Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, in 1999.28 It is the primary law governing the protection of consumer financial information. The law made great changes in the banking industry, allowing banks, securities, and insurance companies to merge, which was not allowed before the law. The financial industry urged Congress to pass the law so that customers could use one company for all their financial needs.
GLBA allowed large companies to merge. In doing so, these new, larger corporations would have access to sizable amounts of consumer financial information. Therefore, people feared that their privacy would suffer. This fear was not unreasonable, because financial institutions often sold customer banking information to other companies. To help alleviate this fear, Congress included privacy protections in the GLBA.
GLBA applies to financial institutions. It defines a financial institution as any institution that engages in financial activities. The definition of financial activities is very broad. It includes borrowing, lending, providing credit counseling, debt collection, and other activities.29
The law requires financial institutions to protect a customer’s nonpublic financial information. It states that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers.”30 This means institutions must provide privacy and security protections to their customers and to the customers’ nonpublic personal information (NPI).
Nonpublic personal information is personally identifiable financial information that a consumer gives to a financial institution.31 NPI also includes private information that an institution gets from other sources. It also includes lists or descriptions of consumers that are prepared by using this kind of information. NPI can be in paper or electronic form and includes:
NPI does not include publicly available information about a consumer. Publicly available personal information is information that is available to the general public. It can be made public through state or federal records or through disclosures that are required by law. Information can be made public in different ways, such as records filed in a county recorder’s office. Financial institutions cannot assume that certain types of personally identifiable information are publicly available. An institution that wants to treat information as publicly available must take reasonable steps to confirm that it actually is.
NOTE
A person’s address in a phone book is publicly available.
GLBA requires financial institutions to follow three main rules to protect consumer financial information:
GLBA applies to consumer financial transactions. These are transactions made for personal, family, or household services. GLBA does not apply to business transactions.
Under the GLBA Privacy Rule,32 a financial institution may not share NPI with non-affiliated third parties unless the institution gives notice to the consumer. The notice must tell consumers about the types of data that the institution collects and how it uses that information. This is called a notice of privacy practices. GLBA also requires that consumers have a chance to opt out of some data sharing. The GLBA Privacy Rule went into effect on July 1, 2001.
FYI
Congress originally gave the federal bank regulatory agencies, the Securities and Exchange Commission (SEC), and the FTC the authority to create rules to enforce the GLBA privacy provisions. All of the agencies created and issued similar regulations that are tailored for their respective oversight areas. In 2010, the Dodd-Frank Act33 transferred the rulemaking authority to the CFPB. The CFPB then restated the implementing regulations in a document known as Regulation P.34
GLBA distinguishes between customers and consumers for its notice requirements:35
A person is a customer of a financial institution if he or she has an ongoing relationship with the institution. For example, a person with a checking or savings account at a bank has an ongoing relationship with that bank. An example of a consumer without a customer relationship is a person who withdraws cash from an ATM that does not belong to his or her own bank.
GLBA requires that certain information be included in the privacy notice.36 For example, the financial institution must describe the types of NPI that it collects. It must disclose how it shares NPI with affiliated and nonaffiliated third parties. Finally, it must state how it protects a customer’s NPI. Customers must receive a copy of the privacy notice annually for as long as the customer relationship continues.
NOTE
A nonaffiliated party is an entity that is not legally related to a financial institution. Affiliated parties, in contrast, have a legal relationship of some kind. An affiliated party is an entity that controls, is controlled by, or is under the common control of another entity. Affiliates are businesses that are within the same corporate family.
The privacy notice also must provide a customer with an opportunity to stop a financial institution from sharing the customer’s NPI with nonaffiliated third parties.37 This is called an “opt-out” provision. The privacy notice must tell customers how to opt out. If a customer does not opt out, then the financial institution can share NPI in the ways described in its privacy notice.
GLBA does not give customers the right to opt out of situations where a financial institution shares NPI with its affiliates. There are also some instances where customers cannot opt out at all. For example, customers cannot opt out of a disclosure that is required by law.
NOTE
The FCRA also allows customers to opt out of some types of information sharing. Under that law, customers can stop financial institutions from sharing their credit reports or credit applications with affiliates. GLBA privacy notices must include this disclosure.
GLBA did not specify how a financial institution should write its notice of privacy practices. Many of the earliest notices were hard to read because they were written in complex legal language. That made it difficult for people to understand their rights. It was also very hard to compare the privacy policies of different financial institutions.
After customers complained about the hard-to-read notices, Congress responded quickly. The Financial Services Regulatory Relief Act of 2006 amended the GLBA Privacy Rule to require the agencies responsible for enforcing it to propose a model form for privacy notices. Congress directed that this model form should be easy to read and understand.
NOTE
In 2001, the Privacy Rights Clearinghouse studied the privacy notices of 60 financial institutions. The study found that most notices were written at a third- or fourth-year college reading level.38
On November 17, 2009, the federal bank regulatory agencies, the SEC, and the FTC announced that they had completed the model form.39 All of the agencies amended their privacy regulations to include use of it. The agencies made an online form builder available in April 2010. The Model Privacy Notice Form is shown in FIGURE 4-2.
GLBA requires the federal bank regulatory agencies, the SEC, and the FTC to issue security standards for the institutions that they regulate.40 This is commonly referred to as the Safeguards Rule. The law requires that each agency establish standards that:
Congress did not require the regulatory agencies to work together to create these standards, as it did for the Privacy Rule.41 Therefore, the SEC issued its standards in June 2000. The federal bank regulatory agencies worked through the FFIEC to create joint guidelines that were issued in 2001. The FTC issued its Safeguards Rule in May 2002. Financial institutions regulated by the FTC had to comply with its rule by May 2003. This section will refer to the FTC Safeguards Rule.
The FTC Safeguards Rule42 requires financial institutions to create a written information security program that must state how the institution collects and uses customer information. It must also describe the administrative, technical, or physical controls used to protect that information. The program must protect information in paper and electronic form.
The FTC rule requires that a financial institution’s information security program be a good fit for its size and complexity. The program also must be suitable for the sensitivity of the customer information that the institution uses. As part of its program, an institution must:
The Safeguards Rule allows financial institutions to pick the controls that best protect their customer information. It specifies three areas that institutions must review:
Institutions must be sure to address these areas when conducting their risk assessments. They also must make sure that these areas are included in their information security program.
A financial institution also must make sure that its service providers protect customer information. A service provider is an entity that provides services to a financial institution. A business that handles outsourced tasks is a service provider. These providers may access customer information when they provide services to an institution. Institutions must require their affiliates and service providers to protect customer information.
FYI
The FTC announced in March 2019 that it was seeking comments on proposed changes to the Safeguards Rule, which were due in August 2019. As of this writing, the FTC has not made any updates to the Safeguards Rule. You can track the progress of any updates to the rule at https://www.regulations.gov/docket?D=FTC-2019-0019.
GLBA’s final consumer protection is the Pretexting Rule.43 Pretexting, also known as social engineering, is the attempt to gain access to customer information without proper authority to do so.
Under the law, it is illegal to make false, fictitious, or fraudulent statements to a financial institution or its customers to get customer information. It is also illegal to use forged, counterfeit, lost, or stolen documents to do the same thing. These rules try to stop identity theft before a crime is committed. Courts can impose criminal penalties if these rules are violated.
Most financial institutions address pretexting in their information security programs. It is covered as part of security awareness and training activities. Employees are trained to recognize and report pretexting.
GLBA compliance oversight falls to different federal agencies, depending on the type of financial institution under review. The federal bank regulatory agencies (the Fed, FDIC, OCC, and NCUA) enforce GLBA for the institutions that they regulate. Similarly, the SEC oversees GLBA for securities brokers and dealers. Each agency can bring an action against the institutions it regulates for not complying with GLBA.
The FTC enforces GLBA for any financial institution that is not regulated by one of the other agencies. Similar to the other agencies, the FTC may bring an action against any financial institution that does not comply with GLBA. The FTC has been quite active in pursuing GLBA enforcement actions.