HR 3320 IH
106th CONGRESS
1st Session
H. R. 3320
To amend the privacy provisions of the Gramm-Leach-Bliley
Act.
IN THE HOUSE OF REPRESENTATIVES
November 10, 1999
Mr. MARKEY (for himself, Mr. BARTON of Texas, Mr. DINGELL, Mr. CAMPBELL, Mr.
LUTHER, Mr. WAXMAN, Mr. KUCINICH, Mr. HINCHEY, Ms. ESHOO, Ms. LEE, Ms. RIVERS,
Ms. SCHAKOWSKY, Ms. BALDWIN, Ms. ROYBAL-ALLARD, Mr. LEWIS of Georgia, Mr.
TIERNEY, Mr. KILDEE, Mr. OBEY, Mrs. MEEK of Florida, Mr. EVANS, Mr. JACKSON of
Illinois, Ms. WOOLSEY, and Mr. BARRETT of Wisconsin) introduced the following
bill; which was referred to the Committee on Banking and Financial Services, and
in addition to the Committee on Commerce, for a period to be subsequently
determined by the Speaker, in each case for consideration of such provisions as
fall within the jurisdiction of the committee concerned
A BILL
To amend the privacy provisions of the Gramm-Leach-Bliley
Act.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Consumer's Right to Financial Privacy
Act'.
SEC. 2. AMENDMENT.
Title V of the Gramm-Leach-Bliley Act is amended to read as follows:
`TITLE V--PRIVACY OF CONSUMER INFORMATION
`Subtitle A--Disclosure of Nonpublic Personal Information
`SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.
`(a) PRIVACY OBLIGATION POLICY- It is the policy of the Congress that each
financial institution has an affirmative and continuing obligation to respect
the privacy of its customers and to protect the security and confidentiality
of those customers' nonpublic personal information.
`(b) FINANCIAL INSTITUTIONS SAFEGUARDS- In furtherance of the policy in
subsection (a), each agency or authority described in section 504(a) shall
establish by rule or order appropriate standards for the financial
institutions subject to their jurisdiction, and the Commission shall establish
such standards for any financial institutions not subject to such
jurisdiction, relating to administrative, technical, and physical
safeguards--
`(1) to insure the security and confidentiality of customer records and
information;
`(2) to protect against any anticipated threats or hazards to the
security or integrity of such records; and
`(3) to protect against unauthorized access to or use of such records or
information which could result in substantial harm or inconvenience to any
customer.
`SEC. 502. OBLIGATIONS WITH RESPECT TO PERSONAL INFORMATION.
`(a) GENERAL REQUIREMENTS- Except as otherwise provided in this subtitle,
a financial institution may not, directly or through any affiliate, disclose
or make an unrelated use of any nonpublic personal information collected by
the financial institution in connection with any transaction with a consumer
in any financial product or any financial service, unless such financial
institution provides or has provided to the consumer a notice that complies
with section 503 and the rules thereunder.
`(b) OPT-IN REQUIRED FOR INFORMATION TRANSFERS-
`(1) AFFIRMATIVE CONSENT REQUIRED- Each agency or authority described in
section 504(a) shall by rule prohibit a financial institution that is
subject to its jurisdiction from making available any nonpublic personal
information to any affiliate or other person that is not an employee or
agent of the institution, unless the consumer to whom the information
pertains--
`(A) has affirmatively consented in accordance with such rule to the
transfer of such information; and
`(B) has not withdrawn the consent.
`(2) FLEXIBILITY OF FORM- A financial institution may, in complying with
paragraph (1), present the opportunity to consent in a clear and conspicuous
manner that permits the consumer to consent--
`(A)(i) with respect to both affiliates and nonaffiliated
persons;
`(ii) separately with respect to affiliates generally and
nonaffiliated persons generally; or
`(iii) separately with respect to specified affiliates and
nonaffiliated persons; and
`(B) separately with respect to specified financial and nonfinancial
products and services that may be offered to the consumer.
`(3) DENIAL OF SERVICE PROHIBITED- The rule prescribed pursuant to
paragraph (1) shall prohibit a financial institution from denying any
consumer a financial product or a financial service for the refusal by the
consumer to grant the consent required by such rule.
`(c) ACCESS TO AND CORRECTION OF INFORMATION VENDED TO THIRD PARTIES-
`(1) RULE REQUIRED- Each agency or authority described in section 504(a)
shall by rule require a financial institution that is subject to its
jurisdiction and that makes available nonpublic personal information
collected by the financial institution to any person or entity other than an
employee or agent of such institution to afford that consumer--
`(A) the opportunity to examine, upon request, all nonpublic personal
information that was so made available; and
`(B) the opportunity to dispute the accuracy of any of such
information, and to present evidence thereon.
`(d) LIMITATIONS ON THE SHARING OF ACCOUNT NUMBER INFORMATION FOR
MARKETING PURPOSES- A financial institution shall not disclose an account
number or similar form of access number or access code for a credit card
account, deposit account, or transaction account of a consumer to any
affiliate or any nonaffiliated third party for use in telemarketing, direct
mail marketing, or other marketing through electronic mail or other electronic
means to the consumer.
`(e) LIMITS ON REUSE OF INFORMATION- Except as otherwise provided in this
subtitle, an affiliate or a nonaffiliated third party that receives from a
financial institution nonpublic personal information under this section shall
not, directly or through an affiliate of such receiving third party, disclose
such information to any other person that is an affiliate or a nonaffiliated
third party of both the financial institution and such receiving third party,
unless such disclosure would be lawful if made directly to such other person
by the financial institution.
`(f) GENERAL EXCEPTIONS- Subsections (a) and (b) shall not prohibit the
disclosure of nonpublic personal information--
`(1) as necessary to effect, administer, or enforce a transaction
requested or authorized by the consumer, or in connection with--
`(A) servicing or processing a financial product or service requested
or authorized by the consumer;
`(B) maintaining or servicing the consumer's account with the
financial institution; or
`(C) a proposed or actual securitization, secondary market sale
(including sales of servicing rights), or similar transaction related to a
transaction of the consumer;
`(2) with the consent or at the direction of the consumer;
`(3)(A) to protect the confidentiality or security of the financial
institution's records pertaining to the consumer, the service or product, or
the transaction therein; (B) to protect against or prevent actual or
potential fraud, unauthorized transactions, claims, or other liability; (C)
for required institutional risk control, or for resolving customer disputes
or inquiries; (D) to persons holding a legal or beneficial interest relating
to the consumer; or (E) to persons acting in a fiduciary or representative
capacity on behalf of the consumer;
`(4) to provide information to insurance rate advisory organizations,
guaranty funds or agencies, applicable rating agencies of the financial
institution, and the institution's attorneys, accountants, and
auditors;
`(5) to the extent specifically permitted or required under other
provisions of law and in accordance with the Right to Financial Privacy Act
of 1978, to law enforcement agencies (including a Federal functional
regulator, the Secretary of the Treasury with respect to subchapter II of
chapter 53 of title 31, United States Code, and chapter 2 of title I of
Public Law 91-508 (12 U.S.C. 1951-1959), a State insurance authority, or the
Federal Trade Commission), self-regulatory organizations, or for an
investigation on a matter related to public safety;
`(6)(A) to a consumer reporting agency in accordance with the Fair
Credit Reporting Act, or (B) from a consumer report reported by a consumer
reporting agency in accordance with the Fair Credit Reporting Act;
`(7) in connection with a proposed or actual sale, merger, transfer, or
exchange of all or a portion of a business or operating unit if the
disclosure of nonpublic personal information concerns solely consumers of
such business or unit; or
`(8) to comply with Federal, State, or local laws, rules, and other
applicable legal requirements; to comply with a properly authorized civil,
criminal, or regulatory investigation or subpoena or summons by Federal,
State, or local authorities; or to respond to judicial process or government
regulatory authorities having jurisdiction over the financial institution
for examination, compliance, or other purposes as authorized by law.
`SEC. 503. NOTICE CONCERNING DISCLOSING INFORMATION.
`(a) RULE REQUIRED- Each agency or authority described in section 504(a)
shall prescribe rules in accordance with this section to prohibit unfair and
deceptive acts or practices in connection with the disclosing of nonpublic
personal information or with making unrelated uses of such information. Such
rules shall require any financial institution, through the use of a form that
complies with the rules prescribed under subsection (b), to clearly and
conspicuously disclose to the consumer at the time of establishing a customer
relationship with a consumer and not less than annually during the
continuation of such relationship--
`(1) the categories of nonpublic personal information that are collected
by the financial institution;
`(2) the practices and policies of the financial institution with
respect to disclosing nonpublic personal information, or making unrelated
uses of such information, including--
`(A) the categories of persons to whom the information is or may be
disclosed or who may be permitted to make unrelated uses of such
information, other than the persons to whom the information must be
provided to effect, administer, or enforce the transaction; and
`(B) the practices and policies of the institution with respect to
disclosing or making unrelated uses of nonpublic personal information of
persons who have ceased to be customers of the financial
institution;
`(3) the policies that the institution maintains to protect the
confidentiality and security of nonpublic personal information;
`(4) the practices and policies of the institution with respect to
providing consumers the opportunity to examine and dispute information
pursuant to the rule prescribed under section 502(c); and
`(5) the right of the consumer under such section to examine, upon
request, the nonpublic personal information, to dispute the accuracy of any
of such information, and to present evidence thereon.
`(b) DESIGN OF NOTICE REQUIREMENTS- In prescribing the form of a notice
for purposes of subsection (a), each agency or authority described in section
504(a) shall ensure that consumers are provided a clear and conspicuous
disclosure that permits them to compare differences in the measures that the
financial institution takes, and the policies that the institution has
established, to protect the consumer's privacy as compared to the measures
taken and the policies established by other financial institutions. Such form
shall specifically identify the rights the institution affords consumers to
grant or deny consent to (1) the disclosing of nonpublic personal information
for any purpose other than as required in order to effect, administer, or
enforce the consumer's transaction, or (2) the making of an unrelated use of
such information.
`(c) ADDITIONAL CONTENTS OF RULES; EXEMPTIVE RULES- Each agency or
authority described in section 504(a) shall, by rule, and may by order--
`(1) specify the disclosures and uses of information which, for purposes
of this subtitle and the rules prescribed thereunder, may be treated as
necessary to effect, administer, or enforce a consumer's transaction with
respect to a variety of financial services and financial products;
`(2) specify timing requirements with respect to notices to new and
existing customers, which shall not require notices more frequently than
annually unless there has been a change in the information required to be
disclosed pursuant to subsection (a); and
`(3) provide, consistent with the purposes of this subtitle, exemptions
or temporary waivers to, or delayed effective dates for, any requirement of
this subtitle or the rules prescribed thereunder.
`SEC. 504. ENFORCEMENT.
`(a) IN GENERAL- This subtitle and the rules prescribed thereunder shall
be enforced by the Federal functional regulators, the State insurance
authorities, and the Federal Trade Commission with respect to financial
institutions and other persons subject to their jurisdiction under applicable
law, as follows:
`(1) Under section 8 of the Federal Deposit Insurance Act, in the case
of--
`(A) national banks, Federal branches and Federal agencies of foreign
banks by the Office of the Comptroller of the Currency;
`(B) member banks of the Federal Reserve System (other than national
banks), branches and agencies of foreign banks (other than Federal
branches, Federal agencies, and insured State branches of foreign banks),
commercial lending companies owned or controlled by foreign banks,
organizations operating under section 25 or 25A of the Federal Reserve
Act, bank holding companies by the Board of Governors of the Federal
Reserve System;
`(C) banks insured by the Federal Deposit Insurance Corporation (other
than members of the Federal Reserve System), insured State branches of
foreign banks by the Board of Directors of the Federal Deposit Insurance
Corporation; and
`(D) savings association the deposits of which are insured by the
Federal Deposit Insurance Corporation by the Director of the Office of
Thrift Supervision.
`(2) Under the Federal Credit Union Act, by the Administrator of the
National Credit Union Administration with respect to any Federal or state
chartered credit union.
`(3) Under the Securities Exchange Act of 1934, by the Securities and
Exchange Commission with respect to any broker-dealer.
`(4) Under the Investment Company Act of 1940, by the Securities and
Exchange Commission with respect to investment companies.
`(5) Under the Investment Advisers Act of 1940, by the Securities and
Exchange Commission with respect to investment advisers registered with the
Commission under such Act.
`(6) Under the Federal Home Loan Bank Act, by the Federal Housing
Finance Board with respect to Federal home loan banks.
`(7) In the case of any person engaged in providing insurance, by the
State insurance authority, if that State has elected to become a
participating State, notwithstanding any of the limitations of section 104
of the Gramm-Leach-Bliley Act.
`(8) Under the Federal Trade Commission Act, by the Federal Trade
Commission for--
`(A) any other financial institution (other than a person engaged in
providing insurance) or any other person that is not subject to the
jurisdiction of any agency or authority under paragraphs (1) through (6)
of this subsection; and
`(B) any person engaged in providing insurance who is domiciled in a
State that does not elect to become a participating State.
`(b) ENFORCEMENT OF SECTION 501-
`(1) IN GENERAL- Except as provided in paragraph (2), the agencies and
authorities described in subsection (a) shall implement the standards
prescribed under section 501(b) in the same manner, to the extent
practicable, as standards prescribed pursuant to subsection (a) of section
39 of the Federal Deposit Insurance Act are implemented pursuant to such
section.
`(2) EXCEPTION- The agencies and authorities described in paragraphs
(3), (4), (5), (7), and (8) of subsection (a) shall implement the standards
prescribed under section 501(b) by rule with respect to the financial
institutions subject to their respective jurisdictions under subsection
(a).
`(c) STATE ACTION FOR VIOLATIONS-
`(1) AUTHORITY OF STATES- In addition to such other remedies as are
provided under State law, if the chief law enforcement officer of a State,
or an official or agency designated by a State, has reason to believe that
any person has violated or is violating this subtitle or a rule prescribed
under this subtitle, other than section 501 or a rule prescribed under such
section, the State--
`(A) may bring an action to enjoin such violation in any appropriate
United States district court or in any other court of competent
jurisdiction; and
`(B) may bring an action on behalf of the residents of the State to
enforce compliance with such rule, to obtain damages, restitution, or
other compensation on behalf of residents of such State, or to obtain such
further and other relief as the court may deem appropriate.
`(2) RIGHTS OF FEDERAL REGULATORS-
`(A) PRIOR NOTICE- The State shall serve prior written notice of any
action under paragraph (1) upon the Federal Trade Commission and provide
the Federal Trade Commission with a copy of its complaint, except in any
case in which such prior notice is not feasible, in which case the State
shall serve such notice immediately upon instituting such action.
`(B) RIGHT TO INTERVENE- The Federal Trade Commission shall transmit
the notice received under subparagraph (A) to the agency or authority that
has jurisdiction of the subject of the complaint, and such agency or
authority shall have the right--
`(i) to intervene in an action under paragraph (1);
`(ii) upon so intervening, to be heard on all matters arising
therein;
`(iii) to remove the action to the appropriate United States
district court; and
`(iv) to file petitions for appeal.
`(3) INVESTIGATORY POWERS- For purposes of bringing any action under
this subsection, no provision of this subsection shall be construed as
preventing the chief law enforcement officer, or an official or agency
designated by a State, from exercising the powers conferred on the chief law
enforcement officer or such official by the laws of such State to conduct
investigations or to administer oaths or affirmations or to compel the
attendance of witnesses or the production of documentary and other
evidence.
`(4) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION PENDING- If a
Federal agency or authority has instituted a civil action for a violation of
this subtitle, no State may, during the pendency of such action, bring an
action under this section against any defendant named in the complaint of
the Federal agency or authority or such agency for any violation of this
subtitle that is alleged in that complaint.
`(d) DEFINITIONS- The terms used in subsection (a)(1) that are not defined
in this subtitle or otherwise defined in section 3(s) of the Federal Deposit
Insurance Act shall have the meaning given to them in section 1(b) of the
International Banking Act of 1978.
`SEC. 505. FAIR CREDIT REPORTING ACT AMENDMENT.
`(a) AMENDMENT- Section 621 of the Fair Credit Reporting Act (15 U.S.C.
1681s) is amended--
`(1) in subsection (d), by striking everything following the end of the
second sentence; and
`(2) by striking subsection (e) and inserting in lieu thereof the
following:
` `(e) REGULATORY AUTHORITY-
` `(1) The Federal banking agencies referred to in paragraphs (1) and
(2) of subsection (b) shall jointly prescribe such regulations as necessary
to carry out the purposes of this Act with respect to any persons identified
under paragraphs (1) and (2) of subsection (b).
` `(2) The Administrator of the National Credit Union Administration
shall prescribe such regulations as necessary to carry out the purposes of
this Act with respect to any persons identified under paragraph (3) of
subsection (b).
` `(3) The Federal Trade Commission shall prescribe such regulations as
necessary to carry out the purposes of this Act with respect to any persons
identified under subsection (a).'.
`(b) RELATION TO OTHER PROVISIONS- Except for the amendment made by this
section, nothing in this title shall be construed to modify, limit, or
supersede the operation of the Fair Credit Reporting Act, and no inference
shall be drawn on the basis of the provisions of this title regarding whether
information is transaction or experience information under section 603 of such
Act.
`SEC. 506. STATE ELECTION TO PARTICIPATE.
`(a) REGULATIONS- The Secretary of the Treasury may promulgate such
regulations as may be necessary to establish the procedures governing whether
the election required under section 504(a)(7) has been made.
`(b) DEADLINE- The deadline for a State to elect to become a participating
state is the first day of the first calendar quarter beginning after the close
of the first legislative session of the State legislature that begins on or
after the date the regulations required by section 504(a) are issued in final
form. For purposes of the previous sentence, in the case of a State that has a
2-year legislative session, each year of such session shall be deemed to be a
separate regular session of the State legislature.
`SEC. 507. RELATION TO STATE LAWS.
`(a) IN GENERAL- This subtitle shall not be construed as superseding,
altering, or affecting the statutes, regulations, orders, or interpretations
in effect in any State, except to the extent that such statutes, regulations,
orders, or interpretations are inconsistent with the provisions of this
subtitle, and then only to the extent of the inconsistency.
`(b) GREATER PROTECTION UNDER STATE LAW- For purposes of this section, a
State statute, regulation, order, or interpretation is not inconsistent with
the provisions of this subtitle if the protection such statute, regulation,
order, or interpretation affords any person is greater than the protection
provided under this subtitle as determined by the Commission or a Federal
functional regulator, on its own motion or upon the petition of any interested
party.
`SEC. 508. DEFINITIONS.
`As used in this subtitle:
`(1) COMMISSION- The term `Commission' means the Federal Trade
Commission.
`(2) FEDERAL FUNCTIONAL REGULATOR- The term `Federal functional
regulator' means--
`(A) the Board of Governors of the Federal Reserve System;
`(B) the Office of the Comptroller of the Currency;
`(C) the Board of Directors of the Federal Deposit Insurance
Corporation;
`(D) the Director of the Office of Thrift Supervision;
`(E) the National Credit Union Administration Board; and
`(F) the Securities and Exchange Commission.
`(3) FINANCIAL INSTITUTION- The term `financial institution' means any
institution the business of which is engaging in financial activities or
activities that are incidental or complementary to financial activities, as
determined under section 4(k) of the Bank Holding Company Act of 1956.
`(4) NONPUBLIC PERSONAL INFORMATION-
`(A) The term `nonpublic personal information' means personally
identifiable financial information--
`(i) provided by a consumer to a financial institution;
`(ii) resulting from any transaction with the consumer or the
service performed for the consumer; or
`(iii) otherwise obtained by the financial institution.
`(B) Such term does not include publicly available information, as
such term is defined by the regulations prescribed under section
504.
`(C) Notwithstanding subparagraph (B), such term--
`(i) shall include any list, description, or other grouping of
consumers (and publicly available information pertaining to them) that
is derived using any personally identifiable information other than
publicly available information; but
`(ii) shall not include any list, description, or other grouping of
consumers (and publicly available information pertaining to them) that
is derived without using any nonpublic personal information.
`(5) DIRECTORY INFORMATION- The term `publicly available directory
information' means subscriber list information required to be made available
for publication pursuant to section 222(e) of the Communications Act of 1934
(47 U.S.C. 222(3)).
`(6) UNRELATED USE- The term `unrelated use', when used with respect to
information collected by the financial institution in connection with any
transaction with a consumer in any financial product or any financial
service, means any use other than a use that is necessary to effect,
administer, or enforce such transaction.
`(7) AFFILIATE- The term `affiliate' means any company that controls, is
controlled by, or is under common control with another company.
`(8) NONAFFILIATED THIRD PARTY- The term `nonaffiliated third party'
means any entity that is not an affiliate of, or related by common ownership
or affiliated by corporate control with, the financial institution, but does
not include a joint employee of such institution.
`(9) NECESSARY TO EFFECT, ADMINISTER, OR ENFORCE- The disclosing or use
of nonpublic personal information shall be treated as necessary to effect or
administer a transaction with a consumer if the disclosing or use--
`(A) is required, or is a usual, appropriate, or acceptable method, to
carry out the transaction or the product or service business of which the
transaction is a part, and record or service or maintain the consumer's
account in the ordinary course of providing the financial service or
financial product, or to administer or service benefits or claims relating
to the transaction or the product or service business of which it is a
part, and includes--
`(i) providing the consumer or the consumer's agent or broker with a
confirmation, statement, or other record of the transaction, or
information on the status or value of the financial service or financial
product; and
`(ii) the accrual or recognition of incentives or bonuses associated
with the transaction that are provided by the financial institution or
any other party;
`(B) is required, or is one of the lawful or appropriate methods, to
enforce the rights of the financial institution or of other persons
engaged in carrying out the financial transaction, or providing the
product or service;
`(C) is required, or is a usual, appropriate, or acceptable method,
for insurance underwriting at the consumer's request or for reinsurance
purposes, or for any of the following purposes as they relate to a
consumer's insurance: account administration, reporting, investigating, or
preventing fraud or material misrepresentation, processing premium
payments, processing insurance claims, administering insurance benefits
(including utilization review activities), participating in research
projects, or as otherwise required or specifically permitted by Federal or
State law; or
`(D) the disclosure is required, or is a usual, appropriate or
acceptable method, in connection with--
`(i) the authorization, settlement, billing, processing, clearing,
transferring, reconciling, or collection of amounts charged, debited, or
otherwise paid using a debit, credit or other payment card, check, or
account number, or by other payment means;
`(ii) the transfer of receivables, accounts or interests therein;
or
`(iii) the audit of debit, credit or other payment
information.
Each agency or authority described in section 504(a) shall, consistent
with the purposes of this subtitle, prescribe by rule actions that shall, in
a variety of financial services, and with respect to a variety of financial
products, be treated as necessary to effect, administer, or enforce a
financial transaction.
`(10) FINANCIAL SERVICES; FINANCIAL PRODUCTS; TRANSACTION; RELATED
TRANSACTION- Each agency or authority described in section 504(a) shall,
consistent with the purposes of this subtitle, prescribe by rule definitions
of the terms `financial services', `financial products', `transaction',
`related transaction', and `unrelated third party' for purposes of this
subtitle.
`(11) STATE INSURANCE AUTHORITY- The term `State insurance authority'
means, in the case of any person engaged in providing insurance, the State
insurance authority of the State in which the person is domiciled.
`(12) CONSUMER- The term `consumer' means an individual who obtains,
from a financial institution, financial products or services which are to be
used primarily for personal, family, or household purposes, and also means
the legal representative of such an individual.
`(13) CUSTOMER RELATIONSHIP- The term `time of establishing a customer
relationship' shall be defined by the regulations prescribed under section
504.
`SEC. 509. EFFECTIVE DATE.
`This subtitle shall take effect 6 months after the date on which rules
are required to be prescribed under section 504(a)(3), except--
`(1) to the extent that a later date is specified in the rules
prescribed under section 504; and
`(2) that sections 504 and 506 shall be effective upon enactment.
`Subtitle B--Fraudulent Access to Financial Information
`SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL
INSTITUTIONS.
`(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY FALSE PRETENSES- It
shall be a violation of this subtitle for any person to obtain or attempt to
obtain, or cause to be disclosed or attempt to cause to be disclosed to any
person, customer information of a financial institution relating to another
person--
`(1) by making a false, fictitious, or fraudulent statement or
representation to an officer, employee, or agent of a financial
institution;
`(2) by making a false, fictitious, or fraudulent statement or
representation to a customer of a financial institution; or
`(3) by providing any document to an officer, employee, or agent of a
financial institution, knowing that the document is forged, counterfeit,
lost, or stolen, was fraudulently obtained, or contains a false, fictitious,
or fraudulent statement or representation.
`(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN CUSTOMER
INFORMATION FROM FINANCIAL INSTITUTION UNDER FALSE PRETENSES- It shall be a
violation of this subtitle to request a person to obtain customer information
of a financial institution, knowing that the person will obtain, or attempt to
obtain, the information from the institution in any manner described in
subsection (a).
`(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES- No provision of this
section shall be construed so as to prevent any action by a law enforcement
agency, or any officer, employee, or agent of such agency, to obtain customer
information of a financial institution in connection with the performance of
the official duties of the agency.
`(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN CASES- No
provision of this section shall be construed so as to prevent any financial
institution, or any officer, employee, or agent of a financial institution,
from obtaining customer information of such financial institution in the
course of--
`(1) testing the security procedures or systems of such institution for
maintaining the confidentiality of customer information;
`(2) investigating allegations of misconduct or negligence on the part
of any officer, employee, or agent of the financial institution; or
`(3) recovering customer information of the financial institution which
was obtained or received by another person in any manner described in
subsection (a) or (b).
`(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF
INSURANCE FRAUD- No provision of this section shall be construed so as to
prevent any insurance institution, or any officer, employee, or agency of an
insurance institution, from obtaining information as part of an insurance
investigation into criminal activity, fraud, material misrepresentation, or
material nondisclosure that is authorized for such institution under State
law, regulation, interpretation, or order.
`(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER INFORMATION OF
FINANCIAL INSTITUTIONS- No provision of this section shall be construed so as
to prevent any person from obtaining customer information of a financial
institution that otherwise is available as a public record filed pursuant to
the securities laws (as defined in section 3(a)(47) of the Securities Exchange
Act of 1934).
`SEC. 522. ADMINISTRATIVE ENFORCEMENT.
`(a) ENFORCEMENT BY FEDERAL TRADE COMMISSION- Compliance with this
subtitle shall be enforced by the Federal Trade Commission in the same manner
and with the same power and authority as the Commission has under the title
VIII, the Fair Debt Collection Practices Act, to enforce compliance with such
title.
`(b) NOTICE OF ACTIONS- The Federal Trade Commission shall--
`(1) notify the Securities and Exchange Commission whenever the Federal
Trade Commission initiates an investigation with respect to a financial
institution subject to regulation by the Securities and Exchange
Commission;
`(2) notify the Federal banking agency (as defined in section 3(z) of
the Federal Deposit Insurance Act) whenever the Commission initiates an
investigation with respect to a financial institution subject to regulation
by such Federal banking agency; and
`(3) notify the appropriate State insurance regulator whenever the
Commission initiates an investigation with respect to a financial
institution subject to regulation by such regulator.
`(c) STATE ACTION FOR VIOLATIONS-
`(1) AUTHORITY OF STATES- In addition to such other remedies as are
provided under State law, if the chief law enforcement officer of a State,
or an official or agency designated by a State, has reason to believe that
any person has violated or is violating this subtitle, the State--
`(A) may bring an action to enjoin such violation in any appropriate
United States district court or in any other court of competent
jurisdiction;
`(B) may bring an action on behalf of the residents of the State to
recover damages of not more than $1,000 for each violation; and
`(C) in the case of any successful action under subparagraph (A) or
(B), shall be awarded the costs of the action and reasonable attorney fees
as determined by the court.
`(2) RIGHTS OF FEDERAL REGULATORS-
`(A) PRIOR NOTICE- The State shall serve prior written notice of any
action under paragraph (1) upon the Federal Trade Commission and provide
the Federal Trade Commission with a copy of its complaint, except in any
case in which such prior notice is not feasible, in which case the State
shall serve such notice immediately upon instituting such action.
`(B) RIGHT TO INTERVENE- The Federal Trade Commission shall have the
right--
`(i) to intervene in an action under paragraph (1);
`(ii) upon so intervening, to be heard on all matters arising
therein;
`(iii) to remove the action to the appropriate United States
district court; and
`(iv) to file petitions for appeal.
`(3) INVESTIGATORY POWERS- For purposes of bringing any action under
this subsection, no provision of this subsection shall be construed as
preventing the chief law enforcement officer, or an official or agency
designated by a State, from exercising the powers conferred on the chief law
enforcement officer or such official by the laws of such State to conduct
investigations or to administer oaths or affirmations or to compel the
attendance of witnesses or the production of documentary and other
evidence.
`(4) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION PENDING- If the
Federal Trade Commission has instituted a civil action for a violation of
this subtitle, no State may, during the pendency of such action, bring an
action under this section against any defendant named in the complaint of
the Federal Trade Commission or such agency for any violation of this
subtitle that is alleged in that complaint.
`SEC. 523. CRIMINAL PENALTY.
`(a) IN GENERAL- Whoever knowingly and intentionally violates, or
knowingly and intentionally attempts to violate, section 521 shall be fined in
accordance with title 18, United States Code, or imprisoned for not more than
5 years, or both.
`(b) ENHANCED PENALTY FOR AGGRAVATED CASES- Whoever violates, or attempts
to violate, section 521 while violating another law of the United States or as
part of a pattern of any illegal activity involving more than $100,000 in a
12-month period shall be fined twice the amount provided in subsection (b)(3)
or (c)(3) (as the case may be) of section 3571 of title 18, United States
Code, imprisoned for not more than 10 years, or both.
`SEC. 524. RELATION TO STATE LAWS.
`(a) IN GENERAL- This subtitle shall not be construed as superseding,
altering, or affecting the statutes, regulations, orders, or interpretations
in effect in any State, except to the extent that such statutes, regulations,
orders, or interpretations are inconsistent with the provisions of this
subtitle, and then only to the extent of the inconsistency.
`(b) GREATER PROTECTION UNDER STATE LAW- For purposes of this section, a
State statute, regulation, order, or interpretation is not inconsistent with
the provisions of this subtitle if the protection such statute, regulation,
order, or interpretation affords any person is greater than the protection
provided under this subtitle as determined by the Commission, on its own
motion or upon the petition of any interested party.
`SEC. 525. AGENCY GUIDANCE.
`In furtherance of the objectives of this subtitle, each Federal banking
agency (as defined in section 3(z) of the Federal Deposit Insurance Act) and
the Securities and Exchange Commission or self-regulatory organizations, as
appropriate, shall review regulations and guidelines applicable to financial
institutions under their respective jurisdictions and shall prescribe such
revisions to such regulations and guidelines as may be necessary to ensure
that such financial institutions have policies, procedures, and controls in
place to prevent the unauthorized disclosure of customer financial information
and to deter and detect activities proscribed under section 521.
`SEC. 526. REPORTS.
`(a) REPORT TO THE CONGRESS- Before the end of the 18-month period
beginning on the date of the enactment of this Act, the Comptroller General,
in consultation with the Federal Trade Commission, Federal banking agencies,
the Securities and Exchange Commission, appropriate Federal law enforcement
agencies, and appropriate State insurance regulators, shall submit to the
Congress a report on the following:
`(1) The efficacy and adequacy of the remedies provided in this subtitle
in addressing attempts to obtain financial information by fraudulent means
or by false pretenses.
`(2) Any recommendations for additional legislative or regulatory action
to address threats to the privacy of financial information created by
attempts to obtain information by fraudulent means or false pretenses.
`(b) ANNUAL REPORT BY ADMINISTERING AGENCIES- The Federal Trade Commission
and the Attorney General shall submit to Congress an annual report on number
and disposition of all enforcement actions taken pursuant to this subtitle.
`SEC. 527. DEFINITIONS.
`For purposes of this subtitle, the following definitions shall apply:
`(1) CUSTOMER- The term `customer' means, with respect to a financial
institution, any person (or authorized representative of a person) to whom
the financial institution provides a product or service, including that of
acting as a fiduciary.
`(2) CUSTOMER INFORMATION OF A FINANCIAL INSTITUTION- The term `customer
information of a financial institution' means any information maintained by
or for a financial institution which is derived from the relationship
between the financial institution and a customer of the financial
institution and is identified with the customer.
`(3) DOCUMENT- The term `document' means any information in any
form.
`(4) FINANCIAL INSTITUTION-
`(A) IN GENERAL- The term `financial institution' means any
institution engaged in the business of providing financial services to
customers who maintain a credit, deposit, trust, or other financial
account or relationship with the institution.
`(B) CERTAIN FINANCIAL INSTITUTIONS SPECIFICALLY INCLUDED- The term
`financial institution' includes any depository institution (as defined in
section 19(b)(1)(A) of the Federal Reserve Act), any broker or dealer, any
investment adviser or investment company, any insurance company, any loan
or finance company, any credit card issuer or operator of a credit card
system, and any consumer reporting agency that compiles and maintains
files on consumers on a nationwide basis (as defined in section
603(p)).
`(C) SECURITIES INSTITUTIONS- For purposes of subparagraph
(B)--
`(i) the terms `broker' and `dealer' have the meanings provided in
section 3 of the Securities Exchange Act of 1934 (15 U.S.C.
78c);
`(ii) the term `investment adviser' has the meaning provided in
section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C.
80b-2(a)); and
`(iii) the term `investment company' has the meaning provided in
section 3 of the Investment Company Act of 1940 (15 U.S.C.
80a-3).
`(D) FURTHER DEFINITION BY REGULATION- The Federal Trade Commission,
after consultation with Federal banking agencies and the Securities and
Exchange Commission, may prescribe regulations clarifying or describing
the types of institutions which shall be treated as financial institutions
for purposes of this subtitle.
END