top of page
The GLBA.jpg
Top of Page

The Gramm-Leach-Bliley ACT (GLB or GLBA)

 

Link to FTC / GLBA  Business Guidance 

This guide provides an overview of the main provisions of the GLBA. Easily navigate within this guide through the following sections:
 

Overview

What is it?
The GLBA is a federal law that became effective in the United States In 1999. The GLBA is also known as the Financial Services Modernization Act of 1999.
Privacy policymakers zero in on Title V, Subtitle A of the GLBA (15 U.S.C. 6801, where the topic of “Privacy” and the “Disclosure of Nonpublic Personal Information” may be found.
Under Title V, Subtitle A, Section 501 describes the “Protection of Nonpublic Personal Information,” stating that “each financial institution has an affirmative and continuing obligation “to respect the privacy of its customers and to protect the security and confidentiality of those customers’ non-public personal information” (15 U.S.C. § 6801). Also, financial regulatory agencies have to “establish appropriate administrative, technical, and physical safeguard standards” that will:
  • Ensure the security and confidentiality of customer records and information.
  • Protect against any anticipated threats or hazards to the security or integrity of such records.
  • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer (15 U.S.C. § 6801, 15 U.S.C. § 6804). 
Section 502 describes “Obligations with Respect to Disclosures of Personal Information.” The GLBA requires that financial institutions share their privacy policies and practices with consumers in writing. Also, if the financial institution wants to share consumer nonpublic personal information with non-affiliated third parties, the financial institution must give consumers the right to opt out from the information sharing.
States may enforce stricter rules than the GLBA. Financial institutions should understand the GLBA, rules issued by applicable financial regulatory agencies, and the rules of the states in which they operate.
Who must comply with it?
Financial institutions, brokers, dealers, and people providing insurance services, including investment companies and investment advisors.
Enforcement
When the GLBA became effective in 1999, federal financial regulatory agencies were required to enforce the GLBA (15 U.S.C. § 6805).
In 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rule-making authority for most of Subtitle V of the GLBA to the Consumer Financial Protection Bureau for the Board of Governors of the Federal Reserve System, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, Federal Deposit Insurance Corporation, and the Federal Trade Commission (in part) (see 12 C.F.R. § 1016).

The Three Key Rules

  • Financial Privacy Rule

The Financial Privacy Rule is another name for the GLBA’s requirement that financial institutions must give customers and consumers the right to opt out, or not allow, a financial institution to share the customer/consumer’s information with nonaffiliated third parties prior to sharing it. (15 U.S.C. § 6802).  
What is nonpublic personal information? 
NPI is personally identifiable financial information that is not available in public records that (a) a consumer gives to a financial institution (b) for any transaction or service performed for the consumer, or (c) is otherwise obtained by the financial institution in relation to providing the customer with a financial product or service.
NPI includes “lists, descriptions, or grouping of consumers (and publicly available information pertaining to them)” created using nonpublic personal information.
How does the GLBA regulate information sharing?
A financial institution cannot share a consumer’s NPI with a nonaffiliated third party without first notifying the consumer and giving the consumer a chance to opt out of information sharing. The notice must be clear and conspicuous, and the consumer must be given time to review the information and say no to information sharing (15 U.S.C. § 6801).
A financial institution may not share account numbers, access numbers and access codes for credit cards, deposit accounts and the like with third parties “for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.” (15 U.S.C. § 6801) Such information may be shared with a credit reporting agency.
 
  • The Safeguards Rule

In 2006, the Financial Services Regulatory Relief Act (Relief Act) amended the GLBA. The Relief Act amendment directed financial regulatory agencies to collaborate and develop a model privacy notice. In 2009, eight regulatory agencies amended each of their rules to adopt a model privacy form.
For more context about why and how a model privacy form was developed, see the Supplemental Information section of the Final Model Privacy Form under the Gramm-Leach-Bliley Act Rule.
 
 
  • Privacy Protection for Customer Information —

                Pretexting & Fraudulent Access

Under the GLBA, a person may not obtain or try to obtain customer information about another person “by making a false, fictitious, or fraudulent statement or representation to an officer, employee,” agent, or customer of an institution (15 U.S.C. § 6821). The GLBA also prohibits a person from knowingly using “forged, counterfeit, lost, fraudulently obtained” documents to obtain consumer information (Id.).
Pretexting involves a person making up a story and tricking another person into providing nonpublic information.
Regulatory agencies enforce this regulation against pretexting and fraudulent access of financial information. Individuals who “knowingly and intentionally violate” or “attempt to violate” the regulation may be fined, imprisoned, or both.
 
 
1. GLBA Overview
Financial Privacy Rule
Safeguards Rule

 

Link to full article by the International Association of Privacy Professionals (IAPP)

Pretexting/Fraudulent
GLBA Certification
  • GLBA Certification Link
  • Enter your email

  • Test page will open

  • Follow instructions

  • Results will be sent to you and to your Trainer

bottom of page