OTHER PAGE

The Gramm-Leach-Bliley Act Privacy Provisions

Time is running down! Of critical importance to agencies, companies and other financial institutions are the privacy provisions of the Gramm-Leach-Bliley Act (GLBA). In this article, we'll summarize some important features and tell you how to get more information, including sample notices.

IMPORTANT: The information provided below is based on federal law. States may have adopted more specific requirements (including extended compliance deadlines) which IIABA members can learn about from their state associations.

According to the Insurance Regulatory Examiners Society Special Report on GLBA, “The 144-page document took hundreds of authors more than two decades to produce. Contrast this with the two weeks it took Thomas Jefferson – working alone – to draft the Declaration of Independence and you’ll understand that either (a) we live in extremely complex times or (b) our democratic process is extremely flawed.”

Well, regardless of which side you take, Title V of the GLBA is upon us... financial institutions have until July 1, 2001 (except where extended by state legislation...see below) to provide privacy and opt-out notices to customers. The purpose of this article is to give you an overview of important provisions and requirements of the GLBA, along with the opportunity to get more detailed information, including sample privacy notices.

To truly appreciate the significance of the GLBA legislation it is helpful to recognize what other prominent financial industry legislation it amends or overrides. Some of those impacted laws include:

• Glass Steagall Act of 1933
• The Bank Holding Company Act of 1956
• The Riegle-Neale Interstate Banking and Branching Efficiency Act of 1994
• The Investment Company Act of 1940
• The Investment Advisers Act of 1940
• The Securities Exchange Act of 1934
• The International Banking Act of 1978
• The Federal Reserve Act
• The Federal Deposit Insurance Act
• The National Bank Act
• The Home Owners' Loan Act.

(At least Jefferson started with a blank piece of parchment.)

Major Sections of the GLBA

Title I – Facilitating Affiliation Among Banks, Securities Firms, and Insurance Companies. The “cornerstone” of GLBA – permits affiliations between banks, securities firms, and insurance companies through a holding company. Repeals Glass-Steagall Act from Depression era.

Title II – Functional Regulation. Deals with regulatory issues between securities firms and banks.

Title III – Insurance. Reaffirms that states are the primary regulators of insurance. Retains provisions of McCarran-Ferguson. However, gives states 3 years from date of signing to streamline and modernize current barriers to interstate sale of insurance, and multi-state licensing. If the majority of states have not adopted favorable legislation to meet this requirement by November, 2002, there will be federal regulation of licensing by a new entity called NARAB – the National Association of Registered Agents and Brokers.

Title IV – Unitary Savings and Loan Holding Companies. Amends Home Owners’ Loan Act regarding unitary thrift holding companies.

Title V – Privacy. Requires all financial institutions to develop a Privacy Policy regarding how they collect and disclose nonpublic personal financial information about customers. Customers are to be sent a copy of the institution’s Privacy Policy by July 1, 2001, and annually thereafter. Under certain conditions, customers may “opt-out” of the sharing of their personal information with nonaffiliated third parties.

Title VI – Federal Home Loan Bank System Modernization. Reforms the FHLBS to provide small banks with greater access to FHLB funds.

Title VII – Other Provisions. Most notable: requires ATM machines to post a notice if there will be a fee for use by non-customers.

Provisions of Title V

Requires clear disclosure by all financial institutions of their privacy policy regarding the sharing of nonpublic personal information with both affiliates and third parties.
Requires a notice to consumers and an opportunity to "opt-out" of sharing of nonpublic personal information with nonaffiliated third parties subject to certain limited exceptions.
Addresses a potential imbalance between the treatment of large financial services conglomerates and small banks by including an exception, subject to strict controls, for joint marketing arrangements between financial institutions.
Clarifies that the disclosure of a financial institution's privacy policy is required to take place at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship.
Provides for separate rather than joint rulemaking to carry out the purposes of the subtitle; the relevant federal agencies are directed, however, to consult and coordinate with one another for purposes of assuring to the maximum extent possible that the regulations that each prescribes are consistent and comparable with those prescribed by the other agencies.
Allows the functional regulators sufficient flexibility to prescribe necessary exceptions and clarifications to the prohibitions and requirements of section 502.
Clarifies that the remedies described in section 505 are the exclusive remedies for violations of the subtitle.
Clarifies that nothing in Title V is intended to modify, limit, or supersede the operation of the Fair Credit Reporting Act.
Extends the time period for completion of a study on financial institutions' information-sharing practices from 6 to 18 months from date of enactment.
Assigns authority for enforcing the subtitle's provisions to the Federal Trade Commission and the federal banking agencies, the National Credit Union Administration, and the Securities and Exchange Commission, according to their respective jurisdictions, and provides for enforcement of the subtitle by the States.

Important Provisions of the GLBA

GLBA's privacy provisions apply to insurance agents, brokers and companies as well as to other financial institutions such as banks, thrifts, credit unions, securities brokers and underwriters, mortgage companies, investment companies and mutual funds. GLBA's privacy regulations became effective on November 13, 2000, but the deadline for full compliance was extended until July 1, 2001.

IMPORTANT: Some states have introduced legislation to implement the GLBA with an extended deadline beyond July 1, 2001. Also, the privacy laws in some states may be more stringent than those in the GLBA. Check with your state department of insurance or IIABA state association.

GLBA distinguishes between a "consumer" and a "customer." Every individual having dealings with an agent or broker is a "consumer" but only consumers with a specific or ongoing relationship with the agent or broker are "customers." This distinction is important because GLBA requires agents and brokers to provide initial and annual privacy notices and opt-out notices to all customers, whereas notice to a non-customer consumer is only required if the agent or broker intends to disclose such consumer's information to unaffiliated third parties.

As a general rule, agencies must provide an initial privacy notice that accurately reflects their privacy policies to each consumer at the time that a continuing relationship is established, i.e., at the point such consumer purchases an insurance product and becomes a customer. Agencies must also provide an initial notice to consumers prior to the disclosure of any non-public information to an unaffiliated third party.

For customers only, agencies must also provide privacy notices on an annual basis and whenever the privacy policy is updated or revised. Notice must be delivered in writing or electronically, if agreed to by the consumer. Oral delivery, either in person or by telephone, is never sufficient.

The type of privacy notice agencies must send depends on whether or not the agency is located in a state that adopted the 1982 NAIC Model Act. The sixteen 1982 NAIC Model Act States are Arizona, California, Connecticut, Georgia, Illinois, Kansas (adopted in part), Maine, Massachusetts, Minnesota, Montana, Nevada, New Jersey, North Carolina, Ohio, Oregon, and Virginia. Sample privacy notices for both types of situations are referenced in the "Resource" section below.

Frequently Asked Questions

Below is a sampling of FAQ's and answers from the IIABA Legal Department. A more extensive listing is referenced in the "Resources" section below.

Question When an agency writes policies in different states for the same customer/policyholder, which state's privacy laws govern?

Answer? An agency must comply with the privacy laws of the state or states in which the risk of loss is located. For example, if a New York agency has a customer/policyholder with a primary residence located in New York and a vacation home in New Jersey, the New York agency must comply with the privacy laws of New York as to the policy on the primary residence and with the privacy laws of New Jersey as to the vacation home. Agencies that conduct business in multiple states may be able to create one privacy notice that complies with the laws of each state in which the agency conducts business.

Question Are third-party claimants and beneficiaries treated as consumers or customers under the GLBA?

Answer? Under GLBA, consumers include third-party claimants and beneficiaries under life insurance policies and employee benefit plans. If the insurer discloses non-public information about the beneficiaries and/or third-party claimants for a non-excepted purpose, the beneficiaries or third-party claimants must receive a privacy notice and opportunity to opt out. If a beneficiary or third-party claimant submits a claim and chooses a settlement option that involves an ongoing relationship with an insurer, these individuals become "customers" and also are owed an annual privacy notice and opt-out notice.

Question What are the various types of physical, electronic, and procedural safeguards that may be used to protect the customers' non-public information.

Answer? Examples of physical safeguards include physical security of office space, and locking file cabinets. Examples of procedural safeguards include restricting access to files to employees with a need to know the information at issue in order to perform their job duties, compliance audits, and employee training about appropriate treatment of information about customers and consumers. Examples of electronic safeguards include maintaining and protecting information through security-enhancing software (such as intrusion detection software), password protection on database access for employees, and establishment of backup and recovery procedures.

A more comprehensive FAQ listing is referenced in the "Resources" section below. In addition, you can review an NAIC FAQ listing here: NAIC FAQ's

Resources

IIABA's Web Site
If you are an IIABA member agency, go to www.independentagent.com and login as a member. This will take you into a password protected area...if you are an IIABA member agency, but don't know your ID and password, send an email to info@iiaba.net and you will be contacted promptly. Once you get access to this area of the IIABA web site, you'll find the following FREE information:

• Explanatory Memorandum to State Associations, including FAQ's
   and Sample Privacy Notices
• Summary of the GLBA Requirements
• The Insurance Agent and Broker's Guide to Privacy and Appendices
   (these address particular issues in greater detail help you develop
   your own privacy notice, and discuss other compliance issues)
• Fair Credit Reporting Act (FCRA)
• FCRA - Motor Vehicle Reports

In addition to the above, you'll find other information of value to your agency such as company contract reviews, the Violent Crime Control Act, and more.

Important: The GLBA establishes a minimum federal standard of privacy. States may enact greater consumer privacy protections which which an agent or broker must also comply. Many of our state associations have extensive state-specific resources, so we recommend that you visit their web sites or contact them directly.

The Insurance Agent and Broker's Guide to Privacy
Since the above information is in a password-protected area and available only to members, IIABA has packaged much of this material into a guide for nonmembers. However, since a great deal of research and legal analysis went into developing the guide and sample privacy statements, a charge is necessary for nonmembers. The Guide and its appendices provide instruction for complying with GLBA's privacy requirements as well as with those of the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the 1982 NAIC Insurance Information and Privacy Protection Model Act, and the European Community Directive on Data Protection.

To download an order form in PDF format that includes detailed information, click here:

Insurance Agent and Broker's Guide to Privacy Order Form

Other Web Sites
• NAMIC Online (includes state privacy laws update)
• Privacy Headquarters
• Privacy Rights (consumer site)
• IIAB of Louisian a - GLBA One Year Later
• IIAB of Louisiana - GLBA & Agency Agreements
Note: You can also find GLBA information (reliable or not) by going to a search engine such as www.google.com and searching for "graham-leach-bliley."

Acknowledgements

Most of this information was provided by the IIABA Legal Department, including Marianne Caulfield, Associate General Counsel, and Debra Perkins, Executive Vice President and General Counsel. In addition, summary information was provided by Mike Edwards, Director of Education for the IIA of Louisiana, who has done extensive research and lecturing in this area.