[House Report 105-701]
[From the U.S. Government Publishing Office]



105th Congress                                            Rept. 105-701
                        HOUSE OF REPRESENTATIVES

 2d Session                                                      Part 2
_______________________________________________________________________


 
               FINANCIAL INFORMATION PRIVACY ACT OF 1998

                                _______
                                

              September  25, 1998.--Ordered to be printed

_______________________________________________________________________


  Mr. Bliley, from the Committee on Commerce, submitted the following

                              R E P O R T

                        [To accompany H.R. 4321]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Commerce, to whom was referred the bill 
(H.R. 4321) to protect consumers and financial institutions by 
preventing personal financial information from being obtained 
from financial institutions under false pretenses, having 
considered the same, report favorably thereon with an amendment 
and recommend that the bill as amended do pass.

                                CONTENTS
Amendment
Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Rollcall Votes
Committee Oversight Findings
Committee on Government Reform and Oversight
New Budget Authority, Entitlement Authority, and Tax Expenditures
Committee Cost Estimate
Congressional Budget Office Estimate
Federal Mandates Statement
Advisory Committee Statement
Constitutional Authority Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

    The amendment is as follows:
  Strike out all after the enacting clause and insert in lieu 
thereof the following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Financial Information Privacy Act of 
1998''.

SEC. 2. FINANCIAL INFORMATION PRIVACY.

  (a) In General.--The Consumer Credit Protection Act (15 U.S.C. 1601 
et seq.) is amended by adding at the end the following:

          ``TITLE X--FINANCIAL INFORMATION PRIVACY PROTECTION

``Sec.
``1001. Short title.
``1002. Definitions.
``1003. Privacy protection for customer information of financial 
institutions.
``1004. Administrative enforcement.
``1005. Civil liability.
``1006. Criminal penalty.
``1007. Relation to State laws.
``1008. Agency guidance.

``Sec. 1001. Short title

  ``This title may be cited as the `Financial Information Privacy Act'.

``Sec. 1002. Definitions

  ``For purposes of this title, the following definitions shall apply:
          ``(1) Customer.--The term `customer' means, with respect to a 
        financial institution, any person (or authorized representative 
        of a person) to whom the financial institution provides a 
        product or service, including that of acting as a fiduciary.
          ``(2) Customer information of a financial institution.--The 
        term `customer information of a financial institution' means 
        any information maintained by or for a financial institution 
        which is derived from the relationship between the financial 
        institution and a customer of the financial institution and is 
        identified with the customer.
          ``(3) Document.--The term `document' means any information in 
        any form.
          ``(4) Financial institution.--
                  ``(A) In general.--The term `financial institution' 
                means any institution engaged in the business of 
                providing financial services to customers who maintain 
                a credit, deposit, trust, or other financial account or 
                relationship with the institution.
                  ``(B) Certain financial institutions specifically 
                included.--The term `financial institution' includes 
                any depository institution (as defined in section 
                19(b)(1)(A) of the Federal Reserve Act), any broker or 
                dealer, any investment adviser or investment company, 
                any insurance company, any loan or finance company, any 
                credit card issuer or operator of a credit card system, 
                and any consumer reporting agency that compiles and 
                maintains files on consumers on a nationwide basis (as 
                defined in section 603(p)).
                  ``(C) Securities institutions.--For purposes of 
                subparagraph (B)--
                          ``(i) the terms `broker' and `dealer' have 
                        the meanings provided in section 3 of the 
                        Securities Exchange Act of 1934 (15 U.S.C. 
                        78c);
                          ``(ii) the term `investment adviser' has the 
                        meaning provided in section 202(a)(11) of the 
                        Investment Advisers Act of 1940 (15 U.S.C. 80b-
                        2(a)); and
                          ``(iii) the term `investment company' has the 
                        meaning provided in section 3 of the Investment 
                        Company Act of 1940 (15 U.S.C. 80a-3).
                  ``(D) Further definition by regulation.--The Federal 
                Trade Commission, after consultation with Federal 
                banking agencies and the Securities and Exchange 
                Commission, may prescribe regulations clarifying or 
                describing the types of institutions which shall be 
                treated as financial institutions for purposes of this 
                title.

``Sec. 1003. Privacy protection for customer information of financial 
                    institutions

  ``(a) Prohibition on Obtaining Customer Information by False 
Pretenses.--It shall be a violation of this title for any person to 
obtain or attempt to obtain, or cause to be disclosed or attempt to 
cause to be disclosed to any person, customer information of a 
financial institution relating to another person--
          ``(1) by making a false, fictitious, or fraudulent statement 
        or representation to an officer, employee, or agent of a 
        financial institution;
          ``(2) by making a false, fictitious, or fraudulent statement 
        or representation to a customer of a financial institution; or
          ``(3) by providing any document to an officer, employee, or 
        agent of a financial institution, knowing that the document is 
        forged, counterfeit, lost, or stolen, was fraudulently 
        obtained, or contains a false, fictitious, or fraudulent 
        statement or representation.
  ``(b) Prohibition on Solicitation of a Person To Obtain Customer 
Information From Financial Institution Under False Pretenses.--It shall 
be a violation of this title to request a person to obtain customer 
information of a financial institution, knowing that the person will 
obtain, or attempt to obtain, the information from the institution in 
any manner described in subsection (a).
  ``(c) Nonapplicability to Law Enforcement Agencies.--No provision of 
this section shall be construed so as to prevent any action by a law 
enforcement agency, or any officer, employee, or agent of such agency, 
to obtain customer information of a financial institution in connection 
with the performance of the official duties of the agency.
  ``(d) Nonapplicability to Financial Institutions in Certain Cases.--
No provision of this section shall be construed so as to prevent any 
financial institution, or any officer, employee, or agent of a 
financial institution, from obtaining customer information of such 
financial institution in the course of--
          ``(1) testing the security procedures or systems of such 
        institution for maintaining the confidentiality of customer 
        information;
          ``(2) investigating allegations of misconduct or negligence 
        on the part of any officer, employee, or agent of the financial 
        institution; or
          ``(3) recovering customer information of the financial 
        institution which was obtained or received by another person in 
        any manner described in subsection (a) or (b).
  ``(e) Nonapplicability to Insurance Institutions for Investigation of 
Insurance Fraud.--No provision of this section shall be construed so as 
to prevent any insurance institution, or any officer, employee, or 
agency of an insurance institution, from obtaining information as part 
of an insurance investigation into criminal activity, fraud, material 
misrepresentation, or material nondisclosure that is authorized for 
such institution under State law, regulation, interpretation, or order.
  ``(f) Nonapplicability to Certain Types of Customer Information of 
Financial Institutions.--No provision of this section shall be 
construed so as to prevent any person from obtaining customer 
information of a financial institution that otherwise is available as a 
public record filed pursuant to the securities laws (as defined in 
section 3(a)(47) of the Securities Exchange Act of 1934).

``Sec. 1004. Administrative enforcement

  ``(a) Enforcement by Federal Trade Commission.--Except as provided in 
subsection (b), compliance with this title shall be enforced by the 
Federal Trade Commission in the same manner and with the same power and 
authority as the Commission has under the title VIII, the Fair Debt 
Collection Practices Act, to enforce compliance with such title.
  ``(b) Enforcement by Other Agencies in Certain Cases.--
          ``(1) In general.--Compliance with this title shall be 
        enforced under--
                  ``(A) section 8 of the Federal Deposit Insurance Act, 
                in the case of--
                          ``(i) national banks, and Federal branches 
                        and Federal agencies of foreign banks, by the 
                        Office of the Comptroller of the Currency;
                          ``(ii) member banks of the Federal Reserve 
                        System (other than national banks), branches 
                        and agencies of foreign banks (other than 
                        Federal branches, Federal agencies, and insured 
                        State branches of foreign banks), commercial 
                        lending companies owned or controlled by 
                        foreign banks, and organizations operating 
                        under section 25 or 25A of the Federal Reserve 
                        Act, by the Board;
                          ``(iii) banks insured by the Federal Deposit 
                        Insurance Corporation (other than members of 
                        the Federal Reserve System and national 
                        nonmember banks) and insured State branches of 
                        foreign banks, by the Board of Directors of the 
                        Federal Deposit Insurance Corporation; and
                          ``(iv) savings associations the deposits of 
                        which are insured by the Federal Deposit 
                        Insurance Corporation, by the Director of the 
                        Office of Thrift Supervision; and
                  ``(B) the Federal Credit Union Act, by the 
                Administrator of the National Credit Union 
                Administration with respect to any Federal credit 
                union.
          ``(2) Violations of this title treated as violations of other 
        laws.--For the purpose of the exercise by any agency referred 
        to in paragraph (1) of its powers under any Act referred to in 
        that paragraph, a violation of this title shall be deemed to be 
        a violation of a requirement imposed under that Act. In 
        addition to its powers under any provision of law specifically 
        referred to in paragraph (1), each of the agencies referred to 
        in that paragraph may exercise, for the purpose of enforcing 
        compliance with this title, any other authority conferred on 
        such agency by law.
          ``(3) Restitution.--In the case of any failure by an entity 
        referred to in paragraph (1) to comply with the requirements of 
        this title, an agency referred to in such paragraph may require 
        such entity to make restitution to any person harmed by such 
        failure in the manner provided under section 8(b)(6)(A) of the 
        Federal Deposit Insurance Act or section 206(e)(3)(A) of the 
        Federal Credit Union Act, as the case may be, without regard to 
        clauses (i) and (ii) of such sections, and in an amount equal 
        to the sum of the amounts determined under each of the 
        following subparagraphs:
                  ``(A) Actual damages.--The greater of--
                          ``(i) the amount of any actual damage 
                        sustained by the person as a result of such 
                        failure; or
                          ``(ii) any amount received by the entity which 
                        failed to comply with this title, including an 
                        amount equal to the value of any nonmonetary 
                        consideration, as a result of the action which 
                        constitutes such failure.
                  ``(B) Additional damages.--Such additional amount as 
                the agency may determine to be appropriate under the 
                circumstances.
  ``(c) State Action for Violations.--
          ``(1) Authority of states.--In addition to such other 
        remedies as are provided under State law, if the chief law 
        enforcement officer of a State, or an official or agency 
        designated by a State, has reason to believe that any person 
        has violated or is violating this title, the State--
                  ``(A) may bring an action to enjoin such violation in 
                any appropriate United States district court or in any 
                other court of competent jurisdiction;
                  ``(B) may bring an action on behalf of the residents 
                of the State to recover damages of not more than $1,000 
                for each violation; and
                  ``(C) in the case of any successful action under 
                subparagraph (A) or (B), shall be awarded the costs of 
                the action and reasonable attorney fees as determined 
                by the court.
          ``(2) Rights of federal regulators.--
                  ``(A) Prior notice.--The State shall serve prior 
                written notice of any action under paragraph (1) upon 
                the Federal Trade Commission and--
                          ``(i) in the case of an action which involves 
                        a financial institution described in section 
                        1004(b)(1), the agency referred to in such 
                        section with respect to such institution; or
                          ``(ii) in the case of an action which 
                        involves a financial institution subject to 
                        regulation by the Securities and Exchange 
                        Commission, such Commission.
                The State shall provide the Federal Trade Commission 
                and any such agency with a copy of its complaint, 
                except in any case in which such prior notice is not 
                feasible, in which case the State shall serve such 
                notice immediately upon instituting such action.
                  ``(B) Right to intervene.--The Federal Trade 
                Commission or an agency described in subsection (b) 
                shall have the right--
                          ``(i) to intervene in an action under 
                        paragraph (1);
                          ``(ii) upon so intervening, to be heard on 
                        all matters arising therein;
                          ``(iii) to remove the action to the 
                        appropriate United States district court; and
                          ``(iv) to file petitions for appeal.
          ``(3) Investigatory powers.--For purposes of bringing any 
        action under this subsection, no provision of this subsection 
        shall be construed as preventing the chief law enforcement 
        officer, or an official or agency designated by a State, from 
        exercising the powers conferred on the chief law enforcement 
        officer or such official by the laws of such State to conduct 
        investigations or to administer oaths or affirmations or to 
        compel the attendance of witnesses or the production of 
        documentary and other evidence.
          ``(4) Limitation on state action while federal action 
        pending.--If the Federal Trade Commission or any agency 
        described in subsection (b) has instituted a civil action for a 
        violation of this title, no State may, during the pendency of 
        such action, bring an action under this section against any 
        defendant named in the complaint of the Federal Trade 
        Commission or such agency for any violation of this title that 
        is alleged in that complaint.
  ``(d) Notice to SEC of Actions.--The Federal Trade Commission shall 
notify the Securities and Exchange Commission whenever the Federal 
Trade Commission initiates an investigation with respect to a financial 
institution subject to regulation by the Securities and Exchange 
Commission.

``Sec. 1005. Civil liability

  ``Any person, other than a financial institution, who fails to comply 
with any provision of this title with respect to any financial 
institution or any customer information of a financial institution 
shall be liable to such financial institution or the customer to whom 
such information relates in an amount equal to the sum of the amounts 
determined under each of the following paragraphs:
          ``(1) Actual damages.--The greater of--
                  ``(A) the amount of any actual damage sustained by 
                the financial institution or customer as a result of 
                such failure; or
                  ``(B) any amount received by the person who failed to 
                comply with this title, including an amount equal to 
                the value of any nonmonetary consideration, as a result 
                of the action which constitutes such failure.
          ``(2) Additional damages.--Such additional amount as the 
        court may allow.
          ``(3) Attorneys' fees.--In the case of any successful action 
        to enforce any liability under paragraph (1) or (2), the costs 
        of the action, together with reasonable attorneys' fees.

``Sec. 1006. Criminal penalty

  ``(a) In General.--Whoever knowingly and intentionally violates, or 
knowingly and intentionally attempts to violate, section 1003 shall be 
fined in accordance with title 18, United States Code, or imprisoned 
for not more than 5 years, or both.
  ``(b) Enhanced Penalty for Aggravated Cases.--Whoever violates, or 
attempts to violate, section 1003 while violating another law of the 
United States or as part of a pattern of any illegal activity involving 
more than $100,000 in a 12-month period shall be fined twice the amount 
provided in subsection (b)(3) or (c)(3) (as the case may be) of section 
3571 of title 18, United States Code, imprisoned for not more than 10 
years, or both.

``Sec. 1007. Relation to State laws

  ``(a) In General.--This title shall not be construed as superseding, 
altering, or affecting the statutes, regulations, orders, or 
interpretations in effect in any State, except to the extent that such 
statutes, regulations, orders, or interpretations are inconsistent with 
the provisions of this title, and then only to the extent of the 
inconsistency.
  ``(b) Greater Protection Under State Law.--For purposes of this 
section, a State statute, regulation, order, or interpretation is not 
inconsistent with the provisions of this title if the protection such 
statute, regulation, order, or interpretation affords any person is 
greater than the protection provided under this title.

``Sec. 1008. Agency guidance

  ``In furtherance of the objectives of this title, each Federal 
banking agency (as defined in section 3(z) of the Federal Deposit 
Insurance Act) and the Securities and Exchange Commission or self-
regulatory organizations, as appropriate, shall review regulations and 
guidelines applicable to financial institutions under their respective 
jurisdictions and shall prescribe such revisions to such regulations 
and guidelines as may be necessary to ensure that such financial 
institutions have policies, procedures, and controls in place to 
prevent the unauthorized disclosure of customer financial information 
and to deter and detect activities proscribed under section 1003.''.
  (b) Report to the Congress.--Before the end of the 18-month period 
beginning on the date of the enactment of this Act, the Comptroller 
General, in consultation with the Federal Trade Commission, Federal 
banking agencies, the Securities and Exchange Commission, and 
appropriate Federal law enforcement agencies, shall submit to the 
Congress a report on the following:
          (1) The efficacy and adequacy of the remedies provided in the 
        amendments made by subsection (a) in addressing attempts to 
        obtain financial information by fraudulent means or by false 
        pretenses.
          (2) Any recommendations for additional legislative or 
        regulatory action to address threats to the privacy of 
        financial information created by attempts to obtain information 
        by fraudulent means or false pretenses.
  (c) Annual Report by Administering Agencies.--The Federal Trade 
Commission, the Attorney General, and each of the agencies referred to 
in section 1004(b)(1) of Financial Information Privacy Act (as added by 
this Act) shall submit to Congress an annual report on number and 
disposition of all enforcement actions taken pursuant to such Act.

                          Purpose and Summary

    H.R. 4321, the Financial Information Privacy Act of 1998, 
will protect consumers and financial institutions by preventing 
personal confidential information from being obtained from 
financial institutions under false pretenses. H.R. 4321 would 
achieve this goal by increasing the penalties for fraudulent 
information gathering, enhancing the ability of Federal and 
State enforcement agencies to prosecute such fraudulent 
activities, and expanding the ability of injured consumers and 
financial institutions to obtain restitution for their losses.
    As amended by the Committee on Commerce, H.R. 4321 makes it 
a violation of Federal law to attempt to obtain or cause to be 
disclosed customer information of a financial institution by 
making fraudulent representations or by using documents that 
are forged or improperly obtained or that contain false 
statements. H.R. 4321 also makes it a violation to request that 
another person obtain a consumer's confidential financial 
information knowing that the attempt to obtain such information 
is done in a fraudulent manner. These prohibitions are intended 
to prevent companies and individuals from deceiving financial 
institutions into providing confidential customer information.
    H.R. 4321 provides several exceptions to the general 
prohibition against making false representations to obtain 
confidential financial information. The prohibition does not 
apply to law enforcement officials and agents in connection 
with the performance of their official duties. A similar 
exception is authorized for financial institutions that are 
testing their internal security procedures, investigating 
allegations of improper conduct of an employee or agent, or 
attempting to recover information that was fraudulently 
obtained from them. Insurance companies and their agents are 
given a general exception to investigate insurance fraud or 
other consumer misconduct, but only as authorized under State 
law. This exception is intended to protect State laws which are 
variations of the model code established by the National 
Association of Insurance Commissioners allowing ``pretext'' 
interviews by insurance entities in certain cases to combat 
consumer fraud and other misrepresentation or omissions related 
to insurance transactions.
    The legislation delegates enforcement of H.R. 4321 to the 
Federal Trade Commission (FTC) for those entities under its 
jurisdiction, in a manner coterminous with its authority under 
the Fair Debt Collection Practices Act. Compliance by banks, 
savings associations, and credit unions is enforced by the 
appropriate Federal banking agency (the Office of the 
Comptroller of the Currency, the Board of Governors of the 
Federal Reserve System, the Federal Deposit Insurance 
Corporation, the Office of Thrift Supervision, and the National 
Credit Union Administration) with violations of H.R. 4321 being 
deemed a violation of the Federal Deposit Insurance Act or the 
Federal Credit Union Act (according to the regulated depository 
entity). These Federal banking agencies are given explicit 
authority to provide for restitution of persons who have 
suffered harm as a result of violations of H.R. 4321, including 
actual damages sustained by such persons, disgorgement of 
monetary or other value received by the violator as a result of 
the violation, and such other additional amount as the 
regulator deems appropriate. The legislation also authorizes 
the States to bring civil or injunctive actions against any 
entity violating this Act, although with damages limited to 
$1,000 per violation plus reasonable attorneys fees, and prior 
notice to the FTC or Securities and Exchange Commission (SEC) 
required as appropriate.
    H.R. 4321 also grants a private right of action to 
consumers and financial institutions whose information has been 
fraudulently obtained, imposing civil liability on any person 
other than a financial institution that violates this Act with 
damages up to the greater of actual damages or the remuneration 
of the fraudulent party, as well as reasonable attorneys fees, 
the cost of the action, and any additional awards granted by 
the court. Nothing in the legislation restricts civil remedies 
available under any other provision of law.
    For persons who knowingly and intentionally attempt to 
violate this Act, H.R. 4321 establishes criminal penalties for 
commission of a felony of up to 5 years imprisonment plus fines 
of up to $250,000 for individuals and $500,000 for 
corporations, with aggravated cases (significant multiple 
offenses or a violation of multiple laws) resulting in doubled 
penalties.
    State authority is preempted by H.R. 4321 only to the 
extent that the State's laws, regulations, orders, or 
interpretations are inconsistent with the Act. If State 
authority provides greater protection to any person, then that 
State authority remains controlling law.
    H.R. 4321 requires each Federal banking agency and the SEC 
or self-regulatory organizations to review their regulations 
and guidelines governing the protection of confidential consumer 
financial information and to revise such provisions as necessary to 
ensure appropriate confidentiality safeguards. Those safeguards will 
include those policies, procedures, and controls as would reasonably be 
expected to prevent and detect, insofar as practicable, activities 
proscribed by the legislation. Within 18 months, the Comptroller 
General will consult with the FTC, SEC, and appropriate Federal banking 
and law enforcement agencies and report to Congress on the 
effectiveness and adequacy of this Act in preventing the fraudulent 
obtainment of confidential consumer financial information, as well as 
any recommendations for additional legislative or regulatory action 
that is appropriate. The regulatory bodies charged with enforcing the 
bill must submit to Congress an annual report on their enforcement 
actions pursuant to the legislation.

                  Background and Need for Legislation

    The evolution of electronic commerce has brought privacy 
issues, especially financial information privacy, into the 
media spotlight. An increasing amount of private consumer data 
is being stored by financial institutions, including asset and 
investment accounts, payments or loans related to commercial 
transactions, and sensitive insurance-related information. 
Consumers have a reasonable expectation of confidentiality for 
their information. However, this confidentiality is being 
constantly breached by unscrupulous individuals.
    Private detectives, information brokers, and lawyers, among 
others, have been exploiting the information explosion, using 
false identities or other deceptive pretexts to wrongly obtain 
information about targeted victims from financial institutions. 
These ``pretexters'' might use information gained from one 
source, such as a social security number or mother's maiden 
name, to gather information from a second--such as an 
investment account, credit card limit, or savings balance. 
Financial institutions are being placed in the increasingly 
difficult position of trying to maintain the balance between 
providing simple and remote access by legitimate consumers to 
their financial accounts while still preventing the 
unauthorized access to confidential information by skillful 
pretexters.
    The FTC currently has limited powers under the Federal 
Trade Commission Act (FTCA) to act against persons who use 
deceptive practices to obtain confidential consumer 
information. Additionally, the use of false or deceptive 
methods to procure confidential financial information will 
often give rise to wire fraud, punishable under Title 18, 
United States Code. However, prosecution of fraudulent 
information brokers under Title 18 has not been frequent, and 
under current law, the FTC cannot impose civil penalties 
against an entity until after a second violation has occurred. 
Furthermore, the availability of criminal penalties and civil 
rights of action are limited. H.R. 4321 would make it clear 
that, with limited exceptions for financial institutions and 
law enforcement agents, using pretexting to fraudulently obtain 
confidential customer financial information is illegal, and 
immediately subject to a variety of criminal, civil, and 
administrative punishment.
    In addition, H.R. 4321 recognizes the importance of 
financial institutions implementing strong internal controls to 
prevent unauthorized disclosure of their customers' private 
financial information. The legislation requires financial 
regulatory agencies to review their confidentiality rules and 
guidelines and, if necessary, make adjustments in order to 
ensure that supervised financial institutions maintain 
appropriate privacy protections.

                                Hearings

    Because of the severe time constraints of the Committee's 
sequential referral, there were no hearings held on this 
legislation by the Committee on Commerce or its subcommittees.

                        Committee Consideration

    On September 24, 1998, the Committee on Commerce met in 
open markup session and ordered H.R. 4321, the Financial 
Information Privacy Act of 1998, reported to the House, 
amended, by a voice vote, a quorum being present.

                             Rollcall Votes

    Clause 2(l)(2)(B) of rule XI of the Rules of the House 
requires the Committee to list the recorded votes on the motion 
to report legislation and amendments thereto. There were no 
recorded votes taken in connection with ordering H.R. 4321 
reported. An Amendment in the Nature of a Substitute by Mr. 
Bliley was agreed to by a voice vote. An amendment to the 
Bliley Amendment in the Nature of a Substitute by Mr. Markey, 
concerning civil liability, was not agreed to by a voice vote. 
A motion by Mr. Bliley to order H.R. 4321 reported to the 
House, amended, was agreed to by a voice vote, a quorum being 
present.

                      Committee Oversight Findings

    Pursuant to clause 2(l)(3)(A) of rule XI of the Rules of 
the House of Representatives, the Committee has made findings 
that are reflected in this report.

              Committee on Government Reform and Oversight

    Pursuant to clause 2(l)(3)(D) of rule XI of the Rules of 
the House of Representatives, no oversight findings have been 
submitted to the Committee by the Committee on Government 
Reform and Oversight.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 2(l)(3)(B) of rule XI of the 
Rules of the House of Representatives, the Committee finds that 
H.R. 4321, the Financial Information Privacy Act of 1998, would 
result in no new or increased budget authority, entitlement 
authority, or tax expenditures or revenues.

                        Committee Cost Estimate

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                  Congressional Budget Office Estimate

    Pursuant to clause 2(l)(3)(C) of rule XI of the Rules of 
the House of Representatives, the following is the cost 
estimate provided by the Congressional Budget Office pursuant 
to section 402 of the Congressional Budget Act of 1974:

                                     U.S. Congress,
                               Congressional Budget Office,
                                Washington, DC, September 25, 1998.
Hon. Tom Bliley,
Chairman, Committee on Commerce,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4321, the 
Financial Information Privacy Act of 1998.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contacts are Mark Hadley 
(for federal costs), and Carolyn Lynch (for revenues).
            Sincerely,
                                         June E. O'Neill, Director.
    Enclosure.

H.R. 4321--Financial Information Privacy Act of 1998

    Summary: H.R. 4321 would prohibit obtaining or requesting a 
customer's personal financial information from a financial 
institution under false pretenses. For most purposes, the bill 
would be enforced by the Federal Trade Commission (FTC). The 
Office of the Comptroller of the Currency (OCC), the Board of 
Governors of the Federal Reserve System, the Federal Deposit 
Insurance Corporation (FDIC), the Office of Thrift Supervision 
(OTS), the National Credit Union Administration (NCUA), and the 
Securities and Exchange Commission (SEC) would implement H.R. 
4321 as it applies to the financial institutions that those 
agencies regulate. The FTC would issue regulations defining the 
phrase ``financial institution'' as directed by the bill. 
Finally, H.R. 4321 would allow states to bring legal actions in 
federal district court against violators of the bill.
    CBO estimates that implementing H.R. 4321 would increase 
discretionary spending by between $500,000 and $1 million a 
year over the 1999-2003 period. Such costs would be subject to 
the availability of appropriated funds. H.R. 4321 could affect 
direct spending and revenues; therefore, pay-as-you-go 
procedures would apply, but CBO estimates that any such effects 
would be less than $500,000 in a year over the 1999-2003 
period.
    H.R. 4321 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
and would impose no costs on state, local, or tribal 
governments.
    Estimated cost to the Federal Government: H.R. 4321 would 
make it a federal crime to obtain or request a customer's 
personal financial information from a financial institution 
under false pretenses. Subject to the availability of 
appropriated funds, CBO estimates that implementing H.R. 4321 
would increase the costs of the FTC, SEC, and NCUA by less than 
$1 million a year over the 1999-2003 period. Violators would be 
subject to imprisonment and fines. As a result, the federal 
government would be able to pursue cases that it otherwise 
would not be able to prosecute. CBO expects that the government 
probably would not pursue many such cases, so we estimate that 
any increase in federal costs for law enforcement, court 
proceedings, or prison operations would not be significant. Any 
such additional costs would be subject to the availability of 
appropriated funds.
    Because those prosecuted and convicted under H.R. 4321 
could be subject to criminal fines, the federal government 
might collect additional fines if the bill is enacted. 
Collections of such fines are recorded in the budget as 
governmental receipts (revenues), which are deposited in the 
Crime Victims Fund and spent in the following year. CBO expects 
that any additional collections from enacting H.R. 4321 would 
be negligible, however, because of the small number of cases 
likely to be involved. Because any increase in direct spending 
would equal the fines collected with a one-year lag, the 
additional direct spending also would be negligible.
    Both the OTS and the OCC charge fees to cover all their 
administrative costs; therefore, any additional spending by 
these agencies would have no net budgetary effect. That is not 
the case with the FDIC, however, which uses deposit insurance 
premiums paid by all banks to cover the expenses it incurs to 
supervise state-chartered banks. The bill would cause a small 
increase in FDIC spending, but would probably not affect its 
premium income. In any case, CBO estimates that H.R. 4321 would 
increase direct spending and offsetting receipts for those 
agencies by less than $500,000 a year over the 1999-2003 
period.
    Budgetary effects on the Federal Reserve are recorded as 
changes in revenues. Based on information from the Federal 
Reserve, CBO estimates that enacting H.R. 4321 would reduce 
revenues by less than $500,000 a year over the 1999-2003 
period.
    Pay-as-you-go considerations: The Balanced Budget and 
Emergency Deficit Control Act sets up pay-as-you-go procedures 
for legislation affecting direct spending or receipts. CBO 
estimates that enacting H.R. 4321 would affect direct spending 
and governmental receipts but that there would be no 
significant impact in any year.
    Intergovernmental and private-sector impact: H.R. 4321 
contains no intergovernmental or private-sector mandates as 
defined in UMRA and would impose no costs on state, local, or 
tribal governments.
    Previous CBO estimate: On August 21, 1998, CBO transmitted 
an estimate of H.R. 4321, the Financial Information Privacy Act 
of 1998, as ordered reported by the House Committee on Banking 
and Financial Services on August 5, 1998. That version of the 
bill would require the Federal Reserve System (instead of the 
FTC) to define which financial institutions would be affected 
by the bill and would not specifically include securities 
brokers (which are regulated by the SEC). CBO estimated that 
the House Committee on Banking and Financial Services' version 
of the bill would increase discretionary spending by less than 
$500,000 a year, slightly less than the estimated costs for the 
Commerce Committee's version, because that previous version of 
the bill would not impose any costs on the SEC and would impose 
fewer costs on the FTC.
    Estimate prepared by: Federal cost: Mark Hadley; and 
Revenues: Carolyn Lynch.
    Estimate approved by: Paul N. Van de Water, Assistant 
Director for Budget Analysis.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                   Constitutional Authority Statement

    Pursuant to clause 2(l)(4) of rule XI of the Rules of the 
House of Representatives, the Committee finds that the 
Constitutional authority for this legislation is provided in 
Article I, section 8, clause 3, which grants Congress the power 
to regulate commerce with foreign nations, among the several 
States, and with the Indian tribes.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation

Sec. 1. Short title

    This section provides the short title of the bill, the 
``Financial Information Privacy Act of 1998.''

Sec. 2. Financial information privacy

    This section amends the Consumer Credit Protection Act by 
adding a new title to be cited as ``Title X--the Financial 
Information Privacy Act.'' The new title is composed of eight 
sections:
    Sec. 1001. Short title. This section provides the title's 
short title, the ``Financial Information Privacy Act.''
    Sec. 1002. Definitions. This section defines several terms. 
The term ``customer'' is defined as any person to whom a 
financial institution provides a product or service, including 
that of acting as a fiduciary. It also defines the term 
``customer information of a financial institution'' as any 
information maintained by or for a financial institution which 
is derived from the relationship between the financial 
institution and its customer and is identified with the 
customer, and the term ``document'' as information in any form.
    Finally, the term ``financial institution'' is defined as 
any institution engaged in the business of providing financial 
services to customers who maintain a credit, deposit, trust, or 
other financial account or relationship with the institution, 
including but not limited to depository institutions (as 
defined in section 19(b)(1)(A) of the Federal Reserve Act); 
brokers and dealers (as defined in section 3 of the Securities 
Exchange Act of 1934); investment advisers (as defined in 
section 202(a)(11) of the Investment Advisers Act of 1940); 
investment companies (as defined in section 3 of the Investment 
Company Act of 1940); insurance companies; loan or finance 
companies; credit card issuers; operators of credit card 
systems; and consumer reporting agencies. In addition, the 
Federal Trade Commission (FTC), after consultation with Federal 
banking agencies and the Securities and Exchange Commission 
(SEC), may prescribe regulations further defining the types of 
institutions that are treated as ``financial institutions'' for 
purposes of this title.
    Sec. 1003. Privacy protection for customer information of 
financial institutions. This section makes it unlawful for any 
person to obtain or attempt to obtain, or cause to be disclosed 
or attempt to cause to be disclosed to any person, customer 
information of a financial institution relating to another 
person by (1) making a false, fictitious, or fraudulent 
statement or representation to an officer, employee, or agent 
of a financial institution; (2) making a false, fictitious, or 
fraudulent statement or representation to a customer of a 
financial institution; or (3) providing any document to an 
officer, employee, or agent of a financial institution, knowing 
that the document is forged, counterfeit, lost, or stolen, was 
fraudulently obtained, or contains a false, fictitious, or 
fraudulent statement or representation.
    This section also makes it unlawful to request a person to 
obtain customer information of a financial institution knowing 
that it was obtained through any of the three methods described 
in this section.
    The prohibitions specified in this section do not apply to 
any action by a law enforcement agency to obtain customer 
information of a financial institution in the performance of 
its official duties. For purposes of this section, the term 
``law enforcement agency'' is intended to include Federal, 
State and local agencies, and specifically encompasses those 
agencies responsible for enforcing child-support obligations.
    This section's prohibitions do not apply to instances in 
which a financial institution or its officers, employees, or 
agents, obtain customer information of such financial 
institution in the course of (1) testing the security 
procedures or systems of such institution for maintaining the 
confidentiality of customer information; (2) investigating 
allegations of misconduct or negligence on the part of any 
officer, employee, or agent of the financial institution; or 
(3) recovering customer information of the financial 
institution which was obtained or received by another person in 
any manner described in this section. Thus, for example, when a 
fraud prevention unit of a financial institution succeeds in 
retrieving information from an information broker that has been 
obtained through fraud or deceit, the financial institution is 
not in violation of this statute. This ``safe harbor'' extends 
to agents or contractors retained by a financial institution to 
implement anti-fraud or self-testing programs.
    This section's prohibitions do not apply to instances in 
which an insurance institution or its officers, employees or 
agents, obtain information as part of an insurance 
investigation into criminal activity, fraud, material 
misrepresentation, or material nondisclosure that is authorized 
for such institution under State law, regulation, 
interpretation, or order. This section also does not apply to 
the obtaining of customer information of a financial 
institution that is otherwise available as a public record 
filed pursuant to the Federal securities laws.
    The Committee does not intend that any provision of this 
section should be construed as limiting or in any way 
interfering with the sharing of information among affiliates or 
subsidiaries within a financial services institution as 
permitted under any other applicable law.
    Sec. 1004. Administrative enforcement. This section assigns 
enforcement authority to the FTC and the Federal banking 
agencies according to their respective jurisdictions. The 
enforcement authority exercised by the FTC under this title is 
coextensive with its authority under the Fair Debt Collection 
Practices Act. In instances where depository institutions are 
implicated in obtaining information through fraudulent means, 
or requesting that such information be obtained knowing that 
fraudulent or deceptive methods will be used to collect it, the 
appropriate Federal banking agencies have the authority to 
enforce this Act. If a depository institution fails to comply 
with this title, the appropriate Federal banking agency has the 
authority to require that institution to make restitution to 
any person harmed by such failure. Restitution would occur in 
the manner provided under section 8(b)(6)(A) of the Federal 
Deposit Insurance Act or section 206(c)(3)(A) of the Federal 
Credit Union Act, as appropriate, without regard to clauses (i) 
and (ii) of such sections. Restitution would include the 
greater of (1) the actual damage to the person harmed, or (2) 
the amount received by the entity which failed to comply, and 
such additional amount as the agency may determine to be 
appropriate under the circumstances.
    This section further provides that in addition to such 
other remedies as are available under State law, the States 
have the authority to enforce this Act through actions to 
enjoin violations or recover damages of not more than $1,000 
for each violation. States are required to provide the FTC and 
the other Federal agencies, as appropriate, prior notice of 
such actions. The FTC and the other Federal agencies with 
enforcement authority under this section have the right to 
intervene in any action by a State to enforce this Act. This 
section does not limit investigations authorized by State law. 
When the FTC or any other Federal agency with enforcement 
authority under this section has instituted a civil action to 
enforce this Act, no State may, during the pendency of that 
action, bring its own action under this section against any 
defendant named in the Federal complaint for any act alleged in 
that complaint. The FTC shall notify the SEC when, pursuant to 
this title, it initiates an investigation of an entity 
regulated by the SEC.
    Sec. 1005. Civil liability. This section provides that any 
person that is not a financial institution may be held civilly 
liable for violating this Act by a financial institution or a 
customer whose financial information was obtained unlawfully. 
The Act authorizes the recovery of (A) actual damages (1) in 
the amount sustained by the financial institution or customer 
as a result of the violation, or (2) in the amount of any 
compensation received by the defendant, including the value of 
any nonmonetary compensation, as a result of the violation, 
whichever is greater; (B) such additional damages as the court 
may allow; and (C) in the case of a successful action, the 
costs of the action, including reasonable attorneys' fees.
    This section is intended to permit consumers and financial 
institutions who have been victimized by unscrupulous 
information brokers and others who traffic in fraudulently 
obtained financial information to hold those parties 
accountable. Affording injured private parties a right of 
action increases the likelihood that the Act's prohibitions 
will be vigorously enforced. For example, a financial 
institution will, in some instances, have a stronger incentive 
to proceed against an information broker or his client than a 
law enforcement agency or prosecutor operating with limited 
resources and forced to juggle competing priorities, 
particularly in those cases where the amount of monetary 
damages is minimal.
    This section does not give rise to a private right of 
action against a financial institution from which customer 
information has been obtained in a manner proscribed by section 
1003. This section does not affect any other civil remedies 
that may lie against any person, including financial 
institutions, under any other laws applicable to the conduct 
proscribed under this Act.
    Sec. 1006. Criminal penalties. This section provides that 
persons violating or attempting to violate these provisions are 
subject to fines under title 18, United States Code (up to 
$250,000 in the case of an individual or $500,000 in the case 
of a corporation), or imprisonment for not more than 5 years, 
or both. It further subjects persons violating these provisions 
in the course of violations of, or attempts to violate, other 
laws, as part of a pattern of illegal activity involving more 
than $100,000 in a 12-month period, to the doubling of fines or 
imprisonment for not more than 10 years, or both.
    Sec. 1007. Relation to State laws. The bill does not 
supersede any State statutes, regulations, orders, or 
interpretations, except to the extent that they are 
inconsistent with the provisions of this Act, and then only to 
the extent of the inconsistency. A State statute, regulation, 
order, or interpretation is not inconsistent with the 
provisions of the legislation if the protection such statute, 
regulation, order, or interpretation affords any person is 
greater than the protection provided by this legislation.
    Sec. 1008. Agency guidance. This section requires the 
Federal banking agencies (as defined in section 3(z) of the 
Federal Deposit Insurance Act) and the SEC or self-regulatory 
organizations, as appropriate, to review regulations and 
guidelines for financial institutions under their respective 
jurisdictions and prescribe revisions to such regulations and 
guidelines as may be necessary to ensure that such financial 
institutions have policies, procedures, and controls in place 
to prevent unauthorized disclosure of customer financial 
information and to assist those institutions in deterring and 
detecting activities proscribed in this Act. The Committee 
expects the appropriate examining authorities to include 
compliance with such guidelines and the adequacy of such 
internal controls in their examinations of these institutions.
    The legislation requires the General Accounting Office, in 
consultation with the FTC, Federal banking agencies, the SEC, 
and appropriate Federal law enforcement agencies, to submit a 
report to Congress within 18 months of the date of enactment on 
(1) the efficacy and adequacy of this legislation in addressing 
attempts to obtain financial information by fraudulent means 
and false pretenses; and (2) any recommendations regarding 
additional legislation or regulations necessary to address 
threats to the privacy of financial information.
    Entities charged with enforcing this title must provide 
annual reports to Congress on the number and disposition of all 
enforcement actions taken pursuant to the Act.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3 of rule XIII of the Rules of the 
House of Representatives, changes in existing law made by the 
bill, as reported, are shown as follows (new matter is printed 
in italic):

             TITLE X OF THE CONSUMER CREDIT PROTECTION ACT

           TITLE X--FINANCIAL INFORMATION PRIVACY PROTECTION

Sec.
1001. Short title.
1002. Definitions.
1003. Privacy protection for customer information of financial 
          institutions.
1004. Administrative enforcement.
1005. Civil liability.
1006. Criminal penalty.
1007. Relation to State laws.
1008. Agency guidance.

Sec. 1001. Short title

  This title may be cited as the ``Financial Information 
Privacy Act''.

Sec. 1002. Definitions

  For purposes of this title, the following definitions shall 
apply:
          (1) Customer.--The term ``customer'' means, with 
        respect to a financial institution, any person (or 
        authorized representative of a person) to whom the 
        financial institution provides a product or service, 
        including that of acting as a fiduciary.
          (2) Customer information of a financial 
        institution.--The term ``customer information of a 
        financial institution'' means any information 
        maintained by or for a financial institution which is 
        derived from the relationship between the financial 
        institution and a customer of the financial institution 
        and is identified with the customer.
          (3) Document.--The term ``document'' means any 
        information in any form.
          (4) Financial institution.--
                  (A) In general.--The term ``financial 
                institution'' means any institution engaged in 
                the business of providing financial services to 
                customers who maintain a credit, deposit, 
                trust, or other financial account or 
                relationship with the institution.
                  (B) Certain financial institutions 
                specifically included.--The term ``financial 
                institution'' includes any depository 
                institution (as defined in section 19(b)(1)(A) 
                of the Federal Reserve Act), any broker or 
                dealer, any investment adviser or investment 
                company, any insurance company, any loan or 
                finance company, any credit card issuer or 
                operator of a credit card system, and any 
                consumer reporting agency that compiles and 
                maintains files on consumers on a nationwide 
                basis (as defined in section 603(p)).
                  (C) Securities institutions.--For purposes of 
                subparagraph (B)--
                          (i) the terms ``broker'' and 
                        ``dealer'' have the meanings provided 
                        in section 3 of the Securities Exchange 
                        Act of 1934 (15 U.S.C. 78c);
                          (ii) the term ``investment adviser'' 
                        has the meaning provided in section 
                        202(a)(11) of the Investment Advisers 
                        Act of 1940 (15 U.S.C. 80b-2(a)); and
                          (iii) the term ``investment company'' 
                        has the meaning provided in section 3 
                        of the Investment Company Act of 1940 
                        (15 U.S.C. 80a-3).
                  (D) Further definition by regulation.--The 
                Federal Trade Commission, after consultation 
                with Federal banking agencies and the 
                Securities and Exchange Commission, may 
                prescribe regulations clarifying or describing 
                the types of institutions which shall be 
                treated as financial institutions for purposes 
                of this title.

Sec. 1003. Privacy protection for customer information of financial 
                    institutions

  (a) Prohibition on Obtaining Customer Information by False 
Pretenses.--It shall be a violation of this title for any 
person to obtain or attempt to obtain, or cause to be disclosed 
or attempt to cause to be disclosed to any person, customer 
information of a financial institution relating to another 
person--
          (1) by making a false, fictitious, or fraudulent 
        statement or representation to an officer, employee, or 
        agent of a financial institution;
          (2) by making a false, fictitious, or fraudulent 
        statement or representation to a customer of a 
        financial institution; or
          (3) by providing any document to an officer, 
        employee, or agent of a financial institution, knowing 
        that the document is forged, counterfeit, lost, or 
        stolen, was fraudulently obtained, or contains a false, 
        fictitious, or fraudulent statement or representation.
  (b) Prohibition on Solicitation of a Person To Obtain 
Customer Information From Financial Institution Under False 
Pretenses.--It shall be a violation of this title to request a 
person to obtain customer information of a financial 
institution, knowing that the person will obtain, or attempt to 
obtain, the information from the institution in any manner 
described in subsection (a).
  (c) Nonapplicability to Law Enforcement Agencies.--No 
provision of this section shall be construed so as to prevent 
any action by a law enforcement agency, or any officer, 
employee, or agent of such agency, to obtain customer 
information of a financial institution in connection with the 
performance of the official duties of the agency.
  (d) Nonapplicability to Financial Institutions in Certain 
Cases.--No provision of this section shall be construed so as 
to prevent any financial institution, or any officer, employee, 
or agent of a financial institution, from obtaining customer 
information of such financial institution in the course of--
          (1) testing the security procedures or systems of 
        such institution for maintaining the confidentiality of 
        customer information;
          (2) investigating allegations of misconduct or 
        negligence on the part of any officer, employee, or 
        agent of the financial institution; or
          (3) recovering customer information of the financial 
        institution which was obtained or received by another 
        person in any manner described in subsection (a) or 
        (b).
  (e) Nonapplicability to Insurance Institutions for 
Investigation of Insurance Fraud.--No provision of this section 
shall be construed so as to prevent any insurance institution, 
or any officer, employee, or agency of an insurance 
institution, from obtaining information as part of an insurance 
investigation into criminal activity, fraud, material 
misrepresentation, or material nondisclosure that is authorized 
for such institution under State law, regulation, 
interpretation, or order.
  (f) Nonapplicability to Certain Types of Customer Information 
of Financial Institutions.--No provision of this section shall 
be construed so as to prevent any person from obtaining 
customer information of a financial institution that otherwise 
is available as a public record filed pursuant to the 
securities laws (as defined in section 3(a)(47) of the 
Securities Exchange Act of 1934).

Sec. 1004. Administrative enforcement

  (a) Enforcement by Federal Trade Commission.--Except as 
provided in subsection (b), compliance with this title shall be 
enforced by the Federal Trade Commission in the same manner and 
with the same power and authority as the Commission has under 
the title VIII, the Fair Debt Collection Practices Act, to 
enforce compliance with such title.
  (b) Enforcement by Other Agencies in Certain Cases.--
          (1) In general.--Compliance with this title shall be 
        enforced under--
                  (A) section 8 of the Federal Deposit 
                Insurance Act, in the case of--
                          (i) national banks, and Federal 
                        branches and Federal agencies of 
                        foreign banks, by the Office of the 
                        Comptroller of the Currency;
                          (ii) member banks of the Federal 
                        Reserve System (other than national 
                        banks), branches and agencies of 
                        foreign banks (other than Federal 
                        branches, Federal agencies, and insured 
                        State branches of foreign banks), 
                        commercial lending companies owned or 
                        controlled by foreign banks, and 
                        organizations operating under section 
                        25 or 25A of the Federal Reserve Act, 
                        by the Board;
                          (iii) banks insured by the Federal 
                        Deposit Insurance Corporation (other 
                        than members of the Federal Reserve 
                        System and national nonmember banks) 
                        and insured State branches of foreign 
                        banks, by the Board of Directors of the 
                        Federal Deposit Insurance Corporation; 
                        and
                          (iv) savings associations the 
                        deposits of which are insured by the 
                        Federal Deposit Insurance Corporation, 
                        by the Director of the Office of Thrift 
                        Supervision; and
                  (B) the Federal Credit Union Act, by the 
                Administrator of the National Credit Union 
                Administration with respect to any Federal 
                credit union.
          (2) Violations of this title treated as violations of 
        other laws.--For the purpose of the exercise by any 
        agency referred to in paragraph (1) of its powers under 
        any Act referred to in that paragraph, a violation of 
        this title shall be deemed to be a violation of a 
        requirement imposed under that Act. In addition to its 
        powers under any provision of law specifically referred 
        to in paragraph (1), each of the agencies referred to 
        in that paragraph may exercise, for the purpose of 
        enforcing compliance with this title, any other 
        authority conferred on such agency by law.
          (3) Restitution.--In the case of any failure by an 
        entity referred to in paragraph (1) to comply with the 
        requirements of this title, an agency referred to in 
        such paragraph may require such entity to make 
        restitution to any person harmed by such failure in the 
        manner provided under section 8(b)(6)(A) of the Federal 
        Deposit Insurance Act or section 206(e)(3)(A) of the 
        Federal Credit Union Act, as the case may be, without 
        regard to clauses (i) and (ii) of such sections, and in 
        an amount equal to the sum of the amounts determined 
        under each of the following subparagraphs:
                  (A) Actual damages.--The greater of--
                          (i) the amount of any actual damage 
                        sustained by the person as a result of 
                        such failure; or
                          (ii) any amount received by the entity 
                        which failed to comply with this title, 
                        including an amount equal to the value 
                        of any nonmonetary consideration, as a 
                        result of the action which constitutes 
                        such failure.
                  (B) Additional damages.--Such additional 
                amount as the agency may determine to be 
                appropriate under the circumstances.
  (c) State Action for Violations.--
          (1) Authority of states.--In addition to such other 
        remedies as are provided under State law, if the chief 
        law enforcement officer of a State, or an official or 
        agency designated by a State, has reason to believe 
        that any person has violated or is violating this 
        title, the State--
                  (A) may bring an action to enjoin such 
                violation in any appropriate United States 
                district court or in any other court of 
                competent jurisdiction;
                  (B) may bring an action on behalf of the 
                residents of the State to recover damages of 
                not more than $1,000 for each violation; and
                  (C) in the case of any successful action 
                under subparagraph (A) or (B), shall be awarded 
                the costs of the action and reasonable attorney 
                fees as determined by the court.
          (2) Rights of federal regulators.--
                  (A) Prior notice.--The State shall serve 
                prior written notice of any action under 
                paragraph (1) upon the Federal Trade Commission 
                and--
                          (i) in the case of an action which 
                        involves a financial institution 
                        described in section 1004(b)(1), the 
                        agency referred to in such section with 
                        respect to such institution; or
                          (ii) in the case of an action which 
                        involves a financial institution 
                        subject to regulation by the Securities 
                        and Exchange Commission, such 
                        Commission.
                The State shall provide the Federal Trade 
                Commission and any such agency with a copy of 
                its complaint, except in any case in which such 
                prior notice is not feasible, in which case the 
                State shall serve such notice immediately upon 
                instituting such action.
                  (B) Right to intervene.--The Federal Trade 
                Commission or an agency described in subsection 
                (b) shall have the right--
                          (i) to intervene in an action under 
                        paragraph (1);
                          (ii) upon so intervening, to be heard 
                        on all matters arising therein;
                          (iii) to remove the action to the 
                        appropriate United States district 
                        court; and
                          (iv) to file petitions for appeal.
          (3) Investigatory powers.--For purposes of bringing 
        any action under this subsection, no provision of this 
        subsection shall be construed as preventing the chief 
        law enforcement officer, or an official or agency 
        designated by a State, from exercising the powers 
        conferred on the chief law enforcement officer or such 
        official by the laws of such State to conduct 
        investigations or to administer oaths or affirmations 
        or to compel the attendance of witnesses or the 
        production of documentary and other evidence.
          (4) Limitation on state action while federal action 
        pending.--If the Federal Trade Commission or any agency 
        described in subsection (b) has instituted a civil 
        action for a violation of this title, no State may, 
        during the pendency of such action, bring an action 
        under this section against any defendant named in the 
        complaint of the Federal Trade Commission or such 
        agency for any violation of this title that is alleged 
        in that complaint.
  (d) Notice to SEC of Actions.--The Federal Trade Commission 
shall notify the Securities and Exchange Commission whenever 
the Federal Trade Commission initiates an investigation with 
respect to a financial institution subject to regulation by the 
Securities and Exchange Commission.

Sec. 1005. Civil liability

  Any person, other than a financial institution, who fails to 
comply with any provision of this title with respect to any 
financial institution or any customer information of a 
financial institution shall be liable to such financial 
institution or the customer to whom such information relates in 
an amount equal to the sum of the amounts determined under each 
of the following paragraphs:
          (1) Actual damages.--The greater of--
                  (A) the amount of any actual damage sustained 
                by the financial institution or customer as a 
                result of such failure; or
                  (B) any amount received by the person who 
                failed to comply with this title, including an 
                amount equal to the value of any nonmonetary 
                consideration, as a result of the action which 
                constitutes such failure.
          (2) Additional damages.--Such additional amount as 
        the court may allow.
          (3) Attorneys' fees.--In the case of any successful 
        action to enforce any liability under paragraph (1) or 
        (2), the costs of the action, together with reasonable 
        attorneys' fees.

Sec. 1006. Criminal penalty

  (a) In General.--Whoever knowingly and intentionally 
violates, or knowingly and intentionally attempts to violate, 
section 1003 shall be fined in accordance with title 18, United 
States Code, or imprisoned for not more than 5 years, or both.
  (b) Enhanced Penalty for Aggravated Cases.--Whoever violates, 
or attempts to violate, section 1003 while violating another 
law of the United States or as part of a pattern of any illegal 
activity involving more than $100,000 in a 12-month period 
shall be fined twice the amount provided in subsection (b)(3) 
or (c)(3) (as the case may be) of section 3571 of title 18, 
United States Code, imprisoned for not more than 10 years, or 
both.

Sec. 1007. Relation to State laws

  (a) In General.--This title shall not be construed as 
superseding, altering, or affecting the statutes, regulations, 
orders, or interpretations in effect in any State, except to 
the extent that such statutes, regulations, orders, or 
interpretations are inconsistent with the provisions of this 
title, and then only to the extent of the inconsistency.
  (b) Greater Protection Under State Law.--For purposes of this 
section, a State statute, regulation, order, or interpretation 
is not inconsistent with the provisions of this title if the 
protection such statute, regulation, order, or interpretation 
affords any person is greater than the protection provided 
under this title.

Sec. 1008. Agency guidance

  In furtherance of the objectives of this title, each Federal 
banking agency (as defined in section 3(z) of the Federal 
Deposit Insurance Act) and the Securities and Exchange 
Commission or self-regulatory organizations, as appropriate, 
shall review regulations and guidelines applicable to financial 
institutions under their respective jurisdictions and shall 
prescribe such revisions to such regulations and guidelines as 
may be necessary to ensure that such financial institutions 
have policies, procedures, and controls in place to prevent the 
unauthorized disclosure of customer financial information and 
to deter and detect activities proscribed under section 1003.

                                
