[an error occurred while processing this directive]


YOU CAN HELP
Click here


REGULATORY AGENCY'S COMMENT ON GLB AND REPORTING OF FINANCIAL EXPLOITATION

Back

Letter Letter Enclosure

Michigan Adult Protective Services Law

Michigan’s adult protective services law provides that any person, including a financial institution, who suspects that an adult has been abused, neglected, or exploited may make a report to a county FIA. This, Michigan law permits, but does not require, financial institutions to report cases of suspected abuse, neglect, or exploitation. Michigan law further provides that a person acting in good faith who makes a report is immune from civil liability, but that immunity is limited under Michigan law and, in any event, would not shield a person from liability under a federal law. We understand that the FIA has developed protocol agreements, described more fully below, under which financial institutions may make reports to local FIA offices. The protocols involve identifying and investigation situations in which an adult has been abused, neglected, or exploited and do not relate to ordinary transactions between or among adults without a suspicion that an adult has been abused, neglected, or exploited.

GLBA Privacy Requirements

The GLBA establishes a general rule that a financial institution may not disclose any nonpublic personal information about a consumer to any nonaffiliated third party unless the institution first provides the consumer with a notice that describes the disclosure (as well as other aspects of its privacy policies and practices) and a reasonable opportunity to opt out of the disclosure, and the consumer does not opt out. However, section 502(e) of the GLBA provides a variety of exceptions to this general rule that permit a financial institution to disclose information to nonaffiliated third parties in the ordinary course of business without first complying with the notice and opt-out requirements. Based on the two protocol agreements that accompany your letter and our understanding of the program, we believe that disclosures of nonpublic personal information about consumers made in reports to the FIA under those protocols will fall within the exceptions in section 502(e) of the GLB and section_.15 of the agencies’ implementing regulations.1 If the FIA develops other protocol agreements, we would be happy to review report requirements that would apply under those agreements to determine whether disclosures of nonpublic personal information about customers would be covered by the exceptions to the notice and opt-out-requirements.

Applicability of the GLBA Exceptions to Reports by Financial Institutions to the FIA

The two protocols provide different avenues for a financial institution to disclose information to the FIA. The protocol entitled “Adult Protective Services Investigation Protocol Agreement” (Investigation Protocol) seems to apply to those circumstances where the FIA is conducting an investigation and asks a financial institution for information about the institution’s customer. In those circumstances, the agreement requires consent to the disclosure by the customer or the customer’s fiduciary. Where consent cannot be obtained, the FIA may seek a court order compelling disclosure.

Under the exceptions in section 502(e)(8) of the GLBA and sections_.15(a)(7)(ii)-(iii) of the regulations, a financial institution may disclose nonpublic personal information about a consumer in response to a properly authorized regulatory investigation or in response to judicial process. Under the exception in section 502(e)(2) of the GLBA and section_.15(a)(1) of the regulations, a financial institution also may disclose nonpublic personal information with that customer’s consent (or consent of the customer’s legal representative) with respect to information about him or her. Therefore, a financial institution’s disclosure of nonpublic personal information about the customer in accordance with the Investigation Protocol would fall within the statutory and regulatory exceptions to the notice and opt-out requirements.

The other protocol, entitled “Financial Institution Protocol Agreement for Reporting Instances of Financial Exploitation to the Michigan Family Independence Agency” (Reporting Protocol), governs those situations in which a financial institution, without first being contacted by the FIA, reports suspected financial exploitation of a customer. The Reporting Protocol describes various types of “financial exploitation,” including: the willful misuse of an adult’s finances by a family member, caretaker, fiend, or fiduciary; forging and cashing checks, or theft of an adult’s money from a financial institution without the adult’s knowledge; using coercion, intimidation, force, or threat of force (which includes withholding of food, isolation, confinement, as well as acts of physical violence) to obtain money or transfer title to property owned by an adult; or committing acts of deceit or misrepresentation to obtain consent of an adult to sign over money or other assets.

Section 502(e)(3)(B) of the GLBA and section_.15(a)(2)(ii) of the regulations provide an exception to the notice and opt-out requirements for disclosing nonpublic personal information to protect against or prevent fraud, unauthorized transactions, claims, or other liability. This exception would allow a financial institution to disclose nonpublic personal information to report incidents of willful misuse, forgery, theft, or deceit that result in taking an adult’s funds without actual consent or to report incidents of obtaining an adult’s consent to sign over assets through misrepresentation of the intent of the transaction.

Other forms of financial exploitation covered by the Reporting Protocol include the transfer of assts when under duress and obtaining an adult's money, assets, or personal property, through coercion, such as by withholding food or committing acts of physical violence. In addition to other applicable exceptions, the exception for disclosing nonpublic personal information for an investigation on a matter related to public safety applies to these situations. We believe that this exception, set forth in section 502(e)(5) of the GLBA and section_.15(a)(4) of the regulations, allows a financial institution to disclose nonpublic personal information to the FIA because Michigan law and the Reporting Protocol contemplate that the FIA will undertake an investigation to protect the safety of the adult who is the subject of the report.

Conclusion

The agencies believe that the circumstances for making reports to the FIA under the protocols that involve disclosing nonpublic personal information about a consumer, as described above, would be permitted by the exceptions to the notice and opt-out requirements.

If you have any questions about this matter, please contact:

Thomas E. Scanlon (FRB), (202) 452-3594
Robert A. Patrick (FDIC), (202) 898-3757
Mary Rupp (NCUA), (703) 578-6540
Mark Tenhundfeld (OCC), (202) 874-5090
Paul J. Robin (OTS), (202) 906-6648
Penelope Saltzman (SEC), (202) 942-0689
Loretta H. Garrison (FTC), (202) 326-3043

------------------------------------------

1 The Agencies' rules implement section 502(e) in 12 C.F.R. §§ 40.14-15 (OCC); 12 C.F.R. §§ 216.14-15 (FRB); 12 C.F.R. §§ 332.14-15 (FDIC); 12 C.F.R. §§ 573.14-15 (OTS); 12 C.F.R. §§ 716.14-15 (NCUA); 16 C.F.R. §§ 313.14-15 (FTC); and 17 C.F.R. §§ 248.14-15 (SEC). Because the agencies’ rules are substantively identical, citations of the rules omit the preceding title and section and refer only to the appropriate subsection.

Letter Letter Enclosure

Go back