Financial institutions often share their customers’ and consumers' financial information with business partners and affiliates. In order to protect citizens’ privacy and decrease the likelihood of identity theft, in 1999 the United States Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act.
The GLBA places a requirement on companies that operate as "financial institutions" to divulge their information-sharing practices and procedures, explain them to their customers, and safeguard and protect sensitive data.
The GLBA defines a financial institution as any company that offers and provides financial products and services to its customers, such as loans, insurance, or financial advice. It is a very broad definition – there are companies in the market that might not perceive themselves as financial institutions but are under the GLBA.
As a result, it is prudent for all executive-level officers and in-house legal counsel staff to be familiar with the foundations of GLBA compliance. Even if a company is GLBA compliant or does not fall under the scope of the act now, it risks becoming non-compliant with each change, transformation, or major business initiative. Such events might cause the company to stop being GLBA compliant, which could lead to protracted investigations, fines, and other repercussions.
For example, just earlier this year, in re FTC v. RCG Advances, the FTC settled allegations that a small-business financing firm and its principles violated the GLBA. The settlement amounted to $675,000. In another example, four years ago, the FTC settled with Venmo over the charges of misleading consumers. The peer-to-peer payment service provider is still facing the consequences of periodical external audits of its systems.
In an effort to provide comprehensive insight on the matter, we’ve created an article series on the matter, as well as a downloadable GLBA compliance checklist. Read on to find out more.
GLBA Compliance Guide: What is the Scope?
Established over two decades ago, the GLBA was initially envisaged as a response to concerns that arose in the insurance, securities, and financial services sectors. However, the GLBA surpassed its initial purpose and went on to establish affirmative, ongoing obligations for companies that mandate consumer privacy and personal data safeguarding at all times.
The act delineates the limits for sharing and disclosing nonpublic personal information (“NPI”) by any company it considers a financial institution.
Essentially, the GLBA prescribes that:
- Financial institutions must inform and notify their consumers about information-sharing practices.
- Their customers must be offered the opportunity to opt-out.
- Any entities in possession of sensitive consumer financial information obtained from a financial institution may be restricted when it comes to redisclosure and reuse.
Which Regulator Has GLBA Responsibility?
The US Federal Trade Commission (FTC) serves as the primary caretaker of the GLBA provisions. As the FTC explains, the GLBA applies to "all businesses, regardless of size, that is ‘significantly engaged’ in providing financial products or services." This broad approach means that some companies, not traditionally considered to be financial institutions, are also targeted. For example, these could include:
- Payday lenders
- Non-bank lenders
- Check-cashing businesses
- Mortgage brokers
- Personal property or real estate appraisers
- Professional tax preparers
- Courier services,
- Retailers that issue branded credit cards
Additionally, the GLBA also applies to entities like credit reporting agencies and ATM operators if they receive customer information from other financial institutions. GLBA compliance is mandatory whether or not a company actually discloses customer NPI. Strong policies must be in place to ensure the protection of such sensitive information from any foreseeable threats, be it from a security or a data integrity standpoint.
There is clearly ample room for debate or disagreement and case-by-case assessment analysis to determine whether the particular activities of a company constitute "significant engagement."
When assessing your GLBA compliance responsibilities it is paramount to engage both internal legal counsel and external expert assistance. To find out more about the GLBA Privacy Rule, stay alert for the next part of our article series on GLBA Compliance.