The Gramm-Leach-Bliley Act

Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, in 1999.28 It is the primary law governing the protection of consumer financial information. The law made great changes in the banking industry, allowing banks, securities firms, and insurance companies to merge, which was not allowed before the law. The financial industry urged Congress to pass the law so that customers could use one company for all their financial needs.

GLBA allowed large companies to merge. In doing so, these new, larger corporations would have access to sizable amounts of consumer financial information. Therefore, people feared that their privacy would suffer. This fear was not unreasonable, because financial institutions often sold customer banking information to other companies. To help alleviate this fear, Congress included privacy protections in the GLBA.

Purpose, Scope, and Main Requirements

GLBA applies to financial institutions. It defines a financial institution as any institution that engages in financial activities. The definition of financial activities is very broad. It includes borrowing, lending, providing credit counseling, debt collection, and other activities.29

The law requires financial institutions to protect a customer’s nonpublic financial information. It states that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers.”30 This means institutions must provide privacy and security protections to their customers and to the customers’ nonpublic personal information (NPI).

Nonpublic personal information is personally identifiable financial information that a consumer gives to a financial institution.31 NPI also includes private information that an institution gets from other sources. It also includes lists or descriptions of consumers that are prepared by using this kind of information. NPI can be in paper or electronic form and includes:

  • Social Security number (SSN)
  • Financial account numbers
  • Credit card numbers
  • Date of birth
  • Name, address, and phone numbers when collected with financial data
  • Details of any transactions or the fact that an individual is a customer of a financial institution

NPI does not include publicly available information about a consumer. Publicly available personal information is available to the general public. It can be made public through state or federal records or disclosures that are required by law. Information can be made public in different ways, such as records filed in a county recorder’s office. Financial institutions cannot assume that certain types of personally identifiable information are publicly available. They must take reasonable steps to make sure that information is actually publicly available if they want to claim that it is publicly available.

NOTE

A person’s address in a phone book is publicly available.

GLBA requires financial institutions to follow three main rules to protect consumer financial information:

  • Privacy Rule
  • Safeguard Rule
  • Pretexting Rule

GLBA applies to consumer financial transactions. These are transactions made for personal, family, or household services. GLBA does not apply to business transactions.

The Privacy Rule

Under the GLBA Privacy Rule,32 a financial institution may not share NPI with non-affiliated third parties unless the institution gives notice to the consumer. The notice must tell consumers about the types of data that the institution collects and how it uses that information. This is called a notice of privacy practices. GLBA also requires that consumers have a chance to opt-out of some data sharing. The GLBA Privacy Rule went into effect on July 1, 2001.

FYI

Congress originally gave the federal bank regulatory agencies, the Securities and Exchange Commission (SEC), and the FTC the authority to create rules to enforce the GLBA privacy provisions. All of the agencies created and issued similar regulations that are tailored for their respective oversight areas. In 2010, the Dodd-Frank Act33 transferred the rulemaking authority to the CFPB. The CFPB then restated the implementing regulations in a document known as Regulation P.34

GLBA distinguishes between customers and consumers for its notice requirements:35

  • A customer is a consumer who has a continuing relationship with a financial institution. An institution must give a customer written notice of its privacy practices as soon as the customer relationship begins.
  • A consumer is any individual who obtains a consumer financial product or service from a financial institution. A financial institution does not have to give consumers notice of its privacy practices if it does not share its consumers’ NPI with nonaffiliated parties.

A person is a customer of a financial institution if he or she has an ongoing relationship with the institution. For example, a person with a checking or savings account at a bank has an ongoing relationship with that bank. An example of a consumer without a customer relationship is a person who withdraws cash from an ATM that does not belong to his or her own bank.

GLBA requires that certain information be included in the privacy notice.36 For example, the financial institution must describe the types of NPI that it collects. It must disclose how it shares NPI with affiliated and nonaffiliated third parties. Finally, it must state how it protects a customer’s NPI. Customers must receive a copy of the privacy notice annually for as long as the customer relationship continues.

NOTE

A nonaffiliated party is an entity that is not legally related to a financial institution. Affiliated parties, in contrast, have a legal relationship of some kind. An affiliated party is an entity that controls, is controlled by, or is under the common control of another entity. Affiliates are businesses that are within the same corporate family.

The privacy notice also must provide a customer with an opportunity to stop a financial institution from sharing the customer’s NPI with nonaffiliated third parties.37 This is called an “opt-out” provision. The privacy notice must tell customers how to opt-out. If a customer does not opt-out, then the financial institution can share NPI in the ways described by its privacy notice.

GLBA does not give customers the right to opt-out of situations where a financial institution shares NPI with its affiliates. There are also some instances where customers cannot opt-out at all. For example, customers cannot opt-out of a disclosure that is required by law.

NOTE

The FCRA also allows customers to opt-out of some types of information sharing. Under that law, customers can stop financial institutions from sharing their credit report or credit applications with affiliates. GLBA privacy notices must include this disclosure.

GLBA did not specify how a financial institution should write its notice of privacy practices. Many of the earliest notices were hard to read because they contained complex legal language. That made it difficult for people to understand their rights. It was also very hard to compare the privacy policies of different financial institutions.

After customers complained about the hard-to-read notices, Congress responded quickly. The Financial Services Regulatory Relief Act of 2006 amended the GLBA Privacy Rule so that it required the agencies responsible for enforcing the Privacy Rule to propose a model form for privacy notices. Congress directed that this model form should be easy to read and understand.

NOTE

In 2001, the Privacy Rights Clearinghouse studied the privacy notices of 60 financial institutions. The study found that most notices were written at a third- or fourth-year college reading level.38

On November 17, 2009, the federal bank regulatory agencies, the SEC, and the FTC announced that they had completed the model form.39 All of the agencies amended their privacy regulations to include use of it. The agencies made an online form builder available in April 2010. The Model Privacy Notice Form is shown in FIGURE 4-2.

[Figure: screenshot of the Model Privacy Notice Form, page 1.]

FIGURE 4-2A
The Model Privacy Notice Form.

Federal Trade Commission (see https://www.ftc.gov/sites/default/files/attachments/press-releases/federal-regulators-issue-final-model-privacy-notice-form/privacymodelform.pdf).

[Figure: screenshot of the Model Privacy Notice Form, page 2.]

FIGURE 4-2B
The Model Privacy Notice Form, page 2.

Federal Trade Commission (see https://www.ftc.gov/sites/default/files/attachments/press-releases/federal-regulators-issue-final-model-privacy-notice-form/privacymodelform.pdf).

The Safeguards Rule

GLBA requires the federal bank regulatory agencies, the SEC, and the FTC to issue security standards for the institutions that they regulate.40 This is commonly referred to as the Safeguards Rule. The law requires that each agency establish standards that:

  • Protect the security and confidentiality of customer information.
  • Protect against threats to the security or integrity of customer information.
  • Protect against unauthorized access to or use of customer information that could result in harm to a customer.

Congress did not require the regulatory agencies to work together to create these standards, as it did for the Privacy Rule.41 Therefore, the SEC issued its standards in June 2000. The federal bank regulatory agencies worked through the FFIEC to create joint guidelines that were issued in 2001. The FTC issued its Safeguards Rule in May 2002. Financial institutions regulated by the FTC had to comply with its rule by May 2003. This section will refer to the FTC Safeguards Rule.

The FTC Safeguards Rule42 requires financial institutions to create a written information security program that must state how the institution collects and uses customer information. It must also describe the administrative, technical, or physical controls used to protect that information. The program must protect information in paper and electronic form.

The FTC rule requires that a financial institution’s information security program be appropriate to the institution’s size and complexity. The program also must be suitable for the sensitivity of the customer information that the institution uses. As part of its program, an institution must:

  • Assign an employee to coordinate the program.
  • Conduct a risk assessment to identify risks to the security, confidentiality, and integrity of customer information and assess current safeguards to make sure that they are effective.
  • Design and implement safeguards to control the identified risks.
  • Select service providers and make sure that any contract includes terms to protect customer information.
  • Review the information security program on an ongoing basis to account for changes in the business.

The Safeguards Rule allows financial institutions to pick the controls that best protect their customer information. It specifies three areas that institutions must review:

  • Employee management and training
  • Information systems design
  • Detecting and responding to attacks and system failures

Institutions must be sure to address these areas when conducting their risk assessments. They also must make sure that these areas are included in their information security program.

A financial institution also must make sure that its service providers protect customer information. A service provider is an entity that provides services to a financial institution. A business that handles outsourced tasks is a service provider. These providers may access customer information when they provide services to an institution. Institutions must require their affiliates and service providers to protect customer information.

FYI

The FTC announced in March 2019 that it was seeking comments on proposed changes to the Safeguards Rule, which were due in August 2019. As of this writing, the FTC has not made any updates to the Safeguards Rule. You can track the progress of any updates to the rule at https://www.regulations.gov/docket?D=FTC-2019-0019.

The Pretexting Rule

GLBA’s final consumer protection is the Pretexting Rule.43 Pretexting, also known as social engineering, is an attempt to gain access to customer information without proper authority to do so.

Under the law, it is illegal to make false, fictitious, or fraudulent statements to a financial institution or its customers to get customer information. It is also illegal to use forged, counterfeit, lost, or stolen documents to do the same thing. These rules try to stop identity theft before a crime is committed. Courts can impose criminal penalties if these rules are violated.

Most financial institutions address pretexting in their information security programs. It is covered as part of security awareness and training activities. Employees are trained to recognize and report pretexting.

Oversight

GLBA compliance oversight falls to different federal agencies. Oversight is based on the type of financial institution under review. The federal bank regulatory agencies (the Fed, FDIC, OCC, and NCUA) enforce GLBA for the institutions that they regulate. The SEC oversees GLBA for securities brokers and dealers. Each agency can bring an action against the institutions it regulates for not complying with GLBA.

The FTC enforces GLBA for any financial institution that is not regulated by one of the other agencies. Similar to the other agencies, the FTC may bring an action against any financial institution that does not comply with GLBA. The FTC has been quite active in pursuing GLBA enforcement actions.
