Title V of the Financial Services Modernization Act of 1999 (known as the Gramm-Leach-Bliley Act or “GLBA”) established Privacy and Security rules for financial institutions with respect to consumer personal information.
The GLBA applies broadly to financial institutions “significantly engaged” in financial activities and covers banks, securities firms, mortgage lenders, insurance providers, credit counselors, and check-cashing services, among others.
Under the GLBA, financial institutions must comply with certain privacy and security requirements concerning consumers’ “nonpublic personal information.” Such information includes personal information provided by a consumer to a financial institution (including via a transaction) as well as to information otherwise obtained by the financial institution.
The GLBA’s Privacy Rule requires that financial institutions:
- Provide customers with clear and conspicuous notice of their information-sharing policies and procedures at the point that a customer relationship is established and annually thereafter.
- Provide customers with the right to opt-out of the sharing of nonpublic personal information with nonaffiliated third parties.
- Refrain from disclosing to any non-affiliated third party marketer, other than a consumer reporting agency, an account number or similar access code to consumer’s credit card, deposit or transaction account.
- Comply with regulatory standards in protecting the security and confidentiality of consumer records and protect against security threats and unauthorized access to or use of such information.
Privacy notices required by the GLBA must include the following:
- The information the financial institution collects
- The parties with whom it shares information
- How it protects or safeguards information
- How a consumer may opt-out of the sharing of information through a reasonable opt-out process
A consumer request to opt-out must be processed within 30 days.
Compliance Tip: Consumers are not entitled to opt-out for disclosures that are legally required or made to service providers.
The GLBA’s Safeguard Rule requires financial institutions to maintain security controls to protect the confidentiality and integrity of consumer personal information. The obligation extends to both electronic and analogue records.
Under the Safeguards Rule, financial institutions must implement a comprehensive written information security program that includes administrative, physical, and technical controls. Such program must be appropriate to the size, complexity, nature, and scope of the activities engaged in by the institution.
The Safeguards Rule further requires financial institutions to:
- designate an employee to coordinate the program;
- audit systems to determine risk; and
- implement procedures to ensure that service providers maintain the security of consumer information.
Compliance Tip: The application of GLBA’s privacy protections may vary based on whether the financial institution’s relationship with an individual is that of a “consumer” or a “customer,” as defined by the law. A customer is generally defined as a consumer with whom the institution has an ongoing relationship.
Enforcement of GLBA is split between the Consumer Financial Protection Bureau (CFPB), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC). State attorneys general may also bring enforcement actions for GLBA violations.
Compliance Tip: Stricter state laws are not fully preempted by GLBA and many states maintain laws independent of GLBA, some of which include private rights of action.
Penalties for noncompliance can range from a minimum of $5,500 to a maximum of $27,500 per each violation.