Gramm Leach Bliley Act (GLBA)

    United States of America (USA)

    Gramm Leach Bliley Act (GLBA)

    15 U.S.C. §§6801-6827

    The Gramm Leach Bliley Act (GLBA) was enacted on November 12, 1999. Along with addressing other consumer financial issues, the GLBA also addressed concerns related to financial privacy. The Federal Trade Commission (FTC) promulgated the Privacy Rule and Safeguards Rule implementation regulations to carry out the GLBA’s privacy and security provisions. With the passage of the Dodd-Frank Act in 2011, the Consumer Financial Protection Bureau (CFPB) assumed rule-making and enforcement authority for the GLBA Privacy and Security Rules.

    Last Updated: July 30, 2019


  • General

    Scope

    GLBA applies to “financial institutions.” Whether a business is a “financial institution” depends on its activities. Examples include:

    • lending, exchanging, transferring, investing for others, or safeguarding money or securities.
    • providing financial, investment or economic advisory services.
    • brokering loans.
    • servicing loans.
    • debt collecting.
    • providing real estate settlement services.
    • career counseling (of individuals seeking employment in the financial services industry).

    Thus financial institutions include lenders, check cashers, wire transfer services, sellers of money orders, credit counselors, financial planners, tax preparers, accountants, and investment advisors.

    Who is protected?

    GLBA aims to protect “consumers” and “customers.” A “consumer” is someone who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. A “customer” is a type of consumer. Specifically, a customer is a consumer that the financial institution has a relationship with. The Privacy Rule explains that a “customer relationship” means “a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household expenses.”

    What is protected?

    Both the Privacy Rule and Security Rule protect a consumer’s “nonpublic personal information” (NPI). NPI is any “personally identifiable financial information” that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is “publicly available.” This definition is wide in scope, so information such as an individual’s name may be considered NPI since it is collected by the financial institution in connection with providing a product or service.

  • Lawfulness, Fairness, and Nondiscrimination

    Under the GLBA Privacy Rule, a financial institution may only collect NPI from a consumer or customer pursuant to its relationship with that consumer or customer for the purpose of providing a financial product or service.

  • Transparency and Free Access

    Depending on a financial institution’s use of NPI, it may be required to deliver notice to either a consumer or a customer. In some cases a full privacy notice is required; in others a financial institution may use a short-form privacy notice. Regardless of form, however, the privacy notice must be “clear and conspicuous,” whether it is on paper or on a website. It must be reasonably understandable and designed to call attention to the nature and significance of the information. The notice should use plain language, be easy to read and be distinctive in appearance. A notice on a website should be placed on a page that consumers use often, or it should be hyperlinked directly from a page where transactions are conducted.

    Notice to Customers

    Subject to certain exceptions discussed below, customers must receive both an “initial notice” and an “annual notice.”

    Initial Notice

    A customer must receive an initial notice at the time the customer relationship is established. There are exceptions for subsequent delivery and for existing customers.

    Annual Notice

    A financial institution must provide clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

    For customers only, a financial institution must provide the initial notice required by §313.4(a)(1), the annual notice required by §313.5(a), and the revised notice required by §313.8 so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.

    Notice to Consumers

    The notice to consumers depends on whether or not the financial institution shares NPI subject to an exception (see below). If yes, then no notice is required. If no, then the financial institution must provide both a privacy notice and an opt-out notice.


    Elements of a Full Privacy Notice

    A financial institution must include the following elements in its full privacy notice:

    • Categories of information collected.
    • Categories of information disclosed.
    • Categories of affiliates and nonaffiliated third parties to whom you disclose the information.
    • Categories of information disclosed, and to whom, under the joint marketing/service provider exception in section 313.13 of the Privacy Rule.
    • If disclosing NPI to nonaffiliated third parties under the exceptions in sections 313.14 (exceptions for processing or administering a financial transaction) and 313.15 (exceptions, including fraud prevention or complying with federal or state law and others) of the Privacy Rule, a statement that the disclosures are made “as permitted by law.”
    • If disclosing NPI to nonaffiliated third parties, and that disclosure does not fall within any of the exceptions in sections 313.14 and 313.15, an explanation of consumers’ and customers’ right to opt out of these disclosures.
    • Any disclosures required by the Fair Credit Reporting Act (see “Fair Credit Reporting Act”).
    • Policies and practices with respect to protecting the confidentiality and security of NPI.

    Elements of a Short-Form Notice

    A short-form notice must:

    • be clear and conspicuous;
    • state that the financial institution’s privacy notice is available upon request; and
    • explain a reasonable means by which the consumer may obtain that notice.

  • Purpose specification, Use Limitation, and Suitability

    Aside from privacy and opt-out notices, the other major facet of the GLBA Privacy Rule is its limits on the use and reuse of NPI, both NPI disclosed to and NPI received from a nonaffiliated financial institution.

    Limits on Disclosure

    • A financial institution may not, directly or through any affiliate, disclose any NPI about a consumer to a nonaffiliated third party, unless:
      • The financial institution provides the consumer an initial notice; and
      • The financial institution provides the consumer an opt-out notice; and
      • The consumer is given a reasonable opportunity, before the financial institution discloses the information, to opt out of the disclosure; and
      • The consumer does not opt out.

    Limits on Redisclosure and Reuse

    • Information Received Under an Exception
      • A financial institution that receives information from a nonaffiliated financial institution under an exception in §313.14 or §313.15 may:
        • Disclose the information to the affiliates of the financial institution from which it received the information;
        • Disclose the information to its own affiliates, but such affiliates may disclose and use the information only to the extent that the financial institution may disclose and use the information; and
        • Disclose and use the information pursuant to an exception in §313.14 or §313.15, in the ordinary course of business, to carry out the activity covered by the exception under which the financial institution received the information.
    • Information Received Outside of an Exception
      • A financial institution that receives information from a nonaffiliated financial institution other than under an exception in §313.14 or §313.15 may disclose the information only:
        • To the affiliates of the financial institution from which the receiving financial institution received the information;
        • To the receiving financial institution’s affiliates, but such affiliates may, in turn, disclose the information only to the extent that the receiving financial institution can disclose the information; and
        • To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the information was received.
    • Information Disclosed Under an Exception
      • If a financial institution discloses nonpublic information to a nonaffiliated third party under an exception in §313.14 or §313.15, the third party may only:
        • Disclose the information to the financial institution’s affiliates;
        • Disclose the information to its own affiliates, but its affiliates may disclose and use the information only to the extent that the third party may disclose and use the information; and
        • Disclose and use the information pursuant to an exception in §313.14 or §313.15, in the ordinary course of business, to carry out the activities covered by the exception under which it received the information.
    • Information Disclosed Outside of an Exception
      • If a financial institution discloses nonpublic information to a nonaffiliated third party other than under an exception in §313.14 or §313.15, the third party may disclose the information only:
        • To the financial institution’s affiliates;
        • To its own affiliates, but its affiliates may disclose the information only to the extent the third party can disclose the information; and
        • To any other person, if the disclosure would be lawful if the financial institution made it directly to that person.


    General Prohibition on Disclosure of Account Numbers

    A financial institution must not (subject to certain exceptions below), directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer’s credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

    The general prohibition on disclosure of account numbers does not apply if the disclosure is:

    • To the financial institution’s agent or service provider solely in order to perform marketing for the financial institution’s own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; or
    • To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

    Exceptions

    There are a significant number of exceptions to most of the notice and opt-out requirements, and it is important to understand where and how they are applied.


    Exception to Opt Out requirements for Service Providers and Joint Marketing (§313.13)

    The opt-out requirements do not apply if the financial institution provides NPI to a third party to perform services (such as marketing the financial institution’s products or services pursuant to joint agreements between one or more financial institutions), as long as it:

    • Provides the initial notice, and
    • Enters into a contractual agreement with the third party that limits their ability to disclose and use the information other than to carry out the purposes for which it was shared.

    Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions (§313.14)

    The initial notice and opt-out requirements, and the service provider and joint marketing requirements, do not apply if the financial institution discloses NPI as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:

    • Servicing or processing a financial product or service that a consumer requests or authorizes;
    • Maintaining or servicing the consumer’s account, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
    • A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.

    Exceptions to Notice and Opt Out Requirements for Certain Other Circumstances (§313.15)

    The initial notice and opt-out requirements, and the service provider and joint marketing requirements, do not apply if the financial institution discloses NPI:

    • With the consent or at the direction of the consumer;
    • To protect the confidentiality or security of the financial institution’s records;
    • To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;
    • For required institutional risk control or for resolving consumer disputes or inquiries;
    • To persons holding a legal or beneficial interest relating to the consumer;
    • To persons acting in a fiduciary or representative capacity on behalf of the consumer;
    • To provide information to insurance rate advisory organizations and the financial institution’s attorneys, accountants and auditors;
    • To the extent specifically permitted or required under other provisions of law;
    • To a consumer reporting agency in accordance with the Fair Credit Reporting Act;
    • From a consumer report reported by a consumer reporting agency;
    • In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit;
    • To comply with Federal, State, or local laws, rules and other applicable legal requirements;
    • To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, State, or local authorities; or
    • To respond to judicial process or government regulatory authorities.
  • Data Minimization, Storage Limitation, and Accuracy

    While there is no specific provision related to accuracy, the GLBA requires that all privacy notices and opt-out notices “accurately reflect” the financial institution’s “privacy policy and practices” and “accurately explain the right to opt out.”

  • Security and Prevention

    Under the Security Rule, a financial institution must develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in §314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.

    The financial institution must:

    • Ensure the security and confidentiality of customer information;
    • Protect against any anticipated threats or hazards to the security or integrity of such information; and
    • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

    In order to develop, implement, and maintain an information security program, a financial institution must:

    • Designate an employee or employees to coordinate your information security program.
    • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:
      • Employee training and management;
      • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
      • Detecting, preventing and responding to attacks, intrusions, or other systems failures.
    • Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

    Information Security Officer

    Under the Security Rule, a financial institution must designate an employee or employees to coordinate the financial institution’s information security program. §314.4(a)

    Risk Assessments

    The Security Rule requires continual risk assessments, many of which may include the assessments of new products or services. Additionally, based on the risk assessment, a financial institution must “design and implement information safeguards to control the [identified] risks.” §314.4(b)-(c)

  • Accountability and Recordkeeping

    While there is not an explicit recordkeeping requirement, the Federal Trade Commission (FTC) has enforcement authority over the GLBA and of course the Privacy and Security Rule. Therefore, it becomes incumbent upon financial institutions to be able to demonstrate the NPI was collected, used, disclosed, and disposed of in a consistent manner.

  • Privacy by Design

    There is no explicit reference to “privacy by design”; however, the Security Rule requires continual risk assessments, many of which may include the assessments of new products or services. Additionally, based on the risk assessment, a financial institution must “design and implement information safeguards to control the [identified] risks.”

  • Privacy Impact Assessments

    Under the privacy rule, a financial institution must conduct assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. §314.4(b)

  • Data Subject Rights

    Customers and consumers may be able to exercise their right to opt out as permitted under §313.7.

  • Vendor Management

    Under the Security Rule, a financial institution must “oversee service providers” by:

    • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
    • Requiring service providers by contract to implement and maintain such safeguards.

  • Cross-Border Data Transfer and Localization

    GLBA does not contain specific references to cross-border data transfer and localization.

  • Incident and Breach

    While there are no specific incident and breach notification provisions in GLBA, an incident or breach that violates the Security Rule is subject to enforcement by the CFPB. With respect to incident and breach notification, several federal banking regulators issued the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” in 2005, establishing breach response program and notification standards to be implemented by federal banks.
