What is the Gramm-Leach-Bliley Act (GLBA)?
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate.
The History of the GLBA
Due to the remarkable losses incurred as a result of 1929’s Black Tuesday and Black Thursday, the Glass-Steagall Act was originally created to protect bank depositors from additional exposure to the risk associated with stock market volatility. As a result, for many years, commercial banks were not legally allowed to act as brokers. Because many other regulations protecting bank depositors had been instituted since the 1930s, GLBA was created to allow these financial industry participants to offer more services.
GLBA was passed on the heels of commercial bank Citicorp’s merger with the insurance firm Travelers Group. This led to the formation of the conglomerate Citigroup, which offered not only commercial banking and insurance services, but also lines of business related to securities. Its brands at this stage included Citibank, Smith Barney, Primerica, and Travelers. Citicorp’s merger was a violation of the then-existing Glass–Steagall Act, as well as the Bank Holding Company Act of 1956.
To allow the merger to take place, the U.S. Federal Reserve gave Citigroup a temporary waiver in September 1998—a precursor to Congress’s passage of GLBA. Moving forward, other similar mergers would be fully legal. Repealing Glass–Steagall also removed the ban of “simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank.”
Who must Comply with the GLBA?
The GLBA applies to financial institutions, meaning any business that offers financial products or services to individuals, such as loans, financial advice, investment advice or insurance. It also imposes limited obligations on certain third parties that receive nonpublic personal information (NPI) from GLBA-regulated financial institutions.
Examples of financial institutions include:
- Non-bank mortgage lenders
- Real estate appraisers
- Loan brokers
- Some financial or investment advisers
- Debt collectors
- Tax return preparers
- Real estate settlement service providers
Because GLBA is focused on customer data, financial institutions that only provide services to other businesses are not covered by GLBA. Nor is an individual who uses an ATM or cashes a check covered, because there is no ongoing customer relationship.
What are the penalties for non-compliance with GLBA?
Noncompliance with the Gramm-Leach-Bliley Act carries penalties that include fines and imprisonment. If a financial institution violates GLBA:
- The institution will be subject to a civil penalty of not more than $100,000 for each violation
- Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
- The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both
What Provisions does the GLBA have?
The GLBA created provisions protecting the financial information of consumers held by financial institutions. The law’s privacy protection provisions have three principal parts:
- Financial Privacy Rule. Governs the collection and disclosure of customers’ personal financial information by financial institutions. Applies to companies, including financial institutions, that receive this information. Under this rule, recipients of consumer information must furnish to their customers a privacy notice explaining how customer information is shared, used, and protected. On November 17, 2009, eight federal agencies, including the FDIC, the SEC, and the FTC, released a model privacy notice that makes it easier for consumers to understand how their information is collected (see Federal Regulators Issue Final Model Privacy Notice Form).
- Safeguards Rule. Requires the design, implementation, and maintenance of systems to safeguard customers’ financial information. Applies to financial institutions and companies, such as credit rating agencies, that receive customer information.
- Pretexting provisions. Protects consumers from companies and individuals that obtain their financial information under false pretenses.