Gramm-Leach-Bliley Act

From Academic Kids

The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 repealed parts of the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act had prohibited a single bank from offering investment banking, commercial banking, and insurance services together. The Gramm-Leach-Bliley Act allowed investment and commercial banks to consolidate, for example Citigroup and Salomon. The combined industry is known as the financial services industry.

This act was desired by most of the largest banks, brokerages, and insurance companies in the country at the time. The justification was that people usually put more money in investments in a good economy, but when it turns bad, they put their money into savings accounts. With the new act, they would do both with the same company, so the company would be doing well in all economic times. This has to some extent proven out.

Prior to the passage of the act, many financial services companies were already moving in this direction. On the retail/consumer side, a bank called Norwest led the charge in offering all types of financial services products in 1986. Around the same time American Express attempted to own almost every genre of financial business (although there was little synergy between them). Things culminated in 1998 when Travelers, a financial services company with everything but a retail/commercial bank, merged with Citicorp, creating the largest financial services company in the world. At the time this combination was technically illegal under Glass-Steagall, and it was a large impetus for the passage of Gramm-Leach-Bliley.

Also prior to the passage of the act, there had been many relaxations of the Glass-Steagall law. For example, a few years before, commercial banks were allowed to get into investment banking, and before that banks were allowed to get into stock and insurance brokerage. The only major activity they still weren't allowed to do was insurance underwriting (something rarely done by banks even after the passage of the act).

Since the passage of the act, a lot of consolidation has occurred in the financial services industry, but not as much as was expected. Retail banks, for example, do not tend to buy insurance underwriters, since they expect they can make more money selling other companies' insurance products in their branches (this is called insurance brokerage). Many other retail banks have been slow to adopt investment and insurance products, and to package those products in a convincing way. Brokerage companies have had a hard time getting into banking, because they do not have a large branch and back-office footprint. Banks have recently tended to buy other banks, such as the recent Bank of America and FleetBoston merger, yet they have had less success integrating with investment and insurance companies. Many banks have expanded into investment banking, but have found it hard to package it with their banking services without resorting to questionable tie-ins of the kind that caused scandals at Smith Barney.

Senator Phil Gramm led the Senate Banking Committee which sponsored the bill for the act; he later joined UBS Warburg, the U.S. investment arm of the largest Swiss bank.

Some restrictions remain to provide a degree of separation between the investment and commercial banking operations of a company. For example, commercial banks aren't allowed to pay a commission to employees who convince customers to also use investment services. They are only allowed to pay them a small fee for simply setting up appointments to meet with a financial advisor. Much of the debate about financial privacy is specifically centered on allowing or preventing the banking, brokerage and insurance divisions of a company from sharing customer information with one another.

In terms of compliance, the key rules under the act are the Financial Privacy Rule and the Safeguards Rule. The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, that receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.

  • GLBA compliance is not voluntary: whether or not a financial institution discloses nonpublic information, it must have a policy in place to protect that information from foreseeable threats to its security and integrity.
  • The major components put into place to govern the collection, disclosure, and protection of consumers' nonpublic personal information (personally identifiable financial information) are the following:

Financial Privacy Rule

[Subtitle A: Disclosure of Nonpublic Personal Information 15 U.S.C. § 6801-6809]

The Financial Privacy Rule requires financial institutions to provide each customer with a privacy notice at the time the customer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the consumer, with whom that information is shared, how that information is used, and how that information is protected. The notice must also describe the consumer's right to opt out of having the information shared with nonaffiliated third parties, and, where the Fair Credit Reporting Act applies, the separate right to opt out of certain sharing among affiliates. Should the privacy policy change at any point, the consumer must be given a revised notice before information is shared in a way the earlier notice did not cover. Each time the privacy notice is reissued, the consumer again has the opportunity to opt out. Nonaffiliated parties that receive the nonpublic information are bound by the limits on reuse and redisclosure that applied to the institution that gave it to them. In summary, the Financial Privacy Rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's nonpublic personal information.

Safeguards Rule

[Subtitle A: Disclosure of Nonpublic Personal Information 15 U.S.C. § 6801-6809]

The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients' nonpublic personal information. (The Safeguards Rule also applies to information about those who are no longer customers of the financial institution.) This plan must include: (1) designating at least one employee to coordinate the safeguards, (2) conducting a thorough risk assessment of each area of operation that handles the nonpublic information, (3) developing, monitoring, and testing a program to secure the information, and (4) adjusting the safeguards as needed when the way information is collected, stored, and used changes. This rule is intended to do what most businesses ought already to be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis of their current processes. No process is perfect, so in practice every financial institution has had to make some effort to comply with the GLBA.

Pretexting Protection

[Subtitle B: Fraudulent Access to Financial Information 15 U.S.C. § 6821-6827]

Pretexting is a form of social engineering in which someone tries to gain access to nonpublic personal information without having permission or privilege to do so. This may entail requesting private information while impersonating the account holder (or a person authorized to act for them) by phone, by mail, by email, or through phishing (a phony website or email designed to collect the data). The GLBA makes it unlawful to obtain customer information from a financial institution by false pretenses, and its provisions require financial institutions to take precautions to protect their customers and the associated nonpublic information against such attempts. Pretexting is also independently illegal under other fraud statutes, not only under the GLBA.

Financial Institutions Defined

The GLBA defines "financial institutions" as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." The Federal Trade Commission (FTC) has jurisdiction over non-bank financial institutions such as: (1) non-bank mortgage lenders, (2) loan brokers, (3) some financial or investment advisers, (4) debt collectors, (5) tax preparers, (6) non-bank lenders, and (7) real estate settlement service providers. (Banks themselves are supervised by the federal banking regulators rather than the FTC.) These companies must also be "significantly engaged" in the financial service or product that defines them as a "financial institution".

Insurance is regulated first by the states, provided the state law at minimum complies with the GLBA. State law can require greater protection, but not less than what is otherwise required by the GLBA.

Consumer vs. Customer Defined

Section 6809 of the Gramm-Leach-Bliley Act defines a 'consumer' as "...an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." A 'customer' is a consumer who has a continuing relationship with the financial institution; a consumer who has not formed such a relationship is only a 'consumer'. An example of a consumer who is not a customer might be someone using another bank's ATM or having a check cashed at a cash advance business. These are one-time transactions rather than ongoing relationships of the kind a customer has, such as a mortgage loan, tax advising, or credit financing. The distinction matters because customers must receive the privacy notice when the relationship is established and annually thereafter, while consumers who are not customers must receive it only before their information is shared with nonaffiliated third parties. A business is not an individual with nonpublic personal information, so a business cannot be a consumer or customer under the GLBA. A business, however, may be liable for compliance with the GLBA depending upon the type of business and its activities involving individuals' nonpublic personal information.

Consumer/Client Privacy Rights

Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, with whom this information is shared, and how the company safeguards that information. This privacy notice must generally be given to the client before or at the time the customer relationship is established. There are exceptions when the client agrees to delayed receipt of the notice in order to complete a transaction on a timely basis. The practical burden of delivering the notice has been reduced by online acknowledgement agreements that require the client to read or scroll through the notice and check a box to accept the terms.

The privacy notice must also explain to the consumer the opportunity to 'opt out'. Opting out means that the client can say "no" to having their nonpublic personal information shared with nonaffiliated third parties. (Opting out of certain sharing among a company's affiliates is governed separately by the Fair Credit Reporting Act, and the privacy notice must inform the consumer of that right as well.) The client cannot opt out of sharing in the following cases:

    • information shared with service providers that perform services for the financial institution, or with partners under a joint marketing agreement
    • information used to market the financial institution's own products or services
    • information whose disclosure is legally required (for example, in response to a subpoena or to a regulator).

GLBA Enforced

Enforcement of the GLBA's privacy provisions is assigned by section 505 of the act (15 U.S.C. § 6805) to the federal functional regulators: the federal banking agencies for banks, the SEC for securities firms, state insurance authorities for insurers, and the FTC for other financial institutions. The act itself does not set out specific dollar penalties for privacy violations; the figures often quoted in this context come from the Financial Institution Privacy Protection Act of 2003 (108th Congress, 1st Session, S. 1458, "To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes", introduced in the Senate on July 25 (legislative day, July 21), 2003), a bill that was introduced but not enacted. That bill proposed:

  • "the financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation"
  • "the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation".


For more about the history of financial privacy governances and the GLBA, see “History of the GLBA” at


  • Financial Institution Privacy Protection Act of 2003, 108th Congress, 1st Session, S. 1458, "To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes." Introduced in the Senate of the United States, July 25 (legislative day, July 21), 2003.
