social services commissioner pursuant to an investigation;
2. subpoena, summons, warrant or court order (in most instances, the law requires notice to the customer and an opportunity to object to disclosure, see CGS § 36a-43);
3. judgment creditor's interrogatories or a levying officer's demand;
4. certificate (a) issued by a medical provider or its attorney related to medical assistance in certain circumstances or (b) signed by the veterans' affairs commissioner;
5. grant of consent by an elderly person or his or her representative to a person, department, agency, or commission related to social services; or
6. tax collector's request for information from a financial institution (CGS § 36a-42).
Connecticut's financial privacy statutes allow (1) a financial institution officer, employee or agent or a certified public accountant performing an independent audit to prepare, examine, handle, or maintain financial records in the institution's custody and (2) an official, employee, or agent of a supervisory agency to examine a financial institution's records if doing so is in the scope of his or her duties.
The statutes include several additional exceptions to the confidential treatment of customer records. A financial institution may (1) publish data furnished from customer financial records if the data does not contain customer or account identifying information; (2) make IRS reports or returns; and (3) exchange, in the regular course of business, credit information with another financial institution or commercial enterprise, directly or through a consumer reporting agency.
Additionally, a financial institution may disclose information:
1. permitted under the Uniform Commercial Code concerning the dishonor of a negotiable instrument;
2. in response to a search warrant;
3. in connection with its attempts to preserve its rights or determine its liabilities regarding any funds transfer or any check, draft, money order, or other item drawn by or upon or handled by it for collection or otherwise; or
4. required under applicable state or federal law or authorized by any regulatory or law enforcement agency.
A financial institution may also disclose information to:
1. appropriate federal, state, or local officials about suspected criminal law violations;
2. the Statewide Grievance Committee about lawyers' clients' funds accounts;
3. a check, draft, money order, or other item holder or payee whether or not the item was accepted as payment;
4. a financial institution involved in the collection process whether or not a check, draft, money order, or other item would be paid if presented at the time of the disclosure;
5. an insurance company for a risk assessment in connection with obtaining or maintaining a surety bond or a fraud investigation;
6. a broker-dealer or investment advisor in a contractual networking arrangement with the financial institution, provided the institution clearly and conspicuously discloses to the customer that the information may be shared with the entities and the customer has a reasonable opportunity to direct that it not be shared;
7. a customer service representative employed by, or otherwise acting as an agent for, both the financial institution and a broker-dealer or investment advisor, provided the broker-dealer or investment advisor is in a contractual networking arrangement;
8. other broker-dealer or investment advisor employees or agents working in a contractual networking arrangement in order to comply with banking laws;
9. an information network for fraud prevention accessed by financial institutions and law enforcement authorities solely to detect or protect against actual or potential fraud or unauthorized transactions; and
10. an identity theft victim under the federal FCRA (CGS § 36a-44).
Any financial institution officer or employee who knowingly and willfully furnishes financial records in violation of these statutes commits a class C misdemeanor (which is punishable by up to three months in prison, up to a $500 fine, or both). Any person who knowingly or willfully induces or attempts to induce a financial institution officer to disclose financial records in violation of these statutes also commits a class C misdemeanor.
Financial Information Privacy Act
Under California's Financial Information Privacy Act, with limited exceptions, a financial institution cannot sell, share, transfer, or otherwise disclose a consumer's nonpublic personal information to nonaffiliated third parties without the consumer's explicit prior consent (Cal. Fin. Code § 4052.5).
Additionally, California law prohibits a financial institution from disclosing or sharing a consumer's nonpublic personal information with an affiliate unless the institution has clearly and conspicuously notified the consumer annually in writing that the information may be disclosed to the institution's affiliates and the consumer has not directed the institution not to disclose the information (Cal. Fin. Code § 4053). Certain closely affiliated institutions are exempt from this requirement if both the disclosing and receiving institutions (1) use the same brand; (2) operate within the same line of business (banking, insurance, or securities); and (3) are regulated by the same agency (Cal. Fin. Code § 4053).
American Bankers Association v. Gould
In American Bankers Ass'n v. Gould, 412 F.3d 1081 (9th Cir. 2005), the Ninth Circuit Court of Appeals ruled that the federal FCRA preempts the California law that regulates information sharing between a financial institution and its affiliate.
FCRA, among other things, regulates the use of consumer reports by consumer reporting agencies. It (1) limits the circumstances in which a consumer reporting agency may furnish consumer credit reports, (2) restricts the information that may be included in the reports, and (3) requires consumer report information to be disclosed to consumers who request it (15 USC §§ 1681b, c, & g). Consumer reports are defined as a consumer reporting agency's communication of information about a consumer's credit worthiness, credit capacity, general reputation, personal characteristics, or mode of living that is used to determine the consumer's credit and employment eligibility and for a few other authorized purposes (15 USC § 1681a(d)(1)).
FCRA also includes a preemption clause that states “no requirement or prohibition may be imposed under the laws of any state . . . with respect to the exchange of information among persons affiliated by common ownership or common corporate control . . . ” (15 USC § 1681t(b)(2)).
The court determined that FCRA preempted California law to the extent it applies to information shared between affiliates that meets the definition of consumer reports (see above). It returned the case to the lower court to determine whether any portion of the affiliate sharing provisions survived preemption and, if so, whether the surviving portion is severable from the preempted portion (Id. at 1087).
American Bankers Association v. Lockyer
In American Bankers Ass'n v. Lockyer, 541 F.3d 1214 (9th Cir. 2008), the Ninth Circuit Court of Appeals ruled that (1) the preempted application of the affiliate-sharing provisions in California law was severable and (2) the rest of the statute was valid.
The court noted the statute's severability clause provides that if any of the bill's phrases, clauses, sentences, or provisions are preempted, the preempted portion may be severed and the rest of the bill remains valid (Cal. Fin. Code § 4059). The court found that the severability clause also applied to preempted applications of the bill. It therefore narrowed the affiliate-sharing provision to exclude consumer report information as defined in the FCRA (Id. at 1218).
Vermont law prohibits a financial institution and its officers, employees, agents, and directors from disclosing customer financial information to anyone without the customer's authorization (Vt. Stat. Ann. tit. 8, § 10202-3). However, there are numerous exceptions that allow disclosure of information:
1. to the customer after proper identification;
2. authorized by the customer limited to the scope and purpose the customer authorized;
3. to the Office of Child Support Services or a state agency with similar authority; Vermont Student Assistance Corporation, Department of Social Welfare; Vermont Tax Department; and civil or criminal law enforcement authorities for use in the exercise of the authority's duties, or the sharing of information, within an industry network, of suspected criminal activities;
4. to a collection agency and its employees or agents, or any person engaged by the financial institution to help recover an amount owed to the financial institution, if the disclosure pertains to recovering the amount owed;
5. if permitted under the laws governing dishonor of negotiable instruments;
6. if requested (a) for a summons for trustee process or (b) by a subpoena, provided that disclosure cannot be made until 10 days after the financial institution has notified the customer of the information request;
7. if required by court order; and
8. in accordance with the Vermont banking commissioner's rules.
The law allows disclosure of customer financial information among an affiliated financial institution's directors, officers, employees, or agents, provided that the disclosure is limited to information necessary and appropriate to fulfill the person's duties and responsibilities and complies with the Vermont Fair Credit Reporting Act (VFCRA) and federal FCRA. It also allows disclosure of one financial institution's customer financial information to another financial institution in connection with a proposed merger, consolidation, acquisition, or other reorganization transaction, provided that the disclosure complies with the VFCRA and federal FCRA.
Additional exceptions include:
1. financial record preparation, examination, handling, or maintenance by a financial institution officer, employee, or agent;
2. financial record examination by a certified public accountant engaged by the financial institution to perform an independent audit;
3. financial record examination by, or disclosure to, any regulatory agency officer, employee, or agent for use only for that person's professional duties;
4. publication of information derived from financial records if the information cannot be identified to any particular customer, deposit, or account;
5. making of reports, disclosures, or returns required by federal or state law;
6. exchange, in the regular course of business and in compliance with the VFCRA and federal FCRA, of credit information between a financial institution and a credit reporting agency or an account verification service;
7. exchange, in the regular course of business and in compliance with the VFCRA and federal FCRA, of credit information between a financial institution and a mercantile agency, provided the exchange is only to report to third parties on the credit rating and credit worthiness of any business;
8. exchange of loan information that specifically affects a sale, foreclosure, or loan closing, if the exchange is intended to accomplish the sale, foreclosure, or loan closing; and
9. reports or information disclosure to the Department of Disabilities, Aging, and Independent Living.