GRAMM-LEACH-BLILEY ACT
Public Law 106-102
106th Congress

An Act
To enhance competition in the financial services industry by providing a
prudential framework for the affiliation of banks, securities firms,
insurance companies, and other financial service providers, and for
other purposes.

[Extract; non-private detective operations related sections deleted].

TITLE V--PRIVACY
Subtitle A--Disclosure of Nonpublic Personal Information

Sec. 501. Protection of nonpublic personal information.
Sec. 502. Obligations with respect to disclosures of personal information.
Sec. 503. Disclosure of institution privacy policy.
Sec. 504. Rulemaking.
Sec. 505. Enforcement.
Sec. 506. Protection of Fair Credit Reporting Act.
Sec. 507. Relation to State laws.
Sec. 508. Study of information sharing among financial affiliates.
Sec. 509. Definitions.
Sec. 510. Effective date.

Subtitle B--Fraudulent Access to Financial Information

Sec. 521. Privacy protection for customer information of financial institutions.
Sec. 522. Administrative enforcement.
Sec. 523. Criminal penalty.
Sec. 524. Relation to State laws.
Sec. 525. Agency guidance.
Sec. 526. Reports.
Sec. 527. Definitions.

TITLE V--PRIVACY
Subtitle A--Disclosure of Nonpublic Personal Information

SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION (15 USC
6801).
(a) Privacy Obligation Policy.--It is the policy of the Congress that each financial
institution has an affirmative and continuing obligation to respect the privacy of its customers
and to protect the security and confidentiality of those customers' nonpublic personal
information.
(b) Financial Institutions Safeguards.--In furtherance of the policy in subsection (a), each
agency or authority described in section 505(a) shall establish appropriate standards for the
financial institutions subject to their jurisdiction relating to administrative, technical, and
physical safeguards--
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity
of such records; and
(3) to protect against unauthorized access to or use of such records or information
which could result in substantial harm or inconvenience to any customer.

SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL
INFORMATION (15 USC 6802).
(a) Notice Requirements.--Except as otherwise provided in this subtitle, a financial
institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any
nonpublic personal information, unless such financial institution provides or has provided to the
consumer a notice that complies with section 503.
(b) Opt Out.--
(1) In general.--A financial institution may not disclose nonpublic personal
information to a nonaffiliated third party unless--
(A) such financial institution clearly and conspicuously discloses to the
consumer, in writing or in electronic form or other form permitted by the regulations prescribed
under section 504, that such information may be disclosed to such third party;
(B) the consumer is given the opportunity, before the time that such
information is initially disclosed, to direct that such information not be disclosed to such third
party; and
(C) the consumer is given an explanation of how the consumer can
exercise that nondisclosure option.
(2) Exception.--This subsection shall not prevent a financial institution from
providing nonpublic personal information to a nonaffiliated third party to perform services for or
functions on behalf of the financial institution, including marketing of the financial institution's
own products or services, or financial products or services offered pursuant to joint agreements
between two or more financial institutions that comply with the requirements imposed by the
regulations prescribed under section 504, if the financial institution fully discloses the providing
of such information and enters into a contractual agreement with the third party that requires the
third party to maintain the confidentiality of such information.
(c) Limits on Reuse of Information.--Except as otherwise provided in this subtitle, a
nonaffiliated third party that receives from a financial institution nonpublic personal information
under this section shall not, directly or through an affiliate of such receiving third party, disclose
such information to any other person that is a nonaffiliated third party of both the financial
institution and such receiving third party, unless such disclosure would be lawful if made
directly to such other person by the financial institution.
(d) Limitations on the Sharing of Account Number Information for Marketing
Purposes.--A financial institution shall not disclose, other than to a consumer reporting agency,
an account number or similar form of access number or access code for a credit card account,
deposit account, or transaction account of a consumer to any nonaffiliated third party for use in
telemarketing, direct mail marketing, or other marketing through electronic mail to the
consumer.
(e) General Exceptions.--Subsections (a) and (b) shall not prohibit the disclosure of
nonpublic personal information--
(1) as necessary to effect, administer, or enforce a transaction requested or
authorized by the consumer, or in connection with--
(A) servicing or processing a financial product or service requested or
authorized by the consumer;
(B) maintaining or servicing the consumer's account with the financial
institution, or with another entity as part of a private label credit card program or other extension
of credit on behalf of such entity; or
(C) a proposed or actual securitization, secondary market sale (including
sales of servicing rights), or similar transaction related to a transaction of the consumer;
(2) with the consent or at the direction of the consumer;
(3) (A) to protect the confidentiality or security of the financial institution's
records pertaining to the consumer, the service or product, or the transaction therein;
(B) to protect against or prevent actual or potential fraud, unauthorized
transactions, claims, or other liability;
(C) for required institutional risk control, or for resolving customer
disputes or inquiries;
(D) to persons holding a legal or beneficial interest relating to the
consumer; or
(E) to persons acting in a fiduciary or representative capacity on behalf of
the consumer;
(4) to provide information to insurance rate advisory organizations, guaranty
funds or agencies, applicable rating agencies of the financial institution, persons assessing the
institution's compliance with industry standards, and the institution's attorneys, accountants, and
auditors;
(5) to the extent specifically permitted or required under other provisions of law
and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies
(including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter
II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91-508 (12
U.S.C. 1951-1959), a State insurance authority, or the Federal Trade Commission),
self-regulatory organizations, or for an investigation on a matter related to public safety;
(6) (A) to a consumer reporting agency in accordance with the Fair Credit
Reporting Act, or
(B) from a consumer report reported by a consumer reporting agency;
(7) in connection with a proposed or actual sale, merger, transfer, or exchange of
all or a portion of a business or operating unit if the disclosure of nonpublic personal information
concerns solely consumers of such business or unit; or
(8) to comply with Federal, State, or local laws, rules, and other applicable legal
requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or
subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or
government regulatory authorities having jurisdiction over the financial institution for
examination, compliance, or other purposes as authorized by law.

SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY (15 USC 6803).
(a) Disclosure Required.--At the time of establishing a customer relationship with a
consumer and not less than annually during the continuation of such relationship, a financial
institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in
electronic form or other form permitted by the regulations prescribed under section 504, of such
financial institution's policies and practices with respect to--
(1) disclosing nonpublic personal information to affiliates and nonaffiliated third
parties, consistent with section 502, including the categories of information that may be
disclosed;
(2) disclosing nonpublic personal information of persons who have ceased to be
customers of the financial institution; and
(3) protecting the nonpublic personal information of consumers. Such disclosures
shall be made in accordance with the regulations prescribed under section 504.
(b) Information To Be Included.--The disclosure required by subsection (a) shall include--
(1) the policies and practices of the institution with respect to disclosing
nonpublic personal information to nonaffiliated third parties, other than agents of the institution,
consistent with section 502 of this subtitle, and including--
(A) the categories of persons to whom the information is or may be
disclosed, other than the persons to whom the information may be provided pursuant to section
502(e); and
(B) the policies and practices of the institution with respect to disclosing
of nonpublic personal information of persons who have ceased to be customers of the financial
institution;
(2) the categories of nonpublic personal information that are collected by the
financial institution;
(3) the policies that the institution maintains to protect the confidentiality and
security of nonpublic personal information in accordance with section 501; and
(4) the disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair
Credit Reporting Act.

SEC. 504. RULEMAKING (15 USC 6804).
(a) Regulatory Authority.--
(1) Rulemaking.--The Federal banking agencies, the National Credit Union
Administration, the Secretary of the Treasury, the Securities and Exchange Commission, and the
Federal Trade Commission shall each prescribe, after consultation as appropriate with
representatives of State insurance authorities designated by the National Association of Insurance
Commissioners, such regulations as may be necessary to carry out the purposes of this subtitle
with respect to the financial institutions subject to their jurisdiction under section 505.
(2) Coordination, consistency, and comparability.--Each of the agencies and
authorities required under paragraph (1) to prescribe regulations shall consult and coordinate
with the other such agencies and authorities for the purposes of assuring, to the extent possible,
that the regulations prescribed by each such agency and authority are consistent and comparable
with the regulations prescribed by the other such agencies and authorities.
(3) Procedures and deadline.--Such regulations shall be prescribed in accordance
with applicable requirements of title 5, United States Code, and shall be issued in final form not
later than 6 months after the date of the enactment of this Act.
(b) Authority To Grant Exceptions.--The regulations prescribed under subsection (a) may
include such additional exceptions to subsections (a) through (d) of section 502 as are deemed
consistent with the purposes of this subtitle.

SEC. 505. ENFORCEMENT (15 USC 6805).
(a) In General.--This subtitle and the regulations prescribed thereunder shall be enforced
by the Federal functional regulators, the State insurance authorities, and the Federal Trade
Commission with respect to financial institutions and other persons subject to their jurisdiction
under applicable law, as follows:
(1) Under section 8 of the Federal Deposit Insurance Act, in the case of--
(A) national banks, Federal branches and Federal agencies of foreign
banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance,
investment companies, and investment advisers), by the Office of the Comptroller of the
Currency;
(B) member banks of the Federal Reserve System (other than national
banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies,
and insured State branches of foreign banks), commercial lending companies owned or
controlled by foreign banks, organizations operating under section 25 or 25A of the Federal
Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates (except
brokers, dealers, persons providing insurance, investment companies, and investment advisers),
by the Board of Governors of the Federal Reserve System;
(C) banks insured by the Federal Deposit Insurance Corporation (other
than members of the Federal Reserve System), insured State branches of foreign banks, and any
subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment
companies, and investment advisers), by the Board of Directors of the Federal Deposit Insurance
Corporation; and
(D) savings associations the deposits of which are insured by the Federal
Deposit Insurance Corporation, and any subsidiaries of such savings associations (except
brokers, dealers, persons providing insurance, investment companies, and investment advisers),
by the Director of the Office of Thrift Supervision.
(2) Under the Federal Credit Union Act, by the Board of the National Credit
Union Administration with respect to any federally insured credit union, and any subsidiaries of
such an entity.
(3) Under the Securities Exchange Act of 1934, by the Securities and Exchange
Commission with respect to any broker or dealer.
(4) Under the Investment Company Act of 1940, by the Securities and Exchange
Commission with respect to investment companies.
(5) Under the Investment Advisers Act of 1940, by the Securities and Exchange
Commission with respect to investment advisers registered with the Commission under such Act.
(6) Under State insurance law, in the case of any person engaged in providing
insurance, by the applicable State insurance authority of the State in which the person is
domiciled, subject to section 104 of this Act.
(7) Under the Federal Trade Commission Act, by the Federal Trade Commission
for any other financial institution or other person that is not subject to the jurisdiction of any
agency or authority under paragraphs (1) through (6) of this subsection.
(b) Enforcement of Section 501.--
(1) In general.--Except as provided in paragraph (2), the agencies and authorities
described in subsection (a) shall implement the standards prescribed under section 501(b) in the
same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the
Federal Deposit Insurance Act are implemented pursuant to such section.
(2) Exception.--The agencies and authorities described in paragraphs (3), (4), (5),
(6), and (7) of subsection (a) shall implement the standards prescribed under section 501(b) by
rule with respect to the financial institutions and other persons subject to their respective
jurisdictions under subsection (a).
(c) Absence of State Action.--If a State insurance authority fails to adopt regulations to
carry out this subtitle, such State shall not be eligible to override, pursuant to section
47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protection
regulations prescribed by a Federal banking agency under section 47(a) of such Act.
(d) Definitions.--The terms used in subsection (a)(1) that are not defined in this subtitle or
otherwise defined in section 3(s) of the Federal Deposit Insurance Act shall have the same
meaning as given in section 1(b) of the International Banking Act of 1978.

SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.
(a) Amendment.--Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s) is
amended--
(1) in subsection (d), by striking everything following the end of the second
sentence; and
(2) by striking subsection (e) and inserting the following:
``(e) Regulatory Authority.--
``(1) The Federal banking agencies referred to in paragraphs (1)
and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the
purposes of this Act with respect to any persons identified under paragraphs (1) and (2) of
subsection (b), and the Board of Governors of the Federal Reserve System shall have authority to
prescribe regulations consistent with such joint regulations with respect to bank holding
companies and affiliates (other than depository institutions and consumer reporting agencies) of
such holding companies.
``(2) The Board of the National Credit Union Administration shall
prescribe such regulations as necessary to carry out the purposes of this Act with respect to any
persons identified under paragraph (3) of subsection (b).''.
(b) Conforming Amendment.--Section 621(a) of the Fair Credit Reporting Act (15 U.S.C.
1681s(a)) is amended by striking paragraph (4).
(c) Relation to Other Provisions (15 USC 6806).--Except for the
amendments made by subsections (a) and (b), nothing in this title shall be construed to modify,
limit, or supersede the operation of the Fair Credit Reporting Act, and no inference shall be
drawn on the basis of the provisions of this title regarding whether information is transaction or
experience information under section 603 of such Act.

SEC. 507. RELATION TO STATE LAWS (15 USC 6807).
(a) In General.--This subtitle and the amendments made by this subtitle shall not be
construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in
effect in any State, except to the extent that such statute, regulation, order, or interpretation is
inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.
(b) Greater Protection Under State Law.--For purposes of this section, a State statute,
regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the
protection such statute, regulation, order, or interpretation affords any person is greater than the
protection provided under this subtitle and the amendments made by this subtitle, as determined
by the Federal Trade Commission, after consultation with the agency or authority with
jurisdiction under section 505(a) of either the person that initiated the complaint or that is the
subject of the complaint, on its own motion or upon the petition of any interested party.

SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES
(15 USC 6808).
(a) In General.--The Secretary of the Treasury, in conjunction with the Federal functional
regulators and the Federal Trade Commission, shall conduct a study of information sharing
practices among financial institutions and their affiliates. Such study shall include--
(1) the purposes for the sharing of confidential customer information with
affiliates or with nonaffiliated third parties;
(2) the extent and adequacy of security protections for such information;
(3) the potential risks for customer privacy of such sharing of information;
(4) the potential benefits for financial institutions and affiliates of such sharing of
information;
(5) the potential benefits for customers of such sharing of information;
(6) the adequacy of existing laws to protect customer privacy;
(7) the adequacy of financial institution privacy policy and privacy rights
disclosure under existing law;
(8) the feasibility of different approaches, including opt-out and opt-in, to permit
customers to direct that confidential information not be shared with affiliates and nonaffiliated
third parties; and
(9) the feasibility of restricting sharing of information for specific uses or of
permitting customers to direct the uses for which information may be shared.
(b) Consultation.--The Secretary shall consult with representatives of State insurance
authorities designated by the National Association of Insurance Commissioners, and also with
financial services industry, consumer organizations and privacy groups, and other representatives
of the general public, in formulating and conducting the study required by subsection (a).
(c) Report.--On or before January 1, 2002, the Secretary shall submit a report to the
Congress containing the findings and conclusions of the study required under subsection (a),
together with such recommendations for legislative or administrative action as may be
appropriate.

SEC. 509. DEFINITIONS (15 USC 6809).
As used in this subtitle:
(1) Federal banking agency.--The term ``Federal banking agency'' has the same meaning
as given in section 3 of the Federal Deposit Insurance Act.
(2) Federal functional regulator.--The term ``Federal functional regulator'' means--
(A) the Board of Governors of the Federal Reserve System;
(B) the Office of the Comptroller of the Currency;
(C) the Board of Directors of the Federal Deposit Insurance Corporation;
(D) the Director of the Office of Thrift Supervision;
(E) the National Credit Union Administration Board; and
(F) the Securities and Exchange Commission.
(3) Financial institution.--
(A) In general.--The term ``financial institution'' means any institution the
business of which is engaging in financial activities as described in section 4(k) of the Bank
Holding Company Act of 1956.
(B) Persons subject to CFTC regulation.--Notwithstanding subparagraph (A), the
term ``financial institution'' does not include any person or entity with respect to any financial
activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under
the Commodity Exchange Act.
(C) Farm credit institutions.--Notwithstanding subparagraph (A), the term
``financial institution'' does not include the Federal Agricultural Mortgage Corporation or any
entity chartered and operating under the Farm Credit Act of 1971.
(D) Other secondary market institutions.--Notwithstanding subparagraph (A), the
term ``financial institution'' does not include institutions chartered by Congress specifically to
engage in transactions described in section 502(e)(1)(C), as long as such institutions do not sell
or transfer nonpublic personal information to a nonaffiliated third party.
(4) Nonpublic personal information.--
(A) The term ``nonpublic personal information'' means personally identifiable
financial information--
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service
performed for the consumer; or
(iii) otherwise obtained by the financial institution.
(B) Such term does not include publicly available information, as such term is
defined by the regulations prescribed under section 504.
(C) Notwithstanding subparagraph (B), such term--
(i) shall include any list, description, or other grouping of consumers (and
publicly available information pertaining to them) that is derived using any nonpublic personal
information other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers
(and publicly available information pertaining to them) that is derived without using any
nonpublic personal information.
(5) Nonaffiliated third party.--The term ``nonaffiliated third party'' means any entity that
is not an affiliate of, or related by common ownership or affiliated by corporate control with, the
financial institution, but does not include a joint employee of such institution.
(6) Affiliate.--The term ``affiliate'' means any company that controls, is controlled by, or
is under common control with another company.
(7) Necessary to effect, administer, or enforce.--The term ``as necessary to effect,
administer, or enforce the transaction'' means--
(A) the disclosure is required, or is a usual, appropriate, or acceptable method, to
carry out the transaction or the product or service business of which the transaction is a part, and
record or service or maintain the consumer's account in the ordinary course of providing the
financial service or financial product, or to administer or service benefits or claims relating to the
transaction or the product or service business of which it is a part, and includes--
(i) providing the consumer or the consumer's agent or broker with a
confirmation, statement, or other record of the transaction, or information on the status or value
of the financial service or financial product; and
(ii) the accrual or recognition of incentives or bonuses associated with the
transaction that are provided by the financial institution or any other party;
(B) the disclosure is required, or is one of the lawful or appropriate methods, to
enforce the rights of the financial institution or of other persons engaged in carrying out the
financial transaction, or providing the product or service;
(C) the disclosure is required, or is a usual, appropriate, or acceptable method, for
insurance underwriting at the consumer's request or for reinsurance purposes, or for any of the
following purposes as they relate to a consumer's insurance: Account administration, reporting,
investigating, or preventing fraud or material misrepresentation, processing premium payments,
processing insurance claims, administering insurance benefits (including utilization review
activities), participating in research projects, or as otherwise required or specifically permitted by
Federal or State law; or
(D) the disclosure is required, or is a usual, appropriate or acceptable method, in
connection with--
(i) the authorization, settlement, billing, processing, clearing, transferring,
reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or
other payment card, check, or account number, or by other payment means;
(ii) the transfer of receivables, accounts or interests therein; or
(iii) the audit of debit, credit or other payment information.
(8) State insurance authority.--The term ``State insurance authority'' means, in the case of
any person engaged in providing insurance, the State insurance authority of the State in which the
person is domiciled.
(9) Consumer.--The term ``consumer'' means an individual who obtains, from a financial
institution, financial products or services which are to be used primarily for personal, family, or
household purposes, and also means the legal representative of such an individual.
(10) Joint agreement.--The term ``joint agreement'' means a formal written contract
pursuant to which two or more financial institutions jointly offer, endorse, or sponsor a financial
product or service, and as may be further defined in the regulations prescribed under section 504.
(11) Customer relationship.--The term ``time of establishing a customer relationship''
shall be defined by the regulations prescribed under section 504, and shall, in the case of a
financial institution engaged in extending credit directly to consumers to finance purchases of
goods or services, mean the time of establishing the credit relationship with the consumer.

SEC. 510. EFFECTIVE DATE (15 USC 6801).
This subtitle shall take effect 6 months after the date on which rules are required to be prescribed
under section 504(a)(3), except--
(1) to the extent that a later date is specified in the rules prescribed under section 504; and
(2) that sections 504 and 506 shall be effective upon enactment.

Subtitle B--Fraudulent Access to Financial Information

SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF
FINANCIAL INSTITUTIONS. (15 USC 6821).
(a) Prohibition on Obtaining Customer Information by False Pretenses.--It shall be a
violation of this subtitle for any person to obtain or attempt to obtain, or cause to be disclosed or
attempt to cause to be disclosed to any person, customer information of a financial institution
relating to another person--
(1) by making a false, fictitious, or fraudulent statement or representation to an
officer, employee, or agent of a financial institution;
(2) by making a false, fictitious, or fraudulent statement or representation to a
customer of a financial institution; or
(3) by providing any document to an officer, employee, or agent of a financial
institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently
obtained, or contains a false, fictitious, or fraudulent statement or representation.
(b) Prohibition on Solicitation of a Person To Obtain Customer Information From
Financial Institution Under False Pretenses.--It shall be a violation of this subtitle to request a
person to obtain customer information of a financial institution, knowing that the person will
obtain, or attempt to obtain, the information from the institution in any manner described in
subsection (a).
(c) Nonapplicability to Law Enforcement Agencies.--No provision of this section shall be
construed so as to prevent any action by a law enforcement agency, or any officer, employee, or
agent of such agency, to obtain customer information of a financial institution in connection
with the performance of the official duties of the agency.
(d) Nonapplicability to Financial Institutions in Certain Cases.--No provision of this
section shall be construed so as to prevent any financial institution, or any officer, employee, or
agent of a financial institution, from obtaining customer information of such financial
institution in the course of--
(1) testing the security procedures or systems of such institution for maintaining
the confidentiality of customer information;
(2) investigating allegations of misconduct or negligence on the part of any
officer, employee, or agent of the financial institution; or
(3) recovering customer information of the financial institution which was
obtained or received by another person in any manner described in subsection (a) or (b).
(e) Nonapplicability to Insurance Institutions for Investigation of Insurance Fraud.--No
provision of this section shall be construed so as to prevent any insurance institution, or any
officer, employee, or agency of an insurance institution, from obtaining information as part
of an insurance investigation into criminal activity, fraud, material misrepresentation, or material
nondisclosure that is authorized for such institution under State law, regulation, interpretation, or
order.
(f) Nonapplicability to Certain Types of Customer Information of Financial
Institutions.--No provision of this section shall be construed so as to prevent any person from
obtaining customer information of a financial institution that otherwise is available as a public
record filed pursuant to the securities laws (as defined in section 3(a)(47) of the Securities
Exchange Act of 1934).
(g) Nonapplicability to Collection of Child Support Judgments.--No provision of this
section shall be construed to prevent any State-licensed private investigator, or any officer,
employee, or agent of such private investigator, from obtaining customer information of a
financial institution, to the extent reasonably necessary to collect child support from a person
adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the
extent that such action by a State-licensed private investigator is not unlawful under any other
Federal or State law or regulation, and has been authorized by an order or judgment of a court of
competent jurisdiction.

SEC. 522. ADMINISTRATIVE ENFORCEMENT (15 USC 6822).
(a) Enforcement by Federal Trade Commission.--Except as provided in subsection (b),
compliance with this subtitle shall be enforced by the Federal Trade Commission in the same
manner and with the same power and authority as the Commission has under the Fair Debt
Collection Practices Act to enforce compliance with such Act.
(b) Enforcement by Other Agencies in Certain Cases.--
(1) In general.--Compliance with this subtitle shall be enforced under--
(A) section 8 of the Federal Deposit Insurance Act, in the case of--
(i) national banks, and Federal branches and Federal agencies of
foreign banks, by the Office of the Comptroller of the Currency;
(ii) member banks of the Federal Reserve System (other than
national banks), branches and agencies of foreign banks (other than Federal branches, Federal
agencies, and insured State branches of foreign banks), commercial lending companies owned or
controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal
Reserve Act, by the Board;
(iii) banks insured by the Federal Deposit Insurance Corporation
(other than members of the Federal Reserve System and national nonmember banks) and insured
State branches of foreign banks, by the Board of Directors of the Federal Deposit Insurance
Corporation; and
(iv) savings associations the deposits of which are insured by the
Federal Deposit Insurance Corporation, by the Director of the Office of Thrift Supervision; and
(B) the Federal Credit Union Act, by the Administrator of the National
Credit Union Administration with respect to any Federal credit union.
(2) Violations of this subtitle treated as violations of other laws.--For the purpose of the
exercise by any agency referred to in paragraph (1) of its powers under any Act referred to in that
paragraph, a violation of this subtitle shall be deemed to be a violation of a requirement imposed
under that Act. In addition to its powers under any provision of law specifically referred to in
paragraph (1), each of the agencies referred to in that paragraph may exercise, for the purpose of
enforcing compliance with this subtitle, any other authority conferred on such agency by law.

SEC. 523. CRIMINAL PENALTY (15 USC 6823).
(a) In General.--Whoever knowingly and intentionally violates, or knowingly and
intentionally attempts to violate, section 521 shall be fined in accordance with title 18, United
States Code, or imprisoned for not more than 5 years, or both.
(b) Enhanced Penalty for Aggravated Cases.--Whoever violates, or attempts to violate,
section 521 while violating another law of the United States or as part of a pattern of any illegal
activity involving more than $100,000 in a 12-month period shall be fined twice the amount
provided in subsection (b)(3) or (c)(3) (as the case may be) of section 3571 of title 18, United
States Code, imprisoned for not more than 10 years, or both.

SEC. 524. RELATION TO STATE LAWS (15 USC 6824).
(a) In General.--This subtitle shall not be construed as superseding, altering, or affecting
the statutes, regulations, orders, or interpretations in effect in any State, except to the extent that
such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this
subtitle, and then only to the extent of the inconsistency.
(b) Greater Protection Under State Law.--For purposes of this section, a State statute,
regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the
protection such statute, regulation, order, or interpretation affords any person is greater than the
protection provided under this subtitle as determined by the Federal Trade Commission, after
consultation with the agency or authority with jurisdiction under section 522 of either the person
that initiated the complaint or that is the subject of the complaint, on its own motion or upon the
petition of any interested party.

SEC. 525. AGENCY GUIDANCE (15 USC 6825).
In furtherance of the objectives of this subtitle, each Federal banking agency (as defined in
section 3(z) of the Federal Deposit Insurance Act), the National Credit Union Administration,
and the Securities and Exchange Commission or self-regulatory organizations, as appropriate,
shall review regulations and guidelines applicable to financial institutions under their respective
jurisdictions and shall prescribe such revisions to such regulations and guidelines as may be
necessary to ensure that such financial institutions have policies, procedures, and controls in
place to prevent the unauthorized disclosure of customer financial information and to deter and
detect activities proscribed under section 521.

SEC. 526. REPORTS (15 USC 6826).
(a) Report to the Congress.--Before the end of the 18-month period beginning on the date
of the enactment of this Act, the Comptroller General, in consultation with the Federal Trade
Commission, Federal banking agencies, the National Credit Union Administration, the Securities
and Exchange Commission, appropriate Federal law enforcement agencies, and appropriate State
insurance regulators, shall submit to the Congress a report on the following:
(1) The efficacy and adequacy of the remedies provided in this subtitle in
addressing attempts to obtain financial information by fraudulent means or by false pretenses.
(2) Any recommendations for additional legislative or regulatory action to address
threats to the privacy of financial information created by attempts to obtain information by
fraudulent means or false pretenses.
(b) Annual Report by Administering Agencies.--The Federal Trade Commission and the
Attorney General shall submit to Congress an annual report on number and disposition of all
enforcement actions taken pursuant to this subtitle.

SEC. 527. DEFINITIONS (15 USC 6827).
For purposes of this subtitle, the following definitions shall apply:
(1) Customer.--The term ``customer'' means, with respect to a financial institution, any
person (or authorized representative of a person) to whom the financial institution provides a
product or service, including that of acting as a fiduciary.
(2) Customer information of a financial institution.--The term ``customer information of a
financial institution'' means any information maintained by or for a financial institution which is
derived from the relationship between the financial institution and a customer of the financial
institution and is identified with the customer.
(3) Document.--The term ``document'' means any information in any form.
(4) Financial institution.--
(A) In general.--The term ``financial institution'' means any institution engaged in
the business of providing financial services to customers who maintain a credit, deposit, trust, or
other financial account or relationship with the institution.
(B) Certain financial institutions specifically included.--The term ``financial
institution'' includes any depository institution (as defined in section 19(b)(1)(A) of the Federal
Reserve Act), any broker or dealer, any investment adviser or investment company, any
insurance company, any loan or finance company, any credit card issuer or operator of a credit
card system, and any consumer reporting agency that compiles and maintains files on consumers
on a nationwide basis (as defined in section 603(p) of the Consumer Credit Protection Act).
(C) Securities institutions.--For purposes of subparagraph (B)--
(i) the terms ``broker'' and ``dealer'' have the same meanings as given in
section 3 of the Securities Exchange Act of 1934 (15 U.S.C. 78c);
(ii) the term ``investment adviser'' has the same meaning as given in
section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)); and
(iii) the term ``investment company'' has the same meaning as given in
section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3).
(D) Certain persons and entities specifically excluded.--The term ``financial
institution'' does not include any person or entity with respect to any financial activity that is
subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity
Exchange Act and does not include the Federal Agricultural Mortgage Corporation or any entity
chartered and operating under the Farm Credit Act of 1971.
(E) Further definition by regulation.--The Federal Trade Commission, after
consultation with Federal banking agencies and the Securities and Exchange Commission, may
prescribe regulations clarifying or describing the types of institutions which shall be treated as
financial institutions for purposes of this subtitle.