Gramm-Leach-Bliley Act

Published on :

21 Aug, 2024

Blog Author :

Edited by :

Reviewed by :

The Gramm-Leach-Bliley Act (GLBA) or Financial Modernization Act refers to a law in the U.S. that requires financial institutions, for example, banks, to mention how they safeguard and share their customers' NPI or nonpublic personal information. It aims to safeguard consumers' financial privacy.

The majority of the financial institutions in the U.S. need to meet the compliance requirements of this act. It minimizes the risk of reputational damage and penalties caused by leaks and data breaches. The FTC or Federal Trade Commission, multiple federal regulatory authorities, and state insurance oversight agencies enforce the federal law.

What Is The Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act refers to a law enacted by the federal government that requires financial institutions, such as loan brokers and banks, to elucidate how they share and safeguard their customers' private and financial information.
In the case of violations of the Gramm-Leach-Bliley Act, financial institutions must pay a fine of $100,000 for each violation.
There are multiple criticisms of this act. For example, enforcement and compensation mechanisms are not that strong. Moreover, it cannot improve consumers' control regarding affiliate information sharing.
A key benefit of this law is that it offers protection of consumer data against cyber attacks.

Gramm-Leach-Bliley Act Explained

The Gramm-Leach-Bliley Act refers to a federal law that came into existence to regulate the disclosure and protection of NPI accumulated by financial institutions from persons who provided the details to get a financial service or product for household, personal, or family purposes.

The Gramm-Leach-Bliley Act of 1999 aims to ensure that financial institutions keep their customer's financial information and Personal Identifiable Information (PII) confidential by adhering to the set security and privacy standards. One must remember that NPI may include phone numbers, names, addresses, account numbers, and any other confidential information provided to a financial institution, for example, a bank, real estate appraiser, loan broker, non-bank mortgage lender, etc.

Servicers and institutions must develop, execute, and maintain a detailed, written information security program to achieve the objectives of this act. The regulations of the Federal Trade Commission require the information security program to include physical, administrative, and technical safeguards suitable for the servicer or institution's complexity and size, the scope and nature of their operations, in addition to the sensitivity of any student-related information.

Compliance Rules & Requirements

The Gramm-Leach-Bliley Act of 1999 has three key rules which one must know to understand the requirements of this legislation clearly. Each of the rules guides and informs organizations regarding:

The kinds of data to protect
Reducing and preventing any opportunity for unauthorized access
Particular measures individuals expect from the bill

Let us look at these three rules in detail.

#1 - Financial Privacy Rule

Financial institutions and organizations receiving NPI from different financial institutions must adhere to this rule of the GLBA Act. The rule covers the majority of an individual's personal data, for example, name, Social Security number, date of birth, etc., and transactional information, such as credit card details and bank account numbers. Moreover, it covers private information one may obtain when carrying out a transaction, for instance, a credit report.

#2 - Safeguards Rule

The safeguards rule ensures that financial institutions and other organizations have the necessary means to safeguard consumers' private information. In other words, per this rule, the adherents of GLBA need to have physical, administrative, and technical safeguards that they can utilize to process, distribute, accumulate, store, safeguard, remove, transmit, or otherwise manage customers' information.

Some noteworthy requirements to follow this rule are proper software, employee training, and monitoring and texting vulnerabilities.

#3 - Pretexting Provisions

Besides safeguarding NPI, GLBA adherents must take the necessary steps to identify and prevent instances involving unauthorized access as much as possible. The main purpose of creating this rule is to minimize data loss and safeguard consumers.

Examples

Let us look at a few Gramm-Leech-Bliley examples to understand the concept better.

Example #1

On February 4, 2023, Patrick Timothy McHenry, the United States representative for North Carolina, proposed the development of the Data Privacy Act via the introduction of a bill. This bill aims to amend the Financial Modernization Act by making several changes. Some of the alterations are as follows:

It will update the 'financial institutions' included by the act to cover 'data aggregators.'
Consumers could delete their NPI or request access to the information.
The privacy notice that the GLBA requires would expand to cover additional necessary content.

Example #2

On November 15, 2022, The FTC announced that companies would get a 6-month extension to comply with specific updated requirements of the GLBA's Safeguards Rule. The new deadline was set on June 9, 2023. Specifically, provisions impacted by the extension included certain requirements for financial institutions. Some of the requirements are as follows:

They would have to create a written risk assessment.
The financial institutions must designate a qualified person to oversee the information security program.
They would have to restrict and track who is able to access sensitive information related to customers.

Benefits

The GLBA requires financial institutions and other GLBA adherents to offer the following benefits to consumers:

They take the required measures to secure consumers' information against unauthorized access.
The adherents notify customers regarding any private information shared between them and third parties.
They monitor user activity, including any attempt to gain access to safeguarded records. Thus, they can safeguard data from anticipated cyber threats and attacks.
Compliance with GLBA safeguards consumer records and consumers, helping the adherents and their customers to form longstanding relationships.
All requirements of the GLBA boost customer loyalty and enhances the reputation of the organizations adhering to federal law.

Criticisms

Some criticisms of this act are as follows:

It weakens customers' ability to control their private and financial information.
GLBA notices can be confusing. Moreover, they can restrict transparency concerning information practices.
GLBA does not do enough to address privacy notices' lack of transparency. Its notices do not inform consumers about who will get their personal information and for what purpose.
This act cannot improve customers' control concerning affiliate information sharing.
The GLBA's compensation and enforcement mechanisms are weak.
A financial institution, for example, a bank, can avoid opt-out requirements by exploiting exceptions in the act.

Potential Penalties

If violations of the Gramm-Leach-Bliley Act are proven, the punishment may have life or business-altering ramifications. Some noteworthy non-compliance penalties are as follows:

A fine worth $10,000 for every violation by individuals.
A $100,000 fine for every violation by a financial institution.
A maximum jail term of 5 years for individuals

Best Practices

The primary focus of this act is to tighten and grow customer information privacy restrictions and safeguards. Financial institutions and Information Technology or IT professionals' main concern with regard to this federal law is ensuring and securing the confidentiality of the financial and private information belonging to customers. Ensuring the maintenance of GLBA compliance is vital for financial institutions as the violations can be expensive and detrimental to their operations.

That said, by taking the necessary measures to protect nonpublic information and comply with the act, organizations will benefit from increased customer loyalty and trust besides avoidance of penalties and security.

Frequently Asked Questions (FAQs)

1. What disclosures are required by the Gramm-Leach-Bliley Act?

The law requires financial institutions to reveal their practices and policies to safeguard the confidentiality, integrity, and security of consumers' nonpublic personal information, irrespective of whether they are the financial institution's customers.

2. What is the difference between GDPR and Gramm-Leach-Bliley Act?

While the GLBA applies to financial institutions only, the General Data Protection Regulation or GDPR applies to organizations that process the personal information of citizens belonging to the European Union. Also, GDPR provides individuals with the right to erase their personal data. However, such a provision is absent in the case of GLBA.

3. What is the difference between PCI and Gramm-Leach-Bliley Act?

Every financial institution has to comply with the GLBA and accordingly execute security programs to safeguard individuals' private details. On the other hand, the Payment Card Industry Data Security Standard or PCI DSS provides guidelines for all organizations accepting payments via debit and credit cards.