Privacy rules for financial institutions take effect
You may be getting less junk mail and fewer telemarketing calls after July 1 thanks to some new regulations covering financial institutions.
Title V, Subtitle A of the Gramm-Leach-Bliley Act (“the Act”), signed into law on Nov. 12, 1999, deals with the handling of nonpublic personal information of customers of financial institutions. The provision requires financial institutions to inform customers about the institution’s privacy policy, and if the institution shares nonpublic information about customers with third parties, the customer has the right to opt out or prevent the financial institution from doing so.
Because privacy notices must be issued by July 1, customers may have already received them in droves — the average household will receive between 20 and 45 — and tossed them into the garbage. Financial institutions must provide notices every year to customers (and upon the opening of new accounts), so they annually have the chance to opt-out of information-sharing arrangements financial institutions have with third-party companies.
And, if you happened to have chucked your privacy notices out with the rest of the trash and you don’t want to have the information released, you can call your financial institution and tell it to remove your name from any sort of list it would provide to third-party companies, according to attorney Jim Sheriff of Godfrey & Kahn.
As with most new regulations, the impact of the privacy policy is not known until regulators start going over financial institutions’ procedures. Another problem is the definition of terms like “nonpublic personal information” and “financial institution.”
Nonpublic personal information is the type of information not readily available in a telephone directory, explains Phil Hadamik, a compliance manager with Wipfli CPAs & Consultants. Hadamik spent 18 years as a federal bank regulator before working for the firm.
“Financial institutions” may include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers and travel agents. Any business engaged in activities that are financial in nature or incidental to financial activities may be subject to the provisions of the act.
A problem may occur when companies that do not consider themselves “financial institutions” in the normal course of business are covered by the new regulations. The Federal Trade Commission covers all non-regulated entities that are affected by the privacy notification rules like department stores that have a credit card program or accounting firms that provide individual tax planning advice. Other businesses that may be affected are law firms (tax planning, real estate closings) and travel agencies that sell traveler’s checks.
“So if you do those sorts of things and are significantly engaged (in those activities), then under the FTC’s view of their privacy regulations, you are a financial institution — odd as that seems to the layman,” says Sheriff, “and therefore would have to give privacy notices by July 1 to all of your customers and then annually thereafter.”
Sheriff points out that the FTC has not defined what “significantly engaged” means. And requiring law firms — bound by ethical standards for client confidentiality — to send the notices, has caused a stir in the legal profession, Sheriff says.
Hadamik believes federal regulators will go easy on financial institutions initially as the regulators take the law and put it into practice, better defining things as they go. As for the “Mom-and-Pop shops” unaware of the requirement, Sheriff doesn’t expect the FTC to come down hard on them for noncompliance. But the FTC may make an example of a business that is significantly engaged in the listed activities and shares nonpublic personal information without providing the required notification.
The next step for privacy legislation is starting to heat up because Democrats in Congress are leaning toward an “opt-in” approach to information sharing among affiliated companies. The act regulates the sharing of information with non-affiliated, third-party companies. The financial services industry and Republicans view the sharing of information between related companies as a value-added service for their customers.
Ironically, the intent of the act was to encourage mergers between banks, insurance companies and others in the financial services industry, but in almost two years since its enactment, very few have taken place, according to Sheriff.
July 6, 2001 Small Business Times, Milwaukee