On February 24, the Federal Trade Commission released draft regulations under the Gramm-Leach-Bliley Act that would require financial institutions to provide notice of their privacy practices to customers (and would restrict the ability of these institutions to disclose personal information about consumers to nonaffiliated third parties). Because "financial institutions" are defined extremely broadly under the proposed regulations, many categories of businesses may be surprised to find themselves covered by these notice, opt-out, and disclosure requirements.

Background. On November 12, 1999, the Gramm-Leach-Bliley Act became law. In general, the law was designed to permit banks, securities firms, and insurance companies to merge with each other and to offer a broad array of financial products to consumers, notwithstanding a variety of legal restrictions that had been designed decades ago to keep these industries separate. As Congress considered the ramifications of allowing combinations among firms in these largely separate industries, the issue of financial privacy took a central place in the debate. The result was the addition of Title V to the Act ("Disclosure of Nonpublic Personal Information"), designed to protect the financial privacy of consumers by (a) limiting the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and (b) requiring a financial institution to disclose to all of its customers the institution’s privacy policies and practices involving both affiliates and non-affiliates.

At the time the Act was passed, many businesses assumed that these privacy protections would apply only to traditional financial institutions - like banks, brokers, and insurers. But the financial institutions at the center of the debate over the Act had successfully insisted on including in the Act broad definitions of the kinds of financial activities in which their newly created financial holding companies could lawfully engage. When the same definitions of activities deemed to be "financial in nature or incidental to such financial activity" were transposed into the new Title V, the result was a privacy law that could be read as applicable to a broad range of activities outside the traditional fields of banking, securities, and insurance.

Timing. On February 2, the various federal banking agencies proposed rules to implement the Act’s privacy provisions for institutions under their jurisdiction. On February 24, the Federal Trade Commission proposed a similar set of rules that will apply to non-banks subject to the general jurisdiction of the FTC under the Federal Trade Commission Act. Comments on the proposed rules from all the agencies are due March 31, and final rules will be put in place later this year. (The draft rules are available at http://www.ftc.gov/os/2000/02/glbrulemaking.pdf.)

Importantly, the proposed rules (like the Act itself) do not preempt state law unless the law is "inconsistent" with the rules. If a state enacts a statute or regulation that affords consumers greater protection than the proposed rules, it will not be considered inconsistent with the rules and will not be preempted.

What’s really going on here? As a tradeoff for allowing banks, insurance companies, and securities firms to affiliate with each other, Congress required that consumer financial information be treated with increased care by firms wielding these new, broader powers. In order to ensure a level playing field, traditional "financial" institutions have insisted that competitors be subjected to the same new regulatory burdens they will face, lest they be placed at a competitive disadvantage in exercising the new powers they have won. The FTC, thus, is riding a whirlwind: it must create, on a very tight schedule, a new regulatory scheme that sweeps broadly enough to satisfy traditional financial institutions, while not crippling the operations of entities that were previously not subject to the types of regulatory constraints that have always applied to banks, securities firms, and insurers.

Who is covered by the proposed rules? The notice and disclosure requirements of the proposed rules apply to information about individuals who obtain from a "financial institution" a "financial product or service" to be used for personal, family, or household purposes. The threshold question, therefore, is whether a particular entity is a "financial institution." Under the Act, that term is used extremely broadly to mean "any institution the business of which is engaging in financial activities..." Because "financial activities" can, subject to Federal Reserve Board regulations yet to be written, include everything from lending money and extending credit to selling money orders, from providing insurance to providing courier services for banking instruments, and from underwriting securities to operating a travel agency "in connection with financial services" (and facilitating all of these services), the privacy provisions of the Act could theoretically be stretched to cover some activities of virtually every business in the country that supplies products or services to consumers.

The FTC has suggested an exception to the Act’s coverage. The FTC’s proposed rules adopt, without significant comment or restriction, the broad outlines of the definition of "financial institution" used in the Act. To deal with the open-ended nature of this definition, the pending proposal includes a limitation of the new rules to entities that are "significantly engaged" in a financial activity. The FTC, in providing an example of what "significantly engaged" may mean, states: "Thus, a retail business that issues its own credit card directly to consumers is a financial institution engaged in the extension of credit, but a retail business that merely establishes lay-away or deferred payment plans is not a financial institution." This example doesn’t explain how transactions that fall somewhere between issuance of a credit card and establishment of a lay-away plan will be treated, and the FTC has invited comments as to whether and how "significantly engaged" should be defined. More generally, the FTC has invited comments on the application of its proposed rules to nontraditional financial institutions.

If you’re ultimately found to be a financial institution, what would you have to do? Financial institutions are required under the proposed rules to provide "clear and conspicuous" notice of their privacy practices to (a) any "consumer" whose nonpublic information the institution wants to disclose to a nonaffiliated third party, and (b) anyone who will become a "customer" (at the time they actually become a customer). Notices can be provided in electronic form (as opposed to hard copy form) only if the consumer or customer agrees. Apparently, if the financial services in question are provided electronically, this consent can be obtained by requiring a clickwrap acknowledgment that the disclosures were received as part of the electronic ordering process.

Although the distinction between "consumers" and "customers" is not intuitive, the general idea behind the regulations is that institutions should provide notice and a reasonable opportunity to opt out for people whose financial information the institutions disclose to nonaffiliated third parties (whether or not there is an ongoing customer relationship between the people and the institution), and that institutions have special ongoing disclosure obligations only to a smaller group of people - the subset of consumers with whom they have continuing relationships of some sort.

Thus, the moment when an initial notice is required differs depending on whether the consumer actually becomes a customer of the financial institution.

  • An initial notice of privacy practices has to be provided by financial institutions to "consumers" before the institution discloses any personally identifiable financial information about the consumer to any nonaffiliated third party. Examples of "consumers" include people who apply to the institution for credit or loans for personal, family, or household purposes (even if they never obtain any credit), or people who provide personal information to the institution in connection with obtaining financial, investment, or economic advisory services. The transaction need not be consummated for this obligation to exist. For example, names and addresses of persons who return a post-paid card received in a direct mail solicitation to receive more information about a financial or insurance product would be protected "personally identifiable information" under the proposed regulations. (You don’t have to provide this initial notice if you never disclose any personally identifiable financial information about the consumer to any nonaffiliated third party.)
  • If the consumer becomes a customer, the notice should be provided at the time of establishing the customer relationship - whether or not the institution discloses information about that customer to nonaffiliated third parties. In addition to the initial notice, financial institutions must provide annual notices to customers.

Customers are defined as (a) anyone who is seeking a financial product or service from you to be used primarily for personal, family, or household purposes (in other words, a "consumer") who (b) has a continuing relationship with you. A continuing relationship requires some ongoing series of transactions, such as having a deposit account, having a loan from you, or entering into a lease of personal property with you. An isolated transaction (such as withdrawing cash from your ATM or purchasing a money order from you) does not create a "customer" relationship requiring notice.

All customers are also consumers, but not all consumers are necessarily customers.

Is someone who obtains a payment plan from a retailer for purchase of a single good a "customer"? The answer is ambiguous, as the rules are currently drafted.

What do these notices need to include? The initial and annual notices required by the proposed rules will need to include, among other things:

  • the categories of nonpublic information that you collect;
  • the categories of nonpublic personal information that you disclose;
  • the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information;
  • an explanation of the right to opt out of disclosure, including the methods by which that right may be exercised; and
  • your policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information.

What if you have "consumers" who never become customers? Unless the financial institution discloses personally identifiable financial information about a consumer to nonaffiliated third parties, the institution is not required to provide any notices to the consumer.

What if you have "customers" but don’t disclose nonpublic information about them to nonaffiliated third parties? Under the proposed rules, even if you don’t disclose personally identifiable financial information about consumers to nonaffiliated third parties, if you have "customers" you must provide them with initial and annual notices meeting the requirements of the rules.

Stay tuned. Given the many categories of nontraditional "financial institutions" that may be covered by the proposed regulations (and the vagueness of the Commission’s "significantly engaged" limitation), it is likely that there will be a great deal of controversy and confusion surrounding the draft rules. Companies that are unsure of their coverage under the rules should seek legal advice and may want to consider filing comments with the FTC.

MONTHLY UPDATE

China. During bilateral discussions between the United States and China concerning China’s admission into the World Trade Organization, China agreed to make several concessions important to the high-technology community in exchange for permanent normal trade relations with the U.S. Most observers believe that a vote on trade relations should occur before mid-year (to minimize the election-year political considerations surrounding the vote).

Database protection. H.R. 1838, "The Consumer and Investor Access to Information Act," was reported out of the House Commerce Committee on September 30, 1999 (H. Rept. 106-350) and (according to its sponsors) seeks to protect users’ access to information compiled into databases. H.R. 354, "The Collections of Information Antipiracy Act," was reported out of the Judiciary Committee the same day (H. Rept. 106-349) and (according to its sponsors) seeks to protect the labor of those who compile information into databases. The differences between the bills center on how much protection is given to database producers. H.R. 1838 protects producers if their database is taken by someone else and "sold or distributed in commerce in competition with that other database." H.R. 354 provides protection for producers of databases if the capture of the underlying information "causes material harm to the primary market" of the database. House Majority Leader Dick Armey has instructed the committees to work from the Judiciary bill in forging a compromise.

Digital signatures. The U.S. House and Senate have passed legislation conferring legal validity on electronic signatures. However, the House version includes electronic record-keeping provisions that are opposed by some consumer interest groups. House and Senate conferees are expected to meet soon to hammer out a compromise. A resolution is expected by the end of March.

Pooling. A proposal by the Financial Accounting Standards Board would eliminate the pooling method of accounting for business combinations. The Board claims the purchase method of accounting gives investors better information about acquisitions than does the pooling of interests method. This has been a major issue for high-tech companies, and the Senate Banking, Housing and Urban Affairs Committee will hold a hearing on the subject on March 2, 2000.

Taxation. The Internet Tax Freedom Act placed a moratorium (until October 2001) on new state taxes on electronic commerce. It also created the Advisory Commission on Electronic Commerce to make recommendations to Congress by April 2000 on the future of Internet taxes. Many observers are predicting that the Advisory Commission will not reach a consensus on anything other than an extension of the moratorium. Meanwhile, Rep. Christopher Cox (R-CA) and Sen. Ron Wyden (D-OR) have authored a bill to make permanent the Internet Tax Freedom Act moratorium.

This memorandum is for general purposes only and does not represent our legal advice as to any particular set of facts, nor does this memorandum represent any undertaking to keep recipients advised as to all relevant legal developments.