September 2001 


Personal Financial Privacy:
Is Your Practice Subject to Gramm-Leach-Bliley?

By Karen L. Grandstrand


Until the FTC expressly states that they are not covered, lawyers will need to determine, on a case-by-case basis, whether the Gramm-Leach-Bliley Act applies to their businesses. Compliance means more than issuing an initial notice to existing customers.


Title V of the Gramm-Leach-Bliley Act ("GLBA") contains a new federal privacy law that applies to financial institutions that are significantly engaged in financial activities. Given GLBA's broad definition of "financial institution," questions have been raised about whether lawyers and law firms are subject to GLBA and, if so, what lawyers must do to comply with the law. This article provides information on the law's scope and requirements, how to determine whether GLBA applies to a particular legal practice, the risks of noncompliance, and the practical implications of complying with GLBA.

What the Law and Regulations Provide

President Clinton signed GLBA on November 12, 1999. The law grants banking organizations additional powers and permits affiliations among securities, insurance and banking institutions by, among other things, amending the Bank Holding Company Act ("BHC Act"). It also contains a new federal privacy law.

Under this privacy law, "financial institutions" are required to (i) provide consumers and customers with a notice of the financial institution's privacy policies and practices; (ii) provide customers, during the continuation of a customer relationship, with an annual privacy notice; and (iii) provide consumers and customers with an opportunity to opt-out of having their nonpublic personal financial information shared with nonaffiliated third parties if disclosure does not fit within one of the exceptions contained in the law. In addition, financial institutions must adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

In May and June of 2000, the federal banking regulators, the SEC and the FTC issued consistent implementing regulations. Pursuant to these regulations, GLBA's privacy provisions became effective on November 13, 2000, with full compliance required by July 1, 2001. The FTC's regulations are at 16 CFR Part 313.

"Financial Institutions." The privacy law applies to "financial institutions" that provide products and services to consumers. "Financial institution" is broadly defined to include any institution engaged in financial activities under the BHC Act.1 As a result, it applies not only to banks, credit unions, and savings banks but to other companies that provide financial services, such as real estate appraisers, broker/dealers, investment advisers, insurance companies, insurance agents, and collection agencies.

It also potentially covers a third tier of companies that are not typically subject to banking legislation because it focuses on the activities conducted by a company and not on the nature of the business engaging in those activities. For example, one of the financial activities permissible for a banking organization is extending credit. Thus, a retailer that has its own credit card is engaging in a financial activity -- extending credit -- and is subject to GLBA privacy provisions. See the sidebar accompanying this article for other examples included in the FTC's implementing regulations.

The law, regulations, examples contained in the regulations, and other materials issued by the regulators do not mention law firms. However, because law firms are not expressly exempt under the law, law firms arguably can be subject to the law if they are engaging in financial activities referenced in the BHC Act and listed in the Federal Reserve's implementing Regulations Y and K. The financial activities approved by the Federal Reserve are numerous. However, the following activities are the financial activities that might arguably be conducted by a law firm: (i) providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management; (ii) management consulting and counseling activities (including providing financial career counseling); (iii) real estate settlement services; and (iv) debt collection services.

"Significantly Engaged" in Financial Activities. During the public comment period, the FTC received numerous comments urging the agency to limit the definition of "financial institution" to those companies that engage in traditional financial activities. Consumer groups opposed any narrowing, contending that the need to protect personal financial data extends beyond traditional financial institutions and that Congress intended to regulate a wide range of businesses. The FTC did not limit the definition of financial institution in its final regulations noting that it found no sound rationale for fundamentally revising the scope.2 The FTC further stated, however, that an institution is covered only if it is "significantly engaged" in a financial activity. In addition, the FTC explained that many entities that might come within the broad definition of financial institution will likely not be subject to GLBA requirements because not all financial institutions have "consumers" or "customer relationships"3 (see discussion below). In other words, while the FTC did not expressly exclude certain types of businesses from the privacy regulations, the FTC emphasized that the law would not apply to every business that might arguably come within the broad definition of financial institution.

Under the "significantly engaged" test, "[e]ntities that engage in financial activities but that are not significantly engaged in those financial activities" are not deemed to be financial institutions for purposes of the law and regulations.4 The FTC regulations do not define significantly engaged, but rather give the following four examples:

1. A retailer is not a financial institution if its only means of extending credit are occasional "lay away" and deferred payment plans or accepting payment by means of credit cards issued by others.
2. A retailer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.
3. A merchant is not a financial institution merely because it allows an individual to "run a tab."
4. A grocery store is not a financial institution merely because it allows individuals to whom it sells groceries to cash a check, or write a check for a higher amount than the grocery purchase and obtain cash in return.5

When issuing the final regulations, the FTC also noted that an individual who provides a financial service only informally (e.g., preparing tax forms without remuneration for friends or family, or as community service) is not likely significantly engaged in a financial activity.6

Financial Products and Services. The regulations define "financial product or service" as any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the BHC Act.7 Financial service also includes an evaluation or brokerage of information that is collected in connection with a request or an application from a consumer for a financial product or service.8 An entity's status as a financial institution does not cause every product or service offered by that entity to be a financial product or service. The FTC's preamble to the final regulations includes one example -- that of a retailer that issues its own credit card directly to consumers. In that case, the retailer provides a financial service (credit) to consumers who use the card. When the same retailer sells merchandise, it provides a nonfinancial product or service (retail sale of merchandise).

Consumers and Customer Relationships. As noted earlier, many businesses that might fit the definition of "financial institution" may not be subject to the privacy law because it applies only to financial products and services to "consumers." Consumer is defined as an individual who obtains or has obtained a financial product or service that is used primarily for personal, family, or household purposes, or that individual's legal representative. Thus, according to the FTC's final regulations, "[m]any entities that come within the broad definition of financial institution will likely not be subject to the disclosure requirements of the rule because not all financial institutions have 'consumers' or establish 'customer relationships.'"9 The FTC explained, for example, that management consulting is a financial activity but it is not likely that any individual obtains this service for personal, family or household purposes. Further, courier services, data processors, and real estate appraisers who perform services for financial institutions, but do not provide financial products or services to individuals, will not be required to make disclosures because they do not have "consumers" or "customers."

Karen Grandstrand is chair of the Bank & Finance Group at the Fredrikson & Byron law firm in Minneapolis. She was with the Federal Reserve Bank of Minneapolis for 14 years and was Senior Vice President of the Banking Supervision and Risk Management Departments.


GLBA Privacy and the Legal Profession

For the past year, regulatory and privacy attorneys, regulators, and industry commentators generally held the view that GLBA did not apply to lawyers. This was the "conventional wisdom," given that legal services are intrinsically different from financial services and activities. Further, lawyers are subject to rules of professional conduct.

Early this summer, informal communications began circulating through the legal community suggesting that the applicability of GLBA to lawyers was unclear. Further, several attorneys sought informal opinions from FTC staff on the applicability of GLBA to lawyers. In response, the FTC, to date, has not expressly opined that lawyers are not covered, taking the view that businesses need to apply the regulatory definitions of "financial institution," "consumer," "significantly engaged," and the like, and make their own determinations based on all the facts and circumstances.

On June 8, 2001, the American Bar Association ("ABA") Board of Governors passed a resolution, stating that attorneys at law engaged in the practice of law should not be subject to the notice provisions of GLBA and that the ABA should take reasonable measures to determine the applicability of GLBA and, if necessary, seek a ruling or file a petition with the FTC to obtain an exclusion.

Consistent with the resolution, on July 10, 2001, ABA President Martha Barnett sent a letter to the chair of the FTC, Timothy J. Muris, requesting that the FTC exempt lawyers from the privacy requirements of GLBA. The letter emphasizes that the rules of professional conduct govern lawyers in each state and the District of Columbia and impose confidentiality requirements that provide a greater degree of protection for consumers of legal services than do the GLBA provisions. The GLBA requirements are ill-suited for the attorney-client relationship and applying the GLBA rules may cause client confusion and dilute the public's expectations about lawyers.

The ABA letter also states that Congress did not intend to regulate the legal profession. Further, legal services are intrinsically different from financial services and activities and, accordingly, lawyers and law firms should not be considered "financial institutions." Applying GLBA is at odds with longstanding state regulation of lawyer conduct and the attorney-client relationship. Additionally, compliance with GLBA imposes an undue administrative burden on small law firms and individual practitioners.

Determining Whether GLBA Applies to Your Firm

Given that the FTC has not expressly determined that lawyers are not subject to GLBA, law firms and individual practitioners need to determine whether, given the nature of their practices, they are subject to GLBA. Some legal practices may fall within the scope of the law, while others may not. This analysis should consider at least four issues.

First, lawyers must determine whether they are an "institution" as that term is used in the definition of "financial institution." The GLBA's regulations define financial institution as "any institution the business of which is engaging in activities that are financial in nature as described in section 4(k) of the BHC Act."10 The use of the word "institution" indicates that the regulations apply to entities, not individuals. In response to comments suggesting that sole proprietors be exempt, the FTC stated that "[w]hether or not a commercial enterprise is operated by a single individual is not determinative in analyzing whether the entity is a 'financial institution.' If an individual is in the 'business of … engaging in financial activities …' that 'business' is included within the 'financial institution' definition."11

Second, lawyers must determine whether they are engaging in activities that are financial in nature as described in section 4(k) of the BHC Act. From a review of the activities listed in section 4(k) and its implementing regulations, the following listed activities might arguably be activities conducted by lawyers:

  • Providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management
  • Management consulting and counseling activities (including providing financial career counseling)
  • Real estate settlement services
  • Debt collection services

Third, lawyers must determine whether any of these services or products are for "consumers" for personal, household or family use. Providing services to businesses is not covered by GLBA.

Fourth, if some portion of a lawyer's business consists of "financial activities" to "consumers," the lawyer needs to determine whether the business is "significantly engaged" in these financial activities.

The FTC's regulations do not directly address the issue of whether law firms or lawyers are significantly engaged in activities subject to GLBA. Examples in the regulations mention accountants, tax preparation services, retailers, and a host of other businesses. Lawyers are not mentioned. Certain of the examples, however, can be used as guidance. The FTC has stated that an institution is engaged in a business if it offers a financial activity as its "sole business or as one of its product lines" (see the selling and printing checks example). Further, an institution is engaged in any activity if it "regularly" provides the financial service (see the wire transfer example). However, extending credit by allowing an individual to "run a tab," or by occasional "lay-away" or deferred payment plans are not financial activities. Thus, the critical question appears to be whether the business is regularly providing, as one of its product or service lines, any of the BHC Act financial activities.

Reportedly, the FTC has indicated that any analysis of the applicability of GLBA to a law firm should take into consideration the percent of time spent by various practice groups within the firm on financial activities. In other words, a law firm might be deemed to be "significantly engaged" in a financial activity if one of its departments or business units is significantly engaged in financial activities. One FTC staff member has further reportedly stated that a business may be significantly engaged in an activity if it holds itself out as engaging in that activity.


Risks of Not Complying

GLBA does not provide for a private cause of action. Rather, it gives the FTC enforcement power over financial institutions that are not regulated by the banking regulators or the SEC. Thus, law firms would be subject to the FTC's jurisdiction. GLBA does not clearly define the FTC's enforcement authority. However, in recent privacy actions, the FTC has used its broad enforcement powers by finding privacy law violations to be unfair and deceptive trade practices. If the FTC followed a similar course to enforce GLBA, the FTC might issue orders forcing compliance and assess civil money penalties (potentially $11,000 per occurrence). The FTC, historically, has taken into consideration mitigating factors, such as a company's good faith efforts to comply, when determining the type of enforcement action.

Practical Implications

Under GLBA, financial institutions were required to send initial notices of their privacy policies and procedures to their customers before July 1, 2001. Practical issues associated with complying with this requirement include (i) determining who are existing non-business customers; and (ii) what the notice should say given that lawyers have separate obligations under rules of professional conduct.

Second, a financial institution must provide notice of its privacy policies to customers at the time of entering into the customer relationship. Therefore, if a law firm determines that it is subject to GLBA, it will need to have policies and procedures in place to ensure that new clients receive notice at the time, or before, they become firm clients.

Third, financial institutions must send annual notices to customers with whom they have a continuing relationship. This determination needs to be done with care in that it could affect other issues such as the continuation of the attorney-client privilege.

Fourth, a financial institution needs to give consumers the ability to opt-out if the firm discloses information to any nonaffiliated third parties and if that disclosure does not fall within one of the exemptions contained in GLBA and the regulations.

Fifth, financial institutions are required to adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. In other words, GLBA incorporates not only privacy standards, but security standards. On August 7, 2001, the FTC issued proposed security standards as required by section 501(b) of GLBA.12 Under these proposed standards, financial institutions are required to develop, implement, and maintain a comprehensive written information security program. In developing, implementing and maintaining the program, institutions must:

  • Designate an employee or employees to coordinate the program.
  • Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information. This risk assessment must, at a minimum, consider employee training and management, information systems (including information processing, storage, transmission and disposal), and prevention and response measures for attacks, intrusions, or other systems failures.
  • Design and implement information safeguards to control the identified risks.
  • Oversee service providers.
  • Evaluate and adjust the program as needed.

Sixth, a financial institution may need to comply with state privacy laws. GLBA does not supersede state laws that provide consumers greater protection.

Summary

Many sound arguments exist as to why GLBA does not apply to law firms and lawyers. Congress did not intend to include lawyers, lawyers are covered by stringent state rules of professional conduct, and the "financial activities" included within the BHC Act are not the type of activities engaged in by lawyers. Nevertheless, until the FTC expressly states that law firms and lawyers are not covered, lawyers will need to determine, on a case-by-case basis, whether the law applies to their businesses. If a firm or lawyer determines that GLBA does apply to them, compliance with the law means more than issuing an initial notice to existing customers. Compliance is an ongoing process that will need to keep pace with ever-evolving laws, regulations, and agency interpretations.


SIDEBAR

Who Is Potentially Subject to GLBA Privacy Provisions?

The following examples are taken from the FTC's implementing regulations for the GLBA; this list should not be presumed to be comprehensive:

  • A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution because printing and selling checks is a financial activity listed in the BHC Act and its implementing regulations.
  • A business that regularly wires money to and from consumers is a financial institution because transferring money is a financial activity referenced in section 4(k)(4)(A) of the BHC Act and regularly providing that service demonstrates that the business is significantly engaged in that activity.
  • A check-cashing business is a financial institution because cashing a check is exchanging money, which is a financial activity under section 4(k)(4)(A) of the BHC Act.
  • An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity under the BHC Act and its implementing regulations.
  • A business that operates a travel agency in connection with financial services is a financial institution because operating a travel agency in connection with financial services is a financial activity listed in implementing regulations and referenced in section 4(k) of the BHC Act.
  • An entity that provides real estate settlement services is a financial institution because providing real estate settlement services is a financial activity referenced in section 4(k) of the BHC Act and listed in its implementing regulations.
  • A mortgage broker is a financial institution because brokering loans is a financial activity referenced in section 4(k) of the BHC Act and listed in its implementing regulations.
  • An investment advisory company and a credit counseling service are each financial institutions because providing financial and investment advisory services are financial activities referenced in section 4(k) of the BHC Act.13

Notes

1 16 CFR 313 at 313.3(k).
2 65 Fed. Reg. 33646, 33647-48 (May 24, 2001).
3 Id.
4 16 CFR 313.3(k)(3)(iv).
5 Id. at 313.3(k)(4).
6 65 Fed. Reg. 33646, 33656.
7 16 CFR 313.3(l)(1).
8 Id. at 313.3(l)(2).
9 65 Fed. Reg. 33646, 33648.
10 16 CFR 313.3(k)(1).
11 65 Fed. Reg. 33646, 33656.
12 66 Fed. Reg. 41162 (August 7, 2001).
13 16 CFR 313 at 313.3(k)(2).


LINKS

FTC Summary of Privacy Rules of the Gramm-Leach-Bliley Act, http://www.ftc.gov/privacy/glbact/

July 10, 2001 letter from ABA President Martha Barnett to Federal Trade Commission regarding application of Gramm-Leach-Bliley Act to lawyers.

June 25, 2001 letter from New York State Bar Association to Federal Trade Commission, seeking exemption for New York lawyers.