The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.
The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional “financial institutions” are regulated by the FTC. For more information on the types of financial activities covered.
The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information. For a summary overview of the Financial Privacy Rule, see In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act.
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions “such as credit reporting agencies” that receive customer information from other financial institutions.
The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.”
In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act
Protecting the privacy of consumer information held by “financial institutions” is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. In turn, consumers have the right to limit some – but not all – sharing of their information.
Here’s a brief look at the basic financial privacy requirements of the law.
The GLB Act applies to “financial institutions” – companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to “financial institutions” that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities.
The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.
Consumers and Customers
A company’s obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. For example, a person who gets a mortgage from a lender or hires a broker to get a personal loan is considered a customer of the lender or the broker, while a person who uses a check-cashing service is a consumer of that service.
Why is the difference between consumers and customers so important? Because only customers are entitled to receive a financial institution’s privacy notice automatically. Consumers are entitled to receive a privacy notice from a financial institution only if the company shares the consumers’ information with companies not affiliated with it, with some exceptions. Customers must receive a notice every year for as long as the customer relationship lasts.
The privacy notice must be given to individual customers or consumers by mail or in-person delivery; it may not, say, be posted on a wall. Reasonable ways to deliver a notice may depend on the type of business the institution is in: for example, an online lender may post its notice on its website and require online consumers to acknowledge receipt as a necessary part of a loan application.
The Privacy Notice
The privacy notice must be a clear, conspicuous, and accurate statement of the company’s privacy practices; it should include what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information. The notice applies to the “nonpublic personal information” the company gathers and discloses about its consumers and customers; in practice, that may be most – or all – of the information a company has about them. For example, nonpublic personal information could be information that a consumer or customer puts on an application; information about the individual from another source, such as a credit bureau; or information about transactions between the individual and the company, such as an account balance. Indeed, even the fact that an individual is a consumer or customer of a particular financial institution is nonpublic person information. But information that the company has reason to believe is lawfully public – such as mortgage loan information in a jurisdiction where that information is publicly recorded – is not restricted by the GLB Act.
Consumers and customers have the right to opt out of – or say no to – having their information shared with certain third parties. The privacy notice must explain how – and offer a reasonable way – they can do that. For example, providing a toll-free telephone number or a detachable form with a pre-printed address is a reasonable way for consumers or customers to opt out; requiring someone to write a letter as the only way to opt out is not.
The privacy notice also must explain that consumers have a right to say no to the sharing of certain information – credit report or application information – with the financial institution’s affiliates. An affiliate is an entity that controls another company, is controlled by the company, or is under common control with the company. Consumers have this right under a different law, the Fair Credit Reporting Act. The GLB Act does not give consumers the right to opt out when the financial institution shares other information with its affiliates.
The GLB Act provides no opt-out right in several other situations: For example, an individual cannot opt out if:
- a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts;
- the disclosure is legally required;
- a financial institution shares customer data with outside service providers that market the financial company’s products or services.
Receiving Nonpublic Personal Information
The GLB Act puts some limits on how anyone that receives nonpublic personal information from a financial institution can use or re-disclose the information. Take the case of a lender that discloses customer information to a service provider responsible for mailing account statements, where the consumer has no right to opt out: The service provider may use the information for limited purposes – that is, for mailing account statements. It may not sell the information to other organizations or use it for marketing.
However, it’s a different scenario when a company receives nonpublic personal information from a financial institution that provided an opt-out notice — and the consumer didn’t opt out. In this case, the recipient steps into the shoes of the disclosing financial institution, and may use the information for its own purposes or re-disclose it to a third party, consistent with the financial institution’s privacy notice. That is, if the privacy notice of the financial institution allows for disclosure to other unaffiliated financial institutions – like insurance providers – the recipient may re-disclose the information to an unaffiliated insurance provider.
Other important provisions of the GLB Act also impact how a company conducts business. For example, financial institutions are prohibited from disclosing their customers’ account numbers to non-affiliated companies when it comes to telemarketing, direct mail marketing or other marketing through e-mail, even if the individuals have not opted out of sharing the information for marketing purposes.
Another provision prohibits “pretexting” – the practice of obtaining customer information from financial institutions under false pretenses. The FTC has brought several cases against information brokers who engage in pretexting.
For More Information
The FTC is one of eight federal regulatory agencies that has the authority to enforce the financial privacy law, along with the state insurance authorities. The federal banking agencies, the Securities and Exchange Commission and the Commodity Futures Trading Commission have jurisdiction over banks, thrifts, credit unions, brokerage firms and commodity traders.
The FTC has additional details on the GLB Act, the Commission’s Privacy Rule and a compliance guide for small business owners at www.ftc.gov/privacy.
For more information about the Financial Privacy Rule
requirements, please see the FTC’s Small Business Guide