ASPPA ASAP Archive

© 2001. ASPPA. All rights reserved, except permission is expressly
granted to duplicate this publication for internal purposes only.

June 29, 2001 • 01-13


The Murky World of Privacy Notices Under Gramm-Leach-Bliley

James (Telk) Elkus and R. Bradford Huss, Esq., APM • Trucker Huss • San Francisco

Many ASPPA members have recently received privacy notices from financial institutions such as banks and credit card companies. These notices are being sent pursuant to the Gramm-Leach-Bliley Act ("GLBA") and questions have arisen as to whether service providers for employee benefit plans are subject to the notice requirement. Unfortunately, there remains a great deal of uncertainty concerning the GLBA and, in particular, its possible application to actuaries, TPAs, attorneys and other employee benefits professionals. We apologize for not getting this information to you sooner. We were hoping to get a definitive answer as to the application of GLBA to service providers. However, we still have not gotten a clear answer from the government. ASPPA's Government Affairs Committee will be contacting the appropriate government agencies to comment that the law was not intended to apply to our industry. We note that other professional organizations, such as the American Bar Association, have been faced with similar uncertainty, and also have not been able to provide definitive guidance to their members.

Statutory Provisions
Title V of the GLBA limits disclosure by any "financial institution" of a "consumer's" "nonpublic personal information" to nonaffiliated third parties. It requires that such an institution provide notices to consumers regarding the institution's information sharing policies with both affiliates and nonaffiliated third parties. The financial institution is required to give the consumer an initial notice and provide a mechanism for the consumer to "opt-out" of certain types of disclosures. If the financial institution enters into a continuing relationship with a consumer (a "customer relationship"), the financial institution is also required to provide an annual notice to the consumer detailing its privacy policy (GLBA §§502(b) and 503(a)).

Application of the GLBA
Application of the GLBA hinges upon a series of definitions set forth in the law and the related regulations. Of primary importance is the definition of "financial institution," which is defined in both the GLBA and the regulations thereunder as any institution "the business of which is engaging in financial activities as described in §4(k) of the Bank Holding Company Act of 1956." (GLBA §509(3)). The Federal Reserve System regulations under the Bank Holding Company Act of 1956 provide an extensive list of such financial activities, which include, among many others: making, brokering, or servicing loans, financial or investment or advisory services, employee benefits consulting services (to plans only, not individuals) and providing tax-planning and tax-preparation services to any person (12 CFR §225.28). A Federal Trade Commission regulation states that an institution must be "significantly engaged in financial activities" to qualify as a financial institution. The term "significantly," however, is not defined. In addition, there is no distinction made between providing services to individuals and institutional clients, so that an institution may be classified as a financial institution for the purposes of the GLBA, even though it provides the bulk of its services to clients that do not qualify for protection under the GLBA (see definition of "consumer," below). At first impression, it would appear that many law firms, CPAs and TPAs engage significantly in one or more of these financial activities.

Four other definitions are critical: "nonpublic personal information," "consumer," "customer relationship" and "tax preparer."

The definition of consumer is key. If an institution does not perform any of the relevant services for an individual who qualifies as a consumer, the GLBA does not apply to any of the client relationships. If relevant services are provided to any individual clients, the GLBA may apply since, as stated above, the institution may be classified as a financial institution without regard to the fact that only a small percentage of its services are provided to individuals.

Exceptions to General Application
An individual, however, is not a "consumer" for purposes of the GLBA solely because he or she is a beneficiary of a trust for which an entity is a trustee, or solely because he or she is a beneficiary of an employee benefit plan that an entity sponsors or for which an entity acts as trustee or fiduciary (12 CFR §§ 40.3, 216.3, 332.3 and 573.3, also 16 CFR §313.3(d)(2)). A section-by-section analysis in both the FTC and Federal Reserve Final Rules embroiders upon the trustee/fiduciary/plan sponsor/beneficiary relationships, by specifically providing that, in those situations, the trust itself is the institution's "customer," and the rule does not apply because the trust is not an individual. The section-by-section analysis also specifically excludes individuals who are beneficiaries of a trust or plan participants of an employee benefit plan from the definitions of customer and consumer. The examples used in this analysis, however, are the regulation sections cited above, which provide that individuals will not be regarded as customers solely on the basis of the trustee/fiduciary/plan sponsor/beneficiary relationship. It is quite possible that specific activities, such as processing participant loans or hardship distributions, which require a financial institution to have access to a greater-than-normal amount of nonpublic personal information would be regarded as being outside of this exception. In addition, individuals who select a financial institution to be a trustee or custodian of an IRA are considered consumers. It is also possible that an employee benefit plan could be regarded as an institution independent of the underlying trust, and, therefore, be independently subject to the GLBA (65 FR 101, pp. 33652-3; 65 FR 106, pg. 35167).

The regulations further state that an "individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution" (16 CFR §313.3(d)(2)) (emphasis added). If interpreted broadly, this provision may protect providers for employee benefit plans from the requirements of the GLBA. A strict interpretation of the wording of the regulation may not do so, however, because the beneficiaries of the plan are not consumers with relationship to the trustee or plan sponsor (the entities with which a provider would be contracting).

Exceptions to Notice and Opt-Out Requirements
Even if a financial institution is subject to the provisions of the GLBA, it need not provide consumers with the opportunity to opt-out if its disclosure of information is to a nonaffiliated third party to perform services for, or functions on behalf of, the institution and the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information (GLBA §502(b)(2)). A financial institution need not provide the consumer with either the initial notice or the opportunity to opt-out, if disclosure is either to process or complete a transaction requested or authorized by the consumer, or if the disclosure is with the consent of, or at the direction of, the consumer (GLBA §502(e)). This provision should exempt a financial institution from the initial notice and opt-out requirements for processing plan loans. Neither of these exceptions, however, applies to the annual disclosure requirements. If, therefore, a plan or fiduciary does stand in a financial institution/customer relationship with an individual, an annual disclosure notice must be given.

Summary
Whether the GLBA applies to employee benefit service providers is very unclear. The law may apply, presumably as an unintended consequence, in certain situations where a service provider qualifies as a financial institution and is dealing directly with individuals. If tax advice is given, if loans or hardship distributions are processed, if investment advice is given or possibly if 5500s are prepared for sole proprietorships, it is possible that the annual disclosure notice should be given. It is also unclear whether the FTC can impose fines for a violation of GLBA. A GLBA notice need not be complicated. It need only provide a clear and concise description of the types of nonpublic private information collected and the policy of the financial institution regarding disclosure to affiliates and nonaffiliated third parties. A simple sample form of privacy notice is available by clicking here.

This ASAP is not intended to provide legal advice. Because of the lack of clarity in the applicable law, each service provider should consult their own legal counsel in making an assessment of their possible status under GLBA as a financial institution and of any possible consumer or customer relationship with existing or potential clients. If you decide a notice is necessary or appropriate because the law is applicable to you, the initial notice to existing clients theoretically must be provided by July 1, 2001. We hope and expect the FTC to be reasonable with transition relief as firms try to comply with this complex law.


ASPPA ASAPs are published as an information service for subscribers.  Articles are general in nature and are not a substitute for professional advice or opinion in a particular case.