Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to protect their customers' private information.

Frequently Asked Questions

  • What is GLBA?

    Enacted in 1999, the GLBA directs the federal financial regulators, today including the Consumer Financial Protection Bureau (CFPB), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Federal Trade Commission (FTC), to issue regulations safeguarding nonpublic personal information (NPI). The FTC and SEC implemented the security standards as binding rules (the FTC Safeguards Rule and the safeguards provisions of SEC Regulation S-P), while the federal banking agencies issued them as interagency guidelines.

  • What is the Purpose of the Gramm-Leach-Bliley Act?

    The primary purpose of GLBA is to protect the confidentiality of customers' personally identifiable information (PII) and financial information by imposing two sets of standards:

    Privacy standards: Customers must be told how the institution shares their information and given a way to opt out of sharing with nonaffiliated third parties (15 U.S.C. § 6801(a) states the policy; §§ 6802–6803 set out the opt-out and notice requirements).

    Security standards: Maintain an information security program designed to ensure the security and confidentiality of customer records and information; protect against anticipated threats or hazards to the security or integrity of those records, including cyber attacks and other attack vectors; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to a customer, e.g. data breaches and data leaks (15 U.S.C. § 6801(b)).

  • Who is Regulated by GLBA?

    The GLBA applies to "financial institutions", meaning any business that offers financial products or services to individuals, such as loans, financial or investment advice, or insurance, whether or not it is a bank. It also imposes limited obligations on nonaffiliated third parties that receive nonpublic personal information (NPI) from a GLBA-regulated institution: they may reuse or redisclose that information only to the extent the institution itself could.

    Because GLBA protects individuals' data, financial institutions that serve only other businesses are not covered. An individual who merely uses an ATM or cashes a check is a "consumer" rather than a "customer", since there is no ongoing relationship; such a person is owed a privacy notice and opt-out only if the institution intends to share their NPI with nonaffiliated third parties.

    Examples of financial institutions include:

    Non-bank mortgage lenders

    Real estate appraisers

    Loan brokers

    Some financial or investment advisers

    Debt collectors

    Tax return preparers


    Real estate settlement service providers

  • What is Nonpublic Personal Information (NPI)?

    Nonpublic personal information (NPI) is any personally identifiable information (PII) or financial information that is:

    Provided by the customer to the financial institution

    Resulting from any transaction with the customer or any service provided to the customer

    Otherwise obtained by the financial institution

    Information that is generally public but that the individual has made private (e.g. an unlisted phone number) must be treated as nonpublic.

  • Examples of nonpublic personal information (NPI)

    An individual's income, social security number, marital status, amount of savings or investments, payment history, loan or deposit balance, credit or debit card purchases, account numbers, or consumer reports

    The fact the individual has an account with a particular financial institution

    Any list, description, or grouping of customers that is derived using a combination of nonpublic personal information (NPI) and publicly available information

    Any information the financial institution has obtained over the customer relationship or collected through cookies

  • What are the Benefits of GLBA Compliance?

    It lowers the risk of penalties and of the reputational damage caused by breaches and data leaks.

    GLBA compliance can also support compliance with the European Union's General Data Protection Regulation (GDPR), since both require documented safeguards for personal data.

    Private or sensitive information is secured against unauthorized access.

    Customers are notified of sharing of their private information between financial institutions and third parties, and can opt out if they wish.

    User and employee activity is tracked, including any attempts to access sensitive information or protected records.

    These benefits improve the reputation of your organization and increase customer trust, leading to greater customer loyalty, lower churn, higher lifetime value, and fewer regulatory fines.

  • What are the Major Components of the Gramm-Leach-Bliley Act?

    There are three major components of the GLBA, designed to work together to govern the collection, disclosure, and protection of customers' nonpublic personal information (NPI), namely:

    The Financial Privacy Rule: Restricts the sharing of nonpublic personal information (NPI) about an individual and requires financial institutions to provide each consumer with a privacy notice at the start of the customer relationship and annually thereafter.

    The Safeguards Rule: Requires financial institutions to develop an information security plan that describes how the company is prepared for and plans to continue to protect customers' and former customers' nonpublic personal information (NPI).

    Pretexting Protection: Pretexting, or social engineering, occurs when someone tries to obtain nonpublic personal information without the authority to do so, for example by impersonating the account holder by phone or mail, or by phishing or spear phishing. GLBA makes it unlawful to obtain customer information from a financial institution by false pretenses (15 U.S.C. § 6821), and institutions are expected to train staff and maintain procedures, such as caller verification, that defeat such attempts.

  • What is the GLBA Financial Privacy Rule?

    The GLBA Financial Privacy Rule restricts the sharing of nonpublic personal information (NPI) and requires customers to be given a privacy notice at the start of the customer relationship and annually thereafter.

    The notice describes what information is collected, with whom it is shared, how it is used, and how it is protected, and explains the customer's right to opt out of sharing with nonaffiliated third parties. Where the institution shares certain information with its affiliates, the notice also carries the separate opt-out required by the Fair Credit Reporting Act.

    If the institution's privacy practices change, customers must receive a revised notice before information is shared under the new terms, and they are given a fresh opportunity to opt out.

    When customers allow their information to be shared with nonaffiliated third parties, those parties must handle the information in accordance with the original privacy notice and may not reuse or redisclose it beyond what that notice permits.

  • What is the GLBA Safeguards Rule?

    The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security plan that outlines administrative, technical and physical safeguards that are appropriate for the size and complexity of the organization and its financial activities.

  • What Should the Safeguards Do?

    Ensure the confidentiality, integrity, and availability of current and former customers' nonpublic personal information (NPI)

    Protect against common cyber attacks, cyber threats, and attack vectors

    Protect against data breaches, data leaks, and unauthorized access to or use of nonpublic personal information (NPI)

    Apply to any record containing nonpublic personal information (NPI) whether paper, electronic or other form

  • What is a Nonaffiliated Third Party?

    A "nonaffiliated third party" is any person except a financial institution's affiliate or a person employed jointly by a financial institution and a company that is not the institution's affiliate.