[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4388 Introduced in House (IH)]







105th CONGRESS
  2d Session
                                H. R. 4388

    To amend the Consumer Credit Protection Act to ensure financial 
        institution privacy protections, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             August 4, 1998

 Mr. LaFalce introduced the following bill; which was referred to the 
              Committee on Banking and Financial Services

_______________________________________________________________________

                                 A BILL


 
    To amend the Consumer Credit Protection Act to ensure financial 
        institution privacy protections, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer Financial Privacy 
Protection Act of 1998''.

SEC. 2. CONSUMER FINANCIAL PRIVACY.

    The Consumer Credit Protection Act (15 U.S.C. 1601 et seq.) is 
amended by adding at the end the following new title:

                 ``TITLE X--CONSUMER FINANCIAL PRIVACY

                    ``CHAPTER 1--GENERAL PROVISIONS

``SEC. 1001. SHORT TITLE.

    ``This chapter may be cited as the `Financial Institution Privacy 
Protection Act'.

``SEC. 1002. DEFINITIONS.

    ``For purposes of this title, the following definitions shall 
apply:
            ``(1) Customer.--The term `customer' has the meaning given 
        to such term in section 1101(5) of the Right to Financial 
        Privacy Act of 1978.
            ``(2) Customers' financial information.--The term 
        `customers' financial information' means any information 
        maintained by a financial institution which is derived from the 
        relationship between the financial institution and a customer 
        of the financial institution and is identifiable to the 
        customer, including account numbers, account balances and other 
        account data, transactional information concerning any account, 
        and codes, passwords, and other means of access to accounts or 
        means to initiate transactions.
            ``(3) Document.--The term `document' means any information 
        in any form.
            ``(4) Financial institution.--
                    ``(A) In general.--The term `financial institution' 
                means any institution engaged in the business of 
                providing financial services to customers who maintain 
                a credit, deposit, trust, or other financial account or 
                relationship with the institution.
                    ``(B) Certain financial institutions specifically 
                included.--The term `financial institution' includes 
                any depository institution (as defined in section 
                19(b)(1)(A) of the Federal Reserve Act), any broker or 
                dealer in investment securities, any insurance company, 
                any loan or finance company, any investment adviser or 
                investment company, any credit card issuer or operator 
                of a credit card system, and any consumer reporting 
                agency that compiles and maintains files on consumers 
                on a nationwide basis (as defined in section 603(p)).
                    ``(C) Further definition by regulation.--The 
                Federal Trade Commission may prescribe regulations 
                clarifying or describing the types of institutions 
                which shall be treated as financial institutions for 
                purposes of this title.
            ``(5) Financial regulatory agency.--The term `financial 
        regulatory agency' means any Federal banking agency (as defined 
        in section 3(z) of the Federal Deposit Insurance Act, the 
        National Credit Union Administration Board, the Securities and 
        Exchange Commission, the Commodity Futures Trading Commission, 
        the Secretary of the Treasury, and the Federal Trade 
        Commission.
            ``(6) Personal information.--The term `personal 
        information' means any information which is not financial 
        information and is personal to or identifiable with any 
        individual or other person, including any current or former 
        name of the person, any current or former address, telephone 
        number, and e-mail address (including any information relating 
        to any change of name, address, or telephone number) of the 
        person or any member of the person's family (including any 
        ancestor of such person), any Social Security or tax 
        identification number of the person or any member of such 
        person's family, the date of birth of the person or any member 
        of the person's family, and other information which could be 
        used to identify the person.
            ``(7) Record.--The term `record' means any customer 
        personal or financial information or any document, file, film, 
        electronic file, or other instrument used to collect, 
        aggregate, store, identify, or disseminate personal or 
        financial information.

``SEC. 1003. PROTECTION OF FINANCIAL INFORMATION.

    ``(a) In General.--Financial institutions have an affirmative and 
continuing obligation to respect the privacy of their customers and to 
protect the security and confidentiality of customers' financial and 
personal information.
    ``(b) Financial Institution Safeguards.--Pursuant to subsection 
(a), financial institutions shall establish appropriate administrative, 
technical and physical safeguards to insure the security and 
confidentiality of financial and personal records and to protect 
against any anticipated threats or hazards to the security or integrity 
of such records which could result in substantial harm, embarrassment, 
inconvenience, or unfairness to any customer or other persons on whom 
such information is maintained.
    ``(c) Information Collection and Disclosure.--
            ``(1) Collection of only essential customer information.--A 
        financial institution shall collect personal and financial 
        information about a customer only to the extent necessary to 
        facilitate customer-initiated transactions and to administer an 
        ongoing business relationship with the customer, provided that 
        the financial institution reasonably believes that such 
        information will be protected against any disclosure or use 
        that may harm, embarrass, or inconvenience the customer.
            ``(2) Prohibition on disclosures.--A financial institution 
        shall not disclose or provide customer financial or personal 
        information to a third party for their independent use, except 
        to the extent that disclosure of such information--
                    ``(A) is necessary to complete a customer-initiated 
                transaction;
                    ``(B) is requested by the customer and reasonable 
                steps are taken to verify the identity of the customer 
                pursuant to section 1004;
                    ``(C) is required by law by a public agency or 
                court as part of an investigation, subpoena, judgment, 
                or other legal or public proceeding; or
                    ``(D) is disclosed to the customer, with separate 
                and explicit notice identifying the purpose for such 
                disclosure, the customer's right to deny disclosure of 
                such information and the procedures for making such 
                denial, as provided in regulation under section 
                1004(a)(5).

``SEC. 1004. REGULATIONS.

    ``(a) Regulations Required.--The financial regulatory agencies 
shall prescribe uniform regulations to carry out the purposes of this 
chapter.
    ``(b) Safeguards.--Regulations prescribed under this section shall 
require each financial institution (which is subject to such 
regulation) to establish appropriate safeguards to insure the security 
and confidentiality of customer records, including policies and 
procedures to--
            ``(1) assure that customer records are current and accurate 
        and provide for prompt correction of any record or information 
        in response to a customer's inquiry where such customer has 
        reason to believe that the information is incomplete or 
        inaccurate.
            ``(2) limit employee access to financial records and 
        personally identifiable information and to train employees on 
        how to maintain the security and confidentiality of such 
        records and information;
            ``(3) maintain appropriate security standards and procedures 
        to prevent unauthorized access to consumer identifiers and 
        information, which shall include appropriate procedures for 
        customer identification and verification, including use of 
        customer passwords other than information readily available in 
        the public domain, biometric identifiers, and other technical 
        or electronic security measures;
            ``(4) require that third parties that receive customer 
        information also agree to maintain the confidentiality of 
        customer information; and
            ``(5) provide appropriate disclosure to customers regarding 
        the financial institution's privacy policies and customer 
        privacy rights, which shall include clear and conspicuous 
        disclosure of the following information--
                    ``(A) the type of information to be disclosed to 
                third parties and the purposes for such disclosure;
                    ``(B) the option and procedure available to the 
                customer to prevent such disclosure of information; and
                    ``(C) the procedures for filing a complaint 
                regarding the use of any confidential information 
                disclosed to a third party by the financial 
                institution, including the appropriate telephone 
                numbers for filing a complaint with the financial 
                institution and with Federal and State regulatory 
                agencies.
    ``(c) Model Forms and Disclosures.--The financial regulatory 
agencies shall provide model disclosure statements and clauses, as 
appropriate, to facilitate compliance with the disclosure requirements 
of section 1003(c)(2)(D). A financial institution that properly uses 
the material aspects of the model disclosures shall be deemed to be in 
compliance with the requirement for disclosure under this section.
    ``(d) Effective Dates.--A regulation prescribed under this section 
shall not take effect before the end of the 6-month period beginning on 
the date the regulation is published in final form in the Federal 
Register. A financial regulatory agency may lengthen this period where, 
in its determination, additional time is necessary to permit 
appropriate implementation of security measures by financial 
institutions.

``SEC. 1005. ADMINISTRATIVE ENFORCEMENT.

    ``(a) Enforcement by Federal Trade Commission.--
            ``(1) In general.--Except as provided in subsection (b), 
        compliance with this title shall be enforced under the Federal 
        Trade Commission Act by the Federal Trade Commission.
            ``(2) Violations of this title treated as violations of 
        federal trade commission act.--
                    ``(A) In general.--For the purpose of the exercise 
                by the Federal Trade Commission of the Commission's 
                functions and powers under the Federal Trade Commission 
                Act, any violation of any requirement or prohibition 
                imposed under this title with respect to information 
                brokers shall constitute an unfair or deceptive act or 
                practice in commerce in violation of section 5(a) of 
                the Federal Trade Commission Act.
                    ``(B) Enforcement authority under other law.--All 
                functions and powers of the Federal Trade Commission 
                under the Federal Trade Commission Act shall be 
                available to the Commission to enforce compliance with 
                this title by any person subject to enforcement by the 
                Federal Trade Commission pursuant to this subsection, 
                including the power to enforce the provisions of this 
                title in the same manner as if the violation had been a 
                violation of any Federal Trade Commission trade 
                regulation rule, without regard to whether the person--
                            ``(i) is engaged in commerce; or
                            ``(ii) meets any other jurisdictional tests 
                        in the Federal Trade Commission Act.
                    ``(C) Civil penalties.--Any person violating any of 
                the provisions of this title (other than a person 
                subject to enforcement in accordance with subsection 
                (b)) shall be subject to the penalties and entitled to 
                the privileges and immunities provided in the Federal 
                Trade Commission Act as though the applicable terms and 
                provisions thereof were part of this title.
    ``(b) Enforcement By Other Agencies in Certain Cases.--
            ``(1) In general.--Compliance with this title shall be 
        enforced under--
                    ``(A) section 8 of the Federal Deposit Insurance 
                Act, in the case of--
                            ``(i) national banks, and Federal branches 
                        and Federal agencies of foreign banks, by the 
                        Comptroller of the Currency;
                            ``(ii) member banks of the Federal Reserve 
                        System (other than national banks), branches 
                        and agencies of foreign banks (other than 
                        Federal branches, Federal agencies, and insured 
                        State branches of foreign banks), commercial 
                        lending companies owned or controlled by 
                        foreign banks, and organizations operating 
                        under section 25 or 25A of the Federal Reserve 
                        Act, by the Board of Governors of the Federal 
                        Reserve System;
                            ``(iii) banks insured by the Federal 
                        Deposit Insurance Corporation (other than 
                        members of the Federal Reserve System) and 
                        insured State branches of foreign banks, by the 
                        Board of Directors of the Federal Deposit 
                        Insurance Corporation;
                            ``(iv) savings associations the deposits of 
                        which are insured by the Federal Deposit 
                        Insurance Corporation, by the Director of the 
                        Office of Thrift Supervision;
                    ``(B) the Federal Credit Union Act, by the 
                Administrator of the National Credit Union 
                Administration with respect to any Federal credit 
                union;
                    ``(C) the Farm Credit Act of 1971, by the Farm 
                Credit Administration with respect to any Federal land 
                bank, Federal land bank association, Federal 
                intermediate credit bank, or production credit 
                association
                    ``(D) the securities laws (as defined in section 
                3(a)(47) of the Securities Exchange Act of 1934) by the 
                Securities and Exchange Commission with respect to any 
                person subject to the securities laws; and
                    ``(E) the Commodity Exchange Act, by the Commodity 
                Futures Trading Commission with respect to any person 
                subject to such Act.

``SEC. 1006. CIVIL LIABILITY.

    ``If any person knowingly fails to comply with any requirement of 
this chapter or any regulation issued under this chapter and a customer 
of a financial institution sustains substantial financial injury and 
inconvenience as a result of the disclosure of confidential 
information, such person shall be liable to the customer in an amount 
equal to the sum of--
            ``(1) the greater of--
                    ``(A) any actual damages sustained by the customer 
                as a result of the failure; or
                    ``(B) $500;
            ``(2) such amount of additional damages as the court may 
        allow; and
            ``(3) in the case of any successful action to enforce any 
        liability under this section, the costs of the action together 
        with reasonable attorney's fees as determined by the court.

``SEC. 1007. WAIVER OF RIGHTS.

    ``(a) Waiver of Rights, Remedies, Requirements, and Obligations 
Prohibited.--No writing or other agreement between a financial 
institution and any customer may contain any provision which 
constitutes a waiver of any requirement or obligation under this 
chapter nor a waiver of any right or cause of action created by this 
chapter.
    ``(b) Rule of Construction.--Subsection (a) shall not be construed 
as prohibiting any writing or other agreement between a financial 
institution and a customer which grants to a consumer a more extensive 
right or remedy or greater protection than that contained in or 
required under this chapter.

``SEC. 1008. RELATION TO STATE LAW.

    ``(a) In General.--This chapter shall not be construed as 
annulling, altering, or affecting the laws of any State with respect to 
financial privacy practices, or exempting any person subject to the 
provisions of this title from complying with such State laws, except to 
the extent that those laws are inconsistent with any provision of this 
chapter, and then only to the extent of the inconsistency.
    ``(b) Greater Protection Under State Law.--For purposes of this 
section, a State law is not inconsistent with this title if the 
protection such law affords any consumer is greater than the protection 
provided by this chapter.''.