TITLE V--PRIVACY
Subtitle A--Disclosure of Nonpublic Personal Information
Sec. 501. Protection of nonpublic personal information.
Sec. 502. Obligations with respect to disclosures of personal information.
Sec. 503. Disclosure of institution privacy policy.
Sec. 504. Rulemaking.
Sec. 505. Enforcement.
Sec. 506. Protection of Fair Credit Reporting Act.
Sec. 507. Relation to State laws.
Sec. 508. Study of information sharing among financial affiliates.
Sec. 509. Definitions.
Sec. 510. Effective date.
Subtitle B--Fraudulent Access to Financial Information
Sec. 521. Privacy protection for customer information of financial institutions.
Sec. 522. Administrative enforcement.
Sec. 523. Criminal penalty.
Sec. 524. Relation to State laws.
Sec. 525. Agency guidance.
Sec. 526. Reports.
Sec. 527. Definitions.
TITLE V--PRIVACY
Subtitle A--Disclosure of Nonpublic Personal Information
SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.
(a) PRIVACY OBLIGATION POLICY- It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
(b) FINANCIAL INSTITUTIONS SAFEGUARDS- In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards--
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.
(a) NOTICE REQUIREMENTS- Except as otherwise provided in this subtitle, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 503.
(b) OPT OUT-
(1) IN GENERAL- A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless--
(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be disclosed to such third party;
(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and
(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.
(2) EXCEPTION- This subsection shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the regulations prescribed under section 504, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.
(c) LIMITS ON REUSE OF INFORMATION- Except as otherwise provided in this subtitle, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.
(d) LIMITATIONS ON THE SHARING OF ACCOUNT NUMBER INFORMATION FOR MARKETING PURPOSES- A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
(e) GENERAL EXCEPTIONS- Subsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information--
(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with--
(A) servicing or processing a financial product or service requested or authorized by the consumer;
(B) maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;
(2) with the consent or at the direction of the consumer;
(3)(A) to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein; (B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (C) for required institutional risk control, or for resolving customer disputes or inquiries; (D) to persons holding a legal or beneficial interest relating to the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
(4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors;
(5) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91-508 (12 U.S.C. 1951-1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
(6)(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act, or (B) from a consumer report reported by a consumer reporting agency;
(7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
(8) to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY.
(a) DISCLOSURE REQUIRED- At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, of such financial institution's policies and practices with respect to--
(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed;
(2) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and
(3) protecting the nonpublic personal information of consumers.
Such disclosures shall be made in accordance with the regulations prescribed under section 504.
(b) INFORMATION TO BE INCLUDED- The disclosure required by subsection (a) shall include--
(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 502 of this subtitle, and including--
(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 502(e); and
(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;
(2) the categories of nonpublic personal information that are collected by the financial institution;
(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501; and
(4) the disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act.
SEC. 504. RULEMAKING.
(a) REGULATORY AUTHORITY-
(1) RULEMAKING- The Federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the Securities and Exchange Commission, and the Federal Trade Commission shall each prescribe, after consultation as appropriate with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, such regulations as may be necessary to carry out the purposes of this subtitle with respect to the financial institutions subject to their jurisdiction under section 505.
(2) COORDINATION, CONSISTENCY, AND COMPARABILITY- Each of the agencies and authorities required under paragraph (1) to prescribe regulations shall consult and coordinate with the other such agencies and authorities for the purposes of assuring, to the extent possible, that the regulations prescribed by each such agency and authority are consistent and comparable with the regulations prescribed by the other such agencies and authorities.
(3) PROCEDURES AND DEADLINE- Such regulations shall be prescribed in accordance with applicable requirements of title 5, United States Code, and shall be issued in final form not later than 6 months after the date of the enactment of this Act.
(b) AUTHORITY TO GRANT EXCEPTIONS- The regulations prescribed under subsection (a) may include such additional exceptions to subsections (a) through (d) of section 502 as are deemed consistent with the purposes of this subtitle.
SEC. 505. ENFORCEMENT.
(a) IN GENERAL- This subtitle and the regulations prescribed thereunder shall be enforced by the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission with respect to financial institutions and other persons subject to their jurisdiction under applicable law, as follows:
(1) Under section 8 of the Federal Deposit Insurance Act, in the case of--
(A) national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Governors of the Federal Reserve System;
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Directors of the Federal Deposit Insurance Corporation; and
(D) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Director of the Office of Thrift Supervision.
(2) Under the Federal Credit Union Act, by the Board of the National Credit Union Administration with respect to any federally insured credit union, and any subsidiaries of such an entity.
(3) Under the Securities Exchange Act of 1934, by the Securities and Exchange Commission with respect to any broker or dealer.
(4) Under the Investment Company Act of 1940, by the Securities and Exchange Commission with respect to investment companies.
(5) Under the Investment Advisers Act of 1940, by the Securities and Exchange Commission with respect to investment advisers registered with the Commission under such Act.
(6) Under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled, subject to section 104 of this Act.
(7) Under the Federal Trade Commission Act, by the Federal Trade Commission for any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under paragraphs (1) through (6) of this subsection.
(b) ENFORCEMENT OF SECTION 501-
(1) IN GENERAL- Except as provided in paragraph (2), the agencies and authorities described in subsection (a) shall implement the standards prescribed under section 501(b) in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act are implemented pursuant to such section.
(2) EXCEPTION- The agencies and authorities described in paragraphs (3), (4), (5), (6), and (7) of subsection (a) shall implement the standards prescribed under section 501(b) by rule with respect to the financial institutions and other persons subject to their respective jurisdictions under subsection (a).
(c) ABSENCE OF STATE ACTION- If a State insurance authority fails to adopt regulations to carry out this subtitle, such State shall not be eligible to override, pursuant to section 47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protection regulations prescribed by a Federal banking agency under section 47(a) of such Act.
(d) DEFINITIONS- The terms used in subsection (a)(1) that are not defined in this subtitle or otherwise defined in section 3(s) of the Federal Deposit Insurance Act shall have the same meaning as given in section 1(b) of the International Banking Act of 1978.
SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.
(a) AMENDMENT- Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s) is amended--
(1) in subsection (d), by striking everything following the end of the second sentence; and
(2) by striking subsection (e) and inserting the following:
`(e) REGULATORY AUTHORITY-
`(1) The Federal banking agencies referred to in paragraphs (1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraphs (1) and (2) of subsection (b), and the Board of Governors of the Federal Reserve System shall have authority to prescribe regulations consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.
`(2) The Board of the National Credit Union Administration shall prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraph (3) of subsection (b).'.
(b) CONFORMING AMENDMENT- Section 621(a) of the Fair Credit Reporting Act (15 U.S.C. 1681s(a)) is amended by striking paragraph (4).
(c) RELATION TO OTHER PROVISIONS- Except for the amendments made by subsections (a) and (b), nothing in this title shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act, and no inference shall be drawn on the basis of the provisions of this title regarding whether information is transaction or experience information under section 603 of such Act.
SEC. 507. RELATION TO STATE LAWS.
(a) IN GENERAL- This subtitle and the amendments made by this subtitle shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.
(b) GREATER PROTECTION UNDER STATE LAW- For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle and the amendments made by this subtitle, as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 505(a) of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.
SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES.
(a) IN GENERAL- The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include--
(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;
(2) the extent and adequacy of security protections for such information;
(3) the potential risks for customer privacy of such sharing of information;
(4) the potential benefits for financial institutions and affiliates of such sharing of information;
(5) the potential benefits for customers of such sharing of information;
(6) the adequacy of existing laws to protect customer privacy;
(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;
(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and
(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.
(b) CONSULTATION- The Secretary shall consult with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, and also with financial services industry, consumer organizations and privacy groups, and other representatives of the general public, in formulating and conducting the study required by subsection (a).
(c) REPORT- On or before January 1, 2002, the Secretary shall submit a report to the Congress containing the findings and conclusions of the study required under subsection (a), together with such recommendations for legislative or administrative action as may be appropriate.
SEC. 509. DEFINITIONS.
As used in this subtitle:
(1) FEDERAL BANKING AGENCY- The term `Federal banking agency' has the same meaning as given in section 3 of the Federal Deposit Insurance Act.
(2) FEDERAL FUNCTIONAL REGULATOR- The term `Federal functional regulator' means--
(A) the Board of Governors of the Federal Reserve System;
(B) the Office of the Comptroller of the Currency;
(C) the Board of Directors of the Federal Deposit Insurance Corporation;
(D) the Director of the Office of Thrift Supervision;
(E) the National Credit Union Administration Board; and
(F) the Securities and Exchange Commission.
(3) FINANCIAL INSTITUTION-
(A) IN GENERAL- The term `financial institution' means any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.
(B) PERSONS SUBJECT TO CFTC REGULATION- Notwithstanding subparagraph (A), the term `financial institution' does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act.
(C) FARM CREDIT INSTITUTIONS- Notwithstanding subparagraph (A), the term `financial institution' does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.
(D) OTHER SECONDARY MARKET INSTITUTIONS- Notwithstanding subparagraph (A), the term `financial institution' does not include institutions chartered by Congress specifically to engage in transactions described in section 502(e)(1)(C), as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(4) NONPUBLIC PERSONAL INFORMATION-
(A) The term `nonpublic personal information' means personally identifiable financial information--
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
(iii) otherwise obtained by the financial institution.
(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 504.
(C) Notwithstanding subparagraph (B), such term--
(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.
(5) NONAFFILIATED THIRD PARTY- The term `nonaffiliated third party' means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.
(6) AFFILIATE- The term `affiliate' means any company that controls, is controlled by, or is under common control with another company.
(7) NECESSARY TO EFFECT, ADMINISTER, OR ENFORCE- The term `as necessary to effect, administer, or enforce the transaction' means--
(A) the disclosure is required, or is a usual, appropriate, or acceptable method, to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes--
(i) providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product; and
(ii) the accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or any other party;
(B) the disclosure is required, or is one of the lawful or appropriate methods, to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction, or providing the product or service;
(C) the disclosure is required, or is a usual, appropriate, or acceptable method, for insurance underwriting at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; or
(D) the disclosure is required, or is a usual, appropriate or acceptable method, in connection with--
(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means;
(ii) the transfer of receivables, accounts or interests therein; or
(iii) the audit of debit, credit or other payment information.
(8) STATE INSURANCE AUTHORITY- The term `State insurance authority' means, in the case of any person engaged in providing insurance, the State insurance authority of the State in which the person is domiciled.
(9) CONSUMER- The term `consumer' means an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.
(10) JOINT AGREEMENT- The term `joint agreement' means a formal written contract pursuant to which two or more financial institutions jointly offer, endorse, or sponsor a financial product or service, and as may be further defined in the regulations prescribed under section 504.
(11) CUSTOMER RELATIONSHIP- The term `time of establishing a customer relationship' shall be defined by the regulations prescribed under section 504, and shall, in the case of a financial institution engaged in extending credit directly to consumers to finance purchases of goods or services, mean the time of establishing the credit relationship with the consumer.
SEC. 510. EFFECTIVE DATE.
This subtitle shall take effect 6 months after the date on which rules are required to be prescribed under section 504(a)(3), except--
(1) to the extent that a later date is specified in the rules prescribed under section 504; and
(2) that sections 504 and 506 shall be effective upon enactment.
Subtitle B--Fraudulent Access to Financial Information
SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.
(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY FALSE PRETENSES- It shall be a violation of this subtitle for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person--
(1) by making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;
(2) by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or
(3) by providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.
(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN CUSTOMER INFORMATION FROM FINANCIAL INSTITUTION UNDER FALSE PRETENSES- It shall be a violation of this subtitle to request a person to obtain customer information of a financial institution, knowing that the person will obtain, or attempt to obtain, the information from the institution in any manner described in subsection (a).
(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES- No provision of this section shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, to obtain customer information of a financial institution in connection with the performance of the official duties of the agency.
(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN CASES- No provision of this section shall be construed so as to prevent any financial institution, or any officer, employee, or agent of a financial institution, from obtaining customer information of such financial institution in the course of--
(1) testing the security procedures or systems of such institution for maintaining the confidentiality of customer information;
(2) investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the financial institution; or
(3) recovering customer information of the financial institution which was obtained or received by another person in any manner described in subsection (a) or (b).
(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF INSURANCE FRAUD- No provision of this section shall be construed so as to prevent any insurance institution, or any officer, employee, or agency of an insurance institution, from obtaining information as part of an insurance investigation into criminal activity, fraud, material misrepresentation, or material nondisclosure that is authorized for such institution under State law, regulation, interpretation, or order.
(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS- No provision of this section shall be construed so as to prevent any person from obtaining customer information of a financial institution that otherwise is available as a public record filed pursuant to the securities laws (as defined in section 3(a)(47) of the Securities Exchange Act of 1934).
(g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS- No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.
SEC. 522. ADMINISTRATIVE ENFORCEMENT.
(a) ENFORCEMENT BY FEDERAL TRADE COMMISSION- Except as provided in subsection (b), compliance with this subtitle shall be enforced by the Federal Trade Commission in the same manner and with the same power and authority as the Commission has under the Fair Debt Collection Practices Act to enforce compliance with such Act.
(b) ENFORCEMENT BY OTHER AGENCIES IN CERTAIN CASES-
(1) IN GENERAL- Compliance with this subtitle shall be enforced under--
(A) section 8 of the Federal Deposit Insurance Act, in the case of--
(i) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the Comptroller of the Currency;
(ii) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, by the Board;
(iii) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System and national nonmember banks) and insured State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance Corporation; and
(iv) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, by the Director of the Office of Thrift Supervision; and
(B) the Federal Credit Union Act, by the Administrator of the National Credit Union Administration with respect to any Federal credit union.
(2) VIOLATIONS OF THIS SUBTITLE TREATED AS VIOLATIONS OF OTHER LAWS- For the purpose of the exercise by any agency referred to in paragraph (1) of its powers under any Act referred to in that paragraph, a violation of this subtitle shall be deemed to be a violation of a requirement imposed under that Act. In addition to its powers under any provision of law specifically referred to in paragraph (1), each of the agencies referred to in that paragraph may exercise, for the purpose of enforcing compliance with this subtitle, any other authority conferred on such agency by law.
SEC. 523. CRIMINAL PENALTY.
(a) IN GENERAL- Whoever knowingly and intentionally violates, or knowingly and intentionally attempts to violate, section 521 shall be fined in accordance with title 18, United States Code, or imprisoned for not more than 5 years, or both.
(b) ENHANCED PENALTY FOR AGGRAVATED CASES- Whoever violates, or attempts to violate, section 521 while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period shall be fined twice the amount provided in subsection (b)(3) or (c)(3) (as the case may be) of section 3571 of title 18, United States Code, imprisoned for not more than 10 years, or both.
SEC. 524. RELATION TO STATE LAWS.
(a) IN GENERAL- This subtitle shall not be construed as superseding, altering, or affecting the statutes, regulations, orders, or interpretations in effect in any State, except to the extent that such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.
(b) GREATER PROTECTION UNDER STATE LAW- For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 522 of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.
SEC. 525. AGENCY GUIDANCE.
In furtherance of the objectives of this subtitle, each Federal banking agency (as defined in section 3(z) of the Federal Deposit Insurance Act), the National Credit Union Administration, and the Securities and Exchange Commission or self-regulatory organizations, as appropriate, shall review regulations and guidelines applicable to financial institutions under their respective jurisdictions and shall prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect activities proscribed under section 521.
SEC. 526. REPORTS.
(a) REPORT TO THE CONGRESS- Before the end of the 18-month period beginning on the date of the enactment of this Act, the Comptroller General, in consultation with the Federal Trade Commission, Federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, appropriate Federal law enforcement agencies, and appropriate State insurance regulators, shall submit to the Congress a report on the following:
(1) The efficacy and adequacy of the remedies provided in this subtitle in addressing attempts to obtain financial information by fraudulent means or by false pretenses.
(2) Any recommendations for additional legislative or regulatory action to address threats to the privacy of financial information created by attempts to obtain information by fraudulent means or false pretenses.
(b) ANNUAL REPORT BY ADMINISTERING AGENCIES- The Federal Trade Commission and the Attorney General shall submit to Congress an annual report on number and disposition of all enforcement actions taken pursuant to this subtitle.
SEC. 527. DEFINITIONS.
For purposes of this subtitle, the following definitions shall apply:
(1) CUSTOMER- The term `customer' means, with respect to a financial institution, any person (or authorized representative of a person) to whom the financial institution provides a product or service, including that of acting as a fiduciary.
(2) CUSTOMER INFORMATION OF A FINANCIAL INSTITUTION- The term `customer information of a financial institution' means any information maintained by or for a financial institution which is derived from the relationship between the financial institution and a customer of the financial institution and is identified with the customer.
(3) DOCUMENT- The term `document' means any information in any form.
(4) FINANCIAL INSTITUTION-
(A) IN GENERAL- The term `financial institution' means any institution engaged in the business of providing financial services to customers who maintain a credit, deposit, trust, or other financial account or relationship with the institution.
(B) CERTAIN FINANCIAL INSTITUTIONS SPECIFICALLY INCLUDED- The term `financial institution' includes any depository institution (as defined in section 19(b)(1)(A) of the Federal Reserve Act), any broker or dealer, any investment adviser or investment company, any insurance company, any loan or finance company, any credit card issuer or operator of a credit card system, and any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis (as defined in section 603(p) of the Consumer Credit Protection Act).
(C) SECURITIES INSTITUTIONS- For purposes of subparagraph (B)--
(i) the terms `broker' and `dealer' have the same meanings as given in section 3 of the Securities Exchange Act of 1934 (15 U.S.C. 78c);
(ii) the term `investment adviser' has the same meaning as given in section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)); and
(iii) the term `investment company' has the same meaning as given in section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3).
(D) CERTAIN PERSONS AND ENTITIES SPECIFICALLY EXCLUDED- The term `financial institution' does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act and does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.
(E) FURTHER DEFINITION BY REGULATION- The Federal Trade Commission, after consultation with Federal banking agencies and the Securities and Exchange Commission, may prescribe regulations clarifying or describing the types of institutions which shall be treated as financial institutions for purposes of this subtitle.