Financial transactions can now be conducted in the blink of an eye. But the technology that has made us so efficient is also raising serious privacy concerns. The media is flooded with stories of businesses engaging in covert information gathering, hackers stealing individual credit card numbers and instances of consumer profiling. People are concerned their private financial information may be getting into the wrong hands.
Congress has responded with Title V of the Financial Services Modernization Act, legislation that provides for greater protection of an individual's financial privacy. The Federal Trade Commission recently issued rules implementing Title V. Although Title V was enacted over a year ago and the FTC rules are several months old, many companies are still unaware of what they must do to comply with it or even that the new law applies to them.
The Financial Services Modernization Act
Title V of The Financial Services Modernization Act, also referred to as the Gramm-Leach-Bliley Act, is designed to protect the security and confidentiality of nonpublic personal information provided to financial institutions by consumers. This includes social security numbers, addresses, dates of birth and other personal information provided to financial institutions or otherwise obtained by financial institutions. The law also covers any list, description or grouping of information derived in part from nonpublic personal information and not entirely from publicly available information, an email list for example.
Title V protects the financial privacy of consumers rather than businesses. A consumer is defined as an individual who obtains a product or service from a financial institution used primarily for personal, family or household purposes. If a company's customers use its services for something other than these purposes, then it would not be required to follow the law's privacy standards.
The scope of the institutions affected by the law is extremely broad. The Act applies to "financial institutions" or any institution in the financial services business such as banks, lenders, financial advisors, brokerages, securities dealers as well as any other entities that engage in activities "financial in nature." As a result, non-traditional financial institutions such as those that provide financial data processing and transmission services must also comply. A list of activities considered "financial in nature" can be found at: www.ftc.gov/os/2000/05/65fr33645.pdf.
Security for consumers' private information must be provided
First and foremost, Title V requires that a financial institution ensure the security and confidentiality of the consumer's records and information. This provision requires a financial institution to guard against anticipated threats or hazards to the security or integrity of such records and prevent unauthorized access to or use of such records or information to prevent harm or inconvenience to the consumer. Although the law does not specify exactly what security measures must be taken, this generally includes some form of encryption and/or firewalls on a financial institution's servers.
Title V requires a privacy notice to the consumer
The more complicated and lesser known requirement of Title V is that financial institutions need to notify consumers if they intend to disclose their nonpublic personal information to a non-affiliated third party. This must be provided both at the time of establishing the customer relationship and annually, as long as the relationship exists. A non-affiliated third party is any entity that is not related by common ownership or by corporate control with the financial institution. The financial institution must give notice to the consumer when the financial institution collects the nonpublic personal information and when it discloses the consumer's nonpublic personal information to an affiliated third party.
The notice required by Title V must be clear, conspicuous and include:
• The categories of information a financial institution may collect.
• The categories of information a financial institution may disclose.
• The categories of affiliates and nonaffiliated third parties to whom a financial institution discloses nonpublic personal information that does not meet one of the exceptions under Title V.
• The financial institution's policies on sharing information about former customers; the categories of nonpublic personal information disclosed pursuant to contracts with nonaffiliated third parties.
• The consumer's right to opt out of the disclosure of personal information to nonaffiliated third parties.
• The financial institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Exceptions to the notice requirement
Title V provides exceptions to the above notice requirements when disclosures are part of the course of doing business. In general, a financial institution may disclose nonpublic personal information if it is:
• Necessary in processing a transaction, financial product or service requested or authorized by the consumer.
• To maintain or service the consumer's account.
• At the direction of the consumer.
• To protect the confidentiality or security of the consumer's records or transactions.
• To protect against fraud and unauthorized transactions.
• To resolve consumer disputes.
• To persons or companies that hold a legal or beneficial interest relating to the consumer.
In addition, Title V provides that a financial institution may disclose a consumer's nonpublic personal information to a nonaffiliated third party who performs a service on behalf of the financial institution. However, the financial institution must have a contract with the nonaffiliated third party that requires them to maintain the confidentiality of the nonpublic personal information. Title V then prohibits the nonaffiliated third party from directly or indirectly disclosing the information to any other person not affiliated with the financial institution.
Consumers are entitled to choice when it comes to their private information
Under Title V, a financial institution must provide a consumer the opportunity to choose to prohibit the disclosure of their nonpublic personal information before the financial institution may disclose it to a third party. The type of choice contained in the Act is commonly referred to as "opt-out." In the opt-out privacy model, an individual's personal information is collected without consent and the individual must act to prevent the use and disclosure of the information. The opt-out model is the least stringent of the three privacy choice methods. The others, opt-in and double opt-in, require the individual's affirmative consent before an institution can disclose that individual's personal information to third parties.
When providing the consumer with an opportunity to opt out, the institution must inform the consumer about what categories of nonpublic personal information may be disclosed and the categories of nonaffiliated third parties to whom the nonpublic personal information may be disclosed, and must provide the consumer with reasonable means to exercise this nondisclosure option.
Reasonable means may include check-off boxes in a prominent position in a form with the opt-out notice, toll-free telephone numbers, email addresses and Web forms. The financial institution must comply with the consumer's disclosure choice as soon as reasonably possible.
Enforcement
Title V is jointly enforced by the Federal Trade Commission, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the Secretary of the Treasury, the National Credit Union Administration, the Securities and Exchange Commission and the State insurance authorities.
These regulatory authorities will enforce the law against those financial institutions that are subject to their jurisdiction under applicable law. The penalty for a violation would depend on which regulatory authority the entity falls under.
The public has cried out for federal legislation to protect its financial privacy. Congress has responded with Title V of the Financial Services Modernization Act. In light of Title V, companies must evaluate whether they are engaged in activities of a "financial nature." If so, they may be required to take steps to comply with the Act.
Henry Cooper is an associate with Seiden, Alder, Rothman, Petosa & Matthewman, P.A., a full-service litigation law firm with offices in Miami, Boca Raton and West Palm Beach, Florida. The firm specializes in technology law, with a particular emphasis on the representation of financial institutions. Mr. Cooper welcomes questions and comments regarding the above and can be contacted at hcooper@seidenlaw.com or at 561-416-0170. The full text of the Financial Services Modernization Act is available at http://www.senate.gov/~banking/conf/confrpt.htm.