gramm-leach-bliley act public law 106-102 106th … · subtitle a--disclosure of nonpublic personal...


Upload: doanthuan

Post on 02-Apr-2018


GRAMM-LEACH-BLILEY ACT

Public Law 106-102 106th Congress

TITLE V--PRIVACY

Subtitle A--Disclosure of Nonpublic Personal Information

SEC. 501. [NOTE: 15 USC 6801.] PROTECTION OF NONPUBLIC PERSONAL INFORMATION.

(a) Privacy Obligation Policy.--It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

(b) Financial Institutions Safeguards.--In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards--

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

SEC. 502. OBLIGATIONS [NOTE: 15 USC 6802.] WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.

(a) Notice Requirements.--Except as otherwise provided in this subtitle, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 503.

(b) Opt Out.--

(1) In general.--A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless--

(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be disclosed to such third party;

(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and

(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.

(2) Exception.--This subsection shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the regulations prescribed under section 504, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.

(c) Limits on Reuse of Information.--Except as otherwise provided in this subtitle, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.

(d) Limitations on the Sharing of Account Number Information for Marketing Purposes.--A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

(e) General Exceptions.--Subsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information--

(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with--

(A) servicing or processing a financial product or service requested or authorized by the consumer;

(B) maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

(2) with the consent or at the direction of the consumer;

(3)(A) to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein;

(B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;

(C) for required institutional risk control, or for resolving customer disputes or inquiries;

(D) to persons holding a legal or beneficial interest relating to the consumer; or

(E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;

(4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors;

(5) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91-508 (12 U.S.C. 1951-1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

(6)(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act, or

(B) from a consumer report reported by a consumer reporting agency;

(7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(8) to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

SEC. 503. [NOTE: 15 USC 6803.] DISCLOSURE OF INSTITUTION PRIVACY POLICY.

(a) Disclosure Required.--At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, of such financial institution's policies and practices with respect to--

(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed;

(2) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and

(3) protecting the nonpublic personal information of consumers.

Such disclosures shall be made in accordance with the regulations prescribed under section 504.

(b) Information To Be Included.--The disclosure required by subsection (a) shall include--

(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 502 of this subtitle, and including--

(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 502(e); and

(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;

(2) the categories of nonpublic personal information that are collected by the financial institution;

(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501; and

(4) the disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act.

SEC. 504. [NOTE: 15 USC 6804.] RULEMAKING.

(a) Regulatory Authority.--

(1) Rulemaking.--The Federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the Securities and Exchange Commission, and the Federal Trade Commission shall each prescribe, after consultation as appropriate with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, such regulations as may be necessary to carry out the purposes of this subtitle with respect to the financial institutions subject to their jurisdiction under section 505.

(2) Coordination, consistency, and comparability.--Each of the agencies and authorities required under paragraph (1) to prescribe regulations shall consult and coordinate with [[Page 113 STAT. 1440]] the other such agencies and authorities for the purposes of assuring, to the extent possible, that the regulations prescribed by each such agency and authority are consistent and comparable with the regulations prescribed by the other such agencies and authorities.

(3) Procedures and deadline.--Such regulations shall be prescribed in accordance with applicable requirements of title 5, United States Code, and shall be issued in final form not later than 6 months after the date of the enactment of this Act.

(b) Authority To Grant Exceptions.--The regulations prescribed under subsection (a) may include such additional exceptions to subsections (a) through (d) of section 502 as are deemed consistent with the purposes of this subtitle.

SEC. 505. [NOTE: 15 USC 6805.] ENFORCEMENT.

(a) In General.--This subtitle and the regulations prescribed thereunder shall be enforced by the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission with respect to financial institutions and other persons subject to their jurisdiction under applicable law, as follows:

(1) Under section 8 of the Federal Deposit Insurance Act, in the case of--

(A) national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Office of the Comptroller of the Currency;

(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Governors of the Federal Reserve System;

(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Directors of the Federal Deposit Insurance Corporation; and

(D) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Director of the Office of Thrift Supervision.

(2) Under the Federal Credit Union Act, by the Board of the National Credit Union Administration with respect to any federally insured credit union, and any subsidiaries of such an entity.

(3) Under the Securities Exchange Act of 1934, by the Securities and Exchange Commission with respect to any broker or dealer.

(4) Under the Investment Company Act of 1940, by the Securities and Exchange Commission with respect to investment companies.

(5) Under the Investment Advisers Act of 1940, by the Securities and Exchange Commission with respect to investment advisers registered with the Commission under such Act.

(6) Under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled, subject to section 104 of this Act.

(7) Under the Federal Trade Commission Act, by the Federal Trade Commission for any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under paragraphs (1) through (6) of this subsection.

(b) Enforcement of Section 501.--

(1) In general.--Except as provided in paragraph (2), the agencies and authorities described in subsection (a) shall implement the standards prescribed under section 501(b) in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act are implemented pursuant to such section.

(2) Exception.--The agencies and authorities described in paragraphs (3), (4), (5), (6), and (7) of subsection (a) shall implement the standards prescribed under section 501(b) by rule with respect to the financial institutions and other persons subject to their respective jurisdictions under subsection (a).

(c) Absence of State Action.--If a State insurance authority fails to adopt regulations to carry out this subtitle, such State shall not be eligible to override, pursuant to section 47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protection regulations prescribed by a Federal banking agency under section 47(a) of such Act.

(d) Definitions.--The terms used in subsection (a)(1) that are not defined in this subtitle or otherwise defined in section 3(s) of the Federal Deposit Insurance Act shall have the same meaning as given in section 1(b) of the International Banking Act of 1978.

SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.

(a) Amendment.--Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s) is amended--

(1) in subsection (d), by striking everything following the end of the second sentence; and

(2) by striking subsection (e) and inserting the following:

``(e) Regulatory Authority.--

``(1) The Federal banking agencies referred to in paragraphs (1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraphs (1) and (2) of subsection (b), and the Board of Governors of the Federal Reserve System shall have authority to prescribe regulations consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.

``(2) The Board of the National Credit Union Administration shall prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraph (3) of subsection (b).''.

(b) Conforming Amendment.--Section 621(a) of the Fair Credit Reporting Act (15 U.S.C. 1681s(a)) is amended by striking paragraph (4).

(c) Relation [NOTE: 15 USC 6806.] to Other Provisions.--Except for the amendments made by subsections (a) and (b), nothing in this title shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act, and no inference shall be drawn on the basis of the provisions of this title regarding whether information is transaction or experience information under section 603 of such Act.

SEC. 507. [NOTE: 15 USC 6807.] RELATION TO STATE LAWS.

(a) In General.--This subtitle and the amendments made by this subtitle shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.

(b) Greater Protection Under State Law.--For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle and the amendments made by this subtitle, as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 505(a) of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.

SEC. 508. STUDY [NOTE: 15 USC 6808.] OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES.

(a) In General.--The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include--

(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;

(2) the extent and adequacy of security protections for such information;

(3) the potential risks for customer privacy of such sharing of information;

(4) the potential benefits for financial institutions and affiliates of such sharing of information;

(5) the potential benefits for customers of such sharing of information;

(6) the adequacy of existing laws to protect customer privacy;

(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;

(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and

(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.

(b) Consultation.--The Secretary shall consult with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, and also with financial services industry, consumer organizations and privacy groups, and other representatives of the general public, in formulating and conducting the study required by subsection (a).

(c) Report.--On [NOTE: Deadline.] or before January 1, 2002, the Secretary shall submit a report to the Congress containing the findings and conclusions of the study required under subsection (a), together with such recommendations for legislative or administrative action as may be appropriate.

SEC. 509. [NOTE: 15 USC 6809.] DEFINITIONS.

As used in this subtitle:

(1) Federal banking agency.--The term ``Federal banking agency'' has the same meaning as given in section 3 of the Federal Deposit Insurance Act.

(2) Federal functional regulator.--The term ``Federal functional regulator'' means--

(A) the Board of Governors of the Federal Reserve System;

(B) the Office of the Comptroller of the Currency;

(C) the Board of Directors of the Federal Deposit Insurance Corporation;

(D) the Director of the Office of Thrift Supervision;

(E) the National Credit Union Administration Board; and

(F) the Securities and Exchange Commission.

(3) Financial institution.--

(A) In general.--The term ``financial institution'' means any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.

(B) Persons subject to CFTC regulation.--Notwithstanding subparagraph (A), the term ``financial institution'' does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act.

(C) Farm credit institutions.--Notwithstanding subparagraph (A), the term ``financial institution'' does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.

(D) Other secondary market institutions.--Notwithstanding subparagraph (A), the term ``financial institution'' does not include institutions chartered by Congress specifically to engage in transactions described in section 502(e)(1)(C), as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

(4) Nonpublic personal information.--

(A) The term ``nonpublic personal information'' means personally identifiable financial information--

(i) provided by a consumer to a financial institution;

(ii) resulting from any transaction with the consumer or any service performed for the consumer; or

(iii) otherwise obtained by the financial institution.

(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 504.

(C) Notwithstanding subparagraph (B), such term--

(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but

(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.

(5) Nonaffiliated third party.--The term ``nonaffiliated third party'' means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.

(6) Affiliate.--The term ``affiliate'' means any company that controls, is controlled by, or is under common control with another company.

(7) Necessary to effect, administer, or enforce.--The term ``as necessary to effect, administer, or enforce the transaction'' means--

(A) the disclosure is required, or is a usual, appropriate, or acceptable method, to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes--

(i) providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product; and

(ii) the accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or any other party;

(B) the disclosure is required, or is one of the lawful or appropriate methods, to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction, or providing the product or service;

(C) the disclosure is required, or is a usual, appropriate, or acceptable method, for insurance underwriting at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; or

(D) the disclosure is required, or is a usual, appropriate or acceptable method, in connection with--

(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means;

(ii) the transfer of receivables, accounts or interests therein; or

(iii) the audit of debit, credit or other payment information.

(8) State insurance authority.--The term ``State insurance authority'' means, in the case of any person engaged in providing insurance, the State insurance authority of the State in which the person is domiciled.

(9) Consumer.--The term ``consumer'' means an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.

(10) Joint agreement.--The term ``joint agreement'' means a formal written contract pursuant to which two or more financial institutions jointly offer, endorse, or sponsor a financial product or service, and as may be further defined in the regulations prescribed under section 504.

(11) Customer [NOTE: Regulations.] relationship.--The term ``time of establishing a customer relationship'' shall be defined by the regulations prescribed under section 504, and shall, in the case of a financial institution engaged in extending credit directly to consumers to finance purchases of goods or services, mean the time of establishing the credit relationship with the consumer.

SEC. 510. [NOTE: 15 USC 6801 note.] EFFECTIVE DATE.

This subtitle shall take effect 6 months after the date on which rules are required to be prescribed under section 504(a)(3), except--

(1) to the extent that a later date is specified in the rules prescribed under section 504; and

(2) that sections 504 and 506 shall be effective upon enactment.

Subtitle B--Fraudulent Access to Financial Information

SEC. 521. PRIVACY [NOTE: 15 USC 6821.] PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.

(a) Prohibition on Obtaining Customer Information by False Pretenses.--It shall be a violation of this subtitle for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person--

(1) by making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;

Page 15: GRAMM-LEACH-BLILEY ACT Public Law 106-102 106th … · Subtitle A--Disclosure of Nonpublic Personal Information ... of the Fair Credit Reporting Act. SEC. 504. NOTE: 15 USC 6804

(2) by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or

(3) by providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.

(b) Prohibition on Solicitation of a Person To Obtain Customer Information From Financial Institution Under False Pretenses.--It shall be a violation of this subtitle to request a person to obtain customer information of a financial institution, knowing that the person will obtain, or attempt to obtain, the information from the institution in any manner described in subsection (a).

(c) Nonapplicability to Law Enforcement Agencies.--No provision of this section shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, to obtain customer information of a financial institution in connection with the performance of the official duties of the agency.

(d) Nonapplicability to Financial Institutions in Certain Cases.--No provision of this section shall be construed so as to prevent any financial institution, or any officer, employee, or agent of a financial institution, from obtaining customer information of such financial institution in the course of--

(1) testing the security procedures or systems of such institution for maintaining the confidentiality of customer information;

(2) investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the financial institution; or

(3) recovering customer information of the financial institution which was obtained or received by another person in any manner described in subsection (a) or (b).

(e) Nonapplicability to Insurance Institutions for Investigation of Insurance Fraud.--No provision of this section shall be construed so as to prevent any insurance institution, or any officer, employee, or agency of an insurance institution, from obtaining information as part of an insurance investigation into criminal activity, fraud, material misrepresentation, or material nondisclosure that is authorized for such institution under State law, regulation, interpretation, or order.

(f) Nonapplicability to Certain Types of Customer Information of Financial Institutions.--No provision of this section shall be construed so as to prevent any person from obtaining customer information of a financial institution that otherwise is available as a public record filed pursuant to the securities laws (as defined in section 3(a)(47) of the Securities Exchange Act of 1934).

(g) Nonapplicability to Collection of Child Support Judgments.--No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.

SEC. 522. NOTE: 15 USC 6822. ADMINISTRATIVE ENFORCEMENT.

(a) Enforcement by Federal Trade Commission.--Except as provided in subsection (b), compliance with this subtitle shall be enforced by the Federal Trade Commission in the same manner and with the same power and authority as the Commission has under the Fair Debt Collection Practices Act to enforce compliance with such Act.

(b) Enforcement by Other Agencies in Certain Cases.--

(1) In general.--Compliance with this subtitle shall be enforced under--

(A) section 8 of the Federal Deposit Insurance Act, in the case of--

(i) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;

(ii) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, by the Board;

(iii) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System and national nonmember banks) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation; and

(iv) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, by the Director of the Office of Thrift Supervision; and

(B) the Federal Credit Union Act, by the Administrator of the National Credit Union Administration with respect to any Federal credit union.

(2) Violations of this subtitle treated as violations of other laws.--For the purpose of the exercise by any agency referred to in paragraph (1) of its powers under any Act referred to in that paragraph, a violation of this subtitle shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in paragraph (1), each of the agencies referred to in that paragraph may exercise, for the purpose of enforcing compliance with this subtitle, any other authority conferred on such agency by law.

SEC. 523. NOTE: 15 USC 6823. CRIMINAL PENALTY.

(a) In General.--Whoever knowingly and intentionally violates, or knowingly and intentionally attempts to violate, section 521 shall be fined in accordance with title 18, United States Code, or imprisoned for not more than 5 years, or both.

(b) Enhanced Penalty for Aggravated Cases.--Whoever violates, or attempts to violate, section 521 while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period shall be fined twice the amount provided in subsection (b)(3) or (c)(3) (as the case may be) of section 3571 of title 18, United States Code, imprisoned for not more than 10 years, or both.

SEC. 524. NOTE: 15 USC 6824. RELATION TO STATE LAWS.

(a) In General.--This subtitle shall not be construed as superseding, altering, or affecting the statutes, regulations, orders, or interpretations in effect in any State, except to the extent that such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.

(b) Greater Protection Under State Law.--For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 522 of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.

SEC. 525. NOTE: 15 USC 6825. AGENCY GUIDANCE. In furtherance of the objectives of this subtitle, each Federal banking agency (as defined in section 3(z) of the Federal Deposit Insurance Act), the National Credit Union Administration, and the Securities and Exchange Commission or self-regulatory organizations, as appropriate, shall review regulations and guidelines applicable to financial institutions under their respective jurisdictions and shall prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect activities proscribed under section 521.

SEC. 526. NOTE: 15 USC 6826. REPORTS.

(a) Report to the Congress.--Before the end of the 18-month period beginning on the date of the enactment of this Act, the Comptroller General, in consultation with the Federal Trade Commission, Federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, appropriate Federal law enforcement agencies, and appropriate State insurance regulators, shall submit to the Congress a report on the following:

(1) The efficacy and adequacy of the remedies provided in this subtitle in addressing attempts to obtain financial information by fraudulent means or by false pretenses.

(2) Any recommendations for additional legislative or regulatory action to address threats to the privacy of financial information created by attempts to obtain information by fraudulent means or false pretenses.

(b) Annual Report by Administering Agencies.--The Federal Trade Commission and the Attorney General shall submit to Congress an annual report on number and disposition of all enforcement actions taken pursuant to this subtitle.

SEC. 527. NOTE: 15 USC 6827. DEFINITIONS. For purposes of this subtitle, the following definitions shall apply:

(1) Customer.--The term ``customer'' means, with respect to a financial institution, any person (or authorized representative of a person) to whom the financial institution provides a product or service, including that of acting as a fiduciary.

(2) Customer information of a financial institution.--The term ``customer information of a financial institution'' means any information maintained by or for a financial institution which is derived from the relationship between the financial institution and a customer of the financial institution and is identified with the customer.

(3) Document.--The term ``document'' means any information in any form.

(4) Financial institution.--

(A) In general.--The term ``financial institution'' means any institution engaged in the business of providing financial services to customers who maintain a credit, deposit, trust, or other financial account or relationship with the institution.

(B) Certain financial institutions specifically included.--The term ``financial institution'' includes any depository institution (as defined in section 19(b)(1)(A) of the Federal Reserve Act), any broker or dealer, any investment adviser or investment company, any insurance company, any loan or finance company, any credit card issuer or operator of a credit card system, and any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (as defined in section 603(p) of the Consumer Credit Protection Act).

(C) Securities institutions.--For purposes of subparagraph (B)--

(i) the terms ``broker'' and ``dealer'' have the same meanings as given in section 3 of the Securities Exchange Act of 1934 (15 U.S.C. 78c);

(ii) the term ``investment adviser'' has the same meaning as given in section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)); and [[Page 113 STAT. 1450]]

(iii) the term ``investment company'' has the same meaning as given in section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3).

(D) Certain persons and entities specifically excluded.--The term ``financial institution'' does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act and does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.

(E) Further definition by regulation.--The Federal Trade Commission, after consultation with Federal banking agencies and the Securities and Exchange Commission, may prescribe regulations clarifying or describing the types of institutions which shall be treated as financial institutions for purposes of this subtitle.

GRAMM-LEACH-BLILEY ACT

Public Law 106-102 106th Congress

An Act To enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers, and for other purposes. NOTE: Nov. 12, 1999 - [S. 900] Be it enacted by the Senate and House of Representatives of the United States of America in Congress NOTE: Gramm-Leach-Bliley Act. assembled,

SEC. 103. FINANCIAL ACTIVITIES.

(a) In General.--Section 4 of the Bank Holding Company Act of 1956 (12 U.S.C. 1843) is amended by adding at the end the following new subsections:

``(k) Engaging in Activities That Are Financial in Nature.--

``(1) In general.--Notwithstanding subsection (a), a financial holding company may engage in any activity, and may acquire and retain the shares of any company engaged in any activity, that the Board, in accordance with paragraph (2), determines (by regulation or order)--

``(A) to be financial in nature or incidental to such financial activity; or

``(B) is complementary to a financial activity and does not pose a substantial risk to the safety or soundness of depository institutions or the financial system generally.

``(2) Coordination between the board and the secretary of the treasury.--

``(A) Proposals raised before the board.--

``(i) Consultation.--The NOTE: Notification. Board shall notify the Secretary of the Treasury of, and consult with the Secretary of the Treasury concerning, any request, proposal, or application under this subsection for a determination of whether an activity is financial in nature or incidental to a financial activity.

``(ii) Treasury view.--The NOTE: Deadline. Board shall not determine that any activity is financial in nature or incidental to a financial activity under this subsection if the Secretary of the Treasury notifies the Board in writing, not later than 30 days after the date of receipt of the notice described in clause (i) (or such longer period as the Board determines to be appropriate under the circumstances) that the Secretary of the Treasury believes that the activity is not financial in nature or incidental to a financial activity or is not otherwise permissible under this section.

``(B) Proposals raised by the treasury.--

``(i) Treasury recommendation.--The Secretary of the Treasury may, at any time, recommend in writing that the Board find an activity to be financial in nature or incidental to a financial activity.

``(ii) Time NOTE: Deadline. Notification. period for board action.--Not later than 30 days after the date of receipt of a written recommendation from the Secretary of the Treasury under clause (i) (or such longer period as the Secretary of the Treasury and the Board determine to be appropriate under the circumstances), the Board shall determine whether to initiate a public rulemaking proposing that the recommended activity be found to be financial in nature or incidental to a financial activity under this subsection, and shall notify the Secretary of the Treasury in writing of the determination of the Board and, if the Board determines not to seek public comment on the proposal, the reasons for that determination.

``(3) Factors to be considered.--In determining whether an activity is financial in nature or incidental to a financial activity, the Board shall take into account--

``(A) the purposes of this Act and the Gramm-Leach-Bliley Act;

``(B) changes or reasonably expected changes in the marketplace in which financial holding companies compete;

``(C) changes or reasonably expected changes in the technology for delivering financial services; and

``(D) whether such activity is necessary or appropriate to allow a financial holding company and the affiliates of a financial holding company to--

``(i) compete effectively with any company seeking to provide financial services in the United States;

``(ii) efficiently deliver information and services that are financial in nature through the use of technological means, including any application necessary to protect the security or efficacy of systems for the transmission of data or financial transactions; and

``(iii) offer customers any available or emerging technological means for using financial services or for the document imaging of data.

``(4) Activities that are financial in nature.--For purposes of this subsection, the following activities shall be considered to be financial in nature:

``(A) Lending, exchanging, transferring, investing for others, or safeguarding money or securities.

``(B) Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State.

``(C) Providing financial, investment, or economic advisory services, including advising an investment company (as defined in section 3 of the Investment Company Act of 1940).

``(D) Issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly.

``(E) Underwriting, dealing in, or making a market in securities.

``(F) Engaging in any activity that the Board has determined, by order or regulation that is in effect on the date of the enactment of the Gramm-Leach-Bliley Act, to be so closely related to banking or managing or controlling banks as to be a proper incident thereto (subject to the same terms and conditions contained in such order or regulation, unless modified by the Board).

``(G) Engaging, in the United States, in any activity that--

``(i) a bank holding company may engage in outside of the United States; and [[Page 113 STAT. 1344]]

``(ii) the Board has determined, under regulations prescribed or interpretations issued pursuant to subsection (c)(13) (as in effect on the day before the date of the enactment of the Gramm-Leach-Bliley Act) to be usual in connection with the transaction of banking or other financial operations abroad.

``(H) Directly or indirectly acquiring or controlling, whether as principal, on behalf of 1 or more entities (including entities, other than a depository institution or subsidiary of a depository institution, that the bank holding company controls), or otherwise, shares, assets, or ownership interests (including debt or equity securities, partnership interests, trust certificates, or other instruments representing ownership) of a company or other entity, whether or not constituting control of such company or entity, engaged in any activity not authorized pursuant to this section if--

``(i) the shares, assets, or ownership interests are not acquired or held by a depository institution or subsidiary of a depository institution;

``(ii) such shares, assets, or ownership interests are acquired and held by--

``(I) a securities affiliate or an affiliate thereof; or

``(II) an affiliate of an insurance company described in subparagraph (I)(ii) that provides investment advice to an insurance company and is registered pursuant to the Investment Advisers Act of 1940, or an affiliate of such investment adviser; as part of a bona fide underwriting or merchant or investment banking activity, including investment activities engaged in for the purpose of appreciation and ultimate resale or disposition of the investment;

``(iii) such shares, assets, or ownership interests are held for a period of time to enable the sale or disposition thereof on a reasonable basis consistent with the financial viability of the activities described in clause (ii); and

``(iv) during the period such shares, assets, or ownership interests are held, the bank holding company does not routinely manage or operate such company or entity except as may be necessary or required to obtain a reasonable return on investment upon resale or disposition.

``(I) Directly or indirectly acquiring or controlling, whether as principal, on behalf of 1 or more entities (including entities, other than a depository institution or subsidiary of a depository institution, that the bank holding company controls) or otherwise, shares, assets, or ownership interests (including debt or equity securities, partnership interests, trust certificates or other instruments representing ownership) of a company or other entity, whether or not constituting control of such company or entity, engaged in any activity not authorized pursuant to this section if--

``(i) the shares, assets, or ownership interests are not acquired or held by a depository institution or a subsidiary of a depository institution;

``(ii) such shares, assets, or ownership interests are acquired and held by an insurance company that is predominantly engaged in underwriting life, accident and health, or property and casualty insurance (other than credit-related insurance) or providing and issuing annuities;

``(iii) such shares, assets, or ownership interests represent an investment made in the ordinary course of business of such insurance company in accordance with relevant State law governing such investments; and

``(iv) during the period such shares, assets, or ownership interests are held, the bank holding company does not routinely manage or operate such company except as may be necessary or required to obtain a reasonable return on investment.

``(5) Actions required.--

``(A) In NOTE: Regulations. general.--The Board shall, by regulation or order, define, consistent with the purposes of this Act, the activities described in subparagraph (B) as financial in nature, and the extent to which such activities are financial in nature or incidental to a financial activity.

``(B) Activities.--The activities described in this subparagraph are as follows:

``(i) Lending, exchanging, transferring, investing for others, or safeguarding financial assets other than money or securities.

``(ii) Providing any device or other instrumentality for transferring money or other financial assets.

``(iii) Arranging, effecting, or facilitating financial transactions for the account of third parties.

``(6) Required notification.--

``(A) In NOTE: Deadline. general.--A financial holding company that acquires any company or commences any activity pursuant to this subsection shall provide written notice to the Board describing the activity commenced or conducted by the company acquired not later than 30 calendar days after commencing the activity or consummating the acquisition, as the case may be.

``(B) Approval not required for certain financial activities.--Except as provided in subsection (j) with regard to the acquisition of a savings association, a financial holding company may commence any activity, or acquire any company, pursuant to paragraph (4) or any regulation prescribed or order issued under paragraph (5), without prior approval of the Board.

``(7) Merchant banking activities.--

``(A) Joint regulations.--The Board and the Secretary of the Treasury may issue such regulations implementing paragraph (4)(H), including limitations on transactions between depository institutions and companies controlled pursuant to such paragraph, as the Board and the Secretary jointly deem appropriate to assure compliance with the purposes and prevent evasions of this Act and the Gramm-Leach-Bliley Act and to protect depository institutions.

``(B) Sunset of restrictions on merchant banking activities of financial subsidiaries.--The restrictions contained in paragraph (4)(H) on the ownership and control of shares, assets, or ownership interests by or on behalf of a subsidiary of a depository institution shall not apply to a financial subsidiary (as defined in section 5136A of the Revised Statutes of the United States) of a bank, if the Board and the Secretary of the Treasury jointly authorize financial subsidiaries of banks to engage in merchant banking activities pursuant to section 122 of the Gramm-Leach-Bliley Act.