Lawmakers Tackle Privacy

Congress catches up to technology.

  • E-COMMERCE PRIVACY ISSUES ARE HIGH PROFILE in Washington. Technology allows the easy accumulation and distribution of personal financial data as well as the theft of these data, and security must be ensured.
  • INCIDENTS THAT CAUGHT THE ATTENTION OF Congress were a bank selling confidential information to third-party marketers; a major Internet company publishing customer data; and a hacker who tried to extort money from a company to stop publication of stolen credit card numbers.
  • IMPORTANT ACTION IS UNDER WAY. Look at the list of bodies promulgating regulations that will affect financial institutions: the Federal Reserve Board, the FDIC, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the SEC, the FTC and the National Credit Union Administration.
  • WHAT CONSTITUTES A FINANCIAL INSTITUTION? The act’s definition goes far beyond traditional labels. It defines one as an entity engaging in an activity that is financial in nature or incidental or complementary to a financial activity, and it empowers the Federal Reserve Board to determine which businesses fit the definition. That description could include a local merchant that extends consumer credit or a CPA firm that prepares tax returns.
  • THE FINANCIAL SERVICES MODERNIZATION ACT of 1999 bans the dissemination of consumer information to third parties without a customer option to prevent it. It also requires financial institutions to disclose to consumers their privacy policy at the outset of the relationship and annually thereafter. Enforcement is solely the province of federal financial regulators.
Peter M. Kravitz is director of congressional/political affairs at the AICPA. His email address is . Anthony Pugliese, CPA, is director of assurance services at the AICPA. His email address is . The authors are both employees of the American Institute of CPAs and their views, as expressed in this article, do not necessarily reflect the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation.

Tech growing pains are giving privacy issues a high profile. Technology allows the easy accumulation and distribution of personal financial data as well as the theft of these data. The growing demands and interrelatedness of the marketplace have increased companies’ need for profiling the purchasing habits and financial situations of consumers. A few companies made headlines last year for their poor stewardship of customer information. This notoriety helped to make consumer financial privacy an urgent issue for Congress, the public and the business community.

The Financial Services Modernization Act of 1999

The privacy law imposes burdens on all “financial institutions,” whether or not they transmit nonpublic personal information to third parties.

The law prohibits

  • The transmission of private personal information to nonaffiliated third parties without prior notice to the customer and without a customer option to prevent it.
  • The transmission of an account number “or similar form of access number or access code” to a nonaffiliated third party that wants to use the information for marketing purposes.

The law requires all financial institutions to

  • Notify their consumer customers of the privacy policy at the onset of the relationship and annually thereafter.
  • Disclose the affiliate sharing notice and the opt-out opportunity for affiliate information sharing.

What it doesn’t do

  • The act does not regulate the sharing of information between a financial institution and its affiliates.
  • The act does not ban all third-party transmissions. It provides for some exceptions, allowing the transmission of nonpublic personal information to third parties such as accountants and auditors without the necessity of customer disclosure and the opt-out choice.
  • The act does not provide for private rights of action for violations. Enforcement is given over to the federal financial regulators for banks, thrifts and credit unions; to the SEC for brokers, dealers, investment companies and advisers; to state insurance regulators for insurance companies; and to the FTC for everyone else.
  • The act does not amend the Fair Credit Reporting Act, which provides an opportunity for customers to opt out of a company’s sharing “nontransaction” financial information, such as a credit report, with an affiliate.
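The sharing rules above reduce to a small decision procedure, and a CPA asked to "implement, maintain and monitor" them (as the article later puts it) will usually want that procedure written down as a control rather than left in a policy document. The following is an added example, not code from the article or from any AICPA program; the recipient categories, field names and the "audit"/"accounting" purpose labels are assumptions chosen to mirror the four rules the article states: affiliates fall outside the third-party rules, nonaffiliated third parties require prior notice and no opt-out, accountants and auditors are exempt from notice and opt-out, and account numbers or access codes never go to a nonaffiliated marketer. It is an illustration of the control logic, not legal advice.

```python
from dataclasses import dataclass, field

# Assumed labels for the act's exception for recipients such as accountants
# and auditors (the article names only those two categories).
EXEMPT_PURPOSES = {"audit", "accounting"}

# Fields the article says may not be sent to a nonaffiliated marketer:
# account numbers "or similar form of access number or access code".
ACCESS_FIELDS = {"account_number", "access_code"}


@dataclass
class Customer:
    customer_id: str
    notice_given: bool   # privacy notice delivered at the onset of the relationship
    opted_out: bool      # customer exercised the third-party sharing opt-out


@dataclass
class Recipient:
    name: str
    affiliated: bool     # affiliate sharing is outside the act's third-party rules
    purpose: str         # assumed labels: "marketing", "servicing", "audit", ...


@dataclass
class Decision:
    allowed: bool
    reason: str
    fields: dict = field(default_factory=dict)   # what may actually be sent


def share_decision(customer: Customer, recipient: Recipient, record: dict) -> Decision:
    """Decide whether `record` (nonpublic personal information, as a dict of
    field name -> value) may be transmitted to `recipient`, and with which fields."""
    if recipient.affiliated:
        return Decision(True, "affiliate: not regulated by the act's third-party rules", dict(record))
    if recipient.purpose in EXEMPT_PURPOSES:
        # Exception: no disclosure or opt-out needed for accountants and auditors.
        return Decision(True, f"exception for {recipient.purpose}", dict(record))
    if not customer.notice_given:
        return Decision(False, "no privacy notice delivered before transmission")
    if customer.opted_out:
        return Decision(False, "customer opted out of nonaffiliated third-party sharing")
    if recipient.purpose == "marketing":
        # Account numbers and access codes are withheld from marketers even
        # when the customer has not opted out.
        redacted = {k: v for k, v in record.items() if k not in ACCESS_FIELDS}
        return Decision(True, "nonaffiliated marketer: access fields withheld", redacted)
    return Decision(True, "nonaffiliated third party: notice given, no opt-out", dict(record))


def monitor(customer: Customer, recipient: Recipient, record: dict, log: list) -> Decision:
    """Wrap the decision with an audit record so the control can be reviewed later."""
    d = share_decision(customer, recipient, record)
    log.append((customer.customer_id, recipient.name, recipient.purpose, d.allowed, d.reason))
    return d


if __name__ == "__main__":
    # Constructed sample data, not taken from any real institution.
    rec = {"name": "J. Doe", "account_number": "0000-1111", "balance": 1250.00}
    log = []
    monitor(Customer("c1", True, False), Recipient("CatalogCo", False, "marketing"), rec, log)
    monitor(Customer("c2", True, True), Recipient("CatalogCo", False, "marketing"), rec, log)
    monitor(Customer("c2", True, True), Recipient("AuditFirm", False, "audit"), rec, log)
    for entry in log:
        print(entry)
```

The order of the checks matters: the affiliate and audit exceptions are tested before the notice and opt-out conditions, so an opted-out customer's record can still reach the auditor, while a marketer with every permission in place still never receives the account number. Both outcomes are visible in the audit log the `monitor` wrapper keeps.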

For example, U.S. Bancorp of Minnesota sold confidential customer financial information from its files to third-party marketers. The story made national news, causing U.S. Bancorp and several other financial institutions to stop the practice and prompting the Minnesota attorney general to file suit against U.S. Bancorp. In another major privacy story, Amazon profiled its customers’ most popular book and music purchases, named the companies employing the customers making those purchases and published the information on its Web site. Customer reaction caused Amazon to stop publishing the information immediately. But Amazon still retains the data.

According to USA Today, only 20 of the 100 biggest online retailers have privacy policies that restrict the use of customer information to completing transactions. Although some e-commerce companies have seals—such as the WebTrustSM seal—to indicate the company’s privacy policy, consumer groups and many on Capitol Hill believe that regulating the use of private financial information is necessary, and that disclosure and consumer choice regarding privacy policies are not enough to protect consumer privacy.

This is an area where the CPA’s expertise puts him or her in an excellent position to help financial institutions to implement, maintain and monitor the privacy policies and systems they will have to create.


In early January details about the first major theft of consumer financial information from an e-commerce company flashed into the news. A computer hacker had broken into the system of CD Universe and copied 300,000 customer credit card files. The hacker attempted to extort money from CD Universe in exchange for returning the information. When CD Universe refused to submit to extortion, the hacker posted the names, addresses and credit card numbers of 25,000 customers on a Web site. Although this theft happened to an e-company, confidential financial information can be stolen from any company that maintains such records.

Although federal law essentially shields consumers from loss due to the unauthorized use of their credit cards (a cardholder’s liability is capped at $50), this incident heightened concern over the privacy and security of data stored in computers. Ultimately, all consumers will foot the bill for these losses when companies pass the charges to their customers in the form of higher costs.


Since the accounting profession’s stock-in-trade is confidential financial information, it is conceivable that the Federal Reserve Board could adopt a regulation subjecting CPAs in public practice to the privacy rules applicable to financial institutions, which require periodic disclosures to clients about the privacy and integrity of confidential data. However, the proliferation of current and upcoming privacy statutes and regulations also opens up business opportunities for the profession and at the same time could subject CPAs to tougher requirements.

To mitigate risks, companies will seek assurance services that test the efficacy of their privacy systems. Clearly, what WebTrust achieves for e-commerce and SysTrustSM for any business are pioneering efforts in this area (see sidebar, “AICPA Assurance Service Programs That Address Privacy Issues”). Privacy consulting—both creating privacy policies and systems as well as internal controls—is also an area where the accounting profession’s expertise can put CPAs front and center in the effort to guard public and business interests.

AICPA Assurance Service Programs that Address Privacy Issues
WebTrust SM

WebTrust addresses the fundamental privacy concerns of both the business community and the online customer. The WebTrust seal informs potential customers that a CPA has evaluated a Web site’s business practices and controls to verify that they conform to the WebTrust principles and criteria for business-to-consumer electronic commerce. WebTrust is the only online privacy seal program that provides for independent verification and the only Internet service that reviews security of financial information maintained by e-commerce companies.

As e-commerce becomes the global and preferred way of conducting business, countries around the world are setting standards to assure citizens that their information is kept private. The European Union privacy directives for the European market took the lead in this area. In the United States, the Online Privacy Alliance, a coalition of businesses, is leading an initiative to demonstrate that the government does not need to be involved. WebTrust meets or exceeds all these key organizations’ critical requirements regarding privacy, as well as the key requirements of the Financial Services Modernization Act of 1999.

WebTrust requires online businesses to make privacy disclosures, which the CPA then tests, in the following areas:

  • The specific kinds and sources of private information that are being collected and maintained; the use of the information; and third-party distribution of the information.
  • Choices regarding how identifiable private information collected from an individual online may be used and/or distributed.
  • The business transaction consequences of an individual’s refusal to provide private information or of his or her decision to opt out of a particular use of such information.
  • How individually identifiable private information collected can be reviewed and, if necessary, corrected or removed.
  • If a Web site uses cookies (files placed on a consumer’s computer by an online business that allow it to track information on sites visited and buying habits), how they are used and the business transaction consequences of an individual’s refusal to accept a cookie.

For a complete copy of the CPA WebTrust principles and criteria, refer to

SysTrust SM

In a SysTrust engagement, a CPA firm issues an attestation report that evaluates whether management of an e-business has maintained effective controls to ensure that its systems function reliably within a specified period of time.

Developments in information technology make far greater power available to companies at far lower costs. The systems supported by this technology range from tools for bookkeeping to running businesses, producing products and services and dealing with customers and business partners. Among the concerns of customers and business partners is the reliability of conducting business in a manner that protects private or confidential information from unintended or unlawful uses.

A reliable system is defined as one that is capable of operating without material error, flaw or failure during a specified period of time in a specified environment. A SysTrust report on a reliable system is underpinned by four essential principles—the benchmarks of reliability:

  • Availability—the system is available for operation and use.
  • Security—the system is protected against unauthorized access.
  • Integrity—the system processing is complete, accurate, timely and authorized.
  • Maintainability—the system can be updated when necessary.

SysTrust is the only attestation service available for signifying whether a company’s privacy systems have effective controls that enable the system to function reliably. For more information on the CPA SysTrust services and to review the SysTrust principles and criteria, refer to


The privacy provisions of the 1999 Financial Services Modernization Act apply to financial institutions and their treatment of nonpublic personal information. The act defines a financial institution as “any institution the business of which is engaging in financial activities,” and the Federal Reserve Board is given the authority to determine what activities are financial. Once an activity is determined to be financial in nature, then companies that engage in such an activity are subject to the privacy provisions of the act, whether or not the company is affiliated with a financial holding company.

Such a broadening of the term financial institution heaps compliance burdens on an enormous number of businesses that before this development would not have been considered part of the financial arena. For example, a local mom-and-pop store could be a financial institution because it extends store credit to its customers. Stretching the concept further, it also is possible that accounting firms could be considered financial institutions for purposes of the privacy law—preparing tax returns is arguably a financial service.

Businesses will face two challenges: they must comply with the provisions of the act, and they must ensure they do not lose customer loyalty because their systems are not secure and reliable.

With the growing prominence of privacy issues, CPAs operating in various roles in industry, especially in financial institutions, should take notice of the privacy issues that affect their employers in both the online and offline worlds. These issues might take the form of new laws and regulations, such as those required by the act and/or the best practices that are being followed by industry to ensure that customer confidence and trust are kept at the highest levels possible (see sidebar, “Best Practices”). Best practices include accepted industry standards and practices such as posting privacy policies on a Web site in a conspicuous place or having internal controls to ensure that privacy policies are not violated. For more information on best practices for banking and other industries, the CPA working in industry might look to the AICPA WebTrust program.

Best Practices for Building Consumer Trust
In response to growing concerns from online shoppers about security and privacy protection, and in light of recent high-profile breaches of public trust at several brand-name Web sites, the AICPA offers several tips to Web merchants to help them build consumer trust and confidence.
Maintain a High Level of Security

E-commerce sites must use the most reliable security controls and tools and communicate that they do so to their customers in easy-to-understand language. This includes the latest SSL encryption technology, digital certificates, secure server technology and authentication to ensure that personal customer information is safe. The site should be independently verified to ensure that its security controls adequately protect its customers from risk of security breaches.

Build Online Credibility and Legitimacy

Brand names are important on the Internet. They help shoppers make choices when they have a limited range of knowledge about quality and functionality. If an e-commerce site lacks its own recognizable consumer brand name, it can sell branded products from other manufacturers, partner with an established brand, offer samples of its services through low-risk trials and creative offers or use a CPA to independently verify that it is a legitimate business. Whichever strategy is used, it is important to be consistent and adhere to the highest set of standards so that customers trust the site.

Maintain a High Standard of Integrity With All Transactions

Web sites have to maintain a high degree of integrity with every transaction and they should be independently tested for compliance against a stringent set of standards. Many a Web site loses sales when the buyer has to struggle to complete a transaction. Nothing alienates shoppers more often than order-entry glitches that cause the loss of entered information, computer freezes or being bounced off the site. A site’s lack of full disclosure regarding actual costs is also a big turnoff. Online shoppers want to know all costs before going through detailed registration in order to avoid surprises and significant changes to the online price. An order-tracking system that allows online shoppers to review orders and/or maintain addresses and credit card information is also very helpful in building trust in a site.

Fully Disclose Policies and Make the Site Easy to Navigate

Online shoppers want to know how a site will handle their personal information, so Web merchants must explain how they collect and handle consumer data and must post easy-to-read privacy statements. Some customers are not willing to buy online without assurance from independent third parties that their confidential information will be protected. The design and content of a site are also critical elements in attracting potential customers.

Support Online Consumer-to-Consumer Dialogue

E-commerce sites can build additional trust when they encourage their customers to contact and inform each other about a site’s products and services: A chat group sponsored by the site allows its customers to question each other about their purchasing experiences. The online business can also provide links to other independent sites that allow customers to obtain feedback and ratings.

Empower Consumers to Take Control of Decisions

Online shoppers will trust a site when they know that they control access to their personal information. Web sites that ask permission to obtain customers’ personal details are taking the smartest approach. Some companies, for example, explain the benefits provided by a cookie on the user’s hard drive (the cookie ensures that preferred settings appear without the customer logging in each time) and then ask the user for permission to place the cookie. The online shopper is fully informed and empowered to decide whether to allow the cookie onto the hard drive. Many e-commerce sites are beginning to ask consumers to serve on panels that independently audit their privacy policies, the integrity of their transactions and their fulfillment records.

CPAs who work in public practice should know the requirements of the act and inform clients how the requirements will affect day-to-day operations, especially businesses that might not think of themselves as “financial institutions” but are now considered such. In addition, the recent focus on privacy creates a wealth of service opportunities for the practitioner in his or her role as adviser to clients. As more and more clients migrate to e-commerce environments or engage in information-sharing practices, the need for consultative advice and assurance on all aspects of operations affected by these changes becomes paramount to clients and potential clients. Sometimes it’s not the details that clients are aware of that add the most value to CPA services but, rather, the things they are not aware of.

What’s Happening in D.C.?

Privacy was not an issue during the first four years of debate on the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley Act). This changed when the U.S. Bancorp story broke. Concerns about privacy helped spur Congress to adopt, as part of the act, the first comprehensive federal privacy provisions applicable to financial institutions.

According to Gary Gensler, treasury undersecretary for domestic finance, the Clinton administration will offer new privacy legislation this year. The Treasury will also finish a wide-ranging study of privacy issues by the end of 2000, which could lead to additional privacy proposals. In February Senator Richard Shelby (R-Ala.) and Congressman Edward Markey (D-Mass.) announced the founding of a bipartisan Congressional Privacy Caucus. Its purpose is to fight for tougher consumer financial privacy laws.

Regulations defining the exact scope of the privacy provisions will be promulgated by several federal agencies. The federal banking agencies (the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision) have issued a joint proposal and will adopt identical regulations. The Securities and Exchange Commission, the Federal Trade Commission and the National Credit Union Administration will also adopt regulations. These regulations are expected to be similar in some respects but to differ in others.

An example of how they may differ in treatment is the definition of nonpublic personal information. The modernization act defines personally identifiable financial information as information that is provided by the consumer to the financial institution. Excluded is information that is publicly available through sources such as the telephone book, tax records or land records. A customer’s name and address could be treated as nonpublic because the financial institution receives them from the customer. Yet because the same information is also available from the telephone book, tax records and other public records, it could equally be treated as public information, and the agencies may resolve this differently.

The act allows states to adopt privacy policies that provide consumers with even more protections. If the states ultimately adopt different privacy laws, financial institutions operating across state lines will need to have multiple privacy policies and disclosures.

The federal banking agencies, NCUA and the FTC issued their proposed regulations in February, the SEC in March. The modernization act provides that the regulations be made final by May 12, with an effective date six months later. Federal regulators are empowered to set an effective date that is later than November 12.
