Much public attention has focused on two provisions of the new financial modernization law that amend the Fair Credit Reporting Act.
First, the reform law amends the credit reporting act to direct federal banking agencies - the Federal Reserve Board, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Federal Deposit Insurance Corp. - to jointly issue "such regulations as necessary to carry out the purposes" of the credit reporting act. The joint regulations are to apply to all banks and thrifts regulated by these agencies. In addition, Fair Credit Reporting Act rules issued by the Fed will apply to all nonbank entities within a bank holding company.
Second, the reform law's privacy title deletes a provision that had restricted the ability of federal banking agencies to examine compliance with the credit reporting act. Under the old provision, such an examination could be done only in response to a complaint. Then if a violation were found, the authority of the agency to monitor compliance was limited to the next two regularly scheduled examinations. With the repeal of this provision (effective on the date of enactment), the banking agencies now have the same authority to examine a depository institution for compliance with the Fair Credit Reporting Act as they have to monitor its compliance with all other federal consumer protection laws.A less-prominent provision is far more important to understanding the privacy title's relationship to the credit reporting act. It states simply that, with the exception of these two amendments, the privacy title does not modify, limit, or supersede any provision of the credit reporting act.
Thus, other than the two privacy-title amendments, the Fair Credit Reporting Act applies just as it did before reform. When structuring information-sharing arrangements with nonaffiliated third parties, financial institutions must consider the application of both the privacy title and the credit reporting law to these arrangements. In particular, though the privacy title permits a financial institution to share nonpublic personal information with nonaffiliated third parties - so long as it complies with the title's notice and opt-out requirements - the credit reporting act's applicable provisions could nonetheless restrict communication of that information.
For instance, a financial institution could be deemed to be a consumer reporting agency if it shares with a nonaffiliated third party information relating to a consumer's creditworthiness, credit capacity, or other characteristics identified in the credit reporting act for use in making credit, insurance, or other eligibility decisions about the consumer. That would be true even if, as required by the privacy title, the consumer has been given notice of that sharing and has not opted out.
Furthermore, the credit reporting act's affiliate-information-sharing notice and opt-out requirements remain in force. If anything, the importance of this notification is underscored by the privacy title's requirement that the affiliate-sharing notification, if applicable, be included in the financial institution's privacy-policy notice mandated by the privacy title.This turns the one-time affiliate-sharing notice requirement into an annual obligation.
Otherwise, though the privacy title adds notice and opt-out requirements for sharing nonpublic personal information with nonaffiliated third parties, the credit reporting act's notice and opt-out rules continue to govern the sharing of nonexperience information with affiliated entities.
Notably, the privacy title's explicit statement of the credit reporting act's continuing authority and the focus of the title's requirements on the sharing of information with nonaffiliated third parties confirm the supremacy of the act over the sharing of information among affiliated companies.
In other words, the act continues to govern the sharing of information among affiliated companies, and its authority is completely unaffected by the privacy title. This preserves one of the principal benefits of the financial modernization bill to consumers and institutions alike: the ability of affiliated companies to share information more efficiently and effectively for cross-marketing purposes.
Turning to the privacy title's relationship to state law, there has been much discussion about the meaning of section 507, which delineates this relationship. It is clear that section 507 is not, as some have asserted, a mandate for states to enact privacy laws. This section merely provides that a state may enact a law that gives "greater protection" to consumers than the reform law does.
The Federal Trade Commission, in consultation with the appropriate privacy title regulators, is authorized to determine whether a state law provides greater protection. The commission is expected to establish a formal mechanism for making such determinations, though no such mechanism is required by the law.
In addition, section 507, by its own terms, applies only to the provisions of the privacy title. Thus, a state is given the ability to impose additional requirements on the sharing by financial institutions of customer information with nonaffiliated third parties.This is consistent with numerous other federal laws that give states an opportunity, where appropriate, to enact consumer protections in addition to those established by federal law.
However, the flip side of the explicit statutory language is that the section does not apply to any provision of federal law other than the privacy title. Because the latter imposes no obligation with respect to the sharing of information among affiliated companies, section 507 does not modify or supersede federal law on affiliate information-sharing. This is underscored by the explicit statement that, other than the two credit reporting act amendments described above, the title does not modify or supersede existing provisions of the act, including its preemption of state laws related to affiliate information sharing.
This important point was the subject of a colloquy between Sen. Phil Gramm and Sen. Connie Mack during floor debate on what became the Gramm-Leach-Bliley Act. This colloquy explains that section 507 applies only to the amendments in the privacy title and is not to be construed to apply to any provision of law other than the title. As an example, it explains that since the privacy title does not affect laws on the disclosure of information among affiliated entities, it in no way supersedes or alters the affiliate-sharing provisions of the credit reporting act or that law's preemption of state laws related to affiliate information-sharing.The privacy title requires federal regulators to do the most extensive study ever of the information-sharing practices of financial institutions. The Treasury secretary - in conjunction with federal banking agencies, the Securities and Exchange Commission, and the Federal Trade Commission - must do a comprehensive study of information-sharing by financial institutions with both affiliates and nonaffiliated third parties.
The law also directs the agencies, in preparing and conducting the study, to consult with representatives of state insurance regulators, the financial services industry, consumer advocacy organizations, privacy groups, and other representatives of the general public.
This wide-ranging study must, among other things, consider:
- Both the benefits and risks to consumers, financial institutions, and their affiliates of the sharing of customer information.
- The purposes for sharing such information with affiliates and nonaffiliated third parties.
- The laws' adequacy for protecting consumer privacy.
- The feasibility of different approaches (including opt-in mechanisms) to permit customers to exercise control over information-sharing by institutions with their affiliates and with nonaffiliated third parties.
The information-sharing study, including any recommendation for legislative or administrative actions, must be submitted to Congress no later than Jan. 1, 2002.It is no secret that interest in consumer privacy issues remains high on Capitol Hill and among policymakers elsewhere in Washington. Within days of the financial modernization legislation's passage, several bills were introduced in Congress to expand the privacy title's requirements.
Nonetheless, it is expected that Congress will defer consideration of any significant additional financial-privacy-related legislation until the study mandated by the statute is completed.
Given both the expected usefulness of this study and the numerous statements by Federal Reserve Board Chairman Alan Greenspan and others about the importance of information-sharing to consumers, the financial services industry, and the U.S. economy as a whole, states also may wish to defer action on privacy proposals until the federal study is complete and the effect of such state initiatives can be more fully understood.The authors are lawyers in the Washington office of Morrison & Foerster LLP. This article is the last of four on how the financial modernization law has changed the privacy-regulation landscape.