Opinion No.

The Honorable Martha Shoffner State Representative P.O. Box 44 Newport, AR 72112-0044

Dear Representative Shoffner:

You have requested an Attorney General opinion concerning the disclosure of personal information by financial institutions. I am issuing the following opinion in response to your request.

You indicate that two of your constituents received a notice from their bank concerning the disclosure of certain nonpublic personal information. They expressed a concern and raised questions about such disclosures.

Your have presented the following questions:

(1) Is it legal for a bank to disclose a list of information about non-public personal business transactions and account records?

(2) What does the phrase "notice of our financial privacy rights" mean regarding the above information?

RESPONSE

Question 1 — Is it legal for a bank to disclose a list of informationabout non-public personal business transactions and account records?

Summary of Response to Question 1

The answer to this question will depend upon the specific type of information in question, the entity disclosing the information, and the entity to whom the information is being disclosed.

It is my opinion that:

(1) financial institutions are generally not prohibited by law from disclosing non-public personal business information to nonaffiliated third parties, provided that they follow certain procedures; however, under the Gramm-Leach-Bliley Act, customers and other consumers may "opt out" of certain disclosures to non-affiliates (i.e., they may instruct their financial institutions not to disclose certain information to non-affiliates);

(2) financial institutions are prohibited from disclosing certain account information to certain entities for marketing purposes, without regard to whether the customer or other consumer has "opted out;" and

(3) financial institutions are generally not prohibited by law from disclosing some non-public personal business information about consumers to their affiliates; however, if, under the specific facts of a particular situation, the financial institution in question constitutes an entity that is regulated by the Fair Credit Reporting Act, consumers may "opt out" of the disclosure of certain types of information to the financial institution's affiliates (i.e., in these situations, they may instruct their financial institutions not to disclose such information to their affiliates).

These conclusions will be explained more fully below.

Discussion

Neither state nor federal law provides a general prohibition against the disclosure of personal information by financial institutions. However, certain federal laws place some restrictions on disclosures of certain information to certain entities.

The Gramm-Leach-Bliley Act

The Financial Services Modernization Act (also called the "Gramm-Leach-Bliley Act" or "GLB") (Pub.L. 106-102, Nov. 12, 1999,113 Stat. 1338) places some restrictions on the ability of financial institutions to disclose nonpublic personal information. The GLB provides that financial institutions cannot disclose the "nonpublic personal information" of any customer or other consumer to any "non-affiliated third party" unless the financial institution has notified the customer or consumer of the types of information it may disclose to such entities, and has notified the customer or consumer of his or her right under the GLB to "opt out" of the disclosure.¹

Under the "opt out" provision of the Act, customers of financial institutions and other consumers are permitted to instruct financial institutions not to disclose "nonpublic personal information" to any "non-affiliated third party." The GLB defines "nonpublic personal information" to mean:

personally identifiable financial information —

(i) provided by a consumer to a financial institution;

(ii) resulting from any transaction with the consumer or any service performed for the consumer; or

(iii) otherwise obtained by the financial institution.

15 U.S.C. § 6809(4).

The term "non-public personal information" does not refer to publicly available information, but does include "any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information[.]"

The GLB defines the term "nonaffiliated third party" to mean "any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution[.]"15 U.S.C. § 6809(5). This term does not include a joint employee of the institution.

The notice that financial institutions are required to provide their customers and other consumers must state a time frame within which customers and consumers may opt out, and must state a procedure for doing so. If the customers or consumers do not avail themselves of the opportunity to opt out, the financial institution may disclose their nonpublic personal information to non-affiliated third parties. (However, customers can opt out as to future disclosures at any time.)

It should be noted that the notice and opt out provisions of the GLB do not apply to disclosures of nonpublic personal information to affiliates of financial institutions. That is, financial institutions may disclose such information to affiliates without giving notice to customers, and the GLB does not grant customers the right to opt out of disclosures to affiliates. (However, as discussed below, the Fair Credit Reporting Act15 U.S.C. § 1681 et seq., may grant customers the right to opt out of the disclosure by some institutions of some types of information to affiliates.)

The "opt out" provision of the GLB contains several significant exceptions, even as to non-affiliated third parties.

First, it does not prevent a financial institution from providing nonpublic personal information to non-affiliated third parties for the following purposes:

to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the regulations prescribed under section 6804 of this title, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.

15 U.S.C. § 6802(b)(2).

In addition, the "opt out" provision of the GLB contains the following general exceptions:

(e) General exceptions

Subsections (a) and (b) of this section shall not prohibit the disclosure of nonpublic personal information —

(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with —

(A) servicing or processing a financial product or service requested or authorized by the consumer;

(B) maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

(2) with the consent or at the direction of the consumer;

(3)(A) to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein; (B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (C) for required institutional risk control, or for resolving customer disputes or inquiries; (D) to persons holding a legal or beneficial interest relating to the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;

(4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors;

(5) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, and chapter 2 of title I of Public Law 91-508 (12 U.S.C. 1951-1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

(6)(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or (B) from a consumer report reported by a consumer reporting agency;

(7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(8) to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

15 U.S.C. § 6802(e).

A customer's or consumer's exercise of the "opt out" opportunity under the GLB will not prevent disclosure of nonpublic personal information in accordance with the above-quoted exceptions.

The GLB prohibits financial institutions from disclosing (other than to a consumer reporting agency) "an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer." 15 U.S.C. § 6802(d). This prohibition appears to apply without regard to whether the customer has opted out or not. That is, the GLB appears to prohibit this type of disclosure even if the customer has not opted out.

The Fair Credit Reporting Act

The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) (FCRA) regulates "consumer reporting agencies" and "consumer reports." Banks normally do not constitute "consumer reporting agencies," as defined in the FCRA (see 15 U.S.C. § 1681a(f)), and therefore are not normally regulated by the FCRA. However, if the specific facts of a particular situation indicate that a bank does constitute a "consumer reporting agency," thus falling within the regulatory authority of the FCRA,² a limitation may be placed on its ability to disclose certain information, as explained below.

The FCRA generally permits the disclosure of "consumer reports" (information related to the customer's creditworthiness) under a variety of circumstances and for a variety of purposes. 15 U.S.C. § 1681b. However, the FCRA excludes from the definition of "consumer reports" reports to corporate affiliates containing information solely about "transactions or experiences between the consumer and the person making the report" — unless the consumer reporting agency has given the customer notice and an opportunity to direct the agency not to disclose that information to the affiliate. 15 U.S.C. § 1681a(d)(2)(A).

This requirement thus places a limitation on the ability of consumer reporting agencies to disclose nonpublic personal information to affiliates, even though that information would otherwise be disclosable under the GLB.

In addition to the limitations on disclosures discussed above under the GLB and the FCRA, it should be noted that the Right to Financial Privacy Act (12 U.S.C. § 3401 et seq.) imposes various limitations on the disclosability of nonpublic personal financial information to governmental agencies.

Question 2 — What does the phrase "notice of our financial privacyrights" mean regarding the above information?

You have taken this phrase from a letter from your constituents, in which they described a notice they received from their bank. It is likely that the notice your constituents received was the notice that was required by the GLB to be sent to existing customers of financial institutions by July 31, 2001. If so, this notice should have included a statement of the bank's privacy policy and an explanation of the customers' right to opt out of certain disclosures of nonpublic personal information, pursuant to the GLB.

Assistant Attorney General Suzanne Antley prepared the foregoing opinion, which I hereby approve.

Sincerely,

MARK PRYOR Attorney General

¹ Financial institutions must notify all customers annually, and were required to notify their existing customers by July 31, 2001.

² The question of whether a particular institution falls within the regulatory authority of the FCRA is largely a question of fact that will turn on various factors, including (in addition to the nature of the institution itself) the type of information being disclosed, the entity to which the information is being disclosed, and the nature of the transaction between the reporting institution and the entity receiving the information.