After gestating for decades, the Gramm-Leach-Bliley financial modernization law just celebrated its first birthday.
As the old saying goes: "To whom much is given, much is expected."
Since the affected industries certainly gave much in lobbying resources over 20 years, there were great expectations for this law. But the revolutionary changes predicted are either absent or delayed.
With time, many of those predictions - larger financial institutions, cross-industry consolidation, blending of banking and commerce - likely will come true. To date, however, enactment has had an ironic and unexpected consequence: the embrace of federal regulation by certain segments of the insurance industry.
Who would have guessed that the same industry that first fought financial services modernization for fear that it would undermine state regulation, then demanded that Gramm-Leach-Bliley adopt functional regulation, would now be eager to explore an optional system of federal insurance regulation?
Why is this happening, and what did the financial reform law have to do with it? Examining the implementation of its privacy provisions for banks versus insurance companies provides a clue.
Under the law, every financial services entity must notify its consumers of its information-sharing practices and allow those consumers to opt out of certain disclosures to nonaffiliated third parties. But Congress scrupulously honored state regulation of insurance and merely encouraged the states to adopt implementing rules for companies and agents. Federal financial regulators were required to adopt uniform rules for federal financial institutions.
By February, six federal agencies had jointly published uniform proposed rules. They reviewed more than 8,000 comments before issuing nearly identical final rules in June. The deadline for compliance by federal depository institutions was extended to July 1, 2001, and the final rule includes sample notices, detailed discussion and examples, and sample disclosure language.
In other words, depository institutions, their holding companies, securities firms, broker-dealers - all financial institutions except insurance companies - had before them uniform final privacy rules and over a year to understand and comply with them.
How and when did the states act? It is almost fair to say that the Florida recount has gone faster and smoother.
First, there is timing. On June 27, the National Association of Insurance Commissioners agreed to follow the lead of federal regulators by extending the privacy compliance date. But so far, just 10 states have realized that intent in a legally significant manner, such as a rule or legislation. Several other state commissioners have issued a bulletin or otherwise re-announced their intent to extend the compliance deadline.
The contrast with the timing of the federal rules is stark and not favorable for state regulators.
The substance of the state privacy rules is similarly muddled.
After considerable debate and delay, last month the NAIC issued a model privacy rule that differs from the federal rules in several significant ways. Under this model, consumers must affirmatively consent, or opt in, before insurers can disclose protected health information. Insurance regulators also expanded the definition of "consumer" to include participants and beneficiaries of group plans and claimants.
Many in the insurance industry oppose the NAIC model because it does not track the federal rules and imposes health information privacy protections that will either conflict with or duplicate existing state laws and future federal regulations. Some insurance commissioners share their concerns.
In fact, the NAIC's incoming president, Terri Vaughan of Iowa, has said her state will exclude the health information component from its proposed rule while she awaits the findings of a privacy task force convened by the state's governor.
The New York State Insurance Department, as usual, did its own thing, adopting a rule that is similar but not identical to either the NAIC model or the federal privacy rules. Some states, such as Ohio, previously adopted an earlier NAIC privacy model law. Those states are likely to amend their laws to meet the new privacy requirements.
Thus, while insurers doing business in those states presumably will end up in the same place - Gramm-Leach-Bliley-compliant - they will have traveled a different route to get there.
Finally, the National Conference of Insurance Legislators is working on its own model privacy law. Surprise - it differs from both the NAIC model and the federal rules. Certainly, some state legislatures will support this model instead of the NAIC's.
Could states have moved more quickly or uniformly? Probably not to any significant degree.
It is virtually impossible to get 50 individual regulators, working under differing state laws, suffering from inadequate resources, and subject to unique political pressures, to do the same thing at the same time, especially with respect to a relatively new and very hot issue like privacy.
Insurance companies, especially those closest to the Gramm-Leach-Bliley deliberations, recognize that functional regulation is inherently dysfunctional when it comes to nimbleness and uniformity. State implementation of the privacy provisions indicates that the Holy Grail of a level playing field has again escaped insurance companies.
As the bankers sing "Happy Birthday" to the Gramm-Leach-Bliley Act and put the finishing touches on their customers' privacy notices, insurance companies are faced with no rule, the NAIC model rule, the state lawmakers' model rule, the New York rule, amendments to existing privacy rules, or some other rule.
These varying approaches impose difficult and costly compliance burdens on companies. Consumers do not benefit from differing state rules. In fact, they will probably be confused by the differences between the privacy notices they get from their bank and from their insurance company.
Is it any surprise some insurance companies are planning to run away from the only regulatory home they have known for the brave new world of uniform federal regulation?
Ms. Polichene is of counsel at the law firm of Baker and Daniels. She works in Indianapolis and Washington.