[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 1903 Introduced in Senate (IS)]

106th CONGRESS
  1st Session
                                S. 1903

     To amend the privacy provisions of the Gramm-Leach-Bliley Act.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           November 10, 1999

 Mr. Shelby (for himself and Mr. Bryan) introduced the following bill; 
which was read twice and referred to the Committee on Banking, Housing, 
                           and Urban Affairs

_______________________________________________________________________

                                 A BILL

     To amend the privacy provisions of the Gramm-Leach-Bliley Act.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Consumer's Right to Financial 
Privacy Act''.

SEC. 2. AMENDMENT.

    Title V of the Gramm-Leach-Bliley Act is amended to read as 
follows:

               ``TITLE V--PRIVACY OF CONSUMER INFORMATION

       ``Subtitle A--Disclosure of Nonpublic Personal Information

``SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.

    ``(a) Privacy Obligation Policy.--It is the policy of the Congress 
that each financial institution has an affirmative and continuing 
obligation to respect the privacy of its customers and to protect the 
security and confidentiality of those customers' nonpublic personal 
information.
    ``(b) Financial Institutions Safeguards.--In furtherance of the 
policy in subsection (a), each agency or authority described in section 
504(a) shall establish by rule or order appropriate standards for the 
financial institutions subject to their jurisdiction, and the 
Commission shall establish such standards for any financial 
institutions not subject to such jurisdiction, relating to 
administrative, technical, and physical safeguards--
            ``(1) to insure the security and confidentiality of 
        customer records and information;
            ``(2) to protect against any anticipated threats or hazards 
        to the security or integrity of such records; and
            ``(3) to protect against unauthorized access to or use of 
        such records or information which could result in substantial 
        harm or inconvenience to any customer.

``SEC. 502. OBLIGATIONS WITH RESPECT TO PERSONAL
              INFORMATION.

    ``(a) General Requirements.--Except as otherwise provided in this 
subtitle, a financial institution may not, directly or through any 
affiliate, disclose or make an unrelated use of any nonpublic personal 
information collected by the financial institution in connection with 
any transaction with a consumer in any financial product or any 
financial service, unless such financial institution provides or has 
provided to the consumer a notice that complies with section 503 and 
the rules thereunder.
    ``(b) Opt-In Required for Information Transfers.--
            ``(1) Affirmative consent required.--Each agency or 
        authority described in section 504(a) shall by rule prohibit a 
        financial institution that is subject to its jurisdiction from 
        making available any nonpublic personal information to any 
        affiliate or other person that is not an employee or agent of 
        the institution, unless the consumer to whom the information 
        pertains--
                    ``(A) has affirmatively consented in accordance 
                with such rule to the transfer of such information; and
                    ``(B) has not withdrawn the consent.
            ``(2) Flexibility of form.--A financial institution may, in 
        complying with paragraph (1), present the opportunity to 
        consent in a clear and conspicuous manner that permits the 
        consumer to consent--
                    ``(A)(i) with respect to both affiliates and 
                nonaffiliated persons;
                    ``(ii) separately with respect to affiliates 
                generally and nonaffiliated persons generally; or
                    ``(iii) separately with respect to specified 
                affiliates and nonaffiliated persons; and
                    ``(B) separately with respect to specified 
                financial and nonfinancial products and services that 
                may be offered to the consumer.
            ``(3) Denial of service prohibited.--The rule prescribed 
        pursuant to paragraph (1) shall prohibit a financial 
        institution from denying any consumer a financial product or a 
        financial service for the refusal by the consumer to grant the 
        consent required by such rule.
    ``(c) Access to and Correction of Information Vended to Third 
Parties.--
            ``(1) Rule required.--Each agency or authority described in 
        section 504(a) shall by rule require a financial institution 
        that is subject to its jurisdiction and that makes available 
        nonpublic personal information collected by the financial 
        institution to any person or entity other than an employee or 
        agent of such institution to afford that consumer--
                    ``(A) the opportunity to examine, upon request, all 
                nonpublic personal information that was so made 
                available; and
                    ``(B) the opportunity to dispute the accuracy of 
                any of such information, and to present evidence 
                thereon.
    ``(d) Limitations on the Sharing of Account Number Information for 
Marketing Purposes.--A financial institution shall not disclose an 
account number or similar form of access number or access code for a 
credit card account, deposit account, or transaction account of a 
consumer to any affiliate or any nonaffiliated third party for use in 
telemarketing, direct mail marketing, or other marketing through 
electronic mail or other electronic means to the consumer.
    ``(e) Limits on Reuse of Information.--Except as otherwise provided 
in this subtitle, an affiliate or a nonaffiliated third party that 
receives from a financial institution nonpublic personal information 
under this section shall not, directly or through an affiliate of such 
receiving third party, disclose such information to any other person 
that is an affiliate or a nonaffiliated third party of both the 
financial institution and such receiving third party, unless such 
disclosure would be lawful if made directly to such other person by the 
financial institution.
    ``(f) General Exceptions.--Subsections (a) and (b) shall not 
prohibit the disclosure of nonpublic personal information--
            ``(1) as necessary to effect, administer, or enforce a 
        transaction requested or authorized by the consumer, or in 
        connection with--
                    ``(A) servicing or processing a financial product 
                or service requested or authorized by the consumer;
                    ``(B) maintaining or servicing the consumer's 
                account with the financial institution; or
                    ``(C) a proposed or actual securitization, 
                secondary market sale (including sales of servicing 
                rights), or similar transaction related to a 
                transaction of the consumer;
            ``(2) with the consent or at the direction of the consumer;
            ``(3)(A) to protect the confidentiality or security of the 
        financial institution's records pertaining to the consumer, the 
        service or product, or the transaction therein; (B) to protect 
        against or prevent actual or potential fraud, unauthorized 
        transactions, claims, or other liability; (C) for required 
        institutional risk control, or for resolving customer disputes 
        or inquiries; (D) to persons holding a legal or beneficial 
        interest relating to the consumer; or (E) to persons acting in 
        a fiduciary or representative capacity on behalf of the 
        consumer;
            ``(4) to provide information to insurance rate advisory 
        organizations, guaranty funds or agencies, applicable rating 
        agencies of the financial institution, and the institution's 
        attorneys, accountants, and auditors;
            ``(5) to the extent specifically permitted or required 
        under other provisions of law and in accordance with the Right 
        to Financial Privacy Act of 1978, to law enforcement agencies 
        (including a Federal functional regulator, the Secretary of the 
        Treasury with respect to subchapter II of chapter 53 of title 
        31, United States Code, and chapter 2 of title I of Public Law 
        91-508 (12 U.S.C. 1951-1959), a State insurance authority, or 
        the Federal Trade Commission), self-regulatory organizations, 
        or for an investigation on a matter related to public safety;
            ``(6)(A) to a consumer reporting agency in accordance with 
        the Fair Credit Reporting Act, or (B) from a consumer report 
        reported by a consumer reporting agency in accordance with the 
        Fair Credit Reporting Act;
            ``(7) in connection with a proposed or actual sale, merger, 
        transfer, or exchange of all or a portion of a business or 
        operating unit if the disclosure of nonpublic personal 
        information concerns solely consumers of such business or unit; 
        or
            ``(8) to comply with Federal, State, or local laws, rules, 
        and other applicable legal requirements; to comply with a 
        properly authorized civil, criminal, or regulatory 
        investigation or subpoena or summons by Federal, State, or 
        local authorities; or to respond to judicial process or 
        government regulatory authorities having jurisdiction over the 
        financial institution for examination, compliance, or other 
        purposes as authorized by law.

``SEC. 503. NOTICE CONCERNING DISCLOSING INFORMATION.

    ``(a) Rule Required.--Each agency or authority described in section 
504(a) shall prescribe rules in accordance with this section to 
prohibit unfair and deceptive acts or practices in connection with the 
disclosing of nonpublic personal information or with making unrelated 
uses of such information. Such rules shall require any financial 
institution, through the use of a form that complies with the rules 
prescribed under subsection (b), to clearly and conspicuously disclose 
to the consumer at the time of establishing a customer relationship 
with a consumer and not less than annually during the continuation of 
such relationship--
            ``(1) the categories of nonpublic personal information that 
        are collected by the financial institution;
            ``(2) the practices and policies of the financial 
        institution with respect to disclosing nonpublic personal 
        information, or making unrelated uses of such information, 
        including--
                    ``(A) the categories of persons to whom the 
                information is or may be disclosed or who may be 
                permitted to make unrelated uses of such information, 
                other than the persons to whom the information must be 
                provided to effect, administer, or enforce the 
                transaction; and
                    ``(B) the practices and policies of the institution 
                with respect to disclosing or making unrelated uses of 
                nonpublic personal information of persons who have 
                ceased to be customers of the financial institution;
            ``(3) the policies that the institution maintains to 
        protect the confidentiality and security of nonpublic personal 
        information;
            ``(4) the practices and policies of the institution with 
        respect to providing consumers the opportunity to examine and 
        dispute information pursuant to the rule prescribed under 
        section 502(c); and
            ``(5) the right of the consumer under such section to 
        examine, upon request, the nonpublic personal information, to 
        dispute the accuracy of any of such information, and to present 
        evidence thereon.
    ``(b) Design of Notice Requirements.--In prescribing the form of a 
notice for purposes of subsection (a), each agency or authority 
described in section 504(a) shall ensure that consumers are provided a 
clear and conspicuous disclosure that permits them to compare 
differences in the measures that the financial institution takes, and 
the policies that the institution has established, to protect the 
consumer's privacy as compared to the measures taken and the policies 
established by other financial institutions. Such form shall 
specifically identify the rights the institution affords consumers to 
grant or deny consent to (1) the disclosing of nonpublic personal 
information for any purpose other than as required in order to effect, 
administer, or enforce the consumer's transaction, or (2) the making of 
an unrelated use of such information.
    ``(c) Additional Contents of Rules; Exemptive Rules.--Each agency 
or authority described in section 504(a) shall, by rule, and may by 
order--
            ``(1) specify the disclosures and uses of information 
        which, for purposes of this subtitle and the rules prescribed 
        thereunder, may be treated as necessary to effect, administer, 
        or enforce a consumer's transaction with respect to a variety 
        of financial services and financial products;
            ``(2) specify timing requirements with respect to notices 
        to new and existing customers, which shall not require notices 
        more frequently than annually unless there has been a change in 
        the information required to be disclosed pursuant to subsection 
        (a); and
            ``(3) provide, consistent with the purposes of this 
        subtitle, exemptions or temporary waivers to, or delayed 
        effective dates for, any requirement of this subtitle or the 
        rules prescribed thereunder.

``SEC. 504. ENFORCEMENT.

    ``(a) In General.--This subtitle and the rules prescribed 
thereunder shall be enforced by the Federal functional regulators, the 
State insurance authorities, and the Federal Trade Commission with 
respect to financial institutions and other persons subject to their 
jurisdiction under applicable law, as follows:
            ``(1) Under section 8 of the Federal Deposit Insurance Act, 
        in the case of--
                    ``(A) national banks, Federal branches and Federal 
                agencies of foreign banks by the Office of the 
                Comptroller of the Currency;
                    ``(B) member banks of the Federal Reserve System 
                (other than national banks), branches and agencies of 
                foreign banks (other than Federal branches, Federal 
                agencies, and insured State branches of foreign banks), 
                commercial lending companies owned or controlled by 
                foreign banks, organizations operating under section 25 
                or 25A of the Federal Reserve Act, bank holding 
                companies by the Board of Governors of the Federal 
                Reserve System;
                    ``(C) banks insured by the Federal Deposit 
                Insurance Corporation (other than members of the 
                Federal Reserve System), insured State branches of 
                foreign banks by the Board of Directors of the Federal 
                Deposit Insurance Corporation; and
                    ``(D) savings association the deposits of which are 
                insured by the Federal Deposit Insurance Corporation by 
                the Director of the Office of Thrift Supervision.
            ``(2) Under the Federal Credit Union Act, by the 
        Administrator of the National Credit Union Administration with 
        respect to any Federal or state chartered credit union.
            ``(3) Under the Securities Exchange Act of 1934, by the 
        Securities and Exchange Commission with respect to any broker-
        dealer.
            ``(4) Under the Investment Company Act of 1940, by the 
        Securities and Exchange Commission with respect to investment 
        companies.
            ``(5) Under the Investment Advisers Act of 1940, by the 
        Securities and Exchange Commission with respect to investment 
        advisers registered with the Commission under such Act.
            ``(6) Under the Federal Home Loan Bank Act, by the Federal 
        Housing Finance Board with respect to Federal home loan banks.
            ``(7) In the case of any person engaged in providing 
        insurance, by the State insurance authority, if that State has 
        elected to become a participating State, notwithstanding any of 
        the limitations of section 104 of the Gramm-Leach-Bliley Act.
            ``(8) Under the Federal Trade Commission Act, by the 
        Federal Trade Commission for--
                    ``(A) any other financial institution (other than a 
                person engaged in providing insurance) or any other 
                person that is not subject to the jurisdiction of any 
                agency or authority under paragraphs (1) through (6) of 
                this subsection; and
                    ``(B) any person engaged in providing insurance who 
                is domiciled in a State that does not elect to become a 
                participating State.
    ``(b) Enforcement of Section 501.--
            ``(1) In general.--Except as provided in paragraph (2), the 
        agencies and authorities described in subsection (a) shall 
        implement the standards prescribed under section 501(b) in the 
        same manner, to the extent practicable, as standards prescribed 
        pursuant to subsection (a) of section 39 of the Federal Deposit 
        Insurance Act are implemented pursuant to such section.
            ``(2) Exception.--The agencies and authorities described in 
        paragraphs (3), (4), (5), (7), and (8) of subsection (a) shall 
        implement the standards prescribed under section 501(b) by rule 
        with respect to the financial institutions subject to their 
        respective jurisdictions under subsection (a).
    ``(c) State Action for Violations.--
            ``(1) Authority of states.--In addition to such other 
        remedies as are provided under State law, if the chief law 
        enforcement officer of a State, or an official or agency 
        designated by a State, has reason to believe that any person 
        has violated or is violating this subtitle or a rule prescribed 
        under this subtitle, other than section 501 or a rule 
        prescribed under such section, the State--
                    ``(A) may bring an action to enjoin such violation 
                in any appropriate United States district court or in 
                any other court of competent jurisdiction; and
                    ``(B) may bring an action on behalf of the 
                residents of the State to enforce compliance with such 
                rule, to obtain damages, restitution, or other 
                compensation on behalf of residents of such State, or 
                to obtain such further and other relief as the court 
                may deem appropriate.
            ``(2) Rights of federal regulators.--
                    ``(A) Prior notice.--The State shall serve prior 
                written notice of any action under paragraph (1) upon 
                the Federal Trade Commission and provide the Federal 
                Trade Commission with a copy of its complaint, except 
                in any case in which such prior notice is not feasible, 
                in which case the State shall serve such notice 
                immediately upon instituting such action.
                    ``(B) Right to intervene.--The Federal Trade 
                Commission shall transmit the notice received under 
                subparagraph (A) to the agency or authority that has 
                jurisdiction of the subject of the complaint, and such 
                agency or authority shall have the right--
                            ``(i) to intervene in an action under 
                        paragraph (1);
                            ``(ii) upon so intervening, to be heard on 
                        all matters arising therein;
                            ``(iii) to remove the action to the 
                        appropriate United States district court; and
                            ``(iv) to file petitions for appeal.
            ``(3) Investigatory powers.--For purposes of bringing any 
        action under this subsection, no provision of this subsection 
        shall be construed as preventing the chief law enforcement 
        officer, or an official or agency designated by a State, from 
        exercising the powers conferred on the chief law enforcement 
        officer or such official by the laws of such State to conduct 
        investigations or to administer oaths or affirmations or to 
        compel the attendance of witnesses or the production of 
        documentary and other evidence.
            ``(4) Limitation on state action while federal action 
        pending.--If a Federal agency or authority has instituted a 
        civil action for a violation of this subtitle, no State may, 
        during the pendency of such action, bring an action under this 
        section against any defendant named in the complaint of the 
        Federal agency or authority or such agency for any violation of 
        this subtitle that is alleged in that complaint.
    ``(d) Definitions.--The terms used in subsection (a)(1) that are 
not defined in this subtitle or otherwise defined in section 3(s) of 
the Federal Deposit Insurance Act shall have the meaning given to them 
in section 1(b) of the International Banking Act of 1978.

``SEC. 505. FAIR CREDIT REPORTING ACT AMENDMENT.

    ``(a) Amendment.--Section 621 of the Fair Credit Reporting Act (15 
U.S.C. 1681s) is amended--
            ``(1) in subsection (d), by striking everything following 
        the end of the second sentence; and
            ``(2) by striking subsection (e) and inserting in lieu 
        thereof the following:
    `` `(e) Regulatory Authority.--
            `` `(1) The Federal banking agencies referred to in 
        paragraphs (1) and (2) of subsection (b) shall jointly 
        prescribe such regulations as necessary to carry out the 
        purposes of this Act with respect to any persons identified 
        under paragraphs (1) and (2) of subsection (b).
            `` `(2) The Administrator of the National Credit Union 
        Administration shall prescribe such regulations as necessary to 
        carry out the purposes of this Act with respect to any persons 
        identified under paragraph (3) of subsection (b).
            `` `(3) The Federal Trade Commission shall prescribe such 
        regulations as necessary to carry out the purposes of this Act 
        with respect to any persons identified under subsection (a).'.
    ``(b) Relation to Other Provisions.--Except for the amendment made 
by this section, nothing in this title shall be construed to modify, 
limit, or supersede the operation of the Fair Credit Reporting Act, and 
no inference shall be drawn on the basis of the provisions of this 
title regarding whether information is transaction or experience 
information under section 603 of such Act.

``SEC. 506. STATE ELECTION TO PARTICIPATE.

    ``(a) Regulations.--The Secretary of the Treasury may promulgate 
such regulations as may be necessary to establish the procedures 
governing whether the election required under section 504(a)(7) has 
been made.
    ``(b) Deadline.--The deadline for a State to elect to become a 
participating state is the first day of the first calendar quarter 
beginning after the close of the first legislative session of the State 
legislature that begins on or after the date the regulations required 
by section 504(a) are issued in final form. For purposes of the 
previous sentence, in the case of a State that has a 2-year legislative 
session, each year of such session shall be deemed to be a separate 
regular session of the State legislature.

``SEC. 507. RELATION TO STATE LAWS.

    ``(a) In General.--This subtitle shall not be construed as 
superseding, altering, or affecting the statutes, regulations, orders, 
or interpretations in effect in any State, except to the extent that 
such statutes, regulations, orders, or interpretations are inconsistent 
with the provisions of this subtitle, and then only to the extent of 
the inconsistency.
    ``(b) Greater Protection Under State Law.--For purposes of this 
section, a State statute, regulation, order, or interpretation is not 
inconsistent with the provisions of this subtitle if the protection 
such statute, regulation, order, or interpretation affords any person 
is greater than the protection provided under this subtitle as 
determined by the Commission or a Federal functional regulator, on its 
own motion or upon the petition of any interested party.

``SEC. 508. DEFINITIONS.

    ``As used in this subtitle:
            ``(1) Commission.--The term `Commission' means the Federal 
        Trade Commission.
            ``(2) Federal functional regulator.--The term `Federal 
        functional regulator' means--
                    ``(A) the Board of Governors of the Federal Reserve 
                System;
                    ``(B) the Office of the Comptroller of the 
                Currency;
                    ``(C) the Board of Directors of the Federal Deposit 
                Insurance Corporation;
                    ``(D) the Director of the Office of Thrift 
                Supervision;
                    ``(E) the National Credit Union Administration 
                Board; and
                    ``(F) the Securities and Exchange Commission.
            ``(3) Financial institution.--The term `financial 
        institution' means any institution the business of which is 
        engaging in financial activities or activities that are 
        incidental or complementary to financial activities, as 
        determined under section 4(k) of the Bank Holding Company Act 
        of 1956.
            ``(4) Nonpublic personal information.--
                    ``(A) The term `nonpublic personal information' 
                means personally identifiable financial information--
                            ``(i) provided by a consumer to a financial 
                        institution;
                            ``(ii) resulting from any transaction with 
                        the consumer or the service performed for the 
                        consumer; or
                            ``(iii) otherwise obtained by the financial 
                        institution.
                    ``(B) Such term does not include publicly available 
                information, as such term is defined by the regulations 
                prescribed under section 504.
                    ``(C) Notwithstanding subparagraph (B), such term--
                            ``(i) shall include any list, description, or 
                        other grouping of consumers (and publicly 
                        available information pertaining to them) that 
                        is derived using any personally identifiable 
                        information other than publicly available 
                        information; but
                            ``(ii) shall not include any list, 
                        description, or other grouping of consumers 
                        (and publicly available information pertaining 
                        to them) that is derived without using any 
                        nonpublic personal information.
            ``(5) Directory information.--The term `publicly available 
        directory information' means subscriber list information 
        required to be made available for publication pursuant to 
        section 222(e) of the Communications Act of 1934 (47 U.S.C. 
        222(3)).
            ``(6) Unrelated use.--The term `unrelated use', when used 
        with respect to information collected by the financial 
        institution in connection with any transaction with a consumer 
        in any financial product or any financial service, means any 
        use other than a use that is necessary to effect, administer, 
        or enforce such transaction.
            ``(7) Affiliate.--The term `affiliate' means any company 
        that controls, is controlled by, or is under common control 
        with another company.
            ``(8) Nonaffiliated third party.--The term `nonaffiliated 
        third party' means any entity that is not an affiliate of, or 
        related by common ownership or affiliated by corporate control 
        with, the financial institution, but does not include a joint 
        employee of such institution.
            ``(9) Necessary to effect, administer, or enforce.--The 
        disclosing or use of nonpublic personal information shall be 
        treated as necessary to effect or administer a transaction with 
        a consumer if the disclosing or use--
                    ``(A) is required, or is a usual, appropriate, or 
                acceptable method, to carry out the transaction or the 
                product or service business of which the transaction is 
                a part, and record or service or maintain the 
                consumer's account in the ordinary course of providing 
                the financial service or financial product, or to 
                administer or service benefits or claims relating to 
                the transaction or the product or service business of 
                which it is a part, and includes--
                            ``(i) providing the consumer or the 
                        consumer's agent or broker with a confirmation, 
                        statement, or other record of the transaction, 
                        or information on the status or value of the 
                        financial service or financial product; and
                            ``(ii) the accrual or recognition of 
                        incentives or bonuses associated with the 
                        transaction that are provided by the financial 
                        institution or any other party;
                    ``(B) is required, or is one of the lawful or 
                appropriate methods, to enforce the rights of the 
                financial institution or of other persons engaged in 
                carrying out the financial transaction, or providing 
                the product or service;
                    ``(C) is required, or is a usual, appropriate, or 
                acceptable method, for insurance underwriting at the 
                consumer's request or for reinsurance purposes, or for 
                any of the following purposes as they relate to a 
                consumer's insurance: account administration, 
                reporting, investigating, or preventing fraud or 
                material misrepresentation, processing premium 
                payments, processing insurance claims, administering 
                insurance benefits (including utilization review 
                activities), participating in research projects, or as 
                otherwise required or specifically permitted by Federal 
                or State law; or
                    ``(D) the disclosure is required, or is a usual, 
                appropriate or acceptable method, in connection with--
                            ``(i) the authorization, settlement, 
                        billing, processing, clearing, transferring, 
                        reconciling, or collection of amounts charged, 
                        debited, or otherwise paid using a debit, 
                        credit or other payment card, check, or account 
                        number, or by other payment means;
                            ``(ii) the transfer of receivables, 
                        accounts or interests therein; or
                            ``(iii) the audit of debit, credit or other 
                        payment information.
        Each agency or authority described in section 504(a) shall, 
        consistent with the purposes of this subtitle, prescribe by 
        rule actions that shall, in a variety of financial services, 
        and with respect to a variety of financial products, be treated 
        as necessary to effect, administer, or enforce a financial 
        transaction.
            ``(10) Financial services; financial products; transaction; 
        related transaction.--Each agency or authority described in 
        section 504(a) shall, consistent with the purposes of this 
        subtitle, prescribe by rule definitions of the terms `financial 
        services', `financial products', `transaction', `related 
        transaction', and `unrelated third party' for purposes of this 
        subtitle.
            ``(11) State insurance authority.--The term `State 
        insurance authority' means, in the case of any person engaged 
        in providing insurance, the State insurance authority of the 
        State in which the person is domiciled.
            ``(12) Consumer.--The term `consumer' means an individual 
        who obtains, from a financial institution, financial products 
        or services which are to be used primarily for personal, 
        family, or household purposes, and also means the legal 
        representative of such an individual.
            ``(13) Customer relationship.--The term `time of 
        establishing a customer relationship' shall be defined by the 
        regulations prescribed under section 504.

``SEC. 509. EFFECTIVE DATE.

    ``This subtitle shall take effect 6 months after the date on which 
rules are required to be prescribed under section 504(a)(3), except--
            ``(1) to the extent that a later date is specified in the 
        rules prescribed under section 504; and
            ``(2) that sections 504 and 506 shall be effective upon 
        enactment.

        ``Subtitle B--Fraudulent Access to Financial Information

``SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL 
              INSTITUTIONS.

    ``(a) Prohibition on Obtaining Customer Information by False 
Pretenses.--It shall be a violation of this subtitle for any person to 
obtain or attempt to obtain, or cause to be disclosed or attempt to 
cause to be disclosed to any person, customer information of a 
financial institution relating to another person--
            ``(1) by making a false, fictitious, or fraudulent 
        statement or representation to an officer, employee, or agent 
        of a financial institution;
            ``(2) by making a false, fictitious, or fraudulent 
        statement or representation to a customer of a financial 
        institution; or
            ``(3) by providing any document to an officer, employee, or 
        agent of a financial institution, knowing that the document is 
        forged, counterfeit, lost, or stolen, was fraudulently 
        obtained, or contains a false, fictitious, or fraudulent 
        statement or representation.
    ``(b) Prohibition on Solicitation of a Person To Obtain Customer 
Information From Financial Institution Under False Pretenses.--It shall 
be a violation of this subtitle to request a person to obtain customer 
information of a financial institution, knowing that the person will 
obtain, or attempt to obtain, the information from the institution in 
any manner described in subsection (a).
    ``(c) Nonapplicability to Law Enforcement Agencies.--No provision 
of this section shall be construed so as to prevent any action by a law 
enforcement agency, or any officer, employee, or agent of such agency, 
to obtain customer information of a financial institution in connection 
with the performance of the official duties of the agency.
    ``(d) Nonapplicability to Financial Institutions in Certain 
Cases.--No provision of this section shall be construed so as to 
prevent any financial institution, or any officer, employee, or agent 
of a financial institution, from obtaining customer information of such 
financial institution in the course of--
            ``(1) testing the security procedures or systems of such 
        institution for maintaining the confidentiality of customer 
        information;
            ``(2) investigating allegations of misconduct or negligence 
        on the part of any officer, employee, or agent of the financial 
        institution; or
            ``(3) recovering customer information of the financial 
        institution which was obtained or received by another person in 
        any manner described in subsection (a) or (b).
    ``(e) Nonapplicability to Insurance Institutions for Investigation 
of Insurance Fraud.--No provision of this section shall be construed so 
as to prevent any insurance institution, or any officer, employee, or 
agency of an insurance institution, from obtaining information as part 
of an insurance investigation into criminal activity, fraud, material 
misrepresentation, or material nondisclosure that is authorized for 
such institution under State law, regulation, interpretation, or order.
    ``(f) Nonapplicability to Certain Types of Customer Information of 
Financial Institutions.--No provision of this section shall be 
construed so as to prevent any person from obtaining customer 
information of a financial institution that otherwise is available as a 
public record filed pursuant to the securities laws (as defined in 
section 3(a)(47) of the Securities Exchange Act of 1934).

``SEC. 522. ADMINISTRATIVE ENFORCEMENT.

    ``(a) Enforcement by Federal Trade Commission.--Compliance with 
this subtitle shall be enforced by the Federal Trade Commission in the 
same manner and with the same power and authority as the Commission has 
under the title VIII, the Fair Debt Collection Practices Act, to 
enforce compliance with such title.
    ``(b) Notice of Actions.--The Federal Trade Commission shall--
            ``(1) notify the Securities and Exchange Commission 
        whenever the Federal Trade Commission initiates an 
        investigation with respect to a financial institution subject 
        to regulation by the Securities and Exchange Commission;
            ``(2) notify the Federal banking agency (as defined in 
        section 3(z) of the Federal Deposit Insurance Act) whenever the 
        Commission initiates an investigation with respect to a 
        financial institution subject to regulation by such Federal 
        banking agency; and
            ``(3) notify the appropriate State insurance regulator 
        whenever the Commission initiates an investigation with respect 
        to a financial institution subject to regulation by such 
        regulator.
    ``(c) State Action for Violations.--
            ``(1) Authority of states.--In addition to such other 
        remedies as are provided under State law, if the chief law 
        enforcement officer of a State, or an official or agency 
        designated by a State, has reason to believe that any person 
        has violated or is violating this subtitle, the State--
                    ``(A) may bring an action to enjoin such violation 
                in any appropriate United States district court or in 
                any other court of competent jurisdiction;
                    ``(B) may bring an action on behalf of the 
                residents of the State to recover damages of not more 
                than $1,000 for each violation; and
                    ``(C) in the case of any successful action under 
                subparagraph (A) or (B), shall be awarded the costs of 
                the action and reasonable attorney fees as determined 
                by the court.
            ``(2) Rights of federal regulators.--
                    ``(A) Prior notice.--The State shall serve prior 
                written notice of any action under paragraph (1) upon 
                the Federal Trade Commission and provide the Federal 
                Trade Commission with a copy of its complaint, except 
                in any case in which such prior notice is not feasible, 
                in which case the State shall serve such notice 
                immediately upon instituting such action.
                    ``(B) Right to intervene.--The Federal Trade 
                Commission shall have the right--
                            ``(i) to intervene in an action under 
                        paragraph (1);
                            ``(ii) upon so intervening, to be heard on 
                        all matters arising therein;
                            ``(iii) to remove the action to the 
                        appropriate United States district court; and
                            ``(iv) to file petitions for appeal.
            ``(3) Investigatory powers.--For purposes of bringing any 
        action under this subsection, no provision of this subsection 
        shall be construed as preventing the chief law enforcement 
        officer, or an official or agency designated by a State, from 
        exercising the powers conferred on the chief law enforcement 
        officer or such official by the laws of such State to conduct 
        investigations or to administer oaths or affirmations or to 
        compel the attendance of witnesses or the production of 
        documentary and other evidence.
            ``(4) Limitation on state action while federal action 
        pending.--If the Federal Trade Commission has instituted a 
        civil action for a violation of this subtitle, no State may, 
        during the pendency of such action, bring an action under this 
        section against any defendant named in the complaint of the 
        Federal Trade Commission or such agency for any violation of 
        this subtitle that is alleged in that complaint.

``SEC. 523. CRIMINAL PENALTY.

    ``(a) In General.--Whoever knowingly and intentionally violates, or 
knowingly and intentionally attempts to violate, section 521 shall be 
fined in accordance with title 18, United States Code, or imprisoned 
for not more than 5 years, or both.
    ``(b) Enhanced Penalty for Aggravated Cases.--Whoever violates, or 
attempts to violate, section 521 while violating another law of the 
United States or as part of a pattern of any illegal activity involving 
more than $100,000 in a 12-month period shall be fined twice the amount 
provided in subsection (b)(3) or (c)(3) (as the case may be) of section 
3571 of title 18, United States Code, imprisoned for not more than 10 
years, or both.

``SEC. 524. RELATION TO STATE LAWS.

    ``(a) In General.--This subtitle shall not be construed as 
superseding, altering, or affecting the statutes, regulations, orders, 
or interpretations in effect in any State, except to the extent that 
such statutes, regulations, orders, or interpretations are inconsistent 
with the provisions of this subtitle, and then only to the extent of 
the inconsistency.
    ``(b) Greater Protection Under State Law.--For purposes of this 
section, a State statute, regulation, order, or interpretation is not 
inconsistent with the provisions of this subtitle if the protection 
such statute, regulation, order, or interpretation affords any person 
is greater than the protection provided under this subtitle as 
determined by the Commission, on its own motion or upon the petition of 
any interested party.

``SEC. 525. AGENCY GUIDANCE.

    ``In furtherance of the objectives of this subtitle, each Federal 
banking agency (as defined in section 3(z) of the Federal Deposit 
Insurance Act) and the Securities and Exchange Commission or self-
regulatory organizations, as appropriate, shall review regulations and 
guidelines applicable to financial institutions under their respective 
jurisdictions and shall prescribe such revisions to such regulations 
and guidelines as may be necessary to ensure that such financial 
institutions have policies, procedures, and controls in place to 
prevent the unauthorized disclosure of customer financial information 
and to deter and detect activities proscribed under section 521.

``SEC. 526. REPORTS.

    ``(a) Report to the Congress.--Before the end of the 18-month 
period beginning on the date of the enactment of this Act, the 
Comptroller General, in consultation with the Federal Trade Commission, 
Federal banking agencies, the Securities and Exchange Commission, 
appropriate Federal law enforcement agencies, and appropriate State 
insurance regulators, shall submit to the Congress a report on the 
following:
            ``(1) The efficacy and adequacy of the remedies provided in 
        this subtitle in addressing attempts to obtain financial 
        information by fraudulent means or by false pretenses.
            ``(2) Any recommendations for additional legislative or 
        regulatory action to address threats to the privacy of 
        financial information created by attempts to obtain information 
        by fraudulent means or false pretenses.
    ``(b) Annual Report by Administering Agencies.--The Federal Trade 
Commission and the Attorney General shall submit to Congress an annual 
report on number and disposition of all enforcement actions taken 
pursuant to this subtitle.

``SEC. 527. DEFINITIONS.

    ``For purposes of this subtitle, the following definitions shall 
apply:
            ``(1) Customer.--The term `customer' means, with respect to 
        a financial institution, any person (or authorized 
        representative of a person) to whom the financial institution 
        provides a product or service, including that of acting as a 
        fiduciary.
            ``(2) Customer information of a financial institution.--The 
        term ``customer information of a financial institution'' means 
        any information maintained by or for a financial institution 
        which is derived from the relationship between the financial 
        institution and a customer of the financial institution and is 
        identified with the customer.
            ``(3) Document.--The term `document' means any information 
        in any form.
            ``(4) Financial institution.--
                    ``(A) In general.--The term `financial institution' 
                means any institution engaged in the business of 
                providing financial services to customers who maintain 
                a credit, deposit, trust, or other financial account or 
                relationship with the institution.
                    ``(B) Certain financial institutions specifically 
                included.--The term `financial institution' includes 
                any depository institution (as defined in section 
                19(b)(1)(A) of the Federal Reserve Act), any broker or 
                dealer, any investment adviser or investment company, 
                any insurance company, any loan or finance company, any 
                credit card issuer or operator of a credit card system, 
                and any consumer reporting agency that compiles and 
                maintains files on consumers on a nationwide basis (as 
                defined in section 603(p)).
                    ``(C) Securities institutions.--For purposes of 
                subparagraph (B)--
                            ``(i) the terms `broker' and `dealer' have 
                        the meanings provided in section 3 of the 
                        Securities Exchange Act of 1934 (15 U.S.C. 
                        78c);
                            ``(ii) the term `investment adviser' has 
                        the meaning provided in section 202(a)(11) of 
                        the Investment Advisers Act of 1940 (15 U.S.C. 
                        80b-2(a)); and
                            ``(iii) the term `investment company' has 
                        the meaning provided in section 3 of the 
                        Investment Company Act of 1940 (15 U.S.C. 80a-
                        3).
                    ``(D) Further definition by regulation.--The 
                Federal Trade Commission, after consultation with 
                Federal banking agencies and the Securities and 
                Exchange Commission, may prescribe regulations 
                clarifying or describing the types of institutions 
                which shall be treated as financial institutions for 
                purposes of this subtitle.