The Gramm–Leach–Bliley Act (GLBA)

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 (enacted November 12, 1999), is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton. A year before the law was passed, Citicorp, a commercial bank holding company, merged with the insurance company Travelers Group in 1998 to form the conglomerate Citigroup, a corporation combining banking, securities and insurance services under a house of brands that included Citibank, Smith Barney, Primerica, and Travelers. Because this merger was a violation of the Glass–Steagall Act and the Bank Holding Company Act of 1956, the Federal Reserve gave Citigroup a temporary waiver in September 1998. Less than a year later, GLBA was passed to legalize these types of mergers on a permanent basis. The law also repealed Glass–Steagall's conflict of interest prohibitions "against simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank".[1]

The Gramm-Leach-Bliley Act also required financial institutions offering consumers loan services, financial or investment advice, and/or insurance to fully explain their information-sharing practices to their customers. Firms must allow their customers the option to "opt out" if they do not want their sensitive information shared. While many consider critical information, such as bank balances and account numbers, to be confidential, in reality this data is consistently bought and sold by banks, credit card companies, and others. Gramm-Leach-Bliley required limited privacy protections against such personal data sales, and against pretexting (obtaining personal information through false pretenses).[2]

The act has three main sections, consisting of two rules and a set of provisions. The term “3 rules” seems to have been adopted to help people better understand the requirements of the legislation. Each of these three measures is designed to inform and guide organizations covered by the legislation about:

  • The types of data to protect
  • Specific measures expected from the bill
  • Preventing and lessening the number of opportunities for unauthorized access

Here are brief descriptions of each of those 3 components in the GLBA:

  • Financial Privacy Rule: A company that is either a “financial institution” or receives “nonpublic personal information (NPI)” regarding consumers from a financial institution must adhere to the privacy rule of the GLBA. This rule covers most personal information (name, date of birth, Social Security number, etc.) as well as transactional data (card and bank account numbers). It also covers private information you may acquire during a transaction (a credit report, for instance). The FTC publishes a page detailing every aspect of the privacy rule.
  • Safeguards Rule: This rule ensures that those under the jurisdiction of the GLBA have specific means to protect private information. According to the text of the rule itself, GLBA adherents must have “the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” Many of these techniques are outlined in the text as well. Notable requirements include:
    • Employee training
    • Proper software
    • Testing and monitoring of vulnerabilities
  • Pretexting Provisions: In addition to protecting nonpublic personal information (NPI), organizations that fall under the GLBA must also take measures to detect and prevent as many instances of unauthorized access as possible. There are a number of nefarious scams trying to access personal data by phone, email or even in person. Pretexting provisions aim to mitigate this data loss and protect more consumers.

The main focus of the GLBA is to expand and tighten consumer data privacy safeguards and restrictions. For IT professionals and financial institutions, the primary concern under the GLBA is to secure customers’ private and financial information and ensure its confidentiality. Maintaining GLBA compliance is critical for any financial institution, as violations can be both costly and detrimental to continued operations. However, by taking steps to safeguard NPI and comply with the GLBA, organizations will benefit not only from improved security and the avoidance of penalties, but also from increased customer trust and loyalty.

See Also

  1. Gramm–Leach–Bliley Act, Wikipedia
  2. The Gramm-Leach-Bliley Act and Consumer Privacy, Investopedia