Mandates that designated regulatory agencies promulgate regulations that: (1) require affirmative consumer consent as a prerequisite to any information sharing by a financial institution; (2) prohibit a financial institution from denying a product or service to a consumer who has denied consent to such information transfer; and (3) require consumer access and opportunity to dispute nonpublic personal information made available by the institution to persons other than its own personnel.
Prohibits a financial institution from disclosing a consumer's access number or code to either an affiliated or a nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. (Current law permits such disclosure to affiliates.)
Restricts nonpublic personal information received from a financial institution by an affiliate or nonaffiliated third party from being further disclosed to another affiliate or nonaffiliated third party of both the financial institution and such recipient.
Requires designated regulatory agencies to promulgate proscriptions against unfair and deceptive practices in connection with either disclosing nonpublic personal information or making unrelated uses of that information. Prescribes regulation contents, including a requirement that a financial institution disclose to the consumer: (1) the categories of nonpublic personal information the institution collects; and (2) its practices and policies with respect to disclosing or making unrelated uses of it.
Authorizes the States to enjoin violations of this Act.
Amends the Fair Credit Reporting Act to direct the Federal Trade Commission (FTC) to prescribe implementing regulations with respect to this Act. Authorizes the Secretary of the Treasury to promulgate procedural guidelines governing State election to participate in the enforcement of this Act.
Provides that protection under State law that is greater than the protection accorded under this Act (as determined by either the FTC or a Federal functional regulator) shall not be deemed inconsistent with this Act.
Repeals the exemption granting permission to State-licensed private investigators acting under court authorization to obtain customer information of a financial institution for purposes of collecting child support from a person adjudged delinquent.
Confers enforcement authority upon the States with respect to violations pertaining to fraudulent access to financial information under this Act.
[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 1903 Introduced in Senate (IS)]
106th CONGRESS
1st Session
S. 1903
To amend the privacy provisions of the Gramm-Leach-Bliley Act.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
November 10, 1999
Mr. Shelby (for himself and Mr. Bryan) introduced the following bill;
which was read twice and referred to the Committee on Banking, Housing,
and Urban Affairs
_______________________________________________________________________
A BILL
To amend the privacy provisions of the Gramm-Leach-Bliley Act.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Consumer's Right to Financial
Privacy Act''.
SEC. 2. AMENDMENT.
Title V of the Gramm-Leach-Bliley Act is amended to read as
follows:
``TITLE V--PRIVACY OF CONSUMER INFORMATION
``Subtitle A--Disclosure of Nonpublic Personal Information
``SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.
``(a) Privacy Obligation Policy.--It is the policy of the Congress
that each financial institution has an affirmative and continuing
obligation to respect the privacy of its customers and to protect the
security and confidentiality of those customers' nonpublic personal
information.
``(b) Financial Institutions Safeguards.--In furtherance of the
policy in subsection (a), each agency or authority described in section
504(a) shall establish by rule or order appropriate standards for the
financial institutions subject to their jurisdiction, and the
Commission shall establish such standards for any financial
institutions not subject to such jurisdiction, relating to
administrative, technical, and physical safeguards--
``(1) to insure the security and confidentiality of
customer records and information;
``(2) to protect against any anticipated threats or hazards
to the security or integrity of such records; and
``(3) to protect against unauthorized access to or use of
such records or information which could result in substantial
harm or inconvenience to any customer.
``SEC. 502. OBLIGATIONS WITH RESPECT TO PERSONAL
INFORMATION.
``(a) General Requirements.--Except as otherwise provided in this
subtitle, a financial institution may not, directly or through any
affiliate, disclose or make an unrelated use of any nonpublic personal
information collected by the financial institution in connection with
any transaction with a consumer in any financial product or any
financial service, unless such financial institution provides or has
provided to the consumer a notice that complies with section 503 and
the rules thereunder.
``(b) Opt-In Required for Information Transfers.--
``(1) Affirmative consent required.--Each agency or
authority described in section 504(a) shall by rule prohibit a
financial institution that is subject to its jurisdiction from
making available any nonpublic personal information to any
affiliate or other person that is not an employee or agent of
the institution, unless the consumer to whom the information
pertains--
``(A) has affirmatively consented in accordance
with such rule to the transfer of such information; and
``(B) has not withdrawn the consent.
``(2) Flexibility of form.--A financial institution may, in
complying with paragraph (1), present the opportunity to
consent in a clear and conspicuous manner that permits the
consumer to consent--
``(A)(i) with respect to both affiliates and
nonaffiliated persons;
``(ii) separately with respect to affiliates
generally and nonaffiliated persons generally; or
``(iii) separately with respect to specified
affiliates and nonaffiliated persons; and
``(B) separately with respect to specified
financial and nonfinancial products and services that
may be offered to the consumer.
``(3) Denial of service prohibited.--The rule prescribed
pursuant to paragraph (1) shall prohibit a financial
institution from denying any consumer a financial product or a
financial service for the refusal by the consumer to grant the
consent required by such rule.
``(c) Access to and Correction of Information Vended to Third
Parties.--
``(1) Rule required.--Each agency or authority described in
section 504(a) shall by rule require a financial institution
that is subject to its jurisdiction and that makes available
nonpublic personal information collected by the financial
institution to any person or entity other than an employee or
agent of such institution to afford that consumer--
``(A) the opportunity to examine, upon request, all
nonpublic personal information that was so made
available; and
``(B) the opportunity to dispute the accuracy of
any of such information, and to present evidence
thereon.
``(d) Limitations on the Sharing of Account Number Information for
Marketing Purposes.--A financial institution shall not disclose an
account number or similar form of access number or access code for a
credit card account, deposit account, or transaction account of a
consumer to any affiliate or any nonaffiliated third party for use in
telemarketing, direct mail marketing, or other marketing through
electronic mail or other electronic means to the consumer.
``(e) Limits on Reuse of Information.--Except as otherwise provided
in this subtitle, an affiliate or a nonaffiliated third party that
receives from a financial institution nonpublic personal information
under this section shall not, directly or through an affiliate of such
receiving third party, disclose such information to any other person
that is an affiliate or a nonaffiliated third party of both the
financial institution and such receiving third party, unless such
disclosure would be lawful if made directly to such other person by the
financial institution.
``(f) General Exceptions.--Subsections (a) and (b) shall not
prohibit the disclosure of nonpublic personal information--
``(1) as necessary to effect, administer, or enforce a
transaction requested or authorized by the consumer, or in
connection with--
``(A) servicing or processing a financial product
or service requested or authorized by the consumer;
``(B) maintaining or servicing the consumer's
account with the financial institution; or
``(C) a proposed or actual securitization,
secondary market sale (including sales of servicing
rights), or similar transaction related to a
transaction of the consumer;
``(2) with the consent or at the direction of the consumer;
``(3)(A) to protect the confidentiality or security of the
financial institution's records pertaining to the consumer, the
service or product, or the transaction therein; (B) to protect
against or prevent actual or potential fraud, unauthorized
transactions, claims, or other liability; (C) for required
institutional risk control, or for resolving customer disputes
or inquiries; (D) to persons holding a legal or beneficial
interest relating to the consumer; or (E) to persons acting in
a fiduciary or representative capacity on behalf of the
consumer;
``(4) to provide information to insurance rate advisory
organizations, guaranty funds or agencies, applicable rating
agencies of the financial institution, and the institution's
attorneys, accountants, and auditors;
``(5) to the extent specifically permitted or required
under other provisions of law and in accordance with the Right
to Financial Privacy Act of 1978, to law enforcement agencies
(including a Federal functional regulator, the Secretary of the
Treasury with respect to subchapter II of chapter 53 of title
31, United States Code, and chapter 2 of title I of Public Law
91-508 (12 U.S.C. 1951-1959), a State insurance authority, or
the Federal Trade Commission), self-regulatory organizations,
or for an investigation on a matter related to public safety;
``(6)(A) to a consumer reporting agency in accordance with
the Fair Credit Reporting Act, or (B) from a consumer report
reported by a consumer reporting agency in accordance with the
Fair Credit Reporting Act;
``(7) in connection with a proposed or actual sale, merger,
transfer, or exchange of all or a portion of a business or
operating unit if the disclosure of nonpublic personal
information concerns solely consumers of such business or unit;
or
``(8) to comply with Federal, State, or local laws, rules,
and other applicable legal requirements; to comply with a
properly authorized civil, criminal, or regulatory
investigation or subpoena or summons by Federal, State, or
local authorities; or to respond to judicial process or
government regulatory authorities having jurisdiction over the
financial institution for examination, compliance, or other
purposes as authorized by law.
``SEC. 503. NOTICE CONCERNING DISCLOSING INFORMATION.
``(a) Rule Required.--Each agency or authority described in section
504(a) shall prescribe rules in accordance with this section to
prohibit unfair and deceptive acts or practices in connection with the
disclosing of nonpublic personal information or with making unrelated
uses of such information. Such rules shall require any financial
institution, through the use of a form that complies with the rules
prescribed under subsection (b), to clearly and conspicuously disclose
to the consumer at the time of establishing a customer relationship
with a consumer and not less than annually during the continuation of
such relationship--
``(1) the categories of nonpublic personal information that
are collected by the financial institution;
``(2) the practices and policies of the financial
institution with respect to disclosing nonpublic personal
information, or making unrelated uses of such information,
including--
``(A) the categories of persons to whom the
information is or may be disclosed or who may be
permitted to make unrelated uses of such information,
other than the persons to whom the information must be
provided to effect, administer, or enforce the
transaction; and
``(B) the practices and policies of the institution
with respect to disclosing or making unrelated uses of
nonpublic personal information of persons who have
ceased to be customers of the financial institution;
``(3) the policies that the institution maintains to
protect the confidentiality and security of nonpublic personal
information;
``(4) the practices and policies of the institution with
respect to providing consumers the opportunity to examine and
dispute information pursuant to the rule prescribed under
section 502(c); and
``(5) the right of the consumer under such section to
examine, upon request, the nonpublic personal information, to
dispute the accuracy of any of such information, and to present
evidence thereon.
``(b) Design of Notice Requirements.--In prescribing the form of a
notice for purposes of subsection (a), each agency or authority
described in section 504(a) shall ensure that consumers are provided a
clear and conspicuous disclosure that permits them to compare
differences in the measures that the financial institution takes, and
the policies that the institution has established, to protect the
consumer's privacy as compared to the measures taken and the policies
established by other financial institutions. Such form shall
specifically identify the rights the institution affords consumers to
grant or deny consent to (1) the disclosing of nonpublic personal
information for any purpose other than as required in order to effect,
administer, or enforce the consumer's transaction, or (2) the making of
an unrelated use of such information.
``(c) Additional Contents of Rules; Exemptive Rules.--Each agency
or authority described in section 504(a) shall, by rule, and may by
order--
``(1) specify the disclosures and uses of information
which, for purposes of this subtitle and the rules prescribed
thereunder, may be treated as necessary to effect, administer,
or enforce a consumer's transaction with respect to a variety
of financial services and financial products;
``(2) specify timing requirements with respect to notices
to new and existing customers, which shall not require notices
more frequently than annually unless there has been a change in
the information required to be disclosed pursuant to subsection
(a); and
``(3) provide, consistent with the purposes of this
subtitle, exemptions or temporary waivers to, or delayed
effective dates for, any requirement of this subtitle or the
rules prescribed thereunder.
``SEC. 504. ENFORCEMENT.
``(a) In General.--This subtitle and the rules prescribed
thereunder shall be enforced by the Federal functional regulators, the
State insurance authorities, and the Federal Trade Commission with
respect to financial institutions and other persons subject to their
jurisdiction under applicable law, as follows:
``(1) Under section 8 of the Federal Deposit Insurance Act,
in the case of--
``(A) national banks, Federal branches and Federal
agencies of foreign banks by the Office of the
Comptroller of the Currency;
``(B) member banks of the Federal Reserve System
(other than national banks), branches and agencies of
foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks),
commercial lending companies owned or controlled by
foreign banks, organizations operating under section 25
or 25A of the Federal Reserve Act, bank holding
companies by the Board of Governors of the Federal
Reserve System;
``(C) banks insured by the Federal Deposit
Insurance Corporation (other than members of the
Federal Reserve System), insured State branches of
foreign banks by the Board of Directors of the Federal
Deposit Insurance Corporation; and
``(D) savings association the deposits of which are
insured by the Federal Deposit Insurance Corporation by
the Director of the Office of Thrift Supervision.
``(2) Under the Federal Credit Union Act, by the
Administrator of the National Credit Union Administration with
respect to any Federal or state chartered credit union.
``(3) Under the Securities Exchange Act of 1934, by the
Securities and Exchange Commission with respect to any broker-
dealer.
``(4) Under the Investment Company Act of 1940, by the
Securities and Exchange Commission with respect to investment
companies.
``(5) Under the Investment Advisers Act of 1940, by the
Securities and Exchange Commission with respect to investment
advisers registered with the Commission under such Act.
``(6) Under the Federal Home Loan Bank Act, by the Federal
Housing Finance Board with respect to Federal home loan banks.
``(7) In the case of any person engaged in providing
insurance, by the State insurance authority, if that State has
elected to become a participating State, notwithstanding any of
the limitations of section 104 of the Gramm-Leach-Bliley Act.
``(8) Under the Federal Trade Commission Act, by the
Federal Trade Commission for--
``(A) any other financial institution (other than a
person engaged in providing insurance) or any other
person that is not subject to the jurisdiction of any
agency or authority under paragraphs (1) through (6) of
this subsection; and
``(B) any person engaged in providing insurance who
is domiciled in a State that does not elect to become a
participating State.
``(b) Enforcement of Section 501.--
``(1) In general.--Except as provided in paragraph (2), the
agencies and authorities described in subsection (a) shall
implement the standards prescribed under section 501(b) in the
same manner, to the extent practicable, as standards prescribed
pursuant to subsection (a) of section 39 of the Federal Deposit
Insurance Act are implemented pursuant to such section.
``(2) Exception.--The agencies and authorities described in
paragraphs (3), (4), (5), (7), and (8) of subsection (a) shall
implement the standards prescribed under section 501(b) by rule
with respect to the financial institutions subject to their
respective jurisdictions under subsection (a).
``(c) State Action for Violations.--
``(1) Authority of states.--In addition to such other
remedies as are provided under State law, if the chief law
enforcement officer of a State, or an official or agency
designated by a State, has reason to believe that any person
has violated or is violating this subtitle or a rule prescribed
under this subtitle, other than section 501 or a rule
prescribed under such section, the State--
``(A) may bring an action to enjoin such violation
in any appropriate United States district court or in
any other court of competent jurisdiction; and
``(B) may bring an action on behalf of the
residents of the State to enforce compliance with such
rule, to obtain damages, restitution, or other
compensation on behalf of residents of such State, or
to obtain such further and other relief as the court
may deem appropriate.
``(2) Rights of federal regulators.--
``(A) Prior notice.--The State shall serve prior
written notice of any action under paragraph (1) upon
the Federal Trade Commission and provide the Federal
Trade Commission with a copy of its complaint, except
in any case in which such prior notice is not feasible,
in which case the State shall serve such notice
immediately upon instituting such action.
``(B) Right to intervene.--The Federal Trade
Commission shall transmit the notice received under
subparagraph (A) to the agency or authority that has
jurisdiction of the subject of the complaint, and such
agency or authority shall have the right--
``(i) to intervene in an action under
paragraph (1);
``(ii) upon so intervening, to be heard on
all matters arising therein;
``(iii) to remove the action to the
appropriate United States district court; and
``(iv) to file petitions for appeal.
``(3) Investigatory powers.--For purposes of bringing any
action under this subsection, no provision of this subsection
shall be construed as preventing the chief law enforcement
officer, or an official or agency designated by a State, from
exercising the powers conferred on the chief law enforcement
officer or such official by the laws of such State to conduct
investigations or to administer oaths or affirmations or to
compel the attendance of witnesses or the production of
documentary and other evidence.
``(4) Limitation on state action while federal action
pending.--If a Federal agency or authority has instituted a
civil action for a violation of this subtitle, no State may,
during the pendency of such action, bring an action under this
section against any defendant named in the complaint of the
Federal agency or authority or such agency for any violation of
this subtitle that is alleged in that complaint.
``(d) Definitions.--The terms used in subsection (a)(1) that are
not defined in this subtitle or otherwise defined in section 3(s) of
the Federal Deposit Insurance Act shall have the meaning given to them
in section 1(b) of the International Banking Act of 1978.
``SEC. 505. FAIR CREDIT REPORTING ACT AMENDMENT.
``(a) Amendment.--Section 621 of the Fair Credit Reporting Act (15
U.S.C. 1681s) is amended--
``(1) in subsection (d), by striking everything following
the end of the second sentence; and
``(2) by striking subsection (e) and inserting in lieu
thereof the following:
`` `(e) Regulatory Authority.--
`` `(1) The Federal banking agencies referred to in
paragraphs (1) and (2) of subsection (b) shall jointly
prescribe such regulations as necessary to carry out the
purposes of this Act with respect to any persons identified
under paragraphs (1) and (2) of subsection (b).
`` `(2) The Administrator of the National Credit Union
Administration shall prescribe such regulations as necessary to
carry out the purposes of this Act with respect to any persons
identified under paragraph (3) of subsection (b).
`` `(3) The Federal Trade Commission shall prescribe such
regulations as necessary to carry out the purposes of this Act
with respect to any persons identified under subsection (a).'.
``(b) Relation to Other Provisions.--Except for the amendment made
by this section, nothing in this title shall be construed to modify,
limit, or supersede the operation of the Fair Credit Reporting Act, and
no inference shall be drawn on the basis of the provisions of this
title regarding whether information is transaction or experience
information under section 603 of such Act.
``SEC. 506. STATE ELECTION TO PARTICIPATE.
``(a) Regulations.--The Secretary of the Treasury may promulgate
such regulations as may be necessary to establish the procedures
governing whether the election required under section 504(a)(7) has
been made.
``(b) Deadline.--The deadline for a State to elect to become a
participating state is the first day of the first calendar quarter
beginning after the close of the first legislative session of the State
legislature that begins on or after the date the regulations required
by section 504(a) are issued in final form. For purposes of the
previous sentence, in the case of a State that has a 2-year legislative
session, each year of such session shall be deemed to be a separate
regular session of the State legislature.
``SEC. 507. RELATION TO STATE LAWS.
``(a) In General.--This subtitle shall not be construed as
superseding, altering, or affecting the statutes, regulations, orders,
or interpretations in effect in any State, except to the extent that
such statutes, regulations, orders, or interpretations are inconsistent
with the provisions of this subtitle, and then only to the extent of
the inconsistency.
``(b) Greater Protection Under State Law.--For purposes of this
section, a State statute, regulation, order, or interpretation is not
inconsistent with the provisions of this subtitle if the protection
such statute, regulation, order, or interpretation affords any person
is greater than the protection provided under this subtitle as
determined by the Commission or a Federal functional regulator, on its
own motion or upon the petition of any interested party.
``SEC. 508. DEFINITIONS.
``As used in this subtitle:
``(1) Commission.--The term `Commission' means the Federal
Trade Commission.
``(2) Federal functional regulator.--The term `Federal
functional regulator' means--
``(A) the Board of Governors of the Federal Reserve
System;
``(B) the Office of the Comptroller of the
Currency;
``(C) the Board of Directors of the Federal Deposit
Insurance Corporation;
``(D) the Director of the Office of Thrift
Supervision;
``(E) the National Credit Union Administration
Board; and
``(F) the Securities and Exchange Commission.
``(3) Financial institution.--The term `financial
institution' means any institution the business of which is
engaging in financial activities or activities that are
incidental or complementary to financial activities, as
determined under section 4(k) of the Bank Holding Company Act
of 1956.
``(4) Nonpublic personal information.--
``(A) The term `nonpublic personal information'
means personally identifiable financial information--
``(i) provided by a consumer to a financial
institution;
``(ii) resulting from any transaction with
the consumer or the service performed for the
consumer; or
``(iii) otherwise obtained by the financial
institution.
``(B) Such term does not include publicly available
information, as such term is defined by the regulations
prescribed under section 504.
``(C) Notwithstanding subparagraph (B), such term--
(i) shall include any list, description, or
other grouping of consumers (and publicly
available information pertaining to them) that
is derived using any personally identifiable
information other than publicly available
information; but
``(ii) shall not include any list,
description, or other grouping of consumers
(and publicly available information pertaining
to them) that is derived without using any
nonpublic personal information.
``(5) Directory information.--The term `publicly available
directory information' means subscriber list information
required to be made available for publication pursuant to
section 222(e) of the Communications Act of 1934 (47 U.S.C.
222(3)).
``(6) Unrelated use.--The term `unrelated use', when used
with respect to information collected by the financial
institution in connection with any transaction with a consumer
in any financial product or any financial service, means any
use other than a use that is necessary to effect, administer,
or enforce such transaction.
``(7) Affiliate.--The term `affiliate' means any company
that controls, is controlled by, or is under common control
with another company.
``(8) Nonaffiliated third party.--The term `nonaffiliated
third party' means any entity that is not an affiliate of, or
related by common ownership or affiliated by corporate control
with, the financial institution, but does not include a joint
employee of such institution.
``(9) Necessary to effect, administer, or enforce.--The
disclosing or use of nonpublic personal information shall be
treated as necessary to effect or administer a transaction with
a consumer if the disclosing or use--
``(A) is required, or is a usual, appropriate, or
acceptable method, to carry out the transaction or the
product or service business of which the transaction is
a part, and record or service or maintain the
consumer's account in the ordinary course of providing
the financial service or financial product, or to
administer or service benefits or claims relating to
the transaction or the product or service business of
which it is a part, and includes--
``(i) providing the consumer or the
consumer's agent or broker with a confirmation,
statement, or other record of the transaction,
or information on the status or value of the
financial service or financial product; and
``(ii) the accrual or recognition of
incentives or bonuses associated with the
transaction that are provided by the financial
institution or any other party;
``(B) is required, or is one of the lawful or
appropriate methods, to enforce the rights of the
financial institution or of other persons engaged in
carrying out the financial transaction, or providing
the product or service;
``(C) is required, or is a usual, appropriate, or
acceptable method, for insurance underwriting at the
consumer's request or for reinsurance purposes, or for
any of the following purposes as they relate to a
consumer's insurance: account administration,
reporting, investigating, or preventing fraud or
material misrepresentation, processing premium
payments, processing insurance claims, administering
insurance benefits (including utilization review
activities), participating in research projects, or as
otherwise required or specifically permitted by Federal
or State law; or
``(D) the disclosure is required, or is a usual,
appropriate or acceptable method, in connection with--
``(i) the authorization, settlement,
billing, processing, clearing, transferring,
reconciling, or collection of amounts charged,
debited, or otherwise paid using a debit,
credit or other payment card, check, or account
number, or by other payment means;
``(ii) the transfer of receivables,
accounts or interests therein; or
``(iii) the audit of debit, credit or other
payment information.
Each agency or authority described in section 504(a) shall,
consistent with the purposes of this subtitle, prescribe by
rule actions that shall, in a variety of financial services,
and with respect to a variety of financial products, be treated
as necessary to effect, administer, or enforce a financial
transaction.
``(10) Financial services; financial products; transaction;
related transaction.--Each agency or authority described in
section 504(a) shall, consistent with the purposes of this
subtitle, prescribe by rule definitions of the terms `financial
services', `financial products', `transaction', `related
transaction', and `unrelated third party' for purposes of this
subtitle.
``(11) State insurance authority.--The term `State
insurance authority' means, in the case of any person engaged
in providing insurance, the State insurance authority of the
State in which the person is domiciled.
``(12) Consumer.--The term `consumer' means an individual
who obtains, from a financial institution, financial products
or services which are to be used primarily for personal,
family, or household purposes, and also means the legal
representative of such an individual.
``(13) Customer relationship.--The term `time of
establishing a customer relationship' shall be defined by the
regulations prescribed under section 504.
``SEC. 509. EFFECTIVE DATE.
``This subtitle shall take effect 6 months after the date on which
rules are required to be prescribed under section 504(a)(3), except--
``(1) to the extent that a later date is specified in the
rules prescribed under section 504; and
``(2) that sections 504 and 506 shall be effective upon
enactment.
``Subtitle B--Fraudulent Access to Financial Information
``SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL
INSTITUTIONS.
``(a) Prohibition on Obtaining Customer Information by False
Pretenses.--It shall be a violation of this subtitle for any person to
obtain or attempt to obtain, or cause to be disclosed or attempt to
cause to be disclosed to any person, customer information of a
financial institution relating to another person--
``(1) by making a false, fictitious, or fraudulent
statement or representation to an officer, employee, or agent
of a financial institution;
``(2) by making a false, fictitious, or fraudulent
statement or representation to a customer of a financial
institution; or
``(3) by providing any document to an officer, employee, or
agent of a financial institution, knowing that the document is
forged, counterfeit, lost, or stolen, was fraudulently
obtained, or contains a false, fictitious, or fraudulent
statement or representation.
``(b) Prohibition on Solicitation of a Person To Obtain Customer
Information From Financial Institution Under False Pretenses.--It shall
be a violation of this subtitle to request a person to obtain customer
information of a financial institution, knowing that the person will
obtain, or attempt to obtain, the information from the institution in
any manner described in subsection (a).
``(c) Nonapplicability to Law Enforcement Agencies.--No provision
of this section shall be construed so as to prevent any action by a law
enforcement agency, or any officer, employee, or agent of such agency,
to obtain customer information of a financial institution in connection
with the performance of the official duties of the agency.
``(d) Nonapplicability to Financial Institutions in Certain
Cases.--No provision of this section shall be construed so as to
prevent any financial institution, or any officer, employee, or agent
of a financial institution, from obtaining customer information of such
financial institution in the course of--
``(1) testing the security procedures or systems of such
institution for maintaining the confidentiality of customer
information;
``(2) investigating allegations of misconduct or negligence
on the part of any officer, employee, or agent of the financial
institution; or
``(3) recovering customer information of the financial
institution which was obtained or received by another person in
any manner described in subsection (a) or (b).
``(e) Nonapplicability to Insurance Institutions for Investigation
of Insurance Fraud.--No provision of this section shall be construed so
as to prevent any insurance institution, or any officer, employee, or
agency of an insurance institution, from obtaining information as part
of an insurance investigation into criminal activity, fraud, material
misrepresentation, or material nondisclosure that is authorized for
such institution under State law, regulation, interpretation, or order.
``(f) Nonapplicability to Certain Types of Customer Information of
Financial Institutions.--No provision of this section shall be
construed so as to prevent any person from obtaining customer
information of a financial institution that otherwise is available as a
public record filed pursuant to the securities laws (as defined in
section 3(a)(47) of the Securities Exchange Act of 1934).
``SEC. 522. ADMINISTRATIVE ENFORCEMENT.
``(a) Enforcement by Federal Trade Commission.--Compliance with
this subtitle shall be enforced by the Federal Trade Commission in the
same manner and with the same power and authority as the Commission has
under the title VIII, the Fair Debt Collection Practices Act, to
enforce compliance with such title.
``(b) Notice of Actions.--The Federal Trade Commission shall--
``(1) notify the Securities and Exchange Commission
whenever the Federal Trade Commission initiates an
investigation with respect to a financial institution subject
to regulation by the Securities and Exchange Commission;
``(2) notify the Federal banking agency (as defined in
section 3(z) of the Federal Deposit Insurance Act) whenever the
Commission initiates an investigation with respect to a
financial institution subject to regulation by such Federal
banking agency; and
``(3) notify the appropriate State insurance regulator
whenever the Commission initiates an investigation with respect
to a financial institution subject to regulation by such
regulator.
``(c) State Action for Violations.--
``(1) Authority of states.--In addition to such other
remedies as are provided under State law, if the chief law
enforcement officer of a State, or an official or agency
designated by a State, has reason to believe that any person
has violated or is violating this subtitle, the State--
``(A) may bring an action to enjoin such violation
in any appropriate United States district court or in
any other court of competent jurisdiction;
``(B) may bring an action on behalf of the
residents of the State to recover damages of not more
than $1,000 for each violation; and
``(C) in the case of any successful action under
subparagraph (A) or (B), shall be awarded the costs of
the action and reasonable attorney fees as determined
by the court.
``(2) Rights of federal regulators.--
``(A) Prior notice.--The State shall serve prior
written notice of any action under paragraph (1) upon
the Federal Trade Commission and provide the Federal
Trade Commission with a copy of its complaint, except
in any case in which such prior notice is not feasible,
in which case the State shall serve such notice
immediately upon instituting such action.
``(B) Right to intervene.--The Federal Trade
Commission shall have the right--
``(i) to intervene in an action under
paragraph (1);
``(ii) upon so intervening, to be heard on
all matters arising therein;
``(iii) to remove the action to the
appropriate United States district court; and
``(iv) to file petitions for appeal.
``(3) Investigatory powers.--For purposes of bringing any
action under this subsection, no provision of this subsection
shall be construed as preventing the chief law enforcement
officer, or an official or agency designated by a State, from
exercising the powers conferred on the chief law enforcement
officer or such official by the laws of such State to conduct
investigations or to administer oaths or affirmations or to
compel the attendance of witnesses or the production of
documentary and other evidence.
``(4) Limitation on state action while federal action
pending.--If the Federal Trade Commission has instituted a
civil action for a violation of this subtitle, no State may,
during the pendency of such action, bring an action under this
section against any defendant named in the complaint of the
Federal Trade Commission or such agency for any violation of
this subtitle that is alleged in that complaint.
``SEC. 523. CRIMINAL PENALTY.
``(a) In General.--Whoever knowingly and intentionally violates, or
knowingly and intentionally attempts to violate, section 521 shall be
fined in accordance with title 18, United States Code, or imprisoned
for not more than 5 years, or both.
``(b) Enhanced Penalty for Aggravated Cases.--Whoever violates, or
attempts to violate, section 521 while violating another law of the
United States or as part of a pattern of any illegal activity involving
more than $100,000 in a 12-month period shall be fined twice the amount
provided in subsection (b)(3) or (c)(3) (as the case may be) of section
3571 of title 18, United States Code, imprisoned for not more than 10
years, or both.
``SEC. 524. RELATION TO STATE LAWS.
``(a) In General.--This subtitle shall not be construed as
superseding, altering, or affecting the statutes, regulations, orders,
or interpretations in effect in any State, except to the extent that
such statutes, regulations, orders, or interpretations are inconsistent
with the provisions of this subtitle, and then only to the extent of
the inconsistency.
``(b) Greater Protection Under State Law.--For purposes of this
section, a State statute, regulation, order, or interpretation is not
inconsistent with the provisions of this subtitle if the protection
such statute, regulation, order, or interpretation affords any person
is greater than the protection provided under this subtitle as
determined by the Commission, on its own motion or upon the petition of
any interested party.
``SEC. 525. AGENCY GUIDANCE.
``In furtherance of the objectives of this subtitle, each Federal
banking agency (as defined in section 3(z) of the Federal Deposit
Insurance Act) and the Securities and Exchange Commission or self-
regulatory organizations, as appropriate, shall review regulations and
guidelines applicable to financial institutions under their respective
jurisdictions and shall prescribe such revisions to such regulations
and guidelines as may be necessary to ensure that such financial
institutions have policies, procedures, and controls in place to
prevent the unauthorized disclosure of customer financial information
and to deter and detect activities proscribed under section 521.
``SEC. 526. REPORTS.
``(a) Report to the Congress.--Before the end of the 18-month
period beginning on the date of the enactment of this Act, the
Comptroller General, in consultation with the Federal Trade Commission,
Federal banking agencies, the Securities and Exchange Commission,
appropriate Federal law enforcement agencies, and appropriate State
insurance regulators, shall submit to the Congress a report on the
following:
``(1) The efficacy and adequacy of the remedies provided in
this subtitle in addressing attempts to obtain financial
information by fraudulent means or by false pretenses.
``(2) Any recommendations for additional legislative or
regulatory action to address threats to the privacy of
financial information created by attempts to obtain information
by fraudulent means or false pretenses.
``(b) Annual Report by Administering Agencies.--The Federal Trade
Commission and the Attorney General shall submit to Congress an annual
report on number and disposition of all enforcement actions taken
pursuant to this subtitle.
``SEC. 527. DEFINITIONS.
``For purposes of this subtitle, the following definitions shall
apply:
``(1) Customer.--The term `customer' means, with respect to
a financial institution, any person (or authorized
representative of a person) to whom the financial institution
provides a product or service, including that of acting as a
fiduciary.
``(2) Customer information of a financial institution.--The
term ``customer information of a financial institution'' means
any information maintained by or for a financial institution
which is derived from the relationship between the financial
institution and a customer of the financial institution and is
identified with the customer.
``(3) Document.--The term `document' means any information
in any form.
``(4) Financial institution.--
``(A) In general.--The term `financial institution'
means any institution engaged in the business of
providing financial services to customers who maintain
a credit, deposit, trust, or other financial account or
relationship with the institution.
``(B) Certain financial institutions specifically
included.--The term `financial institution' includes
any depository institution (as defined in section
19(b)(1)(A) of the Federal Reserve Act), any broker or
dealer, any investment adviser or investment company,
any insurance company, any loan or finance company, any
credit card issuer or operator of a credit card system,
and any consumer reporting agency that compiles and
maintains files on consumers on a nationwide basis (as
defined in section 603(p)).
``(C) Securities institutions.--For purposes of
subparagraph (B)--
``(i) the terms `broker' and `dealer' have
the meanings provided in section 3 of the
Securities Exchange Act of 1934 (15 U.S.C.
78c);
``(ii) the term `investment adviser' has
the meaning provided in section 202(a)(11) of
the Investment Advisers Act of 1940 (15 U.S.C.
80b-2(a)); and
``(iii) the term `investment company' has
the meaning provided in section 3 of the
Investment Company Act of 1940 (15 U.S.C. 80a-
3).
``(D) Further definition by regulation.--The
Federal Trade Commission, after consultation with
Federal banking agencies and the Securities and
Exchange Commission, may prescribe regulations
clarifying or describing the types of institutions
which shall be treated as financial institutions for
purposes of this subtitle.
<all>
Introduced in Senate
Sponsor introductory remarks on measure. (CR S14547-14551)
Read twice and referred to the Committee on Banking.