All About the Gramm Leach Bliley Act (GLBA)

February 23, 2022
If you run a company that engages with client data, especially in the financial industry, you need to be compliant with the GLBA. Let’s walk through what the means in this blog.

All About the GLBA (Gramm Leach Bliley Act)

Financial organizations are required to provide yearly privacy notifications to consumers under the Gramm Leach Bliley Act (commonly known as the GLBA). These notifications must explain financial organizations' privacy policies, including the conditions around their allowed disclosure of nonpublic personal information about their clients. If the institution distributes personal information with unaffiliated third parties in methods not permitted by the GLBA, consumers are usually informed of their ability to opt-out of having their information shared including steps on how to do this. The GLBA is yet another instance where consumers are given the right to understand how their information is being used and have some agency over that process.

While the GLBA has been around for several decades, it is still highly relevant to financial organizations that deal with sensitive client data today. In this guide, we’ll explore everything financial institution leaders need to know about GLBA compliance rules, GLBA requirements, GLBA exceptions, and everything else needed to stay compliant.

Everything You Need to Know About the GLBA :

What is the GLBA? 

The GLBA stands for the Gramm Leach Bliley Act. Many firms have financial information on their clients and share that data with their business partners regularly for a whole host of reasons. The Act was officially passed by the United States Congress at the end of the 20th century to shield the financial privacy of consumers. It was enacted due to the sensitive nature of data held by financial organizations. Companies that act as "financial organizations", or money-focused businesses that offer their customers financial services such as loans, personal finance advice, or various forms of insurance, are required by the GLBA to let their customers know about their data-sharing practices and to shield their clients’ sensitive data.

The legislation places restrictions on when a financial institution may release a customer's nonpublic personal information (NPI) to unaffiliated third parties. Customers must be informed about financial organizations' information-sharing policies, as well as their ability to opt-out if they do not want their information shared with certain nonaffiliated third parties. Furthermore, any company that gets consumer financial information from a financial institution may be limited in its ability to reuse and re-disclose such information.

There are three main components of the GLBA– the financial privacy rule, the safeguards rule, and pretexting provisions.

Financial Privacy Rule

This rule, often known as the Privacy Rule, imposes restrictions on how businesses gather and share private financial data. At the start of a client relationship, a firm must make its privacy policy plain and visible. Customers must then get an annual notification for the length of the partnership unless the company satisfies specific conditions.

The Privacy Rule specifies which data will be collected, how it will be used and shared, who will have access to it, and the rules and procedures that will be utilized to safeguard it. Customers must be advised of the privacy policy once a year, as required by the Fair Credit Reporting Act, including the choice to opt-out of sharing information with unaffiliated third-party companies. When a client chooses to disclose information, the company must follow the terms of the original privacy notice.

Safeguards Rule

The GLBA safeguards rule includes measures to guarantee that information security is a top priority. This regulation was established by the Federal Trade Commission in 2002 and is still in effect. The regulation requires businesses to put in place administrative, physical, and technical precautions to defend against cyber assaults, email spoofing, phishing scams, and other cybersecurity threats.

The guideline also mandates that a company appoint at least one person to be responsible for all components of the information security plan, including creation and testing on a regular basis. Although data encryption and key management are advised as best practices, the Safeguard Rule does not necessitate them.

Pretexting Provisions 

This regulation is intended to prohibit workers or business partners from gathering client information under false pretenses, such as through social engineering. Although the GLBA does not have explicit criteria for pretexting, prevention typically requires including pretexting prevention training within the written information security document.

Who does GLBA apply to? 

The Gramm Leach Bliley Act covers any organizations that are "significantly engaged" in providing financial goods or services to customers, regardless of size. Check cashing firms, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, merchants that issue branded credit cards, professional tax preparers, and courier services are all examples of nontraditional financial organizations. The regulation also applies to organizations that obtain information about clients from other financial organizations. Companies subject to the regulation must take efforts to guarantee that their affiliates and service providers preserve client information in their care, in addition to creating their own safeguards.

How does GLBA Compliance work? 

To comply with the GLBA, financial organizations must inform customers about how they share sensitive data, inform customers about their right to opt-out if they do not want their personal data shared with third parties, and apply specific protections to customers' private data in accordance with a written information security plan created by the institution. It might be beneficial for larger financial organizations to work with a risk and compliance company like Accountable HQ to ensure that the right protocols and processes are in place for GLBA compliance.

Compliance with the GLBA is required. Regardless of whether a financial institution publishes NPI, it must have a policy in place to secure the data from anticipated security and data integrity issues.

Penalties for Violating GLBA

All sanctions for noncompliance with this regulation, which include fines and jail time, are covered under the Gramm Leach Bliley Act. If an organization breaks the GLBA, it will be liable for a number of penalties. Each breach will result in a penalty of up to $100,000 for the institution. For each infraction, the institution's officers and directors could be personally accountable for a penalty of not more than $10,000. Fines under Title 18 of the United States Code or imprisonment for not more than five years, or both, will be imposed on the institution and its officials and directors.

Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
Expert guidance
Build trust
Dedicated Compliance Success Managers
HIPAA Training
Decrease risk
Close more deals