In the regular course of business, many companies that possess consumers’ financial information share it with their affiliates and other business partners. Owing to the sensitive nature of such financial information, the U.S. Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, to protect consumer financial privacy. GLBA requires companies acting as “financial institutions” – i.e., companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
The provisions of the law limit when a company acting as a financial institution may disclose a consumer’s nonpublic personal information (NPI) to nonaffiliated third parties. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to opt out if they do not want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
Who must comply with this law?
GLBA applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services to consumers. This includes many companies not traditionally considered to be financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, retailers that issue branded credit cards, professional tax preparers, and courier services. The law also applies to companies such as credit reporting agencies and ATM operators that receive information about customers of other financial institutions. In addition to developing their own safeguards, companies covered by the law are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
Penalties for non-compliance with GLBA
GLBA calls for severe civil and criminal penalties for noncompliance, including fines and imprisonment. If a financial institution violates GLBA:
The institution will be subject to a civil penalty of not more than $100,000 for each violation.
Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both.
GLBA has three sections:
The Financial Privacy Rule – governs the collection and disclosure of private financial information.
The Safeguards Rule – requires the implementation of security programs to protect financial information.
The Pretexting Provisions – prohibit accessing private information under false pretenses.