The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services.
The Gramm-Leach-Bliley Act (GLBA) allowed commercial and investment banks to consolidate. For example, Citibank merged with Travelers Group, an insurance company, and in 1997 formed the conglomerate Citigroup, a corporation combining banking and insurance underwriting services. Other major mergers in the financial sector had already taken place such as the Smith-Barney, Shearson, Primerica and Travelers Insurance Corporation combination in the mid-1990's. This combination announced in 1993 and finalized in 1994 already violated the Glass-Steagall Act by combining insurance and securities companies. The law was passed to legalize these mergers. Historically, the combined industry has been known as the financial services industry.
Changes Caused by the Act
Many of the largest banks, brokerages, and insurance companies desired the Act at the time. The justification was that individuals usually put more money in investments when economy is good, but they put their money into savings accounts when it turns bad. With the new Act, they would do both with the same company, so it would be doing well in all economic times.
Prior to the Act, most financial services companies were doing this anyway. On the retail or consumer side, a bank called Norwest led the charge in offering all types of financial services products in 1986. American Express attempted to own almost every field of financial business (although there was little synergy between them). Things culminated in 1997 when Travelers, a financial services company with everything but a retail and commercial bank, bought out Citibank, creating the largest and the most profitable company in the world. The move was technically illegal and provided impetus for the passage of the Gramm-Leach-Bliley Act.
Also prior to the passage of the Act, there were many relaxations to the Glass-Steagall Act. For example, a few years earlier, commercial Banks were allowed to get into investment banking, and before that banks were also allowed to get into stock and insurance brokerage. Insurance underwriting was the only main operation they weren't allowed to do, something rarely done by banks even after the passage of the Act.
Much consolidation occurred in the financial services industry since, but not at the scale some had expected. Retail banks, for example, do not tend to buy insurance underwriters, as they seek to engage in a more profitable business of insurance brokerage by selling products of other insurance companies. Other retail banks were slow to market investments and insurance products and package those products in a convincing way. Brokerage companies had a hard time getting into banking, because they do not have a large branch and back-shop footprint. Banks have recently tended to buy other banks, such as the recent Bank of America and Fleet Boston merger, yet they have had less success integrating with investment and insurance companies. Many banks have expanded into investment banking, but have found it hard to package it with their banking services, without resorting to questionable tie-ins which caused scandals at Smith Barney.
GLBA did not removed the restrictions on banks placed by the Bank Holding Company Act of 1940 which prevented financial institutions from owning non-financial corporations. This is significant because this restriction prevents an ownership structure similar to Japan or Germany in which banks own the majority of large industrial enterprises.
Some restrictions remain to provide some amount of separation between the investment and commercial banking operations of a company. For example, licensed bankers must have separate business cards, eg. "Personal Banker, Wells Fargo Bank" and "Investment Consultant, Wells Fargo Private Client Services". Much of the debate about financial privacy is specifically centered around allowing or preventing the banking, brokerage, and insurances divisions of a company from working together.
In terms of compliance, the key rules under the Act include The Financial Privacy Rule which governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions – such as credit reporting agencies – that receive customer information from other financial institutions.
- GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity
- Major Components put into place to govern the collection, disclosure, and protection of consumers’ nonpublic personal information; or personally identifiable information:
- Financial Privacy Rule
- Safeguards Rule
- Pretexting Protection
Financial Privacy Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule also applies to information of those no longer consumers of the financial institution.) This plan must include:
- Denoting at least one employee to manage the safeguards
- Constructing a thorough [risk management] on each department handling the nonpublic information
- Develop, monitor, and test a program to secure the information
- Change the safeguards as needed with the changes in how information is collected, stored, and used
This rule is intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a "phony" website or email to collect data). The GLBA has provisions that require the financial institution to take all precautions necessary to protect and defend the consumer and associated nonpublic information. Pretexting is illegal and punishable by law beyond any recognition by the GLBA.
Financial Institutions Defined
The GLBA defines financial institutions as: "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:
- Non-bank mortgage lenders
- Loan brokers
- Some financial or investment advisers
- Debt collectors
- Tax return preparers
- Real estate settlement service providers
These companies must also be considered significantly engaged in the financial service or production that defines them as a "financial institution".
Insurance has jurisdiction first by the state, provided the state law at minimum complies with the GLBA. State law can require greater compliance, but not less than what is otherwise required by the GLBA.
Consumer vs. Customer Defined
The Gramm-Leach-Bliley Act defines a ‘consumer’ as: "an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual."
A ‘customer’ is a consumer that has developed a relationship with privacy rights protected under the GLBA. A ‘customer’ is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a ‘customer’ might have; i.e. a mortgage loan, tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the GLBA. A business, however, may be liable for compliance to the GLBA depending upon the type of business and the activities utilizing individual’s personal nonpublic information.
Consumer Client Privacy Rights
Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to on-line acknowledgment agreements requiring the client to read or scroll through the notice and check a box to accept terms.
The privacy notice must also explain to the customer the opportunity to ‘opt-out’. Opting out means that the client can say "no" to allowing their information to be shared with affiliated parties. The Fair Credit Reporting Act is responsible for the ‘opt-out’ opportunity, but the privacy notice must inform the customer of this right under the GLBA.
The client cannot opt-out of:
- Information shared with those providing priority service to the financial institution
- Marketing of products or services for the financial institution
- When the information is deemed legally required.
Violation of the GLBA may result in a civil action brought by the United States Attorney General. The penalties, as amended under the Financial Institution Privacy Protection Act of 2003 (108th CONGRESS - 1st Session - S. 1458; To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes., In The Senate of the United States, July 25 (legislative day, JULY 21), 2003)include:
- The financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation
- The officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation
- Disclosure of Nonpublic Personal Information
- Financial Institutions and Customer Data: Complying with the Safeguards Rule
- Disclosure of Nonpublic Personal Information
- What Can You Do To Protect Your Privacy
- Privacy Choices for Your Personal Financial Information
- Pretexting: Your Personal Information Revealed
- History of the GLBA
- Financial Privacy: The Gramm-Leach Bliley Act, Federal Trade Commission, 1999
- Gramm-Leach-Bliley Act,15 USC, Subchapter I, Sec. 6801-6809, Disclosure of Nonpublic Personal Information, 1999
- Gramm-Leach-Bliley and You, Chapple, Mike, November 18, 2003
- Gramm-Leach-Bliley Act Financial Privacy Provisions:The Federal Government Imposes Broad Requirements to Address Consumer Privacy Concerns, Ledig, Robert H.
- The Gramm-Leach-Bliley Act: The Financial Privacy Rule, Federal Trade Commission
- In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, Federal Trade Commission
- The Gramm-Leach-Bliley Act – “History of the GLBA”, Electronic Privacy Information Center
- Financial Institution Privacy Protection Act of 2003 - 108th CONGRESS, 1st Session, S. 1458, “To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes.”, IN THE SENATE OF THE UNITED STATES; July 25 (legislative day, JULY 21), 2003