The Gramm-Leach-Bliley Act (GLBA)

GLBA, also known as the Financial Services Modernization Act of 1999, applies to the financial sector. GLBA repealed part of the Glass-Steagall Act of 1933, which had restricted financial institutions to acting as either an investment bank, a commercial bank, or an insurance company. With the repeal, financial institutions were allowed to combine these activities under one company or financial group.

The Gramm-Leach-Bliley Act also created a Privacy Rule to regulate the collection, use and disclosure of customers’ financial information. Furthermore, it created a Safeguards Rule, which requires security measures to be implemented to protect consumer information from unauthorized access and disclosure.

Who must comply with the Gramm-Leach-Bliley Act?

All financial institutions must comply with the act, even those that do not disclose private financial information. Privacy policies and security safeguards must be in place regardless of a company’s disclosure practices. The Safeguards Rule applies not only to financial institutions but to all entities handling financial information, such as consumer reporting agencies.

The Privacy Rule

The Privacy Rule of the GLBA protects the privacy of customers of financial institutions and their nonpublic information. A customer is defined as someone having a long-term relationship with a financial institution, such as a mortgage, a loan or an insurance policy. Only information that is not considered part of the public record is protected under the Privacy Rule. Nonpublic information includes information provided by the consumer in connection with an application for, or receipt of, a product or service from the financial institution.

Under the Privacy Rule:

  • A customer must receive a copy of the financial institution’s privacy notice upon entering the relationship and once every year for the duration of the relationship. A new copy of the notice must be provided whenever any of the privacy policies are modified.
  • The Privacy Notice must describe the type of information collected by the financial institution, how it is used, any possible third-party disclosures, and must include a statement regarding the safeguarding of the customer’s personal information.
  • The Privacy Notice must contain a statement notifying the customer of the opportunity to opt out of disclosure of information to unaffiliated third parties, so as to comply with the Fair Credit Reporting Act.
  • Financial institutions are prohibited from sharing customer account numbers with non-affiliated third parties.

Title V of the Gramm-Leach-Bliley Act provides regulations for the disclosure of information to third parties:

  • Financial institutions may share any customer information with affiliated third parties.
  • Financial institutions may share customer information with nonaffiliated third parties only if an opt-out notice has been given to the customer and the customer has not exercised the right to stop nonaffiliated disclosures.

The Safeguards Rule

The Safeguards Rule requires all financial institutions to have security plans in place to ensure the confidentiality and integrity of customer data. An Information Security Plan must make use of:

  • Administrative safeguards, such as employee oversight and training;
  • Physical safeguards, such as restricted access to hardware and disaster recovery plans;
  • Technical safeguards, such as firewalls, encryption, access controls and secure computer networks.

Safeguards must be proportionate to the scope of the institution’s activities and to the risk to the institution and the information it handles.

Furthermore, the Safeguards Rule requires that an employee be designated to oversee the development and coordination of security within the institution.


The Gramm-Leach-Bliley Act made major changes to the financial sector, particularly with regard to the protection of customer information. Though the GLBA pertains mostly to financial institutions engaged in long-term relationships with individuals, it is important for all business owners to understand how financial information is protected and where their organization, and the financial information it collects, fits under financial sector privacy law.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional/Government exam, a privacy professional should be comfortable with the topics related to this post, including:

  • U.S. Public and Private Sector General Laws including GLBA (I.B.a.iii.)
