The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to protect their customers' private information.
The GLBA requires the Consumer Financial Protection Bureau (CFPB), the Securities and Exchange Commission, the Commodity Futures Trading Commission (CFTC), and the Federal Trade Commission (FTC) to promulgate regulations to safeguard nonpublic personal information (NPI). GLBA also requires the FTC and SEC to implement standards, while other agencies have the option of issuing guidance.
The primary concern of GLBA is to ensure the confidentiality of customers' personally identifiable information (PII) and financial information by following certain privacy and security standards:
Privacy standards: Customers must be notified of information-sharing practices and provided with a way to opt out of unnecessary sharing; see 15 U.S.C. § 6801(a).
Security standards: Have an information security policy designed to ensure the confidentiality, integrity, and availability of customer records and information; protect customer records from anticipated cyber attacks, cyber threats, and other attack vectors; and protect against unauthorized access to or use of customer records or information that could result in harm or inconvenience to the customer, e.g. data breaches and data leaks; see 15 U.S.C. § 6801(b).
The GLBA applies to financial institutions, meaning any business offering financial products or services to individuals, such as loans, financial advice, investment advice, or insurance. It also imposes limited obligations on certain third parties that receive nonpublic personal information (NPI) from GLBA-regulated financial institutions.
Because GLBA is focused on customer data, financial institutions that only provide services to other businesses are not covered by GLBA. Nor is an individual who merely uses an ATM or cashes a check covered, because there is no ongoing customer relationship.
Examples of financial institutions include:
Non-bank mortgage lenders
Real estate appraisers
Some financial or investment advisers
Tax return preparers
Real estate settlement service providers
Examples of nonpublic personal information (NPI) include:
An individual's income, social security number, marital status, amount of savings or investments, payment history, loan or deposit balance, credit or debit card purchases, account numbers, or consumer reports
The fact that the individual has an account with a particular financial institution
Any list, description, or grouping of customers that is derived using a combination of nonpublic personal information (NPI) and publicly available information
Any information the financial institution has obtained over the customer relationship or collected through cookies
There are three major components of the GLBA, designed to work together to govern the collection, disclosure, and protection of customers' nonpublic personal information (NPI), namely:
The Financial Privacy Rule: Restricts the sharing of nonpublic personal information (NPI) about an individual and requires financial institutions to provide each consumer with a privacy notice at the start of the customer relationship and annually thereafter.
The Safeguards Rule: Requires financial institutions to develop an information security plan that describes how the company is prepared for and plans to continue to protect customers' and former customers' nonpublic personal information (NPI).
Pretexting Protection: Pretexting or social engineering occurs when someone tries to gain access to nonpublic personal information without the authority to do so. This may entail requesting private information by impersonating the account holder by phone, by mail, or by phishing or spear phishing. GLBA encourages organizations to implement safeguards against pretexting.
The GLBA Financial Privacy Rule restricts the sharing of nonpublic personal information (NPI) and requires customers to be given a privacy notice at the start of the customer relationship and annually thereafter.
The notice outlines what information is collected, where the information is shared, how the information is used, and how it is protected, and highlights the customer's right to opt out of information sharing with nonaffiliated third parties pursuant to the provisions of the Fair Credit Reporting Act.
When customers agree to have their information shared with unaffiliated parties, the unaffiliated parties must handle the information in accordance with the original privacy notice agreement.
The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security plan that outlines administrative, technical, and physical safeguards appropriate for the size and complexity of the organization and its financial activities. The plan and its safeguards must:
Ensure the confidentiality, integrity, and availability of current and former customers' nonpublic personal information (NPI)
Protect against common cyber attacks, cyber threats, and attack vectors
Protect against data breaches, data leaks, and unauthorized access to or use of nonpublic personal information (NPI)
Apply to any record containing nonpublic personal information (NPI), whether in paper, electronic, or other form