Gramm-Leach-Bliley Act

The US Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires US-based financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive personal data.

The GLBA primarily seeks to "modernize" financial services by ending regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. Removal of these regulations, however, has raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use.

Prior to the Gramm-Leach-Bliley Act, an insurance company that maintained your health records was different from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these financial institutions merged, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives.

Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals:

  • (1) Banks, brokerage companies, and insurance companies must securely store personal financial information.
  • (2) They must advise you of their policies on sharing of personal financial information.
  • (3) They must give consumers the option to opt out of some sharing of personal financial information.

Definition of financial institution

The definition of “financial institution” under the Gramm-Leach-Bliley Act includes many businesses that may not normally describe themselves that way. The law applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, and courier services.

The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.

Gramm-Leach-Bliley Act compliance

In order to comply with the Gramm-Leach-Bliley Act Safeguards Rule, organisations can adopt the ISO 27001 Information Security Management Standard. The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information.

The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.

As part of its plan, each company must:

  • designate one or more employees to coordinate its information security programme;
  • identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • design and implement a safeguards program, and regularly monitor and test it;
  • select service providers that can maintain appropriate safeguards, make sure its contracts require them to maintain safeguards, and oversee their handling of customer information; and
  • evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Gramm-Leach-Bliley Act in the UK

It stands to reason that any UK financial institutions with US subsidiaries will need to comply with the Gramm-Leach-Bliley Act. This will put pressure on those directors responsible for IT compliance to ensure that their online business systems comply with the Act's information sharing and data protection requirements.

Further information


Gramm-Leach-Bliley Act (GLBA)

Pub.L. 106–102, 113 Stat. 1338, enacted November 12, 1999