The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is the US federal law enacted to protect consumers' financial privacy. Under this regulation, financial institutions have only a limited right to disclose a consumer's nonpublic personal information (NPI).
This data privacy and protection law aims to safeguard the most sensitive NPI, which certainly includes personal finances. Financial NPI consists of banking details as well as your identification number, which is a key target for most hackers.
Financial institutions are required to inform their customers about the collection, processing, and storage of their personal data at the beginning of the relationship and whenever they change the customer agreement. Changes can include the adoption of new technology or an intention to share the data with third parties.
It’s important to note that this law extends beyond traditional financial institutions to include some unexpected companies.
As such, we will explore not only the key principles of GLBA, but also who is subject to it, along with the associated fines and benefits.
Let’s dive in!
1. Who does the GLBA apply to?
All financial institutions are subject to the GLBA. However, how the lawmakers defined "financial institutions" is where this regulation gets a bit tricky.
Under the GLBA, a financial institution is any institution that offers financial products or services, including banks, insurance companies, brokers, and retailers that offer financial solutions. Whether you serve customers or consumers also matters, as explained later on.
To be considered a financial institution, your business must be significantly engaged in one or more of the following financial activities:
- Exchanging, lending, transferring, and/or investing money for customers
- Safeguarding the money or securities of others, services usually offered by lenders, check cashers, wire transfer services, and sellers of money orders
- Providing financial, investment or economic advisory services, as offered by financial planners, credit counselors, accountants, tax preparers, and investment advisors
- Brokering loans
- Servicing loans
- Collecting debts
- Providing real estate settlement services
- Career counseling for job hunters in the financial industry
A. Who is significantly engaged in financial activities?
It is important to understand exactly what "significantly engaged in financial activities" means here. To be significantly engaged, there must be a formal agreement evidencing such activities. For instance, a restaurant that runs a "tab" for customers is not significantly engaged. However, a retailer that issues its own credit card falls under the GLBA privacy policy.
Another factor that determines whether a business is significantly engaged is the frequency of its financial activities. A retailer that occasionally lets its customers use a lay-away payment plan is not seen as significantly engaged. In contrast, companies that regularly wire money to and from their customers are considered significantly engaged. This leads to another key point of differentiation: customers vs. consumers.
B. The difference between a customer and a consumer
If you are a financial institution, your obligations may depend on whether your buyers are customers or consumers. You must inform customers about any action relating to the processing of their NPI, whereas consumers are notified only in certain circumstances. Thus, it's important to know the difference.
A customer is any individual who directly purchases your financial services under a signed contract that outlines the obligations of both sides, which is what makes the agreement legitimate.
On the other hand, consumers are individuals who obtain, or have obtained in the past, your financial product for personal, family or household purposes, or who act as such a person's legal representative. That said, consumers are not companies or sole proprietorships that use your financial products for business purposes. If this is your case, the GLBA principles do not apply to you.
Another notable aspect is that occasional buyers who are not your ongoing clients are classified as consumers, not customers. For example, if a customer of another bank withdraws money from your ATM, that only makes them your consumer, not your customer. Former customers' NPI must also be protected, since they remain your consumers.
2. What is NPI?
Identifying NPI is the core of your GLBA compliance. NPI means any "personally identifiable financial information" that a financial institution collects about a specific individual in connection with providing a financial product or service. This rule does not apply where the sensitive information is already "publicly available" or has been disclosed by other parties.
NPI is:
- any data an individual shares with you to get a financial product or service, such as their name, address, income, or Social Security number
- any data you receive about an individual from a transaction involving your financial product or service, such as their payment history, account number(s), loan or deposit balance(s), and credit or debit card purchase(s)
- any data you get about an individual in connection with providing a financial product or service, such as the information from a consumer report or court records
However, there are cases where NPI does not concern you under GLBA. When you have determined that the information is lawfully made available to the general public, such as telephone numbers in city listings, you have no GLBA obligation toward that individual for it. That being said, when a customer or relevant consumer can show that their sensitive data has not been made public, you are required to protect it.
3. The Key Principles of GLBA
Once you've determined that you fall under the GLBA's financial institution category, and that you have customers and/or consumers, you will need to comply fully. There are two key principles of GLBA that your business needs to follow to be in compliance: privacy rules and protection procedures.
a. NPI Privacy Rules
Financial institutions are expected to provide a clear and concise notice to their customers and certain consumers about how their data is used. They should give individuals the option to consent and to opt out at any time, especially when the company intends to disclose that data to a nonaffiliated third party.
The notice should describe the company's privacy policy and practices, including its arrangements with both affiliated and nonaffiliated third parties. This is how companies guarantee the confidentiality of the individual's NPI.
b. GLBA Security Policy
The GLBA requires that significantly engaged financial institutions guarantee the security of their customer and consumer NPI. As part of the enforcement of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires companies recognized as financial institutions under FTC jurisdiction to establish measures and procedures for safeguarding their customers’ personal data.
However, protecting customer information isn't only a regulatory obligation. Being in compliance with the GLBA also makes good business sense. Your brand will look much better in your customers' eyes if they know that you take the security of their NPI seriously, and this will drastically increase their confidence in your company.
The main thing to focus on here is controlling access to your customer NPI database. You should have practices in place that ensure only authorized employees or departments can access specific data records.
Just as you protect the NPI database within your company, you should safeguard it against outside threats such as hackers. Such attacks can compromise your business integrity, and it's not just your reputation that's at stake: there are also serious penalties.
4. GLBA’s Penalties
When a GLBA non-compliance allegation is proven, the punishment can have a catastrophic impact, with business-altering, and even life-altering, consequences.
Some GLBA non-compliance penalties include:
- $100,000 for each violation made by a financial institution
- $10,000 for each violation made by customers or consumers
- Customers and consumers found in violation can face 5 years of prison time
One of the more well-known GLBA allegations was against PayPal for violating both the Federal Trade Act and the GLBA. Additionally, two mortgage companies were accused of misusing millions of customer NPI records.
5. GLBA Best Practices
This is a win-win. You can avoid massive GLBA fines while also increasing the trust and loyalty of your customers. To make this happen, you should consider equipping both your IT and customer support departments with the right tools to eliminate any chance of GLBA non-compliance.
On today's market, helpdesk software that collects and protects your customer data at the same time is the best solution for GLBA compliance, not to mention GDPR and CCPA too! The only thing left is to deploy such a solution and never worry about the GLBA again!