Although better known for its privacy stipulations, the Gramm-Leach-Bliley Act (GLBA), also called the Financial Modernization Act of 1999, is a US federal law whose original purpose was to allow different types of financial institutions such as banks, insurance companies and securities firms to merge. These types of mergers were, until then, prohibited under the Glass–Steagall Act of 1933 which the GLBA repealed.
Out of concern for the amounts of data these new institutions would have access to, the GLBA also included a new set of rules on how financial institutions would need to protect and secure customer information privacy.
GLBA compliance is enforced by the Federal Trade Commission (FTC) and has three key components:
- The Financial Privacy Rule, as defined in the GLBA itself, regulates the collection and disclosure of private financial information;
- The Safeguards Rule, issued by the FTC as part of its implementation of the GLBA, requires companies to have measures in place to keep customer information secure;
- The Pretexting Provisions, listed in the GLBA, stipulate that organizations must guard against access to personal information under false pretenses which include social engineering, phishing, scams etc.
Who does the GLBA apply to?
The FTC states that all companies that offer consumers financial products or services like loans, financial or investment advice or insurance are required to be GLBA compliant. The general tendency is to assume the GLBA only applies to banks and insurance companies. However, there is no business size requirement for GLBA compliance and any company significantly engaged in providing financial products or services falls under the Act’s incidence.
This includes, among others, organizations offering online money transfer services, mortgage brokers, automobile dealerships, debt collectors, investment advisors and retailers issuing their own credit cards. Due to federal student loans and other financial activities that fall under the scope of the banking law, higher education institutions also need to be GLBA compliant.
What is protected under the GLBA?
The GLBA protects nonpublic personal information that financial institutions obtain directly from consumers, from any transaction or services performed for consumers or through any other means. It also applies to lists, descriptions or groups of consumers derived from nonpublic personal information. Publically available information is exempt from GLBA compliance.
Nonpublic personal information is defined as personally identifiable financial information (PIFI) that enables the identification, validation or search of an individual’s financial information through a specialized database or system. It consists of information such as a person’s social security number, bank account number, credit card number, name or contact details.
Consumers vs Customers
The GLBA’s Financial Privacy Rule differentiates between consumers and customers. It requires companies to give notice to all their customers about their privacy practices, and, if they share their information in certain ways, to their consumers as well.
A consumer is defined as an individual who obtains a financial product or service from a financial institution that is primarily for personal use. An important thing to note is that the Financial Privacy Rule applies only to individuals, not commercial clients. Consumers include those that use ATMs of banks they have no accounts open with or rejected loan applicants.
Customers are a subset of consumers that have a continuing relationship with a financial institution. They are those individuals that have open bank accounts, signed leases or insurance policies. Past customers, individuals who, for example, have used a financial institution’s services, but have ended their relationship with it, are still considered customers in terms of GLBA compliance.
The Financial Privacy Rule
Through the Financial Privacy Rule, financial institutions must give their customers a clear and conspicuous written privacy notice that explains what data they collect about them, where it is shared, how the information will be used and how it will be protected. Organizations must provide an initial notice when the customer relationship is established and an annual notice thereafter for as long as the relationship lasts.
If a company shares nonpublic financial information with nonaffiliated third parties they are required to notify all consumers and give them the option to opt-out within a reasonable time before the data is shared and must provide them with an acceptable way to opt out.
When it comes to non-customer consumers, if organizations need to provide them with privacy notices, they can choose to give them a short-form notice, which must explain that a full privacy notice is available upon request, describe how it can be obtained and inform them of their right to opt-out.
There are several exceptions to the Financial Privacy Rule. They consist of various types of information sharing necessary for the processing or administration of a financial transaction requested or authorized by a consumer as well as disclosures needed to perform a credit check. Other exceptions include disclosures for purposes of preventing fraud, responding to judicial process or a subpoena, or complying with federal, state, or local laws.
The Safeguards Rule
To comply with the Safeguards Rule, companies must develop a written information security plan that describes their program to protect customer information. Companies must implement safeguards appropriate to their size and complexity, the nature and scope of its activities and the sensitivity of the information it handles.
As part of their plan, organizations must designate one or more employees to coordinate its information security program. They must identify and assess the risks to customer data as well as safeguards already in place and their efficiency. Based on this assessment, a safeguards program must be designed and implemented. Once in place, the program must be regularly monitored and tested.
Companies have to select service providers with appropriate safeguards in place and ensure they are contractually bound to maintain them. They must also oversee their handling of customer information. Lastly, safeguards programs must be evaluated and adjusted according to relevant changes in the firms’ business or operations or based on the results of security testing and monitoring.
Fines under the GLBA
GLBA noncompliance comes at a great cost: financial institutions are subject to civil penalties of up to $100,000 for each violation. Officers and directors of an organization are also personally liable for fines of up to $10,000 for each violation.
Certain parts of the GLBA, most notably its provisions regarding pretexting, can also generate fines and even imprisonment of not more than five years in accordance with Title 18 of the United States Code.
It is also worth noting that the GLBA does preempt state laws, meaning that, depending on the number of consumers affected, greater statutory damages can result from state-level enforcement actions.