Viewpoints: Exceptions to Reform's Privacy Obligation

Two weeks ago we discussed key definitions and substantive requirements, including the basic requirements that a financial institution must fulfill, such as the opt-out opportunity, before it may disclose nonpublic personal information to nonaffiliated third parties. Today we examine key exceptions to these requirements and review other substantive obligations in the Gramm-Leach-Bliley Act's privacy title.

This title includes a number of exceptions to the notice and opt-out requirements, demonstrating Congress' desire to balance consumer privacy against the obvious need of financial institutions to share information in order to operate efficiently and protect themselves from risks posed by customers and others.

For instance, notice and opt-out need not be given in connection with the disclosure of information to third-party processors or other entities to which a financial institution outsources its servicing functions or which otherwise help the financial institution with banking activities. This exception applies to information transmitted to agents and servicing organizations for any purpose - including the institution's account maintenance, statement, and customer service functions - and even to transmission of the institution's own marketing offers, so long as the third-party entity is serving for or on behalf of the financial institution itself.

Consistent with traditional legal treatment, such an agent is viewed as an extension of the financial institution itself rather than as a separate entity. Of course, the third-party processor or servicer is subject to all the confidentiality requirements that apply to the financial institution.

The notice and opt-out requirements also do not apply to information sharing in connection with an institution's marketing of financial products or services that meet requirements specified in the law.

First, these financial products or services must be offered under so-called "joint agreements" between two or more financial institutions and must meet any additional requirement that may be imposed by rules issued under the law.

Second, the financial institution must enter into an agreement with the receiving third party that requires the latter to "maintain the confidentiality" of the information; confidentiality agreements that meet current industry standards should fulfill this requirement.

Finally, the financial institution must "fully disclose" to the customer the transmission of information under the joint marketing arrangement. The most reasonable reading of this phrase is that it requires the same "clear and conspicuous" notice as that otherwise required under the law for disclosure of the institution's mandated privacy policy. This clear and conspicuous standard also is the traditional Federal Reserve Board approach for consumer disclosures required under the Truth in Lending Act and other key consumer protection laws.

Of course, this exception and its related requirements assume that nonpublic personal information actually is disclosed by the financial institution to the other entity in the marketing arrangement. Instead, a financial institution should be able to conduct marketing activities with no disclosure of customer information and, thus, free of the various requirements.

For example, the institution itself or its agent should be able to send the marketing information directly to its customers on behalf of the other entity, giving those customers the ability to respond directly to that third-party entity if they are interested in the product or service being offered. Since there is no disclosure of information by the financial institution to the third-party entity, the requirements of the law should never come into play.

The privacy title states several other exceptions to dual-notice obligations. For instance, these dual requirements do not apply to the sharing of nonpublic personal information with nonaffiliated third parties if the sharing is necessary to effect, administer, or enforce a transaction requested or authorized by the customer. This exception includes, for example, information needed to permit participants in a financial institution's payment system to process or administer a payment by check, credit card, or debit card.

Similarly, the law's dual-notice obligations do not apply where the disclosure of nonpublic personal information to nonaffiliated third parties is with the consent of, or at the direction of, the customer. This exception should permit financial institutions to obtain the informed consent of their customers (for example, by a clear and conspicuous notice of such sharing above a signature line) to information-sharing in cobranding or affinity relationships.

Likewise, neither the privacy policy nor the notice and opt-out requirements apply to the disclosure of customer information by a financial institution in connection with so-called private-label programs. In a private-label program, a retailer or other seller of goods or services outsources its credit functions by having a nonaffiliated financial institution offer credit to the seller's customers in connection with purchases at the seller, instead of the seller supplying those functions either itself or within its corporate family. This exception is intended to establish parity of treatment, for legal purposes, between sellers that choose such outsourcing arrangements and sellers that offer such credit operations themselves.

Two other exceptions to dual-notice obligations are:

  • They do not apply to third-party sharing of customer information that is undertaken for fraud or risk control or is done in order to resolve customer disputes or inquiries.
  • Also, disclosures to credit bureaus; to government agencies permitted under the Right to Financial Privacy Act; or in connection with portfolio sales, mergers of institutions, and similar commercial transactions are exempt.

Another substantive privacy provision prohibits a financial institution from disclosing an account number "or similar form of access number or access code" to a consumer credit card, deposit, or transaction account to nonaffiliated third parties for use in telemarketing, direct mail marketing, or electronic mail marketing. This is intended to address concerns that have arisen recently about the ability of telemarketers and other unrelated third parties to gain direct access to a person's transaction account without his or her knowledge. The one exception to this prohibition is providing account numbers to credit bureaus. However, the prohibition, by its terms, is limited to the disclosure of account numbers and access codes for marketing purposes. It should not apply where an institution discloses such information after marketing has been concluded to ensure that the resulting transaction amount is posted to the correct account.

The privacy title's legislative history suggests that account numbers can be transmitted for covered purposes if they are scrambled or encrypted. The numbers are then meaningless to the recipient and cannot be used for account access until decoded by the financial institution, after marketing has been concluded. In this regard, the bill's accompanying Statement of Managers - and a colloquy involving Senators Gramm, Bennett, and Hagel during floor debate - encourages regulators to clarify that the disclosure of account numbers in encrypted form is permitted where needed to service or process customer-authorized transactions.

Once a nonaffiliated third party gets nonpublic personal information from a financial institution, the privacy title permits it to share that information with its affiliates or with an affiliate of the financial institution. The third party may not disclose the information, directly or through an affiliate, to any other entity, unless that disclosure would be "lawful" if made directly by the financial institution.

For example, a third-party processor or another unrelated company that properly receives customer account information from a financial institution is subject to these "onward-transfer" restrictions and could not further disclose the information to nonaffiliated entities unless the financial institution itself could have disclosed the information to such entities.

Finally, the privacy title authorizes federal regulators to prescribe additional exceptions to the privacy policy and notice and opt-out requirements, as well as to the account number prohibition and onward-transfer restrictions. These and other rulemaking and enforcement provisions of the title will be discussed in the next article in this series.

The authors are lawyers in the Washington office of Morrison & Foerster LLP. This is the second of four articles on the financial modernization law's privacy provisions.
