Gramm-Leach-Bliley Act: Financial Data Protection Rules
The Gramm-Leach-Bliley Act (GLBA), enacted by Congress in 1999, establishes the primary federal framework for how financial institutions collect, use, and protect the nonpublic personal information of consumers. The Act imposes mandatory privacy notice requirements, restricts information-sharing practices, and — through its Safeguards Rule — compels institutions to implement documented information security programs. GLBA compliance intersects directly with Federal Trade Commission enforcement, banking regulator oversight, and the broader landscape of US data protection laws.
Definition and scope
GLBA applies to "financial institutions" as defined broadly under the Act — a category that extends well beyond banks and credit unions to include mortgage brokers, auto dealers, tax preparers, payday lenders, investment advisors, and insurance companies. The FTC has jurisdiction over non-bank financial institutions; federal banking regulators (the OCC, Federal Reserve, FDIC, and NCUA) oversee depository institutions under parallel Interagency Guidelines.
The Act's protections attach to nonpublic personal information (NPI), defined by the FTC as any personally identifiable financial information that a consumer provides to obtain a financial product or service, that results from a transaction, or that the institution otherwise obtains. This definition is materially broader than common usage — it encompasses account numbers, payment history, credit scores, and Social Security numbers collected in a financial services context. The definitions of personally identifiable information vary across statutes, and GLBA's NPI category is among the more expansive in federal law.
GLBA is structured around three operative rules:
- The Privacy Rule (16 C.F.R. Part 313 for FTC-regulated entities) — governs notice and opt-out rights regarding NPI sharing with nonaffiliated third parties.
- The Safeguards Rule (16 C.F.R. Part 314) — requires a written information security program calibrated to institutional size and complexity.
- The Pretexting Provisions (15 U.S.C. § 6821) — prohibit obtaining customer financial information under false pretenses.
How it works
GLBA compliance operates across two primary tracks: consumer-facing privacy obligations and internal security program requirements.
Privacy Rule mechanics: Financial institutions must deliver an initial privacy notice to consumers at the time a customer relationship is established, and annually thereafter for the duration of that relationship. The notice must describe the categories of NPI collected, the categories of parties with whom it is shared, and the consumer's right to opt out of sharing with nonaffiliated third parties. Sharing with affiliated entities is permitted unless state law restricts it further — a distinction that matters when comparing GLBA to stricter frameworks like CCPA/CPRA.
Safeguards Rule mechanics (2023 amendments): The FTC issued significantly expanded Safeguards Rule amendments effective June 9, 2023 (FTC Safeguards Rule, 16 C.F.R. Part 314). These amendments require FTC-supervised financial institutions to:
- Designate a qualified individual to oversee the information security program.
- Conduct a written risk assessment.
- Implement technical safeguards including encryption of NPI in transit and at rest.
- Deploy multi-factor authentication for any individual accessing customer information systems.
- Develop and test an incident response plan.
- Conduct periodic penetration testing and vulnerability assessments.
- Oversee service providers through contractual security requirements.
- Report to the board of directors (or senior officer equivalent) at least annually.
Institutions with fewer than 5,000 consumer records are exempt from certain written program and reporting requirements under the 2023 amendments, per 16 C.F.R. § 314.6.
Breach notification was added to the Safeguards Rule framework: covered institutions must notify the FTC within 30 days of discovering a breach affecting 500 or more customers. This intersects with the broader landscape of data breach notification requirements, where state laws may impose shorter timelines or additional obligations.
Common scenarios
Mortgage originators and servicers: Mortgage companies collect extensive NPI — income, assets, credit history, Social Security numbers — and share it with appraisers, title companies, and secondary market purchasers. GLBA requires that sharing with nonaffiliated parties be disclosed and, where applicable, subject to opt-out rights, and that service provider contracts include security provisions consistent with the Safeguards Rule. See third-party vendor data security for the contracting framework.
Tax preparation firms: The IRS treats GLBA compliance as applicable to tax preparers who handle financial data. The FTC Safeguards Rule explicitly covers tax preparation services, requiring the same written security program framework as a bank.
Auto dealers with financing operations: Dealers who facilitate financing arrangements are financial institutions under GLBA. The FTC's jurisdiction extends to these entities, and the 2023 Safeguards Rule amendments imposed upgraded technical requirements that many smaller dealers had not previously addressed.
Fintech and non-bank lenders: Digital lending platforms, buy-now-pay-later services, and peer-to-peer payment processors fall within GLBA's scope where they engage in financial activities. Their financial sector data protection obligations under GLBA are concurrent with, not displaced by, any applicable state law.
Decision boundaries
GLBA vs. HIPAA: Where a financial institution also handles protected health information (such as an insurance company processing medical claims), GLBA and HIPAA data protection requirements may apply simultaneously. HIPAA governs the health information component; GLBA governs the financial transaction records. The two frameworks do not preempt each other.
GLBA vs. state privacy laws: GLBA does not preempt state privacy laws that afford consumers greater protection. California's financial privacy statute (California Financial Information Privacy Act) imposes opt-in requirements stricter than GLBA's opt-out standard for certain data categories.
Affiliated vs. nonaffiliated sharing: Sharing NPI with affiliated companies (those under common control) is subject to a more permissive standard than sharing with nonaffiliated third parties. Affiliated sharing requires disclosure but not opt-out rights, while nonaffiliated sharing triggers both. This distinction does not apply to data sold for marketing purposes, which carries additional restrictions.
FTC enforcement vs. banking regulator enforcement: Non-bank financial institutions are subject to FTC data security enforcement, which can impose civil penalties. Penalties for Safeguards Rule violations can reach $51,744 per violation per day (FTC civil penalty authority, 15 U.S.C. § 45(m)). Banking institutions answer to their primary federal regulator under the parallel Interagency Guidelines framework.
References
- FTC Safeguards Rule, 16 C.F.R. Part 314
- FTC Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313
- Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801–6809
- eCFR — 16 C.F.R. Part 314 (Safeguards Rule, current text)
- FTC — Interagency Guidelines Establishing Information Security Standards (FFIEC)
- FTC Civil Penalty Authority, Federal Trade Commission Act § 5(m), 15 U.S.C. § 45(m)
- FFIEC Information Security Examination Handbook