What is the Gramm-Leach-Bliley Act (GLBA)? (2024)

What is the Gramm-Leach-Bliley Act?

The GLBA, or Gramm-Leach-Bliley Act, is a federal law introduced in the US in 1999. It applies to financial institutions, including companies that offer financial products or services such as loans, financial or investment advice, or insurance to consumers. The main purpose of the act is to ensure that these institutions explain their information-sharing practices to their consumers and protect their sensitive data.

The GLBA, also known as the Financial Services Modernization Act of 1999, comprises the following three sections:

1. The Financial Privacy Rule

This rule regulates the collection and disclosure of all private financial information. Under the rule, financial institutions are not allowed to share their consumers' information with any non-affiliated third party. Before starting a relationship with a customer, the organization must provide a clear and detailed notice.

The Privacy Rule determines which data may be collected and how it must be used and shared. It also describes who can access the data and the strategies and techniques used to protect it. The Fair Credit Reporting Act also states that customers should receive notification of the privacy policy annually.

2. The Safeguards Rule

The Safeguards Rule specifies that a financial institution must maintain a security program to safeguard any kind of private information.

This rule was issued in 2002 by the Federal Trade Commission (FTC).

The rule states that organizations must implement administrative, physical, and technical safeguards to protect data from cyber attacks, email spoofing, phishing schemes, and other cybersecurity threats.

The rule also expects an organization to designate at least one person who is responsible for its information security program, including its development and regular testing.

3. The Pretexting Provisions

This section prohibits any attempt to obtain private information through pretexting.

The act says that financial institutions must give customers written privacy policy notices. These notices explain the institution's information-sharing practices.

A state may choose to impose stricter requirements than the GLBA; that decision rests with its governing body. Financial institutions should be well aware of both the GLBA and the rules imposed by their state.

Who Must Follow the Act?

Those who must comply with the act include financial organizations, dealers, sellers, and providers of insurance services, as well as investment companies and investment consultants.

Objectives of GLBA

The main objective behind the introduction of the GLBA is to ensure that financial institutions and their affiliates guarantee the complete privacy of personally identifiable information (PII). The law states that companies must strictly follow its guidelines to secure the data collected from customer records, whether in paper, electronic, or any other form.

They must also protect sensitive personal information against unauthorized access.

Data Covered by the GLBA

Complying with the GLBA's data requirements is a major step toward protecting a company from data breaches and, in turn, from legal or financial penalties.

As a result, companies' internal risk evaluation and systematic testing of internal controls have measurably improved.

Data that falls under the GLBA includes the following:

  • Customer’s address
  • Bank account details and financial information
  • Biometric and relevant data
  • A person’s date of birth
  • Credit card history or record
  • Customer’s car dealer information
  • Educational performance
  • Employment details
  • Inferences drawn from other data
  • Internet information
  • Geolocation
  • Names
  • Tax-related information
  • Income
  • Social security details

Institutions That Are Regulated by GLBA

Any organization that is involved in financial activities is regulated by the GLBA. Even companies that do not disclose nonpublic personal information are required by the GLBA to create a robust security policy to address future data threats.

GLBA applies to banks, brokerage firms, and insurers. In addition, some corporations that process loans or deal in credit risk also fall under this rule. Professions and businesses that are subject to GLBA’s conditions include:

  • Accountants
  • ATM operators
  • Car rental corporations
  • Courier services
  • Credit reporting firms
  • Credit unions
  • Debt collectors
  • Financial advisory corporations
  • Hedge funds
  • Non-bank mortgage lenders
  • Payday lenders
  • Property appraisers
  • Real estate companies
  • Retailers
  • Stockbrokers
  • Tax preparers
  • Public or private universities

Nonpublic personal information (NPI)

Nonpublic personal information is personally identifiable financial information that is not available in public records. It is information that a consumer provides to a financial institution, that results from any transaction with the consumer or any service performed for the consumer, or that the financial institution otherwise obtains.

Who enforces GLBA regulations?

GLBA provisions can only be enforced by state and federal banking agencies. However, the degree of their authority to enforce the law may vary. If an institution fails to comply with the privacy rules, the FTC has the right to take action against it in federal district court. GLBA’s Section 5 gives the FTC the authority to audit privacy policies and to ensure that the institution applies them fairly.

The responsibility for enforcing the Safeguards Rule rests with the FTC. Several other federal agencies also play a significant role in GLBA enforcement, including the Federal Reserve Board, the FDIC, the Office of Thrift Supervision, and the Office of the Comptroller of the Currency.

What Are the Penalties for GLBA Noncompliance?

If you are an employee or an executive and you fail to ensure GLBA compliance, be ready to face serious consequences. Your organization can face a fine of up to $100,000 for every offense.

In addition, officers and directors can be fined up to $10,000, sentenced to up to five years' imprisonment, or both. The company may also suffer reputational damage or a loss of confidence from its customers.

Information-Sharing Regulation by the GLBA

Remember that if you are a financial institution, you cannot share a consumer’s NPI with a non-affiliated third party without first informing the consumer and giving them the option to opt out if they do not want their information shared. You must give clear notice and allow the consumer enough time to make a decision about information sharing.

The GLBA ensures that financial institutions offering financial products or services such as loans, financial or investment advice, or insurance to consumers are protected against data breaches. The act requires companies to explain their information-sharing practices to their customers.