February 19, 2024

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, was enacted by the 106th United States Congress on November 12, 1999. This legislation significantly changed the landscape of financial services in the U.S. 

The law governs the way financial institutions handle individuals’ private information.  

The primary purpose of the Gramm-Leach-Bliley Act is to enhance consumer privacy and protection by regulating the collection and disclosure of nonpublic personal information by financial institutions.

The Gramm-Leach-Bliley Act applies to organizations that offer consumers financial products or services, such as loans, financial or investment advice, or insurance. Financial institutions covered by the GLBA include banks, credit unions, securities firms, insurance companies, and other entities engaged in providing financial products and services. It also sets forth rules for how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments or financial aid). 

How and why the Gramm-Leach-Bliley Act was created

The Gramm-Leach-Bliley Act came about in response to changing trends and practices in the financial industry during the late 20th century. Historically, there was a strict separation between banking, securities, and insurance activities in the United States.  

However, as the financial industry evolved, institutions wanted to engage in a broader range of activities. While many forces drove the enactment of the Gramm-Leach-Bliley Act, two catalysts are commonly noted: the Citicorp-Travelers Group merger and a Victoria’s Secret catalog fracas. 

The 1998 merger between Citicorp and the insurance and brokerage firm Travelers Group presented a direct challenge to the regulations of the time. The Glass-Steagall Act of 1933 separated commercial banking from investment banking, and the Bank Holding Company Act of 1956 kept bank holding companies out of most insurance underwriting. The merged Citigroup relied on a provision of the Bank Holding Company Act that gave a company up to five years to divest non-conforming businesses acquired in a merger.  

Citigroup, which had been lobbying for changes to the existing laws, gambled that it could get the laws changed in time to keep the insurance business. It did: the Gramm-Leach-Bliley Act passed the following year. 

The Victoria’s Secret episode concerned the opposite flow of customer data. A member of Congress reportedly received a Victoria’s Secret catalog at an address he had given only to his financial institution, and concluded that the institution had shared his information with the retailer without his consent. The resulting public and congressional concern about how financial institutions share customer data contributed to the inclusion of the privacy provisions (Title V) in the Gramm-Leach-Bliley Act. 

This bill went through the legislative process, including committee hearings and debates in both the House of Representatives and the Senate. It was passed by Congress, with bipartisan support, and signed into law by President Bill Clinton. 

Changes caused by the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act brought about significant changes to the United States financial services industry, including the following. 

Consumer privacy protections

The Gramm-Leach-Bliley Act addresses consumer information privacy concerns related to the integration of financial services. It includes provisions to regulate the handling of nonpublic personal information (NPI) and provide protections against misuse of consumers’ data. 

Increased competition

By enabling financial institutions to sell multiple types of products and services, the Gramm-Leach-Bliley Act increased competition and gave consumers more choices.   

Pretexting provisions

The Gramm-Leach-Bliley Act addresses pretexting, making it illegal for anyone to obtain customer information from a financial institution, or from its customers, under false pretenses. Financial institutions are the target of pretexting, not its perpetrators, which is why their staff must be able to recognize it.   

Regulatory oversight

Compliance with the Gramm-Leach-Bliley Act is overseen by a number of regulatory bodies, depending on the type of institution. Banks and thrift institutions are supervised by the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC); federally insured credit unions by the National Credit Union Administration (NCUA); and non-bank financial institutions (for example, mortgage brokers, payday lenders, and tax preparers) by the Federal Trade Commission (FTC).  

State insurance authorities and other federal regulatory agencies, such as the Securities and Exchange Commission (SEC), also enforce the law. Since the Dodd-Frank Act, the Consumer Financial Protection Bureau (CFPB) has held rulemaking authority for the Privacy Rule (Regulation P) covering most institutions. 

Safeguards for customer information

The Safeguards Rule of the Gramm-Leach-Bliley Act mandates that financial institutions have systems and processes in place to protect the security, confidentiality, and integrity of customer information. 

Structural changes

The Gramm-Leach-Bliley Act broke down the barriers that separated banking, securities, and insurance activities. This change in the financial industry’s structural framework allows a bank holding company to become a financial holding company and offer a broader range of services by integrating the traditionally separate functions of investment, commercial banking, and insurance services.   

The Gramm-Leach-Bliley Act and privacy

The Gramm-Leach-Bliley Act reflects concerns about the sensitivity of personal financial information. The Privacy Rule provides clear direction for what organizations must do to protect nonpublic personal information. Key elements of the Gramm-Leach-Bliley Act Privacy Rule are as follows. 

To comply, financial institutions must: 

  • Inform consumers about their privacy policies and practices. 
  • Provide customers with a privacy notice when the customer relationship is established and annually thereafter (a 2015 amendment waives the annual notice for institutions that share nonpublic personal information only under the statutory exceptions and whose practices have not changed since the last notice). 
  • Explain what kind of information is collected and how it is shared, used, and protected.  
  • Give consumers a reasonable opportunity to opt out before their information is shared with non-affiliated third parties, and honor that opt-out. 

The Gramm-Leach-Bliley Act allows for some exceptions to these rules. For example, information can be shared with non-affiliated third parties in order to process a transaction requested by a customer or to maintain or service their account. 

What is the Safeguards Rule?

The Gramm-Leach-Bliley Act requires that financial institutions implement safeguards to protect the security and confidentiality of customer information from unauthorized access. These safeguards should include developing and implementing written information security programs.  

Additional requirements of the Gramm-Leach-Bliley Act Safeguards Rule include the following. 

Financial institutions must: 

  • Designate an individual or team to be responsible for overseeing the information security program.  
  • Identify and assess reasonably foreseeable internal and external risks in each relevant area of operation where customer information could be susceptible to unauthorized access or use. 
  • Design and implement safeguards to control the identified risks, and monitor and regularly test the efficacy of those safeguards. 
  • Ensure that service providers have in place, and are contractually required to maintain, appropriate safeguards for customer information.  
  • Evaluate and adjust the information security program based on findings from testing and monitoring, changes in operations, or any other change that could affect the security of customer information. 

The FTC’s amended Safeguards Rule (16 CFR Part 314, with most provisions effective in June 2023) makes several of these requirements concrete for non-bank financial institutions: a written risk assessment; access controls and an inventory of the systems that hold customer information; encryption of customer information in transit and at rest; multi-factor authentication for anyone accessing an information system; secure disposal of customer information that is no longer needed; continuous monitoring or, failing that, annual penetration testing plus vulnerability assessments at least every six months; security awareness training; a written incident response plan; and an annual written report to the board or senior management. 

What is pretexting protection?

In the context of financial services, pretexting involves the acquisition of personal financial information through false pretenses. The Gramm-Leach-Bliley Act addresses this by making it a federal crime. Ways in which the Gramm-Leach-Bliley Act seeks to do this include the following. 

Prohibition of pretexting

The Gramm-Leach-Bliley Act makes it illegal for anyone to use false, fictitious, or fraudulent statements or documents, or forged, lost, or stolen documents, to obtain customer information from a financial institution or directly from a customer of a financial institution. It also prohibits asking another person to obtain customer information when the requester knows it will be obtained by such means. 

Educational requirements

The Gramm-Leach-Bliley Act’s Safeguards Rule requires financial institutions to provide security awareness training, which in practice means teaching employees why protecting customer information matters, how to recognize and stop pretexting attempts, and how to comply with the law.   

Consumer awareness

The Gramm-Leach-Bliley Act encourages financial institutions to provide resources to raise consumer awareness about the risks of pretexting. 

The Gramm-Leach-Bliley Act and usury

The Gramm-Leach-Bliley Act and usury laws were both enacted to codify consumer protections against harmful practices in the financial services sector. However, they address different areas of consumer protection.   

Gramm-Leach-Bliley Act 

The Gramm-Leach-Bliley Act is focused on privacy, security, and the integration of financial services. It modernized U.S. financial law by removing the barriers between banking, securities, and insurance products and services, and it governs the privacy and security of consumer financial information.   

The Gramm-Leach-Bliley Act is a federal law. No single state controls its rules and enforcement.   

Federal-level privacy rules 
One of the key provisions of the Gramm-Leach-Bliley Act is the Privacy Rule. This regulation requires financial institutions to inform consumers about privacy policies and practices related to nonpublic personal information (NPI). It also gives consumers more control over how financial institutions use their NPI, including the right to opt out of having their NPI shared with non-affiliated third parties.   

Federal-level security rules 
The Gramm-Leach-Bliley Act’s Safeguards Rule sets forth specific rules for how consumers’ information must be protected. It mandates that financial institutions implement information security measures to ensure that customer information cannot be accessed or used without authorization. It also includes directives for the development, written documentation, and maintenance of information security programs.   

Usury laws 

Usury laws are focused on preventing the exploitation of borrowers through excessive interest rates and predatory lending practices. These laws cap the interest that can be charged on loans.   

Usury laws are passed and enforced primarily at the state level, and they vary significantly from state to state.   

State-level regulations 
Each state has its own set of usury laws that dictate the maximum allowable interest rates for different types of loans.   

State-level consumer protection 
Usury laws are intended to promote fair lending practices and protect consumers from predatory lending. Violations of usury laws can result in legal consequences for lenders.       

Why prioritize compliance with the Gramm-Leach-Bliley Act

Financial institutions that fail to comply with the Gramm-Leach-Bliley Act can face severe penalties. Commonly cited non-compliance penalties include: 

  • Financial institutions found in violation face fines of up to $100,000 for each violation. 
  • Officers and directors found in violation face fines of up to $10,000 for each violation. 
  • Obtaining customer information by pretexting is a federal crime carrying up to 5 years in prison, rising to 10 years where the violation is part of a pattern of illegal activity involving more than $100,000 in a 12-month period. 

Regulators also bring civil enforcement actions; the FTC, for example, has placed non-bank financial institutions under consent orders carrying multi-year compliance and assessment obligations. 

In addition to avoiding penalties, achieving and maintaining compliance with the Gramm-Leach-Bliley Act affords financial institutions other benefits, such as the following. 

Competitive advantage 

Financial institutions that prioritize Gramm-Leach-Bliley Act compliance can gain a competitive advantage by demonstrating a commitment to their customers’ best interests and to the privacy and security of their personal information. Customers tend to choose financial institutions that they believe prioritize and invest in security and privacy protections. 

Consumer privacy protection

Prioritizing compliance with the Gramm-Leach-Bliley Act helps ensure that financial institutions have appropriate measures in place to meet expectations for how sensitive customer data is protected. It also gives customers control over how their personal information is shared.   

Customer notification requirements

Breach notification obligations depend on the regulator. Under the FTC’s amended Safeguards Rule, non-bank financial institutions must notify the FTC within 30 days of discovering a notification event in which unencrypted customer information of at least 500 consumers was acquired without authorization. Institutions supervised by the banking agencies follow those agencies’ incident-notification rules and interagency guidance, which call for notifying affected customers when sensitive customer information has been, or is reasonably believed to have been, misused. While no organization wants to share bad news, transparency helps address consumer concerns and maintain customer trust. 

Enhanced security posture

The Gramm-Leach-Bliley Act Safeguards Rule provides financial institutions with guidelines for developing, implementing, and maintaining comprehensive information security programs to protect customer information from unauthorized access and use. Prioritizing compliance establishes a baseline of security systems, processes, and staffing that an institution can then build on.  

This not only meets requirements, but also reduces cyber risks, including data breaches, ransomware, and advanced persistent threats that target financial institutions. 

Regulatory oversight

Financial institutions supervised by the banking and credit union regulators are examined on a regular basis, and those under FTC jurisdiction are subject to investigations and enforcement actions. Following the rules set forth by the Gramm-Leach-Bliley Act prepares financial institutions for this scrutiny and reduces the risk of regulatory action for non-compliance. 

Risk management

Compliance with the Gramm-Leach-Bliley Act is a critical part of any financial institution’s risk management plan. Through the process of achieving and maintaining compliance, financial institutions identify and mitigate risks related to the handling of customer information, which significantly reduces the legal and reputational risk associated with non-compliance. 

Trust and reputation

Gramm-Leach-Bliley Act provisions help engender consumer trust, which is essential for financial services organizations. Compliance with the Gramm-Leach-Bliley Act bolsters organizations’ reputations by demonstrating a commitment to protecting consumers’ highly-valued privacy.

The Gramm-Leach-Bliley Act provides a comprehensive approach to ensuring the security and confidentiality of customers’ information even with the challenges that come with a financial landscape that is increasingly complex, data-centric, and information-driven. Taking steps to safeguard NPI and comply with the Gramm-Leach-Bliley Act not only avoids the troubles that non-compliance brings, but also enhances overall data security and privacy protections. 
