Salem Press

Privacy Rights in the Digital Age

Gramm-Leach-Bliley Act (GLBA) of 1999, 113 Stat. 133

by Christopher T. Anglim

Enacted by Congress on November 4, 1999, to both reform the financial services industry and address issues of consumer financial privacy. Congress passed the legislation by a large bipartisan majority. GLBA supporters argued that the legislation would modernize U.S. finance and make the U.S. competitive with the rest of the world. GLBA came after two decades of United States on the nature of financial competition and regulation.

At the time, privacy issues in the financial sector were the subject of heated debate and were leading. Before the GLBA's passage, there were distinct barriers between insurance companies that retained the individual's health records, the bank that mortgaged the individual's house, and the stockbroker that traded in the individual's stocks. If these companies were to merge, they could consolidate, analyze and sell the personal details of their consumers.

Combining several financial services in one company provides expanded opportunities for cross-selling. The large firms that either had recently merged or were contemplating a merger viewed the proposed new regulations as impediments. The firms argued that they could take advantage of significant efficiencies and greater scale and provide better product information if they were allowed to freely merge and freely use the information from the merging companies. At the same time, there was widespread and increasing concern about how personal information would be used.

Supporters of the GLBA argued that it would stimulate competition in providing all types of financial services. They claimed that the likely benefits of the Act would include the following: the array of products would increase, become easier to obtain, and perhaps become less expensive. Larger businesses would benefit from being able to receive all their financial services from one provider, while smaller businesses and individuals may benefit from some economies of transactions. That could result in lower prices for some services for individual consumers. Consumer groups, however, expressed concern that some changes could lead to higher prices to consumers for checking accounts and small loans.

In the guise of modernizing the U.S. financial system, the GLBA would abolish the Glass-Steagall Act, which prohibited banks and securities firms from affiliating with each other, and the Bank Holding Company Act, which prohibited banks and insurance companies from affiliating with each other. As a result, the GLBA was widely viewed as the most important banking legislation in sixty years.

The GLBA's privacy provisions

The GLBA is very complex and addresses a broad range of issues. This entry focuses on those matters relating to privacy. The GLBA requires the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions to implement regulations carrying out the GLBA's financial privacy provisions. The GLBA required that covered businesses be in full compliance by July 1, 2001.

The GLBA's privacy protections only regulate financial institutions (those engaged in banking, insuring, stocks and bonds, financial advice, and investing). These financial institutions, whether or not they wish to disclose their consumers' personal information, must develop precautions to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

Subtitle A: The GLBA Safeguarding Rule

Because of privacy risks due to mergers of financial institutions, the GLBA included three requirements to protect the personal data of individuals. Under Subtitle A, banks, brokerage companies, and insurance companies must securely store personal financial information; advise customers of their policies on sharing personal financial data; and provide consumers the choice to opt out of the sharing of personal financial information.

Subtitle A governed the disclosure of nonpublic information. Under the GLBA “Safeguards Rule,” financial institutions under the FTC's jurisdiction are required to develop and implement appropriate safeguards to protect nonpublic consumer information, including within an organization's security plan. The rule provided that the financial institutions must designate one or more employees to coordinate the safeguards; identify and assess the risks to consumer information in relevant areas of operations; design, implement, and regularly monitor a safeguards program; hire appropriate service providers and contract with them to implement the safeguards; and evaluate and adjust the program as needed.

The Act delegates to agencies such as the FTC the responsibility for issuing standards for financial institutions' safeguards that: 1) ensure the security and confidentiality of customer records and information; and 2) protect against hazards or unauthorized access to such information.

For a financial institution to disclose the nonpublic information of its customer to a nonaffiliated third party, it must comply with the GLBA's consumer notification provisions, which require that the financial institution provide the following to the consumer: 1) a clear and conspicuous disclosure that its customers' information may be disseminated to third parties and 2) the opportunity for consumers to prevent such disclosures.

Financial institutions must establish privacy policies, disclose them when a customer relationship is formed, and send updated policies not less than annually after that. These policies disclose how the institutions share information with affiliates as well as with third parties.

With some exceptions, these institutions are prohibited from disclosing nonpublic personal information (NPI) to nonaffiliated third parties unless they have given consumers the opportunity to “opt out.” Under the opt-out provision, the consumer would direct the financial institution not to share information with unaffiliated companies.

The GLBA also prohibited a financial institution from disclosing a consumer's account numbers, access number, or code to a nonaffiliated third party for use in marketing to the consumer through any medium. The enforcement of Subtitle A of the statute rests with certain designated federal agencies, state insurance authorities, and the FTC.

Financial institutions must provide their consumers with a notice of their information sharing policies when a person first becomes a customer, and annually after that. That notice must inform the consumer of the financial institution's policies on: disclosing nonpublic personal information (NPI) to affiliates and nonaffiliated third parties, disclosing NPI after the customer relationship is terminated, and protecting NPI. “Nonpublic personal information” means all information on applications to obtain financial services (credit card or loan applications), account histories (bank or credit card), and the fact that an individual is or was a customer. This interpretation of NPI makes names, addresses, telephone numbers, Social Security numbers, and other data subject to the GLBA's data sharing restrictions.

Consumers have no right under the GLBA to prevent sharing of NPI among affiliates. An affiliate is any company that controls, is controlled by, or is under common control with another company. The individual consumer has absolutely no control over this kind of “corporate family” trading of personal information.

The GLBA has several exemptions that would permit information sharing despite objections of consumers. If a financial services company chooses to do transactions with another company, it is within its rights to transfer its customer's personal information to that second company on the basis that such data is necessary for the second company to be able to perform its services. It is allowable for the financial institution, for example, to share its customer's private information with a marketing firm to promote new products or services or jointly offered goods or services. Once the unaffiliated third party has a customer's personal information, it may legally share it with its “corporate family.” However, it cannot likewise transfer the information to other companies through this exemption.

Also, financial institutions may disclose the consumer's information to credit reporting agencies, financial regulators, if a business is sold, in compliance with laws or regulations governing the transaction, if the buyer requests such information.

Financial institutions may not disclose, except to consumer reporting agencies, certain information to any nonaffiliated third party for marketing. The significance of this is that even if a consumer does not “opt out” of a financial institution's information transfers, his or her credit card numbers and other such information may not be sold.

Subtitle B: Protection Against Pretexting

Subtitle B of the GLBA addresses fraudulent access to financial information and establishes guidelines about a financial institution's customer information. Violations of these prohibitions are subject to FTC enforcement actions, as well as civil and criminal penalties. This general prohibition, however, does not apply under certain circumstances, including when law enforcement agencies are acting under proper legal authority.

The GLBA also strengthened prohibitions on pretext calling (obtaining customer information by false pretenses). Pretexting is the practice of collecting personal information under false pretenses. Pretexters often pose as authority figures (such as law enforcement agents, social workers, and potential employers) and develop false stories to obtain personal information on the victim.

The GLBA also prohibits the use of false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution; the use of forged, counterfeit, lost or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution; and asking another person to get someone else's customer information using false, fictitious, or fraudulent documents or forged, counterfeit, lost or stolen documents.

Proposals to undo the GLBA

Over the past ten years, there have been efforts to undo some of the provisions of the GLBA, because of a series of high-profile cases involving banks selling consumer information with customers suffering losses due to marketing, credit fraud, and identity theft.

The privacy risks from mergers in the financial services industry became apparent after a series of international and domestic events. In 1995, the European Union (EU) enacted its Data Protection Directive, which requires that data exchanges transmitting the personal data of EU citizens provide the equivalent degree of protection as their home country would grant them. Thus, U.S. companies became required to ensure that when they use the personal data of citizens of EU nations, these citizens are given the same level of protection that they would have within the EU. The EU expressed concerns with both the self-regulatory approach to privacy and the absence of federal privacy legislation in the United States. Despite the “Safe Harbor proposal” (since struck down by an Irish court) between the United States and the European Union, which had allowed companies to regulate themselves while being subject to oversight by the FTC, the financial services sector was not included in the agreement.

In the aftermath of the financial crisis in 2008, several issues were raised in connection with GLBA: Is it prudent to let banks get too big in the first place? How big is too big to fail? To what extent will the government intervene when a financial services industry participant begins to melt down? Many observers began to question the deregulatory policies that underlay Gramm-Leach-Bliley and to urge reform of the banking regulatory system with more robust constraints on the activities and affiliations of financial institutions. Many liberal economic experts argue that the repeal of Glass-Steagall encouraged the conditions that led to the financial crisis and that the Dodd-Frank Act was not sufficient to restore safety to the banking industry. Reform and repeal efforts have been gaining increasing support among members of Congress and the Obama administration. If the GLBA is repealed, liberal reformers such as Senators Bernie Sanders (I-VT) and Elizabeth Warren (D-MA) proposed that it be replaced by a banking system with firewalls between banking, securities, and insurance activity as existed under Glass-Steagall.

MLA 9th
Anglim, Christopher T. "Gramm-Leach-Bliley Act (GLBA) Of 1999, 113 Stat. 133." Privacy Rights in the Digital Age, edited by Christopher T. Anglim & JD, Salem Press, 2016. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA_0104.