GLBA, sometimes called the Financial Services Modernization Act of 1999, is a U.S. banking law that has important privacy and data security requirements for institutions that are subject to the law.  The law applies to “any institution the business of which is engaging in financial activities.”

GLBA’s primary purpose was to remove the barriers in the Glass-Steagall Act of 1933 and the Bank Holding Company Act that prevented organizations from functioning in any combination of a commercial bank, an investment bank, and an insurance company.  Nevertheless, concerns arose over the need to protect consumer information as institutions merged these traditionally separate functions, thereby aggregating massive amounts of customer data.  Therefore, GLBA provided for a Safeguards Rule and a Privacy Rule to help protect customer data.

First, the Safeguards Rule requires financial institutions to put in place administrative, technical, and physical safeguards to protect personal information.  This rule requires financial institutions to develop a comprehensive, written information security program that is appropriate for the size and scope of the institution and the sensitivity of the personal information at issue.  Institutions must specifically designate an employee or employees to coordinate this program.  The information security program must identify risks to the security, confidentiality, and integrity of personal information and implement controls to guard against those risks.  The rule also requires institutions to test and evaluate the controls they put in place and appropriately modify their information security program in light of the results.

Next, the Privacy Rule requires financial institutions to provide certain notices with regard to how they share information.  The rule distinguishes between consumers and customers.  For example, an individual who discloses nonpublic personal information on a loan application is a consumer of the institution under GLBA, regardless of whether the institution ultimately approves the loan.  If the institution approves the loan and extends the requested credit, thereby establishing an ongoing relationship with the individual, the individual becomes a customer of the institution.

Under the Privacy Rule, financial institutions must provide “clear and conspicuous” notice of their privacy policies in several situations.  They must provide notice to a consumer before they share any nonpublic personal information about that consumer to an unaffiliated third party.  They must provide notice to a customer no later than the time at which the customer relationship is established, and at least annually thereafter for as long as the customer relationship continues.

In general, these notices must describe the categories of nonpublic personal information the institution collects and shares with affiliated and nonaffiliated third parties and explain the right to opt out of certain disclosures.  With limited exceptions, an institution cannot share an individual’s nonpublic personal information with a nonaffiliated third party without providing the required notice and affording the individual a reasonable opportunity to exercise his or her opt out rights.  Additionally, if an institution revises its privacy policy to allow it to disclose nonpublic personal information that it did not disclose under the old policy, the institution must provide a new privacy notice and afford consumers a reasonable opportunity to opt out before disclosing their information.

GLBA disperses enforcement power across a number of agencies, depending on the institution at issue.  For example, the Board of Governors of the Federal Reserve System has enforcement authority over member banks of the Federal Reserve System, the Securities and Exchange Commission has enforcement authority over brokers and dealers, and the Board of the National Credit Union Administration has enforcement authority over federally insured credit unions.  The Federal Trade Commission has enforcement authority over any financial institution that is not specifically under the authority of any other agency.  State insurance regulators have enforcement authority over insurance providers domiciled in their state.  In addition, while the Consumer Financial Protection Bureau does not have explicit power to enforce the GLBA Safeguards Rule or Privacy Rule, it has used its general authority over unfair, deceptive, or abusive acts or practices to bring enforcement actions against regulated entities that fail to abide by those rules.