Fed Up with the States on Privacy, Insurers Warm Up to U.S. Charter

Article excerpt

After gestating for decades, the Gramm-Leach-Bliley financial modernization law just celebrated its first birthday.

As the old saying goes: "To whom much is given, much is expected."

Since the affected industries certainly gave much in lobbying resources over 20 years, there were great expectations for this law. But the revolutionary changes predicted are either absent or delayed.

With time, many of those predictions -- larger financial institutions, cross-industry consolidation, blending of banking and commerce -- likely will come true. To date, however, enactment has had an ironic and unexpected consequence: the embrace of federal regulation by certain segments of the insurance industry.

Who would have guessed that the same industry that first fought financial services modernization for fear that it would undermine state regulation, then demanded that Gramm-Leach-Bliley adopt functional regulation, would now be eager to explore an optional system of federal insurance regulation?

Why is this happening, and what did the financial reform law have to do with it? Examining the implementation of its privacy provisions for banks versus insurance companies provides a clue.

Under the law, all financial services entities must notify their consumers of the company's information-sharing practices and allow them to opt out of certain disclosures to nonaffiliated third parties. But Congress scrupulously honored state regulation of insurance and merely encouraged the states to adopt implementing rules for companies and agents. Federal financial regulators were required to adopt uniform rules for federal financial institutions.

By February, six federal agencies had jointly published uniform proposed rules. They reviewed more than 8,000 comments before issuing nearly identical final rules in June. The deadline for compliance by federal depository institutions was extended to July 1, 2001, and the final rule includes sample notices, detailed discussion and examples, and sample disclosure language.

In other words, depository institutions, their holding companies, securities firms, broker-dealers -- all financial institutions except insurance companies - had before them uniform final privacy rules and over a year to understand and comply with them.

How and when did the states act? It is almost fair to say that the Florida recount has gone faster and smoother.

First, there is timing. On June 27, the National Association of Insurance Commissioners agreed to follow the lead of federal regulators by extending the privacy compliance date. But so far, just 10 states have realized that intent in a legally significant manner, such as a rule or legislation. Several other state commissioners have issued a bulletin or otherwise re-announced their intent to extend the compliance deadline.

The contrast with the timing of the federal rules is stark and not favorable for state regulators.

The substance of the state privacy rules is similarly muddled.

After considerable debate and delay, last month the NAIC issued a model privacy rule that differs from the federal rules in several significant ways. Under this model, consumers must affirmatively consent, or opt in, before insurers can disclose protected health information. …