[House Report 105-701]
[From the U.S. Government Publishing Office]



105th Congress                                            Rept. 105-701
                        HOUSE OF REPRESENTATIVES

 2d Session                                                      Part 1
_______________________________________________________________________


 
               FINANCIAL INFORMATION PRIVACY ACT OF 1998

                                _______
                                

                August 21, 1998.--Ordered to be printed

_______________________________________________________________________


    Mr. Leach, from the Committee on Banking and Financial Service, 
                        submitted the following

                              R E P O R T

                             together with

                            ADDITIONAL VIEWS

                        [To accompany H.R. 4321]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Banking and Financial Services, to whom 
was referred the bill (H.R. 4321) to protect consumers and 
financial institutions by preventing personal financial 
information from being obtained from financial institutions 
under false pretenses, having considered the same, reports 
favorably thereon with an amendment and recommends that the 
bill as amended do pass.
    The amendment is as follows:
    Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1, SHORT TITLE.

    This Act may be cited as the ``Financial Information Privacy Act of 
1998''.

SEC. 2. FINANCIAL INFORMATION PRIVACY.

    (a) In General.--The Consumer Credit Protection Act (15 U.S.C. 1601 
et seq.) is amended by adding at the end the following:

          ``TITLE X--FINANCIAL INFORMATION PRIVACY PROTECTION

``Sec.
``1001. Short title.
``1002. Definitions.
``1003. Privacy protection for customer information of financial 
institutions.
``1004. Administrative enforcement.
``1005. Civil liability.
``1006. Criminal penalty.
``1007. Relation to State laws.
``1008. Agency guidance.

``Sec. 1001. Short title

    ``This title may be cited as the `Financial Information Privacy 
Act'.

``Sec. 1002. Definitions.

    ``For purposes of this title, the following definitions shall 
apply:
          ``(1) Customer.--The term `customer' means, with respect to a 
        financial institution, any person (or authorized representative 
        of a person) to whom the financial institution provides a 
        product or service, including that of acting as a fiduciary.
          ``(2) Customer information of a financial institution.--The 
        term `customer information of a financial institution' means 
        any information maintained by a financial institution which is 
        derived from the relationship between the financial institution 
        and a customer of the financial institution and is identified 
        with the customer.
          ``(3) Document.--The term `document' means any information in 
        any form.
          ``(4) Financial institution.--
                  ``(A) In general.--The term `financial institution' 
                means any institution engaged in the business of 
                providing financial services to customers who maintain 
                a credit, deposit, trust, or other financial account or 
                relationship with the institution.
                  ``(B) Certain financial institutions specifically 
                included.--The term `financial institution' includes 
                any depository institution (as defined in section 
                19(b)(1)(A) of the Federal Reserve Act), any loan or 
                finance company, any credit card issuer or operator of 
                a credit card system, and any consumer reporting agency 
                that compiles and maintains files on consumers on a 
                nationwide basis (as defined in section 603(p)).
                  ``(C) Further definition by regulation.--The Board of 
                Governors of the Federal Reserve System may prescribe 
                regulations further defining the term `financial 
                institution', in accordance with subparagraph (A), for 
                purposes of this title.

``Sec. 1003. Privacy protection for customer information of financial 
                    institutions

    ``(a) Prohibition on Obtaining Customer Information by False 
Pretenses.--It shall be a violation of this title for any person to 
obtain or attempt to obtain, or cause to be disclosed or attempt to 
cause to be disclosed to any person, customer information of a 
financial institution relating to another person--
          ``(1) by knowingly making a false, fictitious, or fraudulent 
        statement or representation to an officer, employee, or agent 
        of a financial institution with the intent to deceive the 
        officer, employee, or agent into relying on that statement or 
        representation for purposes of releasing the customer 
        information;
          ``(2) by knowingly making a false, fictitious, or fraudulent 
        statement or representation to a customer of a financial 
        institution with the intent to deceive the customer into 
        relying on that statement or representation for purposes of 
        releasing the customer information or authorizing the release 
        of such information; or
          ``(3) by knowingly providing any document to an officer, 
        employee, or agent of a financial institution, knowing that the 
        document is forged, counterfeit, lost, or stolen, was 
        fraudulently obtained, or contains a false, fictitious, or 
        fraudulent statement or representation, if the document is 
        provided with the intent to deceive the officer, employee, or 
        agent into relying on that document for purposes of releasing 
        the customer information.
    ``(b) Prohibition on Solicitation of a Person to Obtain Customer 
Information From Financial Institution Under False Pretenses.--It shall 
be a violation of this title to request a person to obtain customer 
information of a financial institution, knowing or consciously avoiding 
knowing that the person will obtain, or attempt to obtain, the 
information from the institution in any manner described in subsection 
(a).
    ``(c) Nonapplicability to Law Enforcement Agencies.--No provision 
of this section shall be construed so as to prevent any action by a law 
enforcement agency, or any officer, employee, or agent of such agency, 
to obtain customer informationof a financial institution in connection 
with the performance of the official duties of the agency.
    ``(d) Nonapplicability to Financial Institutions in Certain 
Cases.--No provision of this section shall be construed so as to 
prevent any financial institution, or any officer, employee, or agent 
of a financial institution, from obtaining customer information of such 
financial institution in the course of--
          ``(1) testing the security procedures or systems of such 
        institution for maintaining the confidentiality of customer 
        information;
          ``(2) investigating allegations of misconduct or negligence 
        on the part of any officer, employee, or agent of the financial 
        institution; or
          ``(3) recovering customer information of the financial 
        institution which was obtained or received by another person in 
        any manner described in subsection (a) or (b).
    ``(e) Nonapplicability to Certain Types of Customer Information of 
Financial Institutions.--No provision of this section shall be 
construed so as to prevent any person from obtaining customer 
information of a financial instution that otherwise is available as a 
public record filed pursuant to he securities laws (as defined in 
section 3(a)(47) of the Securities Exchange Act of 1934).

``Sec. 1004. Administrative enforcement

    ``(a) Enforcement by Federal Trade Commission.--Except as provided 
in subsection (b), compliance with this title shall be enforced by the 
Federal Trade Commission in the same manner and with the same power and 
authority as the Commission has under the title VIII , the Fair Debt 
Collection Practices Act, to enforce compliance with such title.
    ``(b) Enforcement by Other Agencies in Certain Cases.--
          ``(1) In general.--Compliance with this title shall be 
        enforced under--
                  ``(A) section 8 of the Federal Deposit Insurance Act, 
                in the case of--
                          ``(i) national banks, and Federal branches 
                        and Federal agencies of foreign banks, by the 
                        Office of the Comptroller of the Currency;
                          (ii) member banks of the Federal Reserve 
                        System (other than national banks), branches 
                        and agencies of foreign banks (other than 
                        Federal branches, Federal agencies, and insured 
                        State branches of foreign banks), commercial 
                        lending companies owned or controlled by 
                        foreign banks, and organizations operating 
                        under section 25 or 25A of the Federal Reserve 
                        Act, by the Board;
                          ``(iii) banks insured by the Federal Deposit 
                        Issuance Corporation (other than members of the 
                        Federal Reserve System and national nonmember 
                        banks) and insured State branches of foreign 
                        banks, by the Board of Directors of the Federal 
                        Deposit Insurance Corporation; and
                          ``(iv) savings associations the deposits of 
                        which are insured by the Federal Deposit 
                        Insurance Corporation, by the Director of the 
                        Office of Thrift Supervision; and
                  ``(B) the Federal Credit Union Act, by the 
                Administrator or the National Credit Union 
                Administration with respect to any Federal credit 
                union.
          ``(2) Violations of the title treated as violations of other 
        laws.--For the purpose of the exercise by any agency referred 
        to in paragraph (1) of its powers under any Act referred to in 
        that paragraph, a violation of this title shall be deemed to be 
        a violation of a requirement imposed under that Act. In 
        addition to its powers under any provision of law specifically 
        referred to in paragraph (1), each of the agencies referred to 
        in that paragraph may exercise, for the purpose of enforcing 
        compliance with this title, any other authority conferred on 
        such agency by law.
    ``(c) State Action for Violations.--
          ``(1) Authority of states.--In addition to such other 
        remedies as are provided under State law, if the chief law 
        enforcement officer of a State, or an official or agency 
        designated by a State, has reason to believe that any person 
        has violated or is violating this title, the State--
                  ``(A) may bring an action to enjoin such violation in 
                any appropriate United States district court or in any 
                other court of competent jurisdiction;
                  ``(B) may bring an action on behalf of the residents 
                of the State to recover damages of not more than $1,000 
                for each violation; and
                  ``(C) in the case of any successful action under 
                subparagraph (A) or (B), shall be awarded the cost of 
                the action and reasonable attorney fees as determined 
                by the court.
          ``(2) Rights of Federal Regulations.--
                  ``(A) Prior Notice. The State shall serve prior 
                written notice of any action under paragraph (1) upon 
                the Federal Trade Commission, and, in thecase of an 
action which involves a financial institution described in section 
1004(b)(1), the agency referred to in such section with respect to such 
institution and provide the Federal Trade Commission and any such 
agency with a copy of its complaint, except in any case in which such 
prior notice is not feasible, in which case the State shall serve such 
notice immediately upon instituting such action.
                  ``(B) Right to intervene.--The Federal Trade 
                Commission or an agency described in subsection (b) 
                shall have the right--
                          ``(i) to intervene in an action under 
                        paragraph (1);
                          ``(ii) upon so intervening, to be heard on 
                        all matters arising therein;
                          ``(iii) to remove the action to the 
                        appropriate United States district court; and
                          ``(iv) to file petitions for appeal.
          ``(3) Investigatory powers.--For purposes of bringing any 
        action under this subsection, no provision of this subsection 
        shall be construed as preventing the chief law enforcement 
        officer, or an official or agency designated by a State, from 
        exercising the powers conferred on the chief law enforcement 
        officer or such official by the laws of such State to conduct 
        investigations or to administer oaths or affirmations or to 
        compel the attendance of witnesses or the production of 
        documentary and other evidence.
          ``(4) Limitation on state action while federal action 
        pending.--If the Federal Trade Commission or any agency 
        described in subsection (b) has instituted a civil action for a 
        violation of this title, no State may, during the pendency of 
        such action, bring an action under this section against any 
        defendant named in the complaint of the Federal Trade 
        Commission or such agency for any violation of this title that 
        is alleged in that complaint.

``Sec. 1005. Civil liability

    ``Any person, other than a financial institution, who fails to 
comply with any provision of this title with respect to any financial 
institution or any customer information of a financial institution 
shall be liable to such financial institution or the customer to whom 
such information relates in an amount equal to the sum of the amounts 
determined under each of the following paragraphs:
          ``(1) Actual damages.--The greater of--
                  ``(A) the amount of any actual damage sustained by 
                the financial institution or customer as a result of 
                such failure; or
                  ``(B) any amount received by the person who failed to 
                comply with this title, including an amount equal to 
                the value of any nonmonetary consideration, as a result 
                of the action which constitutes such failure.
          ``(2) Additional damages.--Such additional amount as the 
        court may allow.
          ``(3) Attorneys' fees.--In the case of any successful action 
        to enforce any liability under paragraph (1) or (2), the costs 
        of the action, together with reasonable attorneys' fees.

``Sec. 1006. Criminal penalty

    ``(a) In general.--Whoever violates, or attempts to violate, 
section 1003 shall be fined in accordance with title 18, United States 
Code, or imprisoned for not more than 5 years, or both.
    ``(b) Enhanced Penalty for Aggravated Cases.--Whoever violates, or 
attempts to violate, section 1003 while violating another law of the 
United States or as part of a pattern of any illegal activity involving 
more than $100,000 in a 12-month period shall be fined twice the amount 
provided in subsection (b)(3) or (c)(3) (as the case may be) of section 
3571 of title 18, United States code, imprisoned for not more than 10 
years, or both.

``Sec. 1007. Relation to State laws

    ``(a) In General.--This title shall not be construed as 
superseding, altering, or affecting the statutes, regulations, orders, 
or interpretations in effect in any State, except to the extent that 
such statutes, regulations, orders, or interpretations are inconsistent 
with the provisions of this title, and then only to the extent of the 
inconsistency.
    ``(b) Greater Protection Under State Law.--For purposes of this 
section, a State statute, regulation, order, or interpretation is not 
inconsistent with the provisions of this title if the protection such 
statute, regulation, order, or interpretation affords any person is 
greater than the protection provided under this title.

``Sec. 1008. Agency guidance

    ``In furtherance of the objectives of this title, each Federal 
banking agency (as defined in section 3(z) of the Federal Deposit 
Insurance Act) shall issue advisories to depository institutions under 
the jurisdiction of the agency, in order to assist such depository 
institutions in deterring and detecting activities proscribed under 
section 1003.''.
    (b) Report to the Congress.--Before the end of the 18-month period 
beginning on the date of the enactment of this Act, the Comptroller 
General, in consultation with the Federal Trade Commission, Federal 
banking agencies, and appropriate Federal law enforcement agencies, 
shall submit to the Congress a report on the following:
          (1) The efficacy and adequacy of the remedies provided in the 
        amendments made by subsection (a) in addressing attempts to 
        obtain financial information by fraudulent means or by false 
        pretenses.
          (2) Any recommendations for additional legislative or 
        regulatory action to address threats to the privacy of 
        financial information created by attempts to obtain information 
        by fraudulent means or false pretenses.

                          Purpose and Summary

    The purpose of H.R. 4321 is to protect consumers by 
preserving the confidentiality of customer information 
maintained by banks and other financial institutions. The 
legislation attempts to address the significant threat to 
financial privacy posed by an emerging industry of so-called 
``information brokers,'' who use deception and false pretenses 
to collect personal financial information for their clients.
    H.R. 4321, as amended by the Committee, makes it a federal 
crime to obtain or attempt to obtain, or cause to be disclosed 
or attempt to cause to be disclosed, customer information of a 
financial institution through fraudulent or deceptive means, 
such as by misrepresenting the identity of the person 
requesting the information or otherwise tricking an institution 
or customer into making unwitting disclosures of such 
information. The legislation also makes it unlawful to request 
that customer financial information be obtained, knowing or 
consciously avoiding knowing that the information will be 
collected in a fraudulent or deceptive manner. Exempted from 
coverage are law enforcement agencies that acquire customer 
information of a financial institution in carrying out their 
official duties, as well as financial institutions engaged in 
efforts to combat fraud, such as tests of security systems for 
maintaining the confidentiality of customer information and 
investigations of allegations of employee misconduct.
    The legislation authorizes the Federal Trade Commission to 
enforce the provisions of the Act over entities that come under 
its jurisdiction through the imposition of civil penalties and 
other administrative and equitable remedies available under the 
Federal Trade Commission Act. In instances where depository 
institutions engage in activities proscribed by the Act, the 
appropriate Federal banking agencies are given enforcement 
authority. The Federal banking agencies are also directed to 
issue advisories to depository institutions under their 
jurisdiction to assist those institutions in deterring and 
detecting the activities prohibited by the legislation.
    H.R. 4321 creates other mechanisms for enforcing the Act's 
prohibitions, including (1) State actions for injunctive relief 
or to recover damages of not more than $1,000 per violation; 
(2) civil lawsuits by financial institutions or customers whose 
information has been obtained unlawfully; and (3) criminal 
sanctions, including up to five years in prison and substantial 
fines (up to $250,000 in the case of an individual or $500,000 
in the case of a corporation), with penalties doubled for 
aggravated offenses. The legislation preempts State laws only 
to the extent that they are inconsistent with its provisions.

                Background and Need for the Legislation

    No issue is of more pressing concern to customers of banks 
and other financial institutions than that of financial 
privacy. The unprecedented technological advances of the past 
several decades--and an ever-increasing demand by businesses 
and private litigants for financial information that can only 
be derived from non-public sources--haveundermined consumers' 
expectation of privacy in conducting their financial affairs. Criminal 
elements have also sought to exploit opportunities created by the 
explosion of information available on individual consumers to commit 
fraud and other financial crimes.
    In response to these growing threats to financial privacy, 
the Committee has conducted extensive oversight in the last two 
Congresses, designed to educate consumers and providers of 
financial services regarding the nature of the threats, and to 
encourage the development of legislative solutions to address 
them.\1\ As part of its oversight efforts in this area, the 
Committee became aware earlier this year of a rapid growth in 
the number of information brokers specializing in the 
collection and dissemination of personal financial information. 
Advertising their services in legal and investigative trade 
journals and over the Internet, these companies tout their 
ability to gain access to a wide array of confidential 
information maintained by financial institutions on their 
customers, including bank account numbers and balances; stock, 
bond and mutual fund holdings; credit card information, 
including account numbers, credit lines, and specific 
transactions; and the contents of safe-deposit boxes.
---------------------------------------------------------------------------
    \1\ See, e.g., Organized Crime and Banking: Hearing before the 
House Comm. on Banking and Financial Services, 104th Cong., 2d Sess. 
(1996), Serial No. 104-47; Personal Banking Fraud: Hearing before the 
House Comm. on Banking and Financial Services, 104th Cong., 2d Sess. 
(1996), Serial No. 104-54; Consumer Financial Privacy: Hearing before 
the Subcomm. on Financial Institutions and Consumer Credit of the House 
Comm. on Banking and Financial Services, 105th Cong., 1st Sess. (1997), 
Serial No. 105-33.
---------------------------------------------------------------------------
    According to testimony elicited by the Committee from law 
enforcement authorities and industry participants, the primary 
method used to collect this information involves a form of what 
is known in the private investigative trade as ``pretexting,'' 
in which an information broker impersonates the individual 
whose account information is sought or engages in other ruses 
designed to trick a financial institution into disclosing the 
information. The successful ``pretexter'' has usually obtained 
identifying information about a consumer (such as social 
security number, date of birth, or mother's maiden name) from 
some other source before approaching the financial institution 
from which additional information is sought. By citing this 
previously gathered information correctly, the information 
broker attempts to mislead a customer service representative at 
the targeted financial institution into believing that he is 
processing a legitimate inquiry from one of the institution's 
customers, and that release of the requested information is 
therefore appropriate.
    Once obtained, the information can be combined with other 
information gathered by the broker to compile an ``asset 
profile'' of his subject for a business competitor; an 
adversary in litigation or other commercial or personal 
dispute; or an individual simply seeking to satisfy personal 
curiosity. Personal financial information collected by false 
pretenses can also be used to commit ``identity theft,'' 
whereby criminals essentially assume the identities of their 
victims to gain control over or open new bank or credit card 
accounts, apply for loans, or incur other forms of debt, all 
with devastating consequences for the credit rating and 
personal finances of the targeted individual.
    Perhaps the most compelling evidence of the nature and 
scope of the threat to financial privacy presented by 
unscrupulous information brokers was developed in a recent 
investigation conducted by the Massachusetts Attorney General's 
office. In 1993, officials in the security department of Bank 
Boston became aware that a Massachusetts company was 
advertising ``asset search and information services'' that 
included a ``system'' for obtaining complete bank account 
information, including balances, without the knowledge or 
authorization of the account holder. As a way of testing its 
internal controls for protecting the confidentiality of 
customer account information--and also gaining a better 
understanding of the nature of the activities conducted by 
information brokers--BankBoston undertook a lengthy 
investigation of the firm which had advertised this service. It 
later supplied the results of its inquiry to the Massachusetts 
Attorney General's office, which launched a broader probe of 
the information brokering industry that has, to date, yielded 
some $275,000 in civil penalties against nine firms in five 
different states.
    The Massachusetts Attorney General's office brought its 
cases against information brokers pursuant to Massachusetts' 
unfair and deceptive trade practices law, which is patterned 
after the Federal Trade Commission Act and similar to statutes 
adopted in many other jurisdictions. Only three states 
(Connecticut, Illinois and Maine) have enacted laws making it 
unlawful to knowingly and willfully induce or attempt to induce 
an employee or officer of a financial institution to disclose 
another person's records. While it has been suggested that the 
use of false or deceptive methods to procure confidential 
financial information may also constitute wire fraud, 
prosecutable under title 18, United States Code, there are no 
reported instances of such cases being brought against 
information brokers. Federal regulators and experts on 
information brokering have told the Committee that the absence 
of a Federal statute directly prohibiting the retrieval of 
customer information from financial institutions under false 
pretenses has allowed information brokers and their clients to 
argue that the use of ``pretexting'' to collect such 
information is permissible under current law.
    Regardless of the legal merits of that position, the 
paucity of reported Federal or State actions against 
information brokers indicates that existing enforcement 
mechanisms may be insufficient to deter the fundamentally 
deceptive practices disclosed during the Committee's 
examination of the information brokering industry. By 
specifically and directly targeting these practices, H.R. 4321 
is intended to send a signal to information brokers and those 
who retain their services that they are no longer operating in 
a ``gray area'' of the law, but are instead engaged in conduct 
that is explicitly proscribed and punishable both by civil 
penalties and strong criminal sanctions.
    The legislation has been drafted with an eye toward 
preserving the easy and immediate access to personal account 
information that most consumers of financial services have come 
to expect. Thus, H.R. 4321 imposes no regulatory mandates or 
legalrequirements that could cause financial institutions to 
restrict or limit the access to account information they offer their 
legitimate customers. This approach recognizes that financial 
institutions, like the customers whose information they are charged 
with safeguarding, are victims of the fraud perpetrated by those who, 
through deceptive methods, seek unauthorized access to that 
information. Indeed, the Supreme Court has recognized that account 
information maintained by a bank constitutes the ``business records'' 
of that institution, giving rise to a property interest in that 
information that is arguably violated by anyone who seeks to access it 
by false pretenses. See United States v. Miller, 425 U.S. 435, 440-41 
(1976).
    The legislation includes several ``savings clauses'' 
designed to avoid the unintended consequences that might ensure 
from application of its provisions to anti-fraud initiatives 
undertaken by law enforcement authorities of financial 
institutions themselves. Thus, for example, a Federal, State or 
local government agency attempting to enforce child support 
obligations would not be precluded from employing a form of 
``pretexting'' to locate the assets of a delinquent parent. Nor 
would a financial institution seeking to root out possible 
corruption among its employees or achieve some other anti-fraud 
objective be prohibited from engaging in certain activities 
that might, in some other context, run afoul of the Act.
    During the markup, Mr. Royce and Mrs. Roukema expressed 
concern about the impact of the legislation on the ability of 
individuals involved in domestic disputes to obtain information 
regarding the location of financial assets. The Committee 
intends to work with Mr. Royce and Mrs. Roukema to address this 
concern when H.R. 4321 is considered on the Floor.

                                Hearings

    On July 23, 1998, Chairman Leach introduced H.R. 4321, the 
Financial Information Privacy Act. The Committee held a hearing 
on the legislation on July 28, 1998. Testifying at the hearing 
were Al Schweitzer, President, Al Schweitzer Investigations; 
Robert Douglas, President, Douglas Investigations; Julie L. 
Williams, Acting Comptroller of the Currency; Mozelle W. 
Thompson, Commissioner, Federal Trade Commission; Jeffrey D. 
Clements, Assistant Attorney General, Commonwealth of 
Massachusetts; Boris F. Melnikoff, Senior Vice President, 
Wachovia Corporation, who appeared on behalf of the American 
Bankers Association; Eddy L. McClain, Chairman, Krout and 
Schneider, Inc., who appeared on behalf of the National Council 
of Investigation and Security Services; Robert Glass, Vice 
President, LEXIS-NEXIS, who appeared on behalf of the 
Individual Reference Services Group; Evan Hendricks, Editor and 
Publisher, Privacy Times; and Russell Schrader, Senior Vice 
President, VISA U.S.A., Inc.

                   Committee Consideration and Votes

    On August 5, 1998, the full Committee met in open session 
to mark up H.R. 4321, the Financial Information Privacy Act of 
1998. The Committee called up H.R. 4321 as original text for 
purposes of amendment.
    During the mark up, a Manager's Amendment and seven other 
amendments were offered. The Manager's Amendment and two 
amendments were adopted.

Amendments that were adopted

    1. The Manager's Amendment as adopted by voice vote would 
do the following:
          Remove from the list of specific entities included in 
        the definition of a financial institution ``any broker 
        or dealer in investment securities, any insurance 
        company, and any investment adviser or investment 
        company'';
          Authorize the Federal Reserve Board of Governors 
        instead of the Federal Trade Commission to promulgate 
        regulations further defining the types of institutions 
        to be treated as ``financial institutions'' under the 
        title;
          Clarify that the prohibition on obtaining customer 
        information by false pretenses applies only to 
        instances in which a person seeks customer information 
        of another;
          Modify the prohibition on obtaining customer 
        information by false, fictitious or fraudulent means by 
        providing that such conduct must be carried out with 
        the intent to deceive another person into relying on 
        the false or fraudulent statement or represtation for 
        purposes of releasing the customer information;
          Provide that it is unlawful to request a person to 
        obtain customer information of a financial institution, 
        knowing or consciously avoiding knowing that the person 
        will obtain, or attempt to obtain, the information from 
        the institution in any manner described in section 
        1003(a);
          Clarify that the prohibitions on obtaining or 
        receiving customer information by false pretenses do 
        not apply to situations in which a financial 
        institution is (1) testing its procedures for 
        maintaining the confidentiality of customer 
        information, (2) investigating allegations of 
        misconduct or negligence on the part of one of its 
        employees or agents, or (3) attempting to recover 
        customer information obtained or received by another 
        person in any manner described in Section 1003(a) or 
        (b); or to situations in which a person seeks to obtain 
        information that is otherwise available as a public 
        record filed pursuant to the Federal securities laws;
          Delete reference to the Farm Credit Act of 1971 under 
        the administrative enforcement section for appropriate 
        Federal banking agencies;
          Eliminate the requirement that the Federal Trade 
        Commission make determinations as to whether specific 
        state statutes, regulations, orders, or interpretations 
        are inconsistent with this statute;
          Require Federal banking agencies to issue advisories 
        to depository institutions under their jurisdiction, in 
        order to assist those institutions in deterring and 
        detecting activities proscribed by this legislation; 
        and
          Make other technical and grammatical modifications.
    2. An amendment offered by Mrs. Roukema was adopted by 
voice vote to give financial institutions the right to bring a 
cause of action and to recover damages against those persons 
who have violated the title. The amendment was amended by Mr. 
LaFalce to allow the financial institutions to recover such 
additional damages as a court may allow in addition to actual 
damages sustained.
    3. An amendment offered by Mr. LaFalce and Mrs. Kelly was 
adopted by voice vote to give customers of financial 
institutions the right to bring a cause of action and to 
recover damages from any person, other than a financial 
institution, who fails to comply with the title.

Amendment that was defeated

    1. An amendment offered by Mr. Hinchey to restrict the 
ability of financial institutions to use or disclose nonpublic 
customer information for marketing purposes unless the 
institution receives prior written consent from the customer 
was defeated by a vote of 7-23.
        AYES                          NAYS
Mr. LaFalce                         Mr. Leach
Mr. Kennedy                         Mr. McCollum
Mr. Sanders                         Mrs. Roukema
Ms. Roybal-Allard                   Mr. Bereuter
Ms. Velazquez                       Mr. Baker
Mr. Hinchey                         Mr. Lazio
Mr. Lee                             Mr. Bachus
                                    Mr. Castle
                                    Mr. Royce
                                    Mr. Lucas
                                    Mrs. Kelly
                                    Dr. Paul
                                    Dr. Weldon
                                    Mr. Ryun
                                    Mr. Snowbarger
                                    Mr. Riley
                                    Mr. Sessions
                                    Mr. Redmond
                                    Mr. Vento
                                    Mr. Bensten
                                    Mr. Maloney
                                    Mr. Sherman
                                    Mr. Goode

    With a quorum being present, the Committee adopted by voice 
vote H.R. 4321, as amended, for final passage and to be 
favorably reported to the full House of Representatives for 
consideration. Also, the Committee adopted, by voice vote, a 
motion to authorize the Chairman to offer such motions as may 
be necessary in the House of Representatives to go to 
conference with the Senate on a similar bill.

                      Committee Oversight Findings

    In compliance with clause 2(l)(3)(A) of rule XI of the 
Rules of the House of Representatives, the Committee reports 
that the findings and recommendations of the Committee, based 
on oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

         Committee on Government Reform and Oversight Findings

    No findings and recommendations of the Committee on 
Government Reform and Oversight were received as referred to in 
clause 2(l)(3)(D) of rule XI of the Rules of the House of 
Representatives.

                        Constitutional Authority

    In compliance with clause 2(l)(4) of rule XI of the Rules 
of the House of the Representatives, the constitutional 
authority for Congress to enact this legislation is derived 
from the interstate commerce clause (Clause 3, Section 8, 
Article I). In addition, the power ``to coin money'' and 
``regulate the value thereof'' (Clause 5, Section 8, Article I) 
has been broadly construed to allow for the Federal regulation 
of the provision of credit.

               New Budget Authority and Tax Expenditures

    Clause 2(l)(3)(B) of rule XI of the Rules of the House of 
Representatives is inapplicable because this legislation does 
not provide new budgetary authority of increased tax 
expenditures.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                    Congressional Accountability Act

    The reporting requirement under section 102(b)(3) of the 
Congressional Accountability Act (P.L. 104-1) is inapplicable 
because this legislation does not relate to terms and 
conditions of employment or access to public services or 
accommodations.

    Congressional Budget Office Cost Estimate and Unfunded Mandates 
                                Analysis

    The CBO cost estimate and unfunded mandates analysis for 
the bill is attached.

H.R. 4321--Financial Information Privacy Act of 1998

    Summary: H.R. 4321 would prohibit obtaining or requesting a 
customer's personal financial information from a financial 
institution under false pretenses. For most purposes, the bill 
would be enforced by the Federal Trade Commission (FTC). The 
Office of the Comptroller of the Currency (OCC), the Board of 
Governors of the Federal Reserve System, the Federal Deposit 
Insurance Corporation (FDIC), the Office of Thrift Supervision 
(OTS), and the National Credit Union Administration (NCUA) 
would enforce H.R. 4321 as it applies to the financial 
institutions that those agencies regulate. The Federal Reserve 
System would issue regulations defining the phrase ``financial 
institution'' as directed by the bill. Finally, H.R. 4321 would 
allow states to bring legal actions in federal district court 
against violators of the bill.
    CBO estimates that implementing H.R. 4321 would increase 
discretionary spending by less than $500,000 a year over the 
1999-2003 period. Such costs would be subject to the 
availability of appropriated funds. H.R. 4321 could affect 
direct spending and revenues; therefore, pay-as-you-go 
procedures would apply, but CBO estimates that any such effects 
would be less than $500,000 in a year over the 1999-2003 
period.
    H.R. 4321 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
and would impose no costs on state, local, or tribal 
governments.
    Estimated cost to the Federal Government: H.R. 4321 would 
make it a federal crime to obtain or request a customer's 
personal financial information from a financial institution 
under false pretenses. Subject to the availability 
ofappropriated funds, CBO estimates that implementing H.R. 4321 would 
increase the costs of the FTC and the NCUA by less than $500,000 a year 
over the 1999-2003 period. Violators would be subject to imprisonment 
and fines. As a result, the federal government would be able to pursue 
cases that it otherwise would not be able to prosecute. CBO expects 
that the government probably would not pursue many such cases, so we 
estimate that any increase in federal costs for law enforcement court 
proceedings, or prison operations would not be significant. Any such 
additional costs would be subject to the availability of appropriated 
funds.
    Because those prosecuted and convicted under H.R. 4321 
could be subject to criminal fines, the federal government 
might collect additional fines if the bill is enacted. 
Collections of such fines are recorded in the budget as 
governmental receipts (revenues), which are deposited in the 
Crime Victims Fund and spent in the following year. CBO expects 
that any additional collections from enacting H.R. 4321 would 
be negligible, however, because of the small number of cases 
likely to be involved. Because any increase in direct spending 
would equal the fines collected with a one-year lag, the 
additional direct spending also would be negligible.
    Both the OTS and the OCC charge fees to cover all their 
administrative costs; therefore, any additional spending by 
these agencies would have no net budget effect. That is not the 
case with the FDIC, however, which uses deposit insurance 
premiums paid by all banks to cover the expenses it incurs to 
supervise state-chartered banks. The bill would cause a small 
increase in FDIC spending, but would probably not affect its 
premium income. In any case, CBO estimates that H.R. 4321 would 
increase direct spending and offsetting receipts for those 
agencies by less than $500,000 a year over the 1999-2003 
period.
    Budgetary effects on the Federal Reserve are recorded as 
changes in revenues. Based on information from the Federal 
Reserve, CBO estimates that enacting H.R. 4321 would reduce 
revenues by less than $500,000 a year over the 1999-2003 
period.
    Pay-as-you-go considerations: The Balanced Budget and 
Emergency Deficit Control Act sets up pay-as-you go procedures 
for legislation affecting direct spending or receipts. CBO 
estimates that enacting H.R. 4321 would affect direct spending 
and governmental receipts but that there would be no 
significant impact in any year.
    Intergovernmental and private-sector impact: H.R. 4321 
contains no intergovernmental or private-sector mandates as 
defined in UMRA and would impose no costs on state, local, or 
tribal governments.
    Estimate prepared by: Federal costs: Mark Hadley; Revenues: 
Carolyn Lynch.
    Estimate approved by: Paul N. Van de Water, Assistant 
Director for Budget Analysis.

                      Section-By-Section Analysis

                         section 1. short title

    This Act may be cited as the ``Financial Information 
Privacy Act of 1998.''

                section 2. financial information privacy

    This section amends the Consumer Credit Protection Act by 
adding a new title to be cited as ``Title X--The Financial 
Information Privacy Act.'' The new title is comprised of eight 
sections:

Section 1001. Short title

    ``Financial Information Privacy Act.''

Section 1002. Definitions

    The term ``customer'' is defined as any person to whom the 
financial institution provides a product or service, including 
that of acting as a fiduciary. The term ``customer information 
of a financial institution'' is defined as any information 
maintained by a financial institution which is derived from the 
relationship between the financial institution and its customer 
and is identified with the customer. The term ``financial 
institution'' is defined as any institution engaged in the 
business of providing financial services to customers who 
maintained a credit, deposit, trust, or other financial account 
or relationship with the institution, including but not limited 
to depository institutions (as defined in section 19(b)(1)(A) 
of the Federal Reserve Act); loan or finance companies; credit 
card issuers; operators of credit card systems; and consumer 
reporting agencies. The Federal Reserve Board is authorized to 
prescribe regulations further defining the types of 
institutions which shall be treated as ``financial 
institutions'' for purposes of this title.

Section 1003. Privacy protection for customer information of financial 
        institutions

    This section makes it unlawful for any person to obtain or 
attempt to obtain, or cause to be disclosed or attempt to cause 
to be disclosed to any person, customer information of a 
financial institution relating to another person by (1) 
knowingly making a false, fictitious, or fraudulent statement 
or representation to an officer, employee, or agent of a 
financial institution with the intent to deceive the officer, 
employee, or agent into relying on that statement or 
representation for purposes of releasing the customer 
information; (2) knowingly making a false, fictitious, or 
fraudulent statement or representation to a customer of a 
financial institution with the intent to deceive the customer 
into relying on that statement or representation for purposes 
of releasing the customer information or authorizing the 
release of such information; or (3) providing any document to 
an officer, employee, or agent of a financial institution, 
knowing that the document is forged, counterfeit, lost, or 
stolen, was fraudulently obtained, or contains a false, 
fictitious, or fraudulent statement or representation, if the 
document is provided with the intent to deceive the officer, 
employee, or agent into relying on that document for purposes 
of releasing the customer information. This section makes it 
unlawful to request a person to obtain customer information of 
a financial institution knowing or consciously avoiding knowing 
that it was obtained through any of the three methods described 
in this section.
    The prohibitions specified in this section do not apply to 
any action by a law enforcement agency to obtain customer 
information of a financial institution in the performance of 
its official duties. For purposes of this section, the term 
``law enforcement agency'' is intended to include Federal, 
State and local agencies, and specifically encompasses those 
agencies responsible for enforcing child-support obligations.
    This section's prohibitions do not apply to instances in 
which a financial institution or its officers, employees, or 
agents, obtain customer information of such financial 
institution in the course of (1) testing the security 
procedures or systems of such institution for maintaining the 
confidentiality of customer information; (2) investigating 
allegations of misconduct or negligence on the part of any 
officer, employee, or agent of the financial institution; or 
(3) recovering customer information of the financial 
institution which was obtained or received by another person in 
any manner described in this section. Thus, for example, when a 
fraud prevention unit of a financial institution succeeds in 
retrieving from an information broker that has been obtained 
through fraud or deceit, the financial institution is not in 
violation of this statute. This ``safe harbor'' extends to 
agents or contractors retained by a financial institution to 
implement anti-fraud or self-testing programs.
    This section also does not apply to the obtaining of 
customer information of a financial institution that is 
otherwise available as a public record filed pursuant to the 
federal securities laws.
    Nothing in this section should be construed as limiting or 
in any way interfering with the sharing of information among 
affiliates or subsidiaries within a single bank or bank holding 
company structure, as permitted under the Fair Credit Reporting 
Act.

Section 1004. Administrative enforcement

    This section assigns enforcement authority to the Federal 
Trade Commission (FTC) and the Federal banking agencies 
according to their respective jurisdictions. The enforcement 
authority exercised by the FTC under this title is coextensive 
with its authority under the Fair Debt Collection Practices 
Act. In instances where depository institutions are implicated 
in obtaining information through fraudulent means, or 
requesting that such information be obtained knowing or 
consciously avoiding knowing that fraudulent or deceptive 
methods will be used to collect it, the appropriate Federal 
banking agencies have the authority to enforce this Act.
    This section further provides that in addition to such 
other remedies as are available under State law, the States 
have the authority to enforce this Act, through actions to 
enjoin violations or recover damages of not more than $1,000 
for each violation. The FTC and the other Federal agencies with 
enforcement authority under this section have the right to 
intervene in any action by a State to enforce this Act. Where 
the FTC or any other Federal agency with enforcement authority 
under this section has instituted a civil action to enforce 
this Act, no State may, during the pendency of that action, 
bring its own action under this section against any defendant 
named in the Federal complaint for any act alleged in that 
complaint.

Section 1005. Civil liability

    This section provides that any person which is not a 
financial institution may be held civilly liable for violating 
this Act by a financial institution or a customer whose 
financial information was obtained unlawfully. The Act 
authorizes the recovery of (A) actual damages (1) in the amount 
sustained by the financial institution or customer as a result 
of the violation, or (2) in the amount of any compensation 
received by the defendant, including the value of any 
nonmonetary compensation, as a result of the violation, 
whichever is greater; (B) such additional damages as the court 
may allow; and (C) in the case of a successful action the costs 
of the action including reasonable attorneys' fees.
    The purpose of this section is to permit consumers and 
financial institutions who have been victimized by unscrupulous 
information brokers and others who traffic in fraudulently 
obtained financial information to hold those parties 
accountable. Affording injured private parties a right of 
action increases the likelihood that the Act's prohibitions 
will be vigorously enforced. For example, a financial 
institution will, in some instances, have a stronger incentive 
to proceed against an information broker or his client than a 
law enforcement agency or prosecutor operating with limited 
resources and forced to juggle competing priorities, 
particularly in those cases where the amount of monetary 
damages is minimal.
    This section does not give rise to a private right of 
action against a financial institution from which customer 
information has been obtained in a manner proscribed by section 
1003.

Section 1006. Criminal penalties

    Whoever violates this Act or attempts to violate this Act 
shall be fined in accordance with title 18, United States Code 
(up to $250,000 in the case of an individual or $500,000 in the 
case of a corporation) or imprisoned for not more than 5 years, 
or both. Whoever violates this Act while violating or 
attempting to violate other laws, as part of a pattern of 
illegal activity involving more than $100,000 in a 12 month 
period shall have their fines doubled or be imprisoned for not 
more than 10 years, or both.

Section 1007. Relation to State laws

    This Act does not supersede any State statutes, 
regulations, orders, or interpretations, except to the extent 
that they are inconsistent with the provisions of this Act, and 
then only to the extent of the inconsistency. A State statute, 
regulation, order, or interpretation is not inconsistent with 
the provisions of this Act if the protection such statute, 
regulation, order, or interpretation affords any person is 
greater than the protection provided under this Act.

Section 1008. Agency guidance

    This section requires the Federal banking agencies (as 
defined in section 3(z) of the Federal Deposit Insurance Act) 
to issue advisories to depository institutions under their 
jurisdiction to assist those institutions in deterring and 
detecting activities proscribed in this Act.
    Finally, the legislation requires the General Accounting 
Office, in consultation with the FTC, Federal banking agencies, 
and appropriate Federal law enforcement agencies, to submit a 
report to Congress within 18 months of the date of enactment on 
(1) of efficiency and adequacy of this legislation in 
addressing attempts to obtain financial information by 
fraudulent means and false pretenses; and (2) any 
recommendations regarding additional legislation or regulations 
necessary to address threats to the privacy of financial 
information.

         Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3 of the rule XIII of the Rules 
of the House of Representatives, changes in existing law made 
by the bill, as reported, are shown as follows (new matter is 
printed in italic):

             TITLE X OF THE CONSUMER CREDIT PROTECTION ACT

           TITLE X--FINANCIAL INFORMATION PRIVACY PROTECTION

Sec.
1001. Short title.
1002. Definitions.
1003. Privacy protection for customer information of financial 
institutions.
1004. Administrative enforcement.
1005. Civil liability.
1006. Criminal penalty.
1007. Relation to State laws.
1008. Agency guidance.

Sec. 1001. Short title

    This title may be cited as the ``Financial Information 
Privacy Act''.

Sec. 1002. Definitions

    For purposes of this title, the following definitions shall 
apply:
          (1) Customer.--The term ``customer'' means, with 
        respect to a financial institution, any person (or 
        authorized representative of a person) to whom the 
        financial institution provides a product or service, 
        including that of action as a fiduciary.
          (2) Customer information of a financial 
        institution.--The term ``customer information of a 
        financial institution'' means any information 
        maintained by a financial institution which is derived 
        from the relationship between the financial institution 
        and a customer of the financial institution and is 
        identified with the customer.
          (3) Document.--The term ``document'' means any 
        information in any form.
          (4) Financial institution.--
                  (A) In general.--The term ``financial 
                institution'' means any institution engaged in 
                the business of providing financial services to 
                customers who maintain a credit, deposit, 
                trust, or other financial account or 
                relationship with the institution.
                  (B) Certain financial institutions 
                specifically included.--The term ``financial 
                institution'' includes any depository 
                institution (as defined in section 19(b)(1)(A) 
                of the Federal Reserve Act), any loan or 
                finance company, any credit card issuer or 
                operator of a credit card system, and credit 
                card issuer or operator of a credit card 
                system, and any consumer reporting agency that 
                compiles and maintains files on consumers on a 
                nationwide basis (as defined in section 
                603(p)).
                  (C) Further definition by regulation.--The 
                Board of Governors of the Federal Reserve 
                System may prescribe regulations further 
                defining the term ``financial institution'', in 
                accordance with subparagraph (A), for purposes 
                of this title.

Sec. 1003. Privacy protection for customer information of financial 
                    institutions

    (a) Prohibition on Obtaining Customer Information by False 
Pretenses.--It shall be a violation of this title for any 
person to obtain or attempt to obtain, or cause to be disclosed 
or attempt to cause to be disclosed to any person, customer 
information of a financial institution relating to another 
person--
          (1) by knowingly making a false, fictitious, or 
        fraudulent statement or representation to an officer, 
        employee, or agent of a financial institution with the 
        intent to deceive the officer, employee, or agent into 
        relying on that statement or representation for 
        purposes of releasing the customer information;
          (2) by knowingly making a false, fictitious, or 
        fraudulent statement or representation to a customer of 
        a financial institution with the intent to deceive the 
        customer into relying on that statement or 
        representation for purposes of releasing the customer 
        information or authorizing the release of such 
        information; or
          (3) by knowingly providing any document to an 
        officer, employee, or agent of a financial institution, 
        knowing that the document is forged, counterfeit, lost, 
        or stolen, was fraudulently obtained, or contains a 
        false, fictitious, or fraudulent statement or 
        representation, if the document is provided with the 
        intent to deceive the officer, employee, or agent into 
        relying on that document for purposes of releasing the 
        customer information.
    (b) Prohibition on Solicitation of a Person to Obtain 
Customer Information From Financial Institution Under False 
Pretenses.--It shall be a violation of this title to request a 
person to obtain customer information of a financial 
institution, knowing or consciously avoiding knowing that the 
person will obtain, or attempt to obtain, the information from 
the institution in any manner described in subsection (a).
    (c) Nonapplicability to Law Enforcement Agencies.--No 
provision of this section shall be construed so as to prevent 
any action by a law enforcement agency, or any officer, 
employee, or agent of such agency, to obtain customer 
information of a financial institution in connection with the 
performance of the official duties of the agency.
    (d) Nonapplicability to Financial Institutions in Certain 
Cases.--No provision of this section shall be construed so as 
to prevent any financial institution, or any officer, employee, 
or agent of a financial institution, from obtaining customer 
information of such financial institution in the course of--
          (1) testing the security procedures or systems of 
        such institution for maintaining the confidentiality of 
        customer information;
          (2) investigating allegations of misconduct or 
        negligence on the part of any officer, employee, or 
        agent of the financial institution; or
          (3) recovering customer information of the financial 
        institution which was obtained or received by another 
        person in any manner described in subsection (a) or 
        (b).
    (e) Nonapplicability to Certain Types of Customer 
Information of Financial Institutions.--No provision of this 
section shall be construed so as to prevent any person from 
obtaining customer information of a financial institution that 
otherwise is available as a public record filed pursuant to the 
securities laws (as defined in section 3(a)(47) of the 
Securities Exchange Act of 1934).

Sec. 1004. Administrative enforcement

    (a) Enforcement by Federal Trade Commission.--Except as 
provided in subsection (b), compliance with this title shall be 
enforced by the Federal Trade Commission in the same manner and 
with the same power and authority as the Commission has under 
the title VIII, the Fair Debt Collection Practices Act, to 
enforce compliance with such title.
    (b) Enforcement by Other Agencies in Certain Cases.--
          (1) In general.--Compliance with this title shall be 
        enforced under--
                  (A) section 8 of the Federal Deposit 
                Insurance Act, in the case of--
                          (i) national banks, and Federal 
                        branches and Federal agencies of 
                        foreign banks, by the Office of the 
                        Comptroller of the Currency;
                          (ii) member banks of the Federal 
                        Reserve System (other than national 
                        banks), branches and agencies of 
                        foreign banks (other than Federal 
                        branches, Federal agencies, and insured 
                        State branches of foreign banks), 
                        commercial lending companies owned or 
                        controlled by foreign banks, and 
                        organizations operating under section 
                        25 or 25A of the Federal Reserve Act, 
                        by the Board;
                          (iii) banks insured by the Federal 
                        Deposit Insurance Corporation (other 
                        than members of the Federal Reserve 
                        System, and national nonmember banks) 
                        and insured State branches of foreign 
                        banks, by the Board of Directors of the 
                        Federal Deposit Insurance Corporation; 
                        and
                          (iv) savings associations the 
                        deposits of which are insured by the 
                        Federal Deposit Insurance Corporation, 
                        by the Director of the Office of Thrift 
                        Supervision; and
                  (B) the Federal Credit Union Act, by the 
                Administrator of the National Credit Union 
                Administration with respect to any Federal 
                credit union.
          (2) Violations of this title treated as violations of 
        other laws.--For the purpose of the exercise by any 
        agency referred to in paragraph (1) of its powers under 
        any Act referred to in that paragraph, a violation of 
        this title shall be deemed to be a violation of a 
        requirement imposed under that Act. In addition to its 
        power under any provision of law specificallyreferred 
to in paragraph (1), each of the agencies referred to in that paragraph 
may exercise, for the purpose of enforcing compliance with this title, 
any other authority conferred on such agency by law.
    (c) State Action for Violations.--
          (1) Authority of states.--In addition to such other 
        remedies as are provided under State law, if the chief 
        law enforcement officer of a State, or an official or 
        agency designated by a State, has reason to believe 
        that any person has violated or is violating this 
        title, the State--
                  (A) may bring an action to enjoin such 
                violation in any appropriate United States 
                district court or in any other court of 
                competent jurisdiction;
                  (B) may bring an action on behalf of the 
                residents of the State to recover damages of 
                not more than $1,000 for each violation; and
                  (C) in the case of any successful action 
                under subparagraph (A) or (B), shall be awarded 
                the costs of the action and reasonable attorney 
                fees as determined by the court.
          (2) Rights of federal regulators.--
                  (A) Prior notice.--The State shall serve 
                prior written notice of any action under 
                paragraph (1) upon the Federal Trade Commission 
                and, in the case of an action which involves a 
                financial institution described in section 
                1004(b)(1), the agency referred to in such 
                section with respect to such institution and 
                provide the Federal Trade Commission and any 
                such agency with a copy of its complaint, 
                except in any case in which such prior notice 
                is not feasible, in which case the State shall 
                serve such notice immediately upon instituting 
                such action.
                  (B) Right to intervene.--The Federal Trade 
                Commission or an agency described in subsection 
                (b) shall have the right--
                          (i) to intervene in an action under 
                        paragraph (1);
                          (ii) upon so intervening, to be heard 
                        on all matters arising therein;
                          (iii) to remove the action to the 
                        appropriate United States district 
                        court; and
                          (iv) to file petitions for appeal.
          (3) Investigatory powers.--For purposes of bringing 
        any action under this subsection, no provision of this 
        subsection shall be construed as preventing the chief 
        law enforcement officer, or an official or agency 
        designated by a State, from exercising the powers 
        conferred on the chief law enforcement officer or such 
        official by the laws of such State to conduct 
        investigations or to administer oaths or affirmations 
        or to compel the attendance of witnesses or the 
        production of documentary and other evidence.
          (4) Limitation on state action while federal action 
        pending.--If the Federal Trade Commission or any agency 
        described in subsection (b) has instituted a civil 
        action for a violation of this title, no State may, 
        during the pendency of such action, bring an action 
        under this section against any defendant named in the 
        compliant of the Federal Trade Commission orsuch agency 
for any violation of this title that is alleged in that complaint.

Sec. 1005. Civil liability

    Any person, other than a financial institution, who fails 
to comply with any provision of this title with respect to any 
financial institution or any customer information of a 
financial institution shall be liable to such financial 
institution or the customer to whom such information relates in 
an amount equal to the sum of the amounts determined under each 
of the following paragraphs:
          (1) Actual damages.--The greater of--
                  (A) the amount of any actual damage sustained 
                by the financial institution or customer as a 
                result of such failure; or
                  (B) any amount received by the person who 
                failed to comply with this title, including an 
                amount equal to the value of any nonmonetary 
                consideration, as a result of the action which 
                constitutes such failure.
          (2) Additional damages.--Such additional amount as 
        the court may allow.
          (3) Attorneys' fees.--In the case of any successful 
        action to enforce any liability under paragraph (1) or 
        (2), the costs of the action, together with reasonable 
        attorney's fees.

Sec. 1006. Criminal penalty

    (a) In General.--Whoever violates, or attempts to violate, 
section 1003 shall be fined in accordance with title 18, United 
States Code, or imprisoned for not more than 5 years, or both.
    (b) Enhanced Penalty for Aggravated Cases.--Whoever 
violates or attempts to violate, section 1003 while violating 
another law of the United States or as part of a pattern of any 
illegal activity involving more than $100,000 in a 12-month 
period shall be fined twice the amount provided in subsection 
(b)(3) or (c)(3) (as the case may be) of section 3571 of title 
18, United States Code, imprisoned for not more than 10 years, 
or both.

Sec. 1007. Relation to State laws

    (a) In General.--This title shall not be construed as 
superseding, altering, or affecting the statutes, regulations, 
orders, or interpretations in effect in any State, except to 
the extent that such statutes, regulations, orders, or 
interpretations are inconsistent with the provisions of this 
title, and then only to the extent of the inconsistency.
    (b) Greater Protection Under State Law.--For purposes of 
this section, a State statute, regulation, order, or 
interpretation is not inconsistent with the provisions of this 
title if the protection such statute, regulation, order, or 
interpretation affords any person is greater than the 
protection provided under this title.

Sec. 1008. Agency guidance

    In furtherance of the objectives of this title, each 
Federal banking agency (as defined in section 3(z) of the 
Federal Deposit Insurance Act) shall issue advisories to 
depository institutions under the jurisdiction of the agency, 
in order to assist such depository institutions in deterring 
and detecting activities proscribed under section 1003.

                            ADDITIONAL VIEWS

    As an original co-sponsor of the Financial Information 
Privacy Act, I fully support its goal of punishing unscrupulous 
``information brokers'' who use fraud and misrepresentation to 
obtain confidential financial information from banks. My strong 
support for this bill is based on the belief that it will not 
be the Committee's last effort in this area, but rather that it 
is just the beginning of a broad review of financial privacy 
issues.
    Privacy in the information age presents policymakers with a 
number of challenges that this relatively narrow bill does not 
even begin to tackle. For instance, the bill does not address 
the apparent lack of internal controls that makes it so easy 
for information brokers to obtain confidential data from 
financial institutions in the first place. At the very least, 
the Banking Committee should have insisted that banks establish 
written policies and procedures that set out very clearly their 
obligations to safeguard customers' information.
    Financial institutions, unlike information brokers, have a 
relationship with their customers. As the custodian of our 
financial assets, we expect a measure of security from our 
banks; hence the vaults, window bars, bullet proof glass, 
armored cars, safe deposit boxes, and elaborate security 
systems in place to protect the physical assets.
    When it comes to safeguarding the information connected 
with those physical assets--account numbers, PIN numbers, 
balances, transaction records, and credit data--banks' security 
systems are not nearly as strong. The Banking Committee heard 
testimony on July 28, 1998 from two information brokers on the 
ease with which this data can be obtained over the telephone.
    While it is appropriate that the Committee address the 
practices of information brokers, they are only one side of the 
issue. The OCC's testimony at the July 28 hearing highlighted 
the need to address the other side--by looking at what banks 
are doing to protect their customers' privacy. Acting 
Comptroller Julie Williams told us:

          Consumers want adequate disclosures about a company's 
        information collection and use policies--[They] are 
        concerned about possible secondary uses of their 
        information beyond that needed for the original 
        transaction--Yet there are no privacy laws that afford 
        consumers comprehensive protection in the private 
        sector uses of their personal information, or even in 
        the disclosures of the uses of that information.

    She said that the industry has dealt with these concerns 
through largely self-regulatory measures. She noted, however, 
that such measures have been grossly inadequate to date, as 
there is little evidence that individual institutions have 
adopted comprehensive or meaningful privacy policies. For 
example, in the area of on-line privacy, and FTC survey of 
1,400 commercial we sites--including financial institutions--
found that only 14 percent of the sites that collected personal 
information provided any form of notice and that only 2 percent 
had a comprehensive privacy policy.
    To address H.R. 4321's shortcomings, I offered an amendment 
at the Banking Committee's August 5 mark up that would have 
prohibited banks from disclosing any non-public customer 
information without the customer's prior written consent. By 
requiring the customer to ``opt in'' to information sharing 
arrangements, the provision would have prevented the 
indiscriminate release of financial data.
    The Fair Credit Reporting Act currently allows consumers to 
``opt out'' of information sharing arrangements, but again Ms. 
Williams testified that this process is not working as it was 
intended. She described how ``opt out'' disclosures are:

        buried in the middle or near the end of a multi-page 
        account agreement. For existing accounts, some 
        institutions have been known to reduce the opt out 
        disclosures to the fine print along with a long list of 
        other required disclosures. Under these circumstances, 
        few consumers will even notice the opt-out disclosures, 
        let alone take the time to write the opt out letter.

    My amendment would have shifted the burden for protecting 
customers privacy from the consumer--to whom this information 
belongs in the first place--and placed it on financial 
institution. It is perfectly complementary to the objectives of 
the Financial Information Privacy Act to give individuals a 
measure of control over how their bank handles their 
confidential financial records. In intend to pursue this and 
other consumer privacy protections in the appropriate context.

                                                Maurice D. Hinchey.