Bankers may have a magic bullet in the battle with states over financial privacy laws.
The Fair Credit Reporting Act bars states, until Jan. 1, 2004, from restricting how a bank shares customer information within its corporate family. A 1996 change to the Fair Credit law permitted banks to share information from loan applications and credit bureau reports with affiliates, as long as they notify customers first and give them an opportunity to block, or opt out of, marketing efforts.
"Any state attempt to restrict information transfers among corporate affiliates is contrary to law and congressional intent, and is unenforceable," the high-powered law firm Covington & Burling wrote in a note to clients.
But privacy hawks contend that Fair Credit is trumped by the Sarbanes amendment to the Gramm-Leach-Bliley Act; that amendment gives state legislatures the right to adopt tougher privacy measures.
"It is very clear that, through the Sarbanes amendment, Congress gave states authority to do the rest of the job: pass strong laws to protect consumer privacy and go after affiliate sharing," said Edmund Mierzwinski, consumer program director at the Public Interest Research Group. "What else could the Sarbanes amendment have possibly meant?"
Which side is right? The question is likely to end up in federal court.
"There are reasonable minds presenting arguments on both sides. Until some court decides, you aren't going to get a definitive answer," said the American Bankers Association's senior federal counsel, Nessa Feddis.
David Medine, the Federal Trade Commission's assistant director for financial practices, agreed.
"It's an untested provision in the courts, which is why there is room for arguments on both sides," he said in an interview last week.
Gramm-Leach-Bliley requires banks, among others, to disclose their privacy practices to customers at least once a year and grants customers the opportunity to block their banks from sharing their data with third parties. Federal regulators are writing implementing rules, which are expected to take effect in November.
Sen. Paul Sarbanes, D-Md., wanted tougher restrictions and succeeded in pushing through an amendment that lets states enact the most stringent privacy laws.
States could still enact laws toughening limits on information sharing with third parties. For example, a state could require a bank to get a customer's written permission before sharing data with unaffiliated companies.
Nearly half the states are weighing the issue. California is one of the few that has drafted bills that would require banks to get a customer's permission before sharing his data with an affiliate or a third party.
The California Attorney General's office contends the Sarbanes amendment trumps Fair Credit.
"We don't think the Fair Credit Reporting Act preempts states from acting," California Deputy Attorney General Susan Henrichsen said in an interview Thursday. "The Fair Credit Reporting Act regulates consumer credit reporting. If information doesn't constitute a consumer credit report or application, it is not governed by the act and not governed by its preemption provisions."
A federal regulatory agency lawyer, who spoke on the condition of anonymity, disagreed.
"The preemption provision of the FCRA goes to the exchange of information among affiliates. The information is not limited to consumer reports," the attorney said. "Therefore, we believe that any state requirement [prohibiting information sharing among affiliates] would be preempted by the FCRA, unless it was enacted after Jan. 1, 2004."
Gilbert Schwartz, a former regulatory lawyer and now a partner at Schwartz & Ballen here, was equally adamant.
"It's pretty clear the courts would strike down a restrictive state law," he said. "Gramm-Leach-Bliley doesn't say it preempts the FCRA. In fact, it doesn't say anything at all about a state passing laws that are more restrictive than the FCRA."
