The Gramm-Leach-Bliley Act: What You Need to Know
Author Name: TrainingABC
Posted: 11-22-2019 03:58 PM
Synopsis: It's vital that employees in the financial services sector understand the legal aspects of protecting consumer data.
If you work in the financial services industry, you and your team must ensure that you are complying with all applicable federal and state laws, a duty that has only grown since the global financial crisis of 2008. Investing in a robust compliance program can help your organization avoid fines and even civil or criminal liability. If you do not pay close attention to current and pending federal and state legislation, you and your company run a higher risk of incurring those penalties. Compliance is an ongoing task that requires consistent vigilance.
While financial institutions must safeguard their customers’ deposits, they must take equal care when handling customer data. That is not breaking news, but the task has become more pressing amid growing pushback against how corporations use customer data. To limit the risk of litigation from these increasingly active consumers, your legal, IT, and other relevant departments need to come together and work out how your financial institution uses, analyzes, and shares customer data.
One law that you and your team will have to consider is the Gramm-Leach-Bliley Act (the “GLBA”). The GLBA, passed in 1999, requires financial institutions to explain their information-sharing practices to their customers and to safeguard customer data. The act has several other important components, but these privacy and safeguarding obligations are the ones that bear most directly on how a financial institution handles data. In this article, we explore some of the basics of the GLBA and how financial institutions can effectively comply with it.
Some Basics About the Gramm-Leach-Bliley Act
The GLBA, also referred to as the Financial Services Modernization Act of 1999, was a bipartisan piece of legislation signed into law on November 12, 1999. It made several sweeping changes in the financial services world, including repealing the provisions of the Glass-Steagall Act of 1933 that separated commercial banking from investment banking. Following the passage of the GLBA, commercial banks, investment banks, securities firms, and insurance companies were no longer legally prohibited from consolidating.
That change alone was momentous, but the GLBA also empowered consumers by requiring financial services firms to be more transparent about their use of customer information. Under the GLBA, financial institutions must tell customers how they use and share their nonpublic personal information, notify customers of their right to opt out of having that information shared with nonaffiliated third parties, and protect customers’ private data in accordance with the institution’s written information security program.
The general idea of these provisions is to give customers transparency. Before the GLBA, customers of banks and other financial institutions had no clear picture of how the institution was using their information behind the scenes. After its passage, the Federal Trade Commission (“FTC”), the federal banking agencies, state insurance regulators, and other federal regulatory authorities were charged with enforcing these requirements so that customers of financial institutions actually understand what is happening with their data.
To implement the GLBA, the FTC issued its Privacy of Consumer Financial Information Rule (the Privacy Rule) in 2000, which governs the privacy notices and opt-out rights described above, and the Safeguards Rule in 2002, which requires financial institutions under FTC jurisdiction to maintain specific measures to secure their customers’ information. Together, these rules spell out compliance obligations that the statute itself states only in general terms.
Penalties for noncompliance can be severe. The figures commonly cited for GLBA violations are fines of up to $100,000 per violation for the institution and up to $10,000 per violation for the officers and directors responsible, who can also face up to five years in prison. Those are onerous penalties, so it is in your organization’s best interest to comply.
How Your Business Can Comply with the Gramm-Leach-Bliley Act
That naturally leads to the question of how your business can comply with the GLBA. With a statute this complex, you should speak with your company’s attorney. We cannot provide personalized legal advice, and nothing in this article constitutes legal advice. Meet with corporate counsel to discuss compliance in detail, and the sooner you schedule that meeting, the better.
Having said that, there are several things to keep in mind when determining how to comply with the GLBA.
First, as with any statute, determine whether you must comply at all. The FTC Safeguards Rule is a helpful starting point: if your organization is a “financial institution,” you must comply. But what is a financial institution? Under the Safeguards Rule, the term covers many businesses that would not describe themselves that way. The rule applies to “all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services.” Examples include payday lenders, mortgage brokers, check-cashing businesses, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. If your business does not fit any of these examples, you and your attorney must still determine whether it is “significantly engaged” in providing financial products or services.
If you determine that you must comply, develop a written information security program that describes how your organization protects customer information. Under the Safeguards Rule, the program must be tailored to your organization’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. At a minimum it must designate one or more employees to coordinate the program, identify and assess the risks to customer information, design and implement safeguards to control those risks and regularly test them, oversee service providers that have access to the information, and evaluate and adjust the program as circumstances change. The FTC has published guidance on meeting this requirement.
Finally, a written program is not enough by itself: you must actually secure the information. The FTC requires financial institutions to reduce the risks to customer information by taking proactive steps, and the Safeguards Rule directs them to assess risk in three areas in particular: employee management and training; information systems, including network design and the processing, storage, transmission, and disposal of information; and detecting, preventing, and responding to attacks, intrusions, or other system failures. Whether or not a given control is strictly required, employee training is a good place to start. Identify the employees who handle customer data regularly, bring them together with your legal and/or compliance teams, and decide how you will further safeguard that data. This is a complex process for larger institutions, but it goes a long way toward GLBA compliance.
Protecting Your Customers’ Information
The GLBA is not new legislation, yet it remains important today, and growing calls for privacy and data protection only increase the pressure on your organization. If you work for a financial institution that must comply with the GLBA, take action now: speak with your organization’s attorney and develop a plan for complying with this federal law.
You likely have many other pressing items on your to-do list, but starting now will significantly decrease the chances that you face a steep fine for noncompliance.