Welcome to the GLBA course. The purpose of this course is to arm you, the insurance adjuster and insurance agent, with relevant and adequate knowledge on matters pertaining to GLBA. At the end of this GLBA course, you should be capable of understanding the basics of GLBA.

Please note that the contents of this course serve only as guidance and an overview of the topic. Because GLBA is a dynamic area of law, not all material covering it can be treated exhaustively in this course. You are therefore encouraged to consult supplementary materials on the topic to equip yourself further.

The content of the course shall be as hereunder:

  1. Introduction
  2. Glass-Steagall Act
  3. Bank Holding Company Act
  4. Privacy under GLBA


President Clinton signed the Gramm-Leach-Bliley Act (“GLBA”) into law after it had received overwhelming bipartisan support from both houses of Congress. The passage of the Glass-Steagall Act was a watershed moment in the history of the financial services industry. For that industry, the GLBA signaled the conclusion of regulations that sought to rectify the perceived flaws in the banking system which were attributed to the Great Depression. For consumers, it represented a first hesitant step by Congress toward ensuring that private financial companies protect the financial information of their customers. Congress passed the GLBA in response to the need for enhanced competition in the financial services industry at the time. The Act also recognizes the need to protect the privacy of consumers’ financial information and to prevent unauthorized access to it. A “financial service” encompasses a variety of activities beyond the review or exchange of information collected by a financial institution in connection with a consumer’s request or application for a financial product or service.

The Gramm-Leach-Bliley Act (GLBA) sought to “modernize” financial services by repealing laws (such as the Glass-Steagall Act of 1933 and the Bank Holding Company Act of 1956) that banned banks, stock brokerage firms, and insurance firms from merging. The GLBA only applies to financial institutions (e.g., banking, insurance, stocks and bonds, financial advice, and investing).

One of the changes brought about by the law was the establishment of a new type of financial institution: the financial holding company (FHC). An FHC was simply an expansion of the notion of a bank holding company, an umbrella organization that could own subsidiaries engaged in a variety of financial operations. This was a middle-of-the-road solution: depository institutions’ own ability to engage in securities and insurance underwriting and sales remained restricted, but banks could be part of a larger organization that was engaged in those operations.

Although allowing this kind of affiliation repealed portions of the Glass-Steagall and Bank Holding Company Acts, it also resulted in new rules for FHCs. The statute imposed cross-marketing limits to prevent a bank and a nonbank subsidiary of the same FHC from promoting each other’s products or services; these limits were aimed at prohibiting banks from pushing securities underwritten by affiliated subsidiaries to their customers. Additionally, the existing prohibitions on financial transactions between banks and their nonbank affiliates remained in place.

In addition, the law established restrictions on the size of banks’ financial subsidiaries. At the time of the law’s implementation, the total assets of a national bank’s financial subsidiaries were limited to the lesser of $50 billion or 45 percent of the bank’s total assets. To give these standards substance, it was necessary to appoint a regulator with the authority to enforce them. That duty fell largely on the Federal Reserve.

When a company decides to become an FHC, it must file a written declaration with the Federal Reserve Board stating that it wishes to do so and certifying that it complies with the conditions. The certification requirements were designed to hold FHCs to a higher level of performance. Under the Community Reinvestment Act, they must have at least satisfactory ratings, and they must be adequately capitalized and well managed in compliance with existing bank standards. If any of the depository subsidiaries fails to remain well managed and well capitalized, the FHC becomes subject to corrective supervisory action and is barred from engaging in new financial activities until the issues are resolved. FHCs have 180 days to fix their deficiencies; otherwise they risk being ordered by the Federal Reserve to dispose of their depository subsidiaries or to cease engaging in other financial operations. When an FHC begins an approved financial activity, it must notify the Federal Reserve Board within thirty days of the activity’s commencement date.

The Federal Reserve’s supervision of FHCs is based on the concept of functional regulation. The Fed oversees the consolidated organization, but relies heavily on the reports and supervision provided by the competent state and federal authorities for the FHC subsidiaries. To give just a few examples, the Securities and Exchange Commission would regulate the registered securities brokers, dealers, and investment advisers, while the state insurance commissioners would supervise the licensed insurance companies, and the appropriate state and federal banking agencies would supervise the banks and thrifts. Therefore, the current regulators for financial subsidiaries of FHCs were retained, but the Federal Reserve was designated as “umbrella supervisor” under the statute.

This position was deemed necessary because these vast and intricate financial organizations had risk dispersed among various subsidiaries yet managed it as a consolidated entity; someone had to oversee the operation of all the moving components. A further goal of the legislation was to protect banks and their customers from risks assumed by financial affiliates, while also ensuring that protections for banks (e.g., deposit insurance) were not stretched to nonbank affiliates, which would generate perverse incentives for risk management.

The History of GLBA

The Glass-Steagall Act, which had segregated commercial and investment banking since 1933, was repealed in substantial part by the GLBA, signed into law by President Bill Clinton in November 1999. As a result, financial holding companies were formed, and the Fed was given new supervisory authority over them. By the late 1990s, consolidation in the banking business had been going on for twenty years. The number of commercial banks in the United States had decreased from over 14,000 in 1984 to fewer than 9,000 in 1999, and the average size of those banks had increased. This was part of a broader trend of consolidation across the financial services industries.

A further development was the increased integration of financial services that had previously been separated for much of the latter half of the twentieth century (commercial banking, investment banking, and insurance). Commencing in the late 1980s, certain commercial banking organizations began to diversify their operations into the underwriting of securities (stocks and corporate bonds), and a small number of them began to offer insurance products. Financial integration had advanced to a significant degree by 1999, and Congress resolved to take action. In November, the Financial Services Modernization Act (commonly known as Gramm-Leach-Bliley, in recognition of its key proponents in Congress) was approved and signed by President Clinton, rewriting the financial regulation rulebook and granting the Federal Reserve unprecedented supervisory powers.

The Glass-Steagall Act of 1933 had established a wall of separation between certain sectors of the financial services industry. The restrictions were imposed because it was believed that commercial and investment banking had become too interconnected in the run-up to the 1929 stock market crash, that banks had taken on unnecessary risk with depositors’ savings in the financial markets, and that banks had been promoting the securities they underwrote to their own customers, resulting in conflicts of interest. The Glass-Steagall Act was enacted in response to the widely held assumption that the stock market crash was caused by a lack of separation between lending and underwriting activities, which had allowed banks to engage in speculative investments. Congress’s passage of the Glass-Steagall Act divided commercial banking from investment banking, effectively prohibiting commercial banks from underwriting the majority of securities. In order to avoid conflicts of interest, Congress attempted to restrict these companies from engaging in similar activities.

The Glass-Steagall Act was unable to keep these legal barriers in place. Had the Act been effective, it would have reduced direct competition between commercial banks and securities firms, but by 1990 the largest banks were able to participate in nearly all of the securities operations they had engaged in before the passage of the Glass-Steagall Act. The shortcomings of the Glass-Steagall Act can be attributed to a number of issues. First, since it was designed as corrective law, the Glass-Steagall Act could not anticipate the emergence of new financial services and instruments. Investment banks began to provide new products that offered essentially the same service as traditional commercial banking products. Checkable interest-earning money market funds, for example, were introduced by investment banks as a product competing with traditional non-interest-earning checking accounts. Second, slower growth in traditional lending activities pushed commercial banks to engage in securities activities that were not specifically prohibited by the Glass-Steagall Act.

The Glass-Steagall Act also contained language that allowed some degree of financial integration. A significant provision of the law was Section 20, which drew the line between commercial and investment banking. The law forbade bank affiliation with companies that were “primarily engaged in the business of underwriting and dealing in securities.” Consequently, bank holding companies were able to establish subsidiaries or purchase companies that were engaged in some form of underwriting or dealing, so long as the majority of their activities were otherwise permitted. The Federal Reserve approved the first of these Section 20 subsidiaries in 1987, and by 2000 there were fifty-one of them operating throughout the nation.

Insurance sales by state-chartered banks were governed mostly by state legislation, while national banks were permitted to provide credit-related insurance and to operate insurance agencies in small towns where they maintained branch offices. These rules restricted the insurance activities of banks, but in 1998 Citicorp, a large bank holding company, announced plans to merge with Travelers Insurance, resulting in the formation of Citigroup. The merger was not permitted under the regulations in force at the time; it was completed in anticipation of a change in the legislation then being debated in Congress. The Gramm-Leach-Bliley Act was enacted in response to these shifts in the financial industry. Its goal was to promote the benefits of financial integration for consumers and investors while ensuring the soundness of the banking and financial systems. Senator Paul Sarbanes (D-MD), then the ranking Democrat on the Senate Banking, Housing, and Urban Affairs Committee, explained the rationale in his address asking fellow senators to vote for the GLBA: “Very frankly, the issue for Congress is not whether these affiliations should occur, because they have occurred in one way or another, but whether they should take place on an orderly basis in the context of a responsible statutory framework, or instead, on an ad hoc basis as permitted by the regulators.”

Glass-Steagall Act

When the Glass-Steagall Act was passed in 1933 as part of the Banking Act of 1933, it marked the beginning of the separation of Wall Street from Main Street by providing safety to those who put their savings in the hands of commercial banks. During the Great Depression, millions of Americans lost their jobs, and one in every four lost their life savings as a result of more than 4,000 bank failures in the United States between 1929 and 1933, which caused depositors losses of about $400 million. The Glass-Steagall Act barred banks from using depositor funds to make high-risk investments. However, in the deregulated environment of the 1980s and 1990s, the Act was effectively undercut by the looser restrictions of that period.

As the Great Depression of the 1930s wreaked havoc on the United States economy, many blamed the financial industry’s antics and lax banking rules for contributing to the economic disaster. The Glass-Steagall Act was first introduced in January 1932 by U.S. Senator Carter Glass (a Democrat from Virginia) and co-sponsored by Democratic Alabama Representative Henry Steagall. President Franklin D. Roosevelt signed the Glass-Steagall Act into law on June 16, 1933, as part of a series of measures enacted during his first 100 days in office to revive the nation’s economy and restore public confidence in its banking system.

With the passage of the Glass-Steagall Act, a barrier was established between commercial banks, which accept deposits and make loans, and investment banks, which negotiate the sale of bonds and shares. The Banking Act of 1933 also established the Federal Deposit Insurance Corporation (FDIC), which at the time insured bank deposits up to $2,500 (the insurance limit was later raised by the Dodd-Frank Act of 2010). According to the bill’s language, it was intended to promote the safer and more efficient use of bank assets, to regulate interbank control, to prevent the undue diversion of funds into speculative operations, and for other purposes. Some of those “undue diversions” and “speculative operations” had been exposed in congressional investigations led by a prosecutor named Ferdinand Pecora.

During his tenure as chief counsel to the United States Senate’s Committee on Banking and Currency, Pecora investigated the actions of top bank executives and discovered widespread reckless behavior, corruption, and cronyism. One of the problems Pecora and his research team discovered was that a bank might lend money to a firm and then issue stock in that same company without disclosing the bank’s underlying conflict of interest to shareholders. If the company went out of business, the bank would have incurred no losses, while its investors would have been left unfairly bearing the burden.

In a series of dramatic hearings, Pecora revealed the actions of people such as Charles Mitchell, the head of National City Bank, who earned more than $1 million in bonuses in 1929 but paid no taxes. According to the testimony unearthed, National City Bank had taken on bundles of bad loans, packaged them as securities, and then sold them to naïve consumers. Meanwhile, a top executive of Chase National Bank had made a fortune by short-selling the shares of his own company during the 1929 stock market crash. During J.P. Morgan’s testimony, the public heard that the financier had issued stocks at discounted rates to a limited circle of privileged clientele, which included former President Calvin Coolidge.

In addition to capturing the attention of an increasingly disillusioned American public, Pecora’s hearings drew attention to the financial elites who had put the nation’s economy at peril while pocketing profits; a new word, “banksters,” was coined to refer to these men. On February 24, 1933, a Chicago Tribune editor wrote that “the only difference between a bank burglar and a bank president is that one works at night.” This outpouring of rage against the banking industry was harnessed to push through the Glass-Steagall Act, which President Roosevelt signed into law on June 16, 1933.

According to the statute, bankers could accept deposits and provide loans, and brokers at investment banks could raise money and sell securities, but no banker at a single firm could handle both. The obstacles erected by Glass-Steagall, however, were steadily eroded over time. At the start of the 1970s, huge banks started to resist the Glass-Steagall Act’s rules, alleging that they made them less competitive against foreign securities businesses. This argument was supported by Federal Reserve Chairman Alan Greenspan, appointed by President Ronald Reagan in 1987: if banks were allowed to engage in investment strategies, they would be able to increase returns for their banking customers while reducing risk by diversifying their businesses. Soon after, some banks began exploiting gaps in the Glass-Steagall Act to cross the line the Act had previously drawn. For example, the legislation provided that while a Federal Reserve member bank was prohibited from dealing in securities, a bank could affiliate with a corporation that did so as long as the company was not primarily engaged in such operations. One of the most notable transactions to take advantage of this loophole was the 1998 merger of Citicorp with Travelers Insurance.

One year later, President Bill Clinton signed the Financial Services Modernization Act, also known as Gramm-Leach-Bliley, which essentially repealed major provisions of the Glass-Steagall Act, neutralizing it. According to President Clinton, the law would “enhance the stability of our financial services system” by permitting financial firms to “diversify their product offerings and thus their sources of revenue” and make financial firms “better equipped to compete in global financial markets.”

Some economists believe that repealing the Glass-Steagall Act was a significant influence on the housing market bubble and the subsequent Great Recession, the financial crisis of 2007-2008. Joseph E. Stiglitz, a Nobel laureate in economics and a professor at Columbia University, wrote in a 2009 opinion piece that in bringing “investment and commercial banks together, the investment bank culture came out on top. There was a demand for the kind of high returns that could be obtained only through high leverage and big risk-taking.” Another school of thought, held by economists including former Treasury Secretary Tim Geithner, asserted that the expansion of sub-prime mortgage lending, inflated credit-rating agencies, and an out-of-control securitization market were more significant factors than any dismantling of federal regulation. It has been noted that, in any case, less than a decade after the repeal of provisions of the Glass-Steagall Act, the United States was hit by the Great Recession, the worst financial crisis since the 1929 stock market crash that had inspired the legislation in the first place. In the wake of the financial crisis of 2007-08, many have questioned how effectively the Gramm-Leach-Bliley Act achieved its objectives. Some of the questions raised on the issue include:

  • Gramm-Leach-Bliley has been said to encourage increased consolidation in financial services; however, as previously stated, this trend began well before the law was enacted. To what extent was the law responsible for the concentration that followed, as opposed to the underlying forces that the law responded to?
  • When we consider that most big Wall Street investment banks did not reorganize into financial holding companies (FHCs) prior to the financial crisis, what do we draw from this fact? Is it possible that they concluded that the benefits of operating in commercial banking were outweighed by the increased scrutiny and capital requirements that would have been imposed on them under their new status?
  • Is it possible to determine how much Gramm-Leach-Bliley actually helped to alleviate the crisis, for example, by allowing distressed investment banks such as Bear Stearns and Merrill Lynch to be acquired by financial holding companies rather than going bankrupt, or by allowing others such as Goldman Sachs and Morgan Stanley to reorganize as financial holding companies and improve their market reputations?
  • Is it possible that enabling traditional banks to integrate with other financial services, despite the intention not to, has resulted in an implicit extension of the banking safety net to them? Is it possible that increased concentration exacerbated the problem of too big to fail?

Bank Holding Company Act

The Bank Holding Company Act (BHCA) was passed in 1956. The statute created standards for bank holding companies and delegated regulatory responsibility over them to the Federal Reserve Board. Additionally, the law prevented these companies from owning non-banking companies. Later legislation, such as the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994, repealed several of the Act’s provisions. The Bank Holding Company Act was intended primarily to govern the expansion of bank holding companies and to ensure the separation of banking and nonbanking firms.

The Bank Holding Company Act forbade several activities of bank holding companies and handed the Federal Reserve Board supervisory authority over them. Under the statute, a bank holding company was defined as any company that owned 25 percent or more of the stock of two or more banks. Stake holdings included outright ownership as well as control over, or the capacity to vote, shares. Any entity that accepted deposits and made loans was defined as a bank for the purposes of the legislation. As we will see, the definition of a bank and the restriction of holding company status to corporations that controlled more than one bank left significant gaps that had to be closed later. Nevertheless, with bank holding companies now defined, regulation could begin to have some effect.

This legislation granted the Federal Reserve greater regulatory authority over bank holding companies, which were required to register with the Board and submit to oversight. As originally enacted, the law required bank holding companies seeking to grow to obtain approval from the Federal Reserve Board, which had the authority to deny the expansion. In practice, the matter was more complicated. The Board was obligated to obtain opinions from the Office of the Comptroller of the Currency and state banking regulators before deciding whether to approve or deny applications for expansion. Furthermore, there was disagreement among the members of the Board as to what the goal of executing the legislation should be. The statute did not prohibit bank holding companies from expanding; rather, the Board had to assess whether an expansion was in the best interests of the community and of good banking. With the enactment of the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994, this restriction was abolished. Moreover, under the Bank Holding Company Act, bank holding companies were compelled to divest themselves of any stake in non-banking corporations. With the enactment of the Gramm-Leach-Bliley Act in 1999, this provision was also abolished.

The question noted above, whether an expansion is in the best interests of the community and of good banking, reflected a tradeoff. A bank’s expansion could promote increased competition and make available services that were previously unavailable in a certain community. However, if bank holding companies became too large, they could represent a risk to the stability of the banking system. Assessing these tradeoffs inevitably produced conflicts. One difficulty in enforcing the nonbank divestiture mentioned above arose from the definition of bank holding companies being limited to those with a stake in two or more banks. This definition permitted single-bank holding companies to continue to own interests in nonbanking corporations, and numerous holding companies qualified for this exemption. The exemption was a political necessity: so many single-bank holding companies held stakes in nonbanking corporations that including them would have made passage of the bill nearly impossible.

Another significant limitation imposed by the law was its definition of banks as businesses that both accepted deposits and made loans. The result was a grey area for businesses that either only accepted deposits or only provided loans. These so-called nonbank banks were able to engage in interstate branching with greater ease. Legislation was needed to remedy these two oversights. An amendment passed by Congress in 1970 eliminated the loophole, allowing single-bank holding companies to be regulated by the Board. The issue of nonbank banks proved more difficult to deal with at first, but the Competitive Equality Banking Act of 1987 eventually addressed it.

By the mid-1950s, bank holding companies had evolved in ways that allowed them to circumvent the numerous prohibitions on bank branching, that is, the operation by a bank of a number of branches. In 1956, Congress responded by granting the Federal Reserve significantly increased authority over the banking industry through the Act. There had been long-standing opposition to bank branching in the United States. For instance, it was widely believed that branching enabled huge banks from major cities to compete against state banks in small towns as well as against national banks (which originally were allowed to operate only a single office). Another factor was a long-standing concern that major banks would concentrate financial power. Despite these reservations, multiple-unit banking had been practiced in many locations around the United States as early as the 1830s (Fischer 1986).

State regulations prohibited out-of-state banks from operating within a state and, in certain cases, restricted branching within the state, thus limiting the ability of state banks to branch. National banks were initially restricted in their ability to branch by administrative regulations that normally confined them to a single office. This restriction was relaxed by the McFadden Act of 1927, which permitted national banks to operate branches within their home states in compliance with state branching regulations, but prohibited them from opening branches in more than one state.

Some of these branching limits were circumvented by banks forming chain or group banks.

Generally speaking, a chain bank is a collection of banks owned by a single person or by a group of individuals. A group bank, which is the historical term for a bank holding company, is a grouping of banks held by a holding company or by a trust that the holding company controls (Savage 1978). A bank holding company could have banks in a number of states. Because each of these banks was deemed an independent bank rather than a branch, the arrangement complied with applicable legislation.

Bank holding companies also had the advantage that they could own nonbank companies, such as manufacturing, transportation, or retail businesses, in addition to banks. This raised concerns that holding companies could use deposits in their bank subsidiaries to make loans to their other businesses, giving them an unfair advantage, or that they could use their influence over lending to persuade borrowers to patronize their other businesses (Willit 1930). This was another issue that regulators wished to address.

The Federal Reserve Board had watched these developments for some time and recommended congressional action. However, legislation was slow to take shape, and it took several years to adopt a law. On June 14, 1955, the act was passed by the House by a vote of 371 to 24. When the bill reached the United States Senate, it was passed on April 24, 1956, by a vote of 58 to 18. The act was signed into law by President Dwight D. Eisenhower (R) on May 9, 1956. The first thing the law did was to clarify what a bank holding company was. Such corporations had existed for a long time; the Glass-Steagall Act acknowledged bank holding companies and provided for their oversight, but the Board’s authority to limit branching was easily bypassed by treating branches as independent entities of which the larger holding company owned shares.

Privacy under GLBA

Representative Ed Markey (D-Massachusetts) proposed an amendment that became Title V of the Act. Title V, Subtitle A of the Gramm-Leach-Bliley Act (“GLBA”) controls how financial institutions treat nonpublic personal information about their customers. Section 502 of the Subtitle prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, with certain exceptions. The prohibition applies unless the financial institution satisfies a variety of notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure. Under Section 503, customers must be given notice of the institution’s privacy policies and practices. Section 504 authorizes the issuance of rules to carry out the provisions of the Subtitle. A “nonaffiliated third party” is defined as any person other than an affiliate of a financial institution or a person employed jointly by a financial institution and a company that is not an affiliate of the financial institution. Any company that controls, is controlled by, or is under common control with a financial institution is referred to as an “affiliate” of that financial institution.

The Markey amendment offers individuals notice and some opportunity to take charge of the distribution of their personal information. Although the Gramm-Leach-Bliley Act is primarily concerned with financial institutions, its enactment enhanced the obligations of the 1974 Privacy Act. The distinguishing features of this law are the requirements implemented to govern the collection, disclosure, and protection of consumers’ nonpublic personal information. Gramm-Leach-Bliley is enforced by the United States Attorney General. It provides for financial institutions to be fined for each infraction, as well as civil penalties for the officers and directors of an organization that violates the law.

Financial institutions are required to follow the regulations implementing the GLBA provisions on the treatment of nonpublic personal information about consumers, which were published by the four federal banking agencies and the National Credit Union Administration (“NCUA”) in 2000. The regulations set out the obligations of a financial institution to provide specific notices and the limitations on its disclosure of nonpublic personal information.

The Dodd-Frank Act transferred rule-making authority for most of Subtitle A of Title V of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6802-6809) to the Consumer Financial Protection Bureau (CFPB) with respect to many financial institutions, and, for entities under the CFPB’s jurisdiction, gave the CFPB the power to supervise for and enforce compliance with the statutory provisions and their implementing regulations. In December 2011 the CFPB restated the transferor agencies’ regulations at 12 CFR Part 1016 (76 Fed. Reg. 79025, December 21, 2011).

In accordance with the Act, institutions are required to provide consumers with privacy notices when the customer relationship is established and when policies change, and to provide a privacy notice every year that explains how the institution collects, uses, and maintains private information. They must also explain how to opt out of permitting the institution to share nonpublic personal information with a nonaffiliated third party when the disclosure falls outside the exceptions in Sections 13, 14, or 15 of the regulations. A financial institution must provide a notice of its privacy policies and allow the consumer to opt out of the disclosure. The option to “opt out” essentially means that the client’s information will not be shared with anyone. Whenever a privacy policy is changed, clients must be told and given another opportunity to opt out. Whether a customer has been given a reasonable opportunity to opt out depends on the circumstances of the transaction; in any case, the consumer must be given a reasonable period of time to exercise his or her opt-out right. Depending on the circumstances of the consumer’s transaction, a reasonable means of opting out may include check-off boxes, a reply form, or a toll-free telephone number, among other things. Requiring a consumer to write his or her own letter as the only way of opting out may be regarded as unreasonable.

Sections 13, 14, and 15 of the regulations spell out the exceptions to the opt-out right mentioned above. Financial institutions are exempt from the opt-out requirements when they limit the disclosure of nonpublic personal information to the following:

  • Section 13: disclosures to a nonaffiliated third party that performs services for the financial institution or functions on its behalf, including marketing the institution’s own products or services or those offered jointly by the institution and another financial institution. This exception is available only if the financial institution gives notice of these arrangements and, by contract, bars the third party from disclosing or using the information for any purpose other than the one specified. The contract must state that the parties are jointly offering, sponsoring, or endorsing a financial product or service. If a service or function is covered by the Section 14 or 15 exceptions, the institution need not comply with the additional disclosure and confidentiality requirements of Section 13. Outsourcing marketing to an advertising business could be a disclosure under this exception.
  • Section 14: disclosures needed to effect, administer, or enforce a transaction that a consumer requests or authorizes, or made in certain other circumstances involving existing customer relationships. Disclosures under this exception could relate to the audit of credit information, the administration of a rewards program, or the provision of an account statement.
  • Section 15: certain other disclosures that a financial institution regularly makes, such as those made to protect against or prevent actual or potential fraud; to the financial institution’s attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as disclosing information to regulators.

Regardless of whether or not a financial institution discloses nonpublic personal information, it must notify its consumers about its privacy policies. The privacy notice must generally outline a financial institution’s policies and practices for disclosing nonpublic personal information about a customer to affiliated and nonaffiliated third parties. In addition, the notice must give a consumer a reasonable opportunity to direct the institution not to share nonpublic personal information about them with nonaffiliated third parties (that is, to “opt out”) except as permitted by law (for example, sharing for everyday business purposes like processing transactions and maintaining customers’ accounts, and responding to properly executed governmental requests). Where appropriate under the Fair Credit Reporting Act (“FCRA”), the privacy notice must additionally include a notice and an opportunity for a consumer to opt out of some information sharing across affiliates.

The Agencies were required by Section 728 of the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act” or “Act”) to produce a model privacy form that financial institutions could use as a safe harbor for providing disclosures under the privacy rules. On December 1, 2009, four federal banking agencies and four more federal regulatory agencies collaborated to produce a voluntary standard privacy notice form to help customers better understand how financial institutions gather and disclose nonpublic personal information (74 Fed. Reg. 62890). The final rule adopting the model privacy form went into effect on December 31, 2009, with the exception that notices given on or before December 31, 2010, using sample clauses from Appendix B to the 2000 rule, received a one-year extension of the safe harbor for compliance with the regulation’s notice requirements. The sample clauses and Appendix B were removed from the agencies’ rules on January 1, 2012.

If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, it must adhere to reuse and redisclosure restrictions. Provisions in the Act call for greater security, including mandates that financial institutions put in place measures to protect information from foreseeable threats to security and data integrity. Written information security plans must also be developed and implemented. The Act requires financial institutions to establish standards for protecting the security, integrity, and confidentiality of their customers’ nonpublic personal information. Nonpublic personal information (NPI) is any “personally identifiable financial information” that a financial institution gathers about an individual in connection with providing a financial product or service, unless the information is otherwise made available to the public. The objectives of these standards are specified in Section 501(b) of the Act:

  • Secure the confidentiality of consumer information and records under the Financial Privacy Rule. The Financial Privacy Rule establishes a privacy agreement between a financial institution and its customers for the protection of nonpublic personal information (NPI) about the latter.
  • Ensure that customers’ information is protected against threats to its security and integrity on an ongoing basis under the Safeguards Rule. Under the Safeguards Rule, financial institutions are mandated to develop, implement and maintain a comprehensive information security plan that sets out the administrative, technical and physical protections appropriate to the size and complexity of the organization and its financial activities.
  • Prevent unauthorized access to and use of customer information obtained under false pretenses (e.g., phishing, social engineering) under the Pretexting provisions. Pretexting is also known as social engineering. It may take the form of impersonating a customer over the phone or by email, or of email spoofing, phishing or spear-phishing campaigns.

Information is considered publicly available if an institution has a reasonable basis to conclude that it is lawfully made available to the general public from government records, widely distributed media, or disclosures to the general public that are required by law. Examples include information from a telephone book or from a publicly recorded document, such as a mortgage or securities filing. Nonpublic personal information may include individual items of information as well as lists of information. Names, addresses, phone numbers, social security numbers, income, credit scores, and information gathered through Internet collection devices such as cookies are examples of nonpublic personal information.

When it comes to lists, there are some specific guidelines to follow. Publicly available information that is put on a list of consumers derived from nonpublic personal information is considered nonpublic. A list of a financial institution’s depositors’ names and addresses, for example, would be nonpublic personal information even if the names and addresses appear in local phone directories, because the list derives from the fact that each person has a deposit account with the institution, which is not publicly available information. Where, on the other hand, the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, any list of those relationships would be regarded as publicly available information.

Customers must be informed annually of any information-sharing policies involving the disclosure of nonpublic personal information (NPI) to affiliates and third parties. Consumers have the option of opting out of having their NPI shared with unaffiliated businesses. Institutions can, however, share information with unaffiliated organizations that provide services to the institution (for example, marketing or jointly offered products), and those companies can in turn share the information with their own affiliates.

Even if individuals do not exercise their right to opt out, their access codes and account numbers may not be shared with unaffiliated third parties for the purposes of telemarketing, direct mail marketing, or electronic mail marketing. Pretexting, the collection of personal information under false pretenses, is likewise prohibited under the GLBA. The Gramm-Leach-Bliley Act (the Financial Modernization Act of 1999) makes pretexting a crime. Anyone who violates the federal law is subject to prosecution if they:

  • Use false, fictitious, or fraudulent statements or documents to obtain customer information from a financial institution or directly from a customer of a financial institution.
  • Use forged, counterfeit, lost, or stolen documents to obtain customer information from a financial institution or directly from a customer of a financial institution.
  • Use false, fictitious, or fraudulent statements, or false, fictitious, fraudulent, or forged documents, to ask another person to obtain someone else’s customer information.

Pretexting for sensitive customer information is also prohibited by the Federal Trade Commission Act. Investigators, on the other hand, can make calls to entities that are not covered by the GLBA in order to obtain personal information about a victim under false pretenses.

The law covers many different types of financial institutions, including numerous companies that are not traditionally considered financial institutions but that engage in some “financial activities” covered by the law. In accordance with Section 4(k) of the Bank Holding Company Act, the privacy rule applies to firms that are “significantly engaged” in “financial activities.” As defined by that Section, a “financial institution” is any institution whose business is engaging in financial activities or activities incidental to such financial activities. Banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agencies are examples of financial institutions.

Under GLBA rules, financial institutions are required to consider the use of encryption to protect client information both in transit and at rest. The Federal Financial Institutions Examination Council is a formal interagency body of the United States government composed of five banking regulators, including the Federal Reserve Board of Governors, that is “authorized to prescribe uniform principles, standards, and report forms for financial institutions as well as to promote uniformity in the supervision of such institutions” (FFIEC, 2014). According to the Council, financial institutions should use encryption to reduce the risk of disclosure or manipulation of sensitive information in storage or in transit, and should use appropriate key management practices to safeguard encryption keys.

The Gramm-Leach-Bliley Act (GLBA) bans the disclosure of certain types of customer financial information to parties that are not affiliated with the company. Because a cloud storage company may be regarded as an unaffiliated party, it is recommended that client information be encrypted before it is transmitted to the cloud provider for storage. Some cloud providers allow their clients, in this case the financial institution, to supply and manage their own encryption keys. This complies with the intent of the GLBA if the encryption is completed before the data leaves the financial institution’s premises and the cloud provider has no access to the key; otherwise, there is a risk that cloud provider employees may gain access to covered data. Encrypting data before transfer also reduces the chance of sensitive information being disclosed or altered in transit, even though most, if not all, cloud storage providers use SSL for data in motion. Additionally, the Gramm-Leach-Bliley Act compels financial institutions to provide clients with written privacy notices that describe their information-sharing policies.
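The encrypt-before-upload pattern described above, as an added example (not course material, and not any cloud provider’s API): the institution keeps its data-encryption keys in its own key ring, seals each customer record with AES-256-GCM before it leaves the premises, and the storage provider receives only an opaque blob whose integrity the GCM tag protects. The key IDs, record IDs and sample record are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyRing holds the institution's keys; they live on-premises and are never uploaded.
type KeyRing struct {
	keys    map[string][]byte
	current string
}

// NewKeyRing creates a ring holding one fresh 256-bit key under id.
func NewKeyRing(id string) (*KeyRing, error) {
	kr := &KeyRing{keys: map[string][]byte{}}
	return kr, kr.Rotate(id)
}

// Rotate adds a fresh random key as current; old keys stay readable until re-encryption.
func (kr *KeyRing) Rotate(id string) error {
	if _, dup := kr.keys[id]; dup {
		return errors.New("key id already in use")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	kr.keys[id] = key
	kr.current = id
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before it leaves the premises. The blob the provider
// stores is keyIDlen(2) | keyID | nonce | AES-256-GCM ciphertext+tag; recordID
// is bound as associated data so a blob cannot be re-labelled as another record.
func (kr *KeyRing) Seal(recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(kr.keys[kr.current])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := binary.BigEndian.AppendUint16(nil, uint16(len(kr.current)))
	out = append(append(out, kr.current...), nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob fetched back from the provider. Any change to the
// ciphertext, nonce or record binding yields an authentication error.
func (kr *KeyRing) Open(recordID string, blob []byte) ([]byte, error) {
	if len(blob) < 2 || len(blob) < 2+int(binary.BigEndian.Uint16(blob)) {
		return nil, errors.New("malformed blob")
	}
	n := 2 + int(binary.BigEndian.Uint16(blob))
	key, ok := kr.keys[string(blob[2:n])]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < n+ns {
		return nil, errors.New("malformed blob")
	}
	return aead.Open(nil, blob[n:n+ns], blob[n+ns:], []byte(recordID))
}

func main() {
	kr, _ := NewKeyRing("dek-2024-01")                         // constructed key ID
	blob, _ := kr.Seal("cust-0042", []byte("acct=000123456")) // constructed NPI
	blob[len(blob)-1] ^= 1 // flip one bit, as a tampering provider might
	_, err := kr.Open("cust-0042", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```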

A financial institution’s sensitive client information must be protected by administrative, technical, and physical safeguards under the Gramm-Leach-Bliley Act (GLBA) of 1999. Maintaining the public’s confidence therefore depends heavily on protecting the confidential financial information of the company’s clients. Under the Company’s policy, employees are expected to keep all confidential information acquired in the course of their employment in the strictest confidence. Such information is to be used solely for the company’s purposes and not for the personal gain of any employee, and it must be safeguarded against misuse that could result in identity theft. As a general rule, apart from routine credit inquiries, information about a customer may be released only to private parties, organizations, or governmental bodies that have requested it, and only with the consent of the customer involved or upon receipt of legal process, such as a subpoena or court order.

Because financial institutions have additional disclosure obligations with respect to customers, it is important to distinguish between consumers and customers. All customers covered by the rule are consumers, but not all consumers are customers. A “consumer” is an individual, or that individual’s legal representative, who obtains or has obtained a financial product or service from a financial institution that is intended to be used primarily for personal, family, or household purposes. A consumer who is not a customer is entitled to an initial privacy and opt-out notice only if the financial institution wishes to share nonpublic personal information about the consumer with a nonaffiliated third party outside of the exceptions. Customers of a financial institution are consumers who have a “customer relationship” with the institution. A “customer relationship” is a continuing relationship between a consumer and a financial institution in which the institution provides the consumer with one or more financial products or services intended to be used primarily for personal, family, or household purposes. Customers are entitled to receive initial and annual privacy notices, regardless of their financial institution’s information disclosure practices.

As stated above, the Gramm-Leach-Bliley Act (GLBA, GLB Act, or the Financial Services Modernization Act of 1999) is a federal law that requires financial organizations to explain how they disclose and safeguard nonpublic personal information (NPI) about their customers. The GLBA also repealed the portions of the Glass-Steagall Act that prohibited commercial banks from affiliating with securities firms. In addition, the GLBA amended the Bank Holding Company Act of 1956 (“BHCA”), which previously compelled banks to divest themselves of their nonbanking interests. Before the GLBA was passed, banks were permitted to engage only in activities closely related to the business of banking. Under the law, affiliations between banking and securities firms are permitted, as is the formation of financial holding companies that can engage in a wide range of financial operations. As a result, commercial banks, securities firms, and insurance companies are no longer formally bound to a limited set of financial activities. Moreover, because the GLBA allows these financial institutions to merge, corporations now have the option of pursuing new product lines and services on their own or in collaboration with a well-established firm. The net effect is that the GLBA restructures the marketplace by allowing a one-stop shop for financial services.

A significant advantage of such one-stop shopping is the boost in efficiency it brings. Because firms can provide a comprehensive range of financial services, consumers should enjoy lower average costs as a result of economies of scale. Companies already have the capital resources necessary to engage in these types of business activities. The GLBA also allows corporations to benefit from information by letting financial supermarkets share information among their affiliates. In the words of one banking executive, “[t]he Act eliminates [legal] barriers without imposing significant obstacles to customer information sharing … thereby enabling a financial holding company efficiently to provide a broader range of services to its overall customer base.” This means that a company that conducts both banking and insurance operations might combine the information obtained from both activities to make even better decisions about its consumers. Because of the GLBA, resources such as information can be used more efficiently.

Because the GLBA encourages the use of information, it was inevitable that privacy activists would argue for restrictions on the use and disclosure of information under the Act. After extensive debate over the use of financial information, the drafters of the GLBA included several privacy measures. These measures were the first federal legislation to set a minimum federal standard of privacy for financial information. The GLBA places limits on how much reliance businesses may place on information. Financial institutions must implement several provisions in Subtitle A, which addresses the disclosure of nonpublic personal information about customers: they must establish restrictions on the disclosure of nonpublic information about customers to nonaffiliated third parties and provide their customers with a notice of the company’s privacy policy.

Three sections are in place to protect this information: Section 501 requires institutions to establish a privacy policy, most of them for the first time; Section 503 requires that privacy policies be disclosed at the time a customer relationship is established; and Section 502 prohibits firms from disclosing information to nonaffiliated third parties, with some exceptions. As a result, customers must take affirmative steps to prevent companies from sharing their nonpublic personal information with nonaffiliated entities. If consumers do not exercise their right to opt out, their failure to do so gives corporations implied permission to share information with any nonaffiliated entity, although this implied permission is subject to a slew of exceptions.

Compliance with the Gramm-Leach-Bliley Act (GLBA) is required for the vast majority of financial institutions in the United States. Compliance also reduces the penalties and reputational damage that data breaches and data leaks can bring. GLBA compliance can also assist with compliance with the European Union’s General Data Protection Regulation (GDPR), which became enforceable on May 25, 2018 and governs the processing of personal data in the European Union. The GDPR contains rules on data collection, access rights, erasure rights, the right to restriction of processing, and the right to data portability.

Penalties for failing to comply with the GLBA can be quite costly for financial institutions. They can involve monetary fines as well as imprisonment. Examples of GLBA non-compliance penalties include:

  • For each infraction, a fine of up to $100,000 may be imposed.
  • Officers and directors of the financial institution may be subject to a fine of up to $10,000.
  • Individuals who commit a significant breach may face a prison sentence of up to five years.
  • Licenses may get revoked.

The GLBA gives certain entities the authority to adopt further regulations to ensure proper privacy and security provisions. These entities include the Consumer Financial Protection Bureau (CFPB), Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), Federal Trade Commission (FTC), federal banking agencies, federal regulatory agencies, and state insurance oversight agencies. State law may impose stricter compliance requirements than the GLBA, but it may not be less stringent than the GLBA’s minimum standards.

GLBA does not apply to financial institutions that provide services only to other firms, because the law is primarily concerned with customer data. A person who uses an ATM or cashes a check is likewise not covered, because there is no continuing customer relationship.

Case Law

In Wells Fargo Bank, N.A. v. Jenkins, No. S12G1110, 2013 WL 2927096 (Ga. June 17, 2013), the Georgia Supreme Court reversed, rejecting a plaintiff’s state law negligence claim against the defendant bank that was founded on an alleged Gramm-Leach-Bliley violation, and concluding that the statutory provision relied on did not create a legal duty under Georgia negligence law. According to the lawsuit, a bank teller disclosed confidential information about the plaintiff to the teller’s husband, which resulted in the plaintiff becoming a victim of identity theft. The plaintiff sued the bank for negligence, relying on 15 U.S.C. § 6801(a), part of the Gramm-Leach-Bliley Act (“GLBA”), to establish a legal duty. The provision states: “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”

According to the Georgia Supreme Court, this clause of the GLBA did not support a negligence claim under Georgia law because “there must be the alleged breach of a legal duty with some ascertainable standard of conduct.” The court determined that this section of the GLBA was merely a policy statement that “does not provide for certain duties or the performance of or refraining from any specific acts on the part of financial institutions, nor does it articulate or imply a standard of conduct or care, ordinary or otherwise.” Plaintiffs have attempted to assert negligence or other state law claims (e.g., unfair business practices) on the basis of federal statutes such as the GLBA that do not provide a private right of action. Although several states permit a plaintiff to borrow from another law (including federal laws that do not provide a private right of action) in order to plead a state law claim, the existence of such federal laws does not guarantee that the plaintiff will be able to plead a cause of action successfully.

According to an announcement issued on February 27, 2018, the Federal Trade Commission (“FTC”) reached a settlement with PayPal, Inc. to resolve allegations that its Venmo peer-to-peer payment service misled consumers about their privacy and the extent to which their financial accounts were protected. The settlement signaled a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA”) Privacy and Safeguards Rules. According to the FTC’s complaint, Venmo violated the Privacy Rule in three ways. First, Venmo failed to provide a clear and visible privacy notice, one that draws attention to the nature and relevance of the notice. The privacy notice in Venmo’s mobile application (the “Venmo App”) was displayed in grey lettering on a light grey background, making it inconspicuous to Venmo users. Second, Venmo failed to provide an accurate notice explaining how Venmo shared users’ personal information.

Users’ personal information was only shared with members of their Venmo “social web” if they set their account transactions as “public,” according to Venmo’s privacy notice. The information was instead shared by default with everyone on the internet, even persons who did not have a Venmo account. Finally, Venmo did not distribute the initial privacy notice in a way that could be reasonably expected to reach every consumer. Despite the fact that the privacy notice was featured in the Venmo App as a hyperlink, users were not required to confirm its receipt as an essential step in order to get a financial product or service.

Venmo was also accused of misrepresenting its information security practices by claiming that it “uses bank-grade security systems and data encryption to protect your financial information,” when, according to the Federal Trade Commission, Venmo was violating the Safeguards Rule by failing to:

  • Have an information security program written down;
  • Evaluate the risks to the security, confidentiality and integrity of customer information; and
  • Implement basic protections such as giving security notifications to users that their passwords were changed.

Under the terms of the settlement, Venmo was barred from misrepresenting the level of protection afforded by its privacy settings or the extent to which Venmo adopts or conforms to a particular level of security. Venmo was also barred from violating the Privacy Rule and the Safeguards Rule, and the company was required to obtain biennial third-party assessments of its compliance with those rules for ten years. Venmo’s misrepresentations caused significant injury to customers, according to acting FTC Chairwoman Maureen K. Ohlhausen, who remarked that the settlement sends a strong message that financial institutions like Venmo ought to focus on privacy and security from the beginning.