The Gramm-Leach-Bliley Act, known as the GLBA, was passed in 1999 under President Clinton. The goal of the GLBA was to update and modernize the financial industry. Today, it’s primarily used to protect customer and consumer information, with steep penalties for financial institutions that violate its privacy rules. Here’s what you need to know about the GLBA and its regulations.
Background: What does the GLBA do?
When the GLBA was passed, it aimed to update and modernize the financial industry. The GLBA is best known for repealing the Glass-Steagall Act, an act created in the wake of the stock market crash in 1929 to protect bank depositors from additional exposure to risk.
The GLBA also includes key measures to protect consumer financial privacy. GLBA requires “financial institutions” to explain their information-sharing practices to customers. The FTC, which oversees the GLBA, defines financial institutions broadly. Organizations that are subject to the GLBA are those which participate in:
- Loans, exchanges, money transfers, or investments for others, as well as safeguarding money or securities. “These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders,” according to the FTC.
- Offering financial, investment, or economic advice. “These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors,” wrote the FTC.
- Brokering and/or servicing loans
- Debt collection
- Real estate settlement services
- Career counseling for those seeking work in the financial services industry
There are steep penalties for not complying with the GLBA. Financial institutions that don’t adhere to the GLBA financial privacy rule are subject to civil penalties that can add up to $100,000 for each violation. The most serious violations could be subject to further fines, and even imprisonment of up to five years.
The GLBA requirements are divided into three sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions. Let’s take a deeper look at the Financial Privacy Rule.
The GLBA Financial Privacy Rule
The Financial Privacy Rule is the core component of the GLBA. It requires financial institutions to notify customers about their privacy policies and to protect the confidentiality of customer data. Essentially, a privacy notice must be shared with a customer the moment the relationship is established or if the policy changes.
Some organizations struggle with the Privacy Rule’s distinction between a customer and a consumer. The financial institution is only responsible for protecting the information of a customer, not a consumer.
- A consumer, according to the rule, is “an individual who obtains or has obtained a financial product or service from a financial institution primarily for personal, family, or household purposes — or that individual’s legal representative.”
- A customer is “a subclass of consumer who maintains a continuing relationship with a financial institution.”
For instance, a consumer would be someone who applies for a loan, whether or not they actually obtain the loan. A customer is someone who opens a credit card account, uses the services of a mortgage broker, or gets a loan from a payday lender.
Privacy notice requirements
Under the Privacy Rule, institutions must give their customers "clear and conspicuous" written notice describing their privacy policies and practices. All customers must receive a privacy notice, and so must consumers if you plan to share their nonpublic personal information (NPI) with nonaffiliated third parties.
The privacy notice describes how you collect, disclose, and protect NPI. The GLBA clearly delineates what you must disclose to customers and consumers in the notice. This could include:
- Categories of information collected
- Categories of information disclosed
- Categories of third parties to which you disclose information
- Policies and practices to guard the confidentiality and security of NPI
Read the FTC’s guide on the GLBA privacy notice for the full list of information you must include in the privacy notice.
Essentially, the Privacy Rule seeks to give customers more control over what information is shared and how it is protected. And, while much of the Privacy Rule focuses on the privacy notice, there are other requirements around safeguarding NPI.
Protecting customer NPI
The actual specifics of how to protect customer NPI are shared under the GLBA’s Safeguards Rule, a separate directive from the Privacy Rule. The Safeguards Rule outlines what security measures a financial institution needs to take to keep NPI from falling into the wrong hands.
A central component of the Safeguards Rule is the detailed, written security plan that financial institutions must create to ensure customer data is protected. This plan requires the following elements:
- Assign at least one employee to develop and coordinate an information security program
- Perform a risk assessment to identify risks to customer information in every area of the company; evaluate existing safeguards to combat these risks
- Design and implement an information security program; regularly monitor and test the efficacy of your protections
- Offer regular employee data security training
- Work with service providers that are able to maintain safeguards; ensure contracts require partners to implement and regularly maintain these safeguards
- Modify and update the security program as needed to ensure it is still effective at protecting customer data
The Privacy Rule requires organizations to share this security plan with consumers and customers. As a result, getting it right is vital — which is where tools like Nightfall can help.
Comply with the GLBA privacy rule
In order to remain in compliance with the GLBA Privacy Rule, you must send a privacy notice that includes:
- Your company’s privacy practices
- The type of information it collects and retains on a consumer/customer
- Any partners or individuals with whom it shares the information
- How the institution protects that information
Make sure your privacy notice includes opt-out information: an explanation that customers and consumers have the right to decline to share certain information with affiliate companies.
Financial institutions are required to update and share privacy notices with customers at least once every 12 months for the duration of the customer relationship. Note that an opt-out direction by a consumer or customer remains effective, even after the customer relationship is terminated, until it is canceled in writing or, if the consumer agrees, electronically.
Learn how Nightfall can help achieve GLBA compliance by setting up a demo at the link below.