On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act, Public Law 106-102 (captioned Disclosure of Nonpublic Personal Information). This act requires financial institutions to provide their customers with an annual notice of their privacy policies and practices and also prohibits financial institutions from disclosing nonpublic personal information about a client to nonaffiliated third parties, unless the financial institution meets various disclosure and opt-out requirements, and the customer has not elected to opt out of the disclosure.
Requirements
The Federal Trade Commission (FTC) concluded that the act applies to accountants engaged in the business of completing income tax returns and financial planners. Practitioners that are not “significantly” engaged in preparing personal tax returns or financial planning are not subject to these FTC regulations. Generally speaking, as a financial institution, a CPA firm involved in income tax preparation or financial planning must describe its privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties, including a client’s right to opt out of disclosures to nonaffiliated third parties that are not otherwise permitted by law. (Affiliate refers to any company that controls, is controlled by, or is under common control with another company.)
The FTC’s final rule was adopted on May 24, 2000, and became effective on November 13, 2000; however, full compliance with the disclosure and customer opt-out requirements of the act was delayed until July 1, 2001. Privacy notices are not required for business clients because the act is limited to individuals that obtain a financial product or service from a financial institution to be used only for personal, family, or household purposes.
The FTC expects an initial privacy disclosure notice to be delivered to existing clients no later than July 1, 2001. New clients must be given an initial privacy notice no later than the time the person becomes a client. In addition, all clients must receive an annual privacy notice. The FTC rules provide some flexibility on the timing of annual notices. If an initial privacy notice is given to a client during 2001, then the first annual notice to that client must be given by December 31, 2002, and each subsequent annual notice must be given within 12 months. No annual notice is required for an individual who ceased being a client, and a single notice addressed to husband and wife joint clients is satisfactory, unless separate notices are requested.
Although the initial and annual privacy notices are required to be issued to clients, CPA firms that do not share or reserve the right to share a client’s nonpublic personal information with nonaffiliated third parties are not required to include opt-out notices. Nor is an opt-out notice required for disclosures that are authorized by law.
CPAs, however, are generally held to a higher standard under applicable codes of professional conduct. ET 301 of both the AICPA and NYSSCPA’s Codes of Professional Conduct generally prohibits a CPA from disclosing confidential client information to any party (including affiliates and nonaffiliated third parties) without the client’s specific consent for such disclosure. Furthermore, IRC section 7216 prohibits paid tax preparers from disclosing tax return information without the client’s consent, other than for the specific purpose of preparing, assisting in preparing, or obtaining and providing services in connection with preparing any income tax return of the taxpayer.
Exceptions
Other than certain exceptions, a CPA that discloses a client’s nonpublic personal information to an affiliate or a nonaffiliated third party based upon the client’s failure to “opt out” of such disclosure would be in violation of ET 301, which requires specific consent (“opt in”). Under the act, a client’s failure or neglect to opt out after full notice of the client’s right to do so would allow a firm to disclose nonpublic personal information to a nonaffiliated third party; however, the specific consent required by ET 301 will not be satisfied by the “passive consent” arising from the failure to opt out.
The exceptions to ET 301 are consistent with the exceptions to opt-out requirements set forth in the FTC rules. ET 301’s exceptions for disclosure of confidential client information are limited to the following:
NYSSCPA Professional Ethics Committee, the AICPA ethics division or trial board, or the duly constituted investigative or disciplinary body of another state CPA society or board of accountancy
In addition to the above exceptions, AICPA Ethics Rulings 391.001 and 391.009, as well as the FTC’s exceptions to the opt-out requirements for service providers (16 CFR 313.13), allow disclosure of nonpublic personal information to affiliates of the firm or nonaffiliated third parties who perform services or functions for the firm pursuant to a contractual agreement that prohibits the disclosure or use of the information for other purposes. This would, for example, allow the use of an outside service bureau to process client tax returns, or a records-retention agency to store client records.
The FTC rule requires that initial and annual notices to clients be clear and conspicuous and accurately reflect the firm’s privacy policy and practices, and such notices must be in writing and mailed to the client’s last known address, hand-delivered to the client, or, if the client agrees, transmitted electronically.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.