HOUSE BILL 364

47th legislature - STATE OF NEW MEXICO - first session, 2005

INTRODUCED BY

Danice Picraux

AN ACT

RELATING TO FINANCIAL PRIVACY; REQUIRING CONSENT FOR SHARING CERTAIN FINANCIAL INFORMATION; LIMITING FINANCIAL DISCLOSURES BETWEEN FINANCIAL INSTITUTIONS; PROVIDING FOR ENFORCEMENT; ESTABLISHING PENALTIES.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     Section 1. SHORT TITLE.--This act may be cited as the "Financial Information Privacy Act".  

     Section 2. PURPOSE.--The purpose of the Financial Information Privacy Act is to ensure that financial institutions provide consumers notice and meaningful choice about the use of nonpublic personal information.

     Section 3. DEFINITIONS.--As used in the Financial Information Privacy Act:

          A. "affiliate" means an entity that controls, is controlled by or is under common control with another entity, but does not include a joint employee of the entity and the affiliate. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of the Financial Information Privacy Act;

          B. "affinity partner" means the relationship established between a financial institution and an organization or business entity that is not a financial institution when the non-financial institution issues a credit card or financial product or service on behalf of the financial institution;

          C. "annually" means at least once in any period of twelve consecutive months during which a financial relationship exists. The financial institution may define the twelve-consecutive-month period, but shall apply it to a consumer on a consistent basis. If, for example, a financial institution defines the twelve-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the notice annually;

          D. "clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice;  

          E. "consumer" means a natural person or that person's personal representative who has obtained a financial product or service from a financial institution;

          F. "control" means:

                (1) ownership or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons;

                (2) command in any manner over the election of a majority of the directors or of persons exercising similar functions; and

                (3) authority to exercise, directly or indirectly, a controlling influence over the management or policies of a company;

          G. "financial institution" means any institution that engages significantly in financial activities and does business in New Mexico;

          H. "financial product or service" means any product or service offered by engaging in an activity that is financial in nature or incidental to a financial activity, and includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application for a financial product or service from a consumer;

          I. "identity theft" means willfully obtaining, recording or transferring personal identifying information of another person without the authorization or consent of that person and with the intent to defraud that person or another;

          J. "necessary to effect, administer or enforce" means the type of information required with consumer disclosures pursuant to the Financial Information Privacy Act;

          K. "nonaffiliated third party" means an entity that is not an affiliate of or related by common ownership or affiliated by corporate control with the financial institution, but does not include a joint employee of that institution and a third party;

          L. "nonpublic personal information" means personally identifiable financial information provided by a consumer to a financial institution that results from a transaction with the consumer or from a publicly available list, description or other grouping of consumers;

          M. "personally identifiable financial information" means information provided by a consumer to a financial institution in order to obtain a product or service from the financial institution. "Personally identifiable financial information" includes information:

                (1) that a consumer provides to a financial institution on an application to obtain a loan, credit card or other financial product or service;

                (2) on a consumer's account balance, payment history, overdraft history and credit or debit card purchase information;

                (3) indicating that a person is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution;

                (4) that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan;

                (5) from a consumer report; and

                (6) that is personally identifiable financial information collected through an internet or information collecting device from a web server; and

          N. "protected information" means information subject to protections of the Financial Information Privacy Act.

     Section 4. CONSUMER CONSENT REQUIRED PRIOR TO DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION TO NONAFFILIATED THIRD PARTIES.--

          A. A financial institution shall not sell, share, transfer or otherwise disclose nonpublic personal information to or with any nonaffiliated third party without the express prior consent of the consumer to whom the nonpublic personal information relates.

          B. A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has not consented to allow the financial institution to disclose or share nonpublic personal information pertaining to the consumer with any nonaffiliated third party.

     Section 5. CONSUMER RIGHT TO OPT OUT OF DISCLOSURES TO AFFILIATES AND NONAFFILIATED THIRD PARTIES FOR MARKETING PURPOSES--LIMITATIONS ON MARKETING.--

          A. Unless a consumer has directed a financial institution not to disclose nonpublic personal information, a financial institution may market its own financial products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as:

                (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials; and

                (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and the financial institution has the right by audit, inspections or other means to verify the nonaffiliated third party's compliance with that contract.

          B. A financial institution shall not be liable for failing to offer financial products and services to a consumer solely because the consumer failed to consent to disclosure of the consumer's nonpublic personal information, and the consumer failed to provide consent.

          C. Unless a consumer has directed a financial institution not to disclose nonpublic personal information, a financial institution may share nonpublic personal information on its consumer with a nonaffiliated financial institution for purposes of jointly offering a financial product or service pursuant to a written agreement with the financial institution that receives the nonpublic personal information; provided that the following requirements are met:

                (1) the financial product or service offered is a product or service of, and is provided by, at least one of the financial institutions that is a party to the written agreement;

                (2) the financial product or service is jointly offered, endorsed or sponsored, and clearly and conspicuously identifies for the consumer the financial institutions that disclose and receive the disclosed nonpublic personal information; and

                (3) the written agreement provides that the financial institution that receives that nonpublic personal information is required to maintain the confidentiality of that information and is prohibited from disclosing or using that information other than to carry out the joint offering or servicing of a financial product or service that is the subject of the written agreement.

          D. A financial institution may disclose nonpublic personal information to a nonaffiliated financial institution pursuant to a preexisting contract with the nonaffiliated financial institution, for purposes of offering a financial product or service, if that contract was entered into on or after the effective date of the Financial Information Privacy Act. Beginning on January 1, 2006, nonpublic personal information may not be disclosed pursuant to that contract unless all the requirements of the Financial Information Privacy Act are met.

     Section 6. RELEASE OF NONPUBLIC PERSONAL INFORMATION PERMITTED--CONDITIONS FOR RELEASE.--A financial institution may release nonpublic personal information under the following circumstances:

          A. when the consumer consents or directs the financial institution to release the information;

          B. when the release is necessary to effect, administer or enforce a transaction:

                (1) in connection with servicing or processing a financial product or service requested or authorized by the consumer;

                (2) in connection with maintaining or servicing the consumer's account with the financial institution or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity; and

                (3) in connection with the financial institution's proposed or actual secondary market sale or securing the sale, including sales of servicing rights or similar transactions related to a transaction of the consumer;

          C. when the nonpublic personal information is released:

                (1) to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product or the transaction at issue;

                (2) to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions claims or other liability; and

                (3) for required institutional risk control or for resolving customer disputes or inquiries;

          D. when the nonpublic personal information is released in connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of the business or unit;

          E. when the nonpublic personal information is released to comply with federal, state or local laws, rules and other applicable legal requirements; to comply with a properly authorized civil, criminal, administrative or regulatory investigation or subpoena or summons by federal, state or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance or other purposes as authorized by law;

          F. when the nonpublic personal information is released to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services on behalf of the financial institution; provided that the following requirements are met:

                (1) the services to be performed by the affiliate or nonaffiliated third party could lawfully be performed by the financial institution;

                (2) there is a written contract between the affiliate or nonaffiliated third party and the financial institution that prohibits the affiliate or nonaffiliated third party from disclosing or using the nonpublic personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract;

                (3) the nonpublic personal information provided to the affiliate or nonaffiliated third party is limited to that which is necessary for the affiliate or nonaffiliated third party to perform the services contracted for on behalf of the financial institution;

                (4) the financial institution does not receive any payment from or through the affiliate or nonaffiliated third party in connection with or as a result of, the release of the nonpublic personal information; and

                (5) when the nonpublic personal information is released as required by Title III of the federal United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001;

          G. when the nonpublic personal information is released in connection with a written agreement between a consumer and a broker-dealer registered under the federal Securities Exchange Act of 1934 or an investment adviser registered under the federal Investment Advisers Act of 1940 to provide investment management services, portfolio advisory services or financial planning, and the nonpublic personal information is released for the sole purpose of providing the products and services covered by that agreement; and

          H. when the financial institution has a written contractual agreement that includes:

                (1) the rights and obligations between the licensees arising out of the business relationship relating to insurance or securities transactions;

                (2) an explicit limitation on the use of nonpublic personal information about a consumer to transactions authorized by the contract and permitted pursuant to the Financial Information Privacy Act; and

                (3) a requirement that transactions specified in the contract fall within the scope of activities permitted by the licensees of the parties.

     Section 7. GENERAL REQUIREMENTS FOR PRIVACY NOTICES.--

          A. A form that complies with the Financial Information Privacy Act shall be sent by the financial institution to the consumer so that the consumer may make a decision and provide direction to the financial institution regarding the sharing of nonpublic personal information. A financial institution shall be conclusively presumed to have satisfied the notice requirements of the Financial Information Privacy Act if it uses the form set forth in that act.

          B. A financial institution shall provide a consumer with annual notice of its policies for sharing consumer information and shall allow forty-five days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer.

          C. If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the financial product or service is provided, no annual disclosure requirement exists pursuant to the Financial Information Privacy Act as long as the financial institution provides the consumer with the form required by that act at the time of the initial transaction.

          D. The financial institution shall use a notice form that:

                (1) uses the title "IMPORTANT PRIVACY CHOICES FOR CONSUMERS" and contains paragraphs titled: "Restrict Information Sharing With Companies We Own Or Control (Affiliates)" and "Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services";

                (2) clearly and conspicuously displays titles and headings in boldface and does not display text in a form smaller than ten-point type;

                (3) is a separate one-page document;

                (4) uses short, explanatory sentences and avoids multiple negatives, legal terminology and highly technical terminology; and

                (5) provides wide margins and ample line spacing and uses boldface or italics to distinguish it from plain text for key words.

          E. If a financial institution does not disclose or share nonpublic personal information, the financial institution may omit the references to sharing nonpublic personal information in the form. The form with such omissions shall be conclusively presumed to satisfy the notice requirements of the Financial Information Privacy Act.

          F. The outside of the envelope in which the form is sent to the consumer shall clearly state in sixteen-point boldface type "IMPORTANT PRIVACY CHOICES", except that a financial institution sending the form to a consumer in the same envelope as a bill, account statement or application requested by the consumer does not have to include the wording "IMPORTANT PRIVACY CHOICES" on that envelope. The form shall be sent with a bill, other statement of account or application requested by the consumer, in which case the information required by Title V of the federal Gramm-Leach-Bliley Act may also be included in the same envelope, as a separate notice or with the information required by Title V of the Gramm-Leach-Bliley Act, and including only information related to privacy or with another mailing, in which case it shall be the first page of the mailing.

          G. A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other financial institutions.

          H. A notice provided to a member of a household shall be considered notice to all members of that household unless the household contains another person who also has a separate account with the financial institution.

     Section 8. FORMATTING AND CONTENT REQUIREMENTS FOR DISCLOSURE CONSENT FORMS.--

          A. A financial institution shall use a form to obtain consent to disclose nonpublic personal information to a nonaffiliated third party that:

                (1) is a separate document, not attached to any other document;

                (2) is to be dated and signed by the consumer;

                (3) clearly and conspicuously discloses that by signing, the consumer is consenting to the disclosure to nonaffiliated third parties of nonpublic personal information pertaining to the consumer;

                (4) clearly and conspicuously discloses:

                     (a) that the consent will remain in effect until revoked or modified by the consumer;

                     (b) that the consumer may revoke the consent at any time; and

                     (c) the procedure for the consumer to revoke consent; and

                (5) clearly and conspicuously informs the consumer that:

                     (a) the financial institution will maintain the document or a true and correct copy;

                     (b) the consumer is entitled to a copy of the document upon request; and

                     (c) the consumer may want to make a copy of the document for the consumer's records.

          B. A response directing the financial institution not to disclose nonpublic personal information to a nonaffiliated financial institution shall be deemed a direction to the financial institution to not disclose nonpublic personal information to an affinity partner, unless the form containing the notice provides the consumer with a separate choice for disclosure to an affinity partner.

          C. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer.

     Section 9. EXCEPTIONS TO PROHIBITIONS ON DISCLOSURE.--

          A. "Nonpublic personal information" does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records, widely distributed media or disclosures to the general public that are required by federal, state or local law.

          B. For purposes of the Financial Information Privacy Act, a person is not a consumer solely because of:

                (1) participating or benefiting from an employee benefit plan that a financial institution administers or sponsors or for which the financial institution acts as a trustee, insurer or fiduciary;

                (2) coverage under a group or blanket insurance policy or group annuity contract issued by the financial institution;

                (3) status as a beneficiary in a workers' compensation plan;

                (4) status as a beneficiary of a trust for which the financial institution is a trustee; or

                (5) being a person who has designated the financial institution as trustee for a trust; provided that the financial institution provides all required notices and rights required by the Financial Information Privacy Act to the plan sponsor, group or blanket insurance policyholder or group annuity contract holder.

          C. "Financial institution" does not include:

                (1) an institution that is primarily engaged in providing hardware, software or interactive services; provided that it does not act as a debt collector or engage in activities for which the institution is required to acquire a charter, license or registration from a state or federal governmental banking, insurance or securities agency;

                (2) an entity chartered and operating under the federal Farm Credit Act of 1971; provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party;

                (3) an institution chartered by congress specifically to engage in a proposed or actual securitization, or a secondary market sale, including sales of servicing rights or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party;

                (4) a provider of professional services or any wholly owned affiliate thereof that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client; or

                (5) a person licensed as a dealer for the installment sale or lease of motor vehicles pursuant to the requirements of the Motor Vehicle Code who assigns substantially all of those contracts to financial institutions within thirty days.

          D. Nothing in the Financial Information Privacy Act shall be construed to change existing law relating to access by law enforcement agencies to information held by financial institutions.

          E. Nothing in the Financial Information Privacy Act shall be construed to prohibit a financial institution from denying a consumer a financial product or service if the financial institution could not provide the financial product or service to a consumer without the consent required prior to disclosure of the consumer's nonpublic personal information, but the consumer has failed to provide consent.

          F. Nothing in the Financial Information Privacy Act is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice.

     Section 10. DISCLOSURE-RELATED LIABILITY LIMITATIONS.--A financial institution shall not be required to offer or provide financial products or services offered through affiliated entities or jointly with nonaffiliated financial institutions when the consumer has directed that nonpublic personal information not be disclosed pursuant to the Financial Information Privacy Act and the financial institution could not offer or provide the financial products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed pursuant to that act.

     Section 11. ENFORCEMENT.--The following entities are authorized to assess civil penalties in an action brought pursuant to the Financial Information Privacy Act:

          A. the attorney general; or

          B. a functional regulator with jurisdiction over regulation of the financial institution as follows:

                (1) in the case of banks, savings associations, credit unions, commercial lending companies and bank holding companies, the financial institutions division of the regulation and licensing department or the appropriate federal authority;

                (2) in the case of any person engaged in the business of insurance, by the insurance division of the public regulation commission; and

                (3) in the case of any investment broker or dealer, investment company, investment advisor, residential mortgage lender or finance lender, by the financial institutions division of the regulation and licensing department or the appropriate federal authority.

     Section 12. PENALTIES.--Penalties for violations of the Financial Information Privacy Act that apply irrespective of the amount of damages suffered by the consumer as a result of that violation include:

          A. for a negligent disclosure, sharing or use of nonpublic personal information, the penalty shall not exceed two thousand five hundred dollars ($2,500) per person for violations of disclosures or five hundred thousand dollars ($500,000) for violations applied to release of information on more than one person;

          B. for a knowing and willful violation, disclosure, sharing or use of nonpublic personal information, a civil penalty not to exceed two thousand five hundred dollars ($2,500);

          C. to determine the penalty to be assessed pursuant to a violation of the Financial Information Privacy Act, the court shall take into account the following factors:

                (1) the total assets and net worth of the violating entity;

                (2) the nature and seriousness of the violation;

                (3) the persistence of the violation, including any attempts to correct the situation leading to the violation;

                (4) the length of time over which the violation occurred;

                (5) the number of times the entity has violated the Financial Information Privacy Act;

                (6) the harm caused to consumers by the violation;

                (7) the level of proceeds derived from the violation; and

                (8) the impact of possible penalties on the overall fiscal solvency of the violating entity; and

          D. in the event a violation of the Financial Information Privacy Act results in the identity theft of a consumer, the civil penalties set forth in this section shall be doubled and restitution shall be assessed for any financial loss sustained by the person injured, including out-of-pocket costs, attorney fees and expenses incurred in clearing the consumer's credit history or credit rating, as well as costs incurred in connection with a civil or administrative proceeding to satisfy a debt, lien, judgment or other obligation arising as a result of the identity theft.

     Section 13. SEVERABILITY.--If any part or application of the Financial Information Privacy Act is held invalid, the remainder or its application to other situations or persons shall not be affected.

     Section 14. APPLICABILITY.--Nothing in this act shall be construed as altering or annulling the authority of any department or agency of the state to regulate any financial institution subject to its jurisdiction. However, this act shall preempt and be exclusive of all local agency ordinances and regulations relating to the use and sharing of nonpublic personal information by financial institutions. This section shall apply both prospectively and retroactively.

     Section 15. EFFECTIVE DATE.--The effective date of the provisions of this act is July 1, 2005.
