Gramm-Leach-Bliley Act

Introduction to the Gramm-Leach-Bliley Act

Information that many would consider private--including bank balances and account numbers--is regularly bought and sold by banks, credit card companies, and other financial institutions. The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.

The GLBA primarily sought to "modernize" financial services--that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use. Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks. Once these companies merged, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives. Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals: First, banks, brokerage companies, and insurance companies must securely store personal financial information. Second, they must advise you of their policies on sharing of personal financial information. Third, they must give consumers the option to opt out of some sharing of personal financial information.

History of the Gramm-Leach-Bliley Act

The history of the GLBA has its roots in the separation of banks, brokerage companies, and insurance companies. As a result of the financial failures of the Great Depression, Congress in 1933 passed the Glass-Steagall Act prohibiting national and state banks from affiliating with securities companies. In 1956, Congress passed the Bank Holding Company Act that prohibited a bank from controlling a non-bank company. In 1982 Congress amended the Bank Holding Act to further forbid banks from conducting general insurance underwriting or agency activities. This changed, however, in 1999, when the GLBA repealed sections of these acts and allowed banks to engage in a wide range of financial services.

The privacy risks from such mergers were put onto the agenda by a series of international and domestic events. On the international front, in 1995, the EU passed the Data Protection Directive, which required that international data exchanges that used EU citizens' personal data be accorded the same level of protection that their home country would afford them. This meant that US companies would have to ensure that when they used EU citizens' personal data they provided the same level of protection these citizens were afforded within the EU. The EU was especially concerned with the US government's preference for self-regulatory approaches to privacy and the lack of federal privacy legislation. While the EU and the US agreed to a Safe Harbor proposal, which allowed for companies to self-regulate under FTC oversight, financial services industries were not included in the original agreement.

In the United States, privacy was increasingly cited as being at risk. Public polls at the time indicated citizen privacy awareness and unhappiness with the banking industry's lack of concern for consumer privacy issues. These poll responses led to subsequent studies that indicated how much consumers were concerned with ineffectual bank privacy standards and the lack of consumer protections against unwanted information sharing.

These attitudes were further fueled by a series of high profile cases involving banks selling consumer information with adverse consequences for customers including marketing, credit fraud, and identity theft.

In November 1997, Charter Pacific Bank of Agoura Hills, California sold millions of credit card numbers to an adult web site company, which then proceeded to bill customers for access to Internet porn sites and other services they did not request. Some of the customers billed did not even own a computer. The web site company had set up numerous merchant accounts under different names to avoid detection. In September 2000, the FTC announced that it had won a $37.5 million judgment against the web site company. While the bank maintained that it did not do anything wrong, it has since stopped selling credit card numbers to merchants.

In 1998, NationsBank (later merged with Bank of America) was fined millions for securities law violations because it shared customer information with its affiliate subsidiary NationsSecurities. The subsidiary then convinced low-risk customers to buy high-risk investments. Many NationsBank customers lost large amounts, and many senior citizens lost large amounts of their life savings.

In June 1999, the Minnesota Attorney General initiated a lawsuit against U.S. Bancorp for sharing customer information with third-party marketers in violation of its own policies without customer knowledge or authorization. The telemarketers then illicitly charged those customers. U.S. Bancorp eventually settled that case, along with those brought by 39 other state attorneys general. In April 2000, Minnesota settled with the third-party telemarketer, MemberWorks, that U.S. Bancorp used. According to MemberWorks' SEC filings, 19 out of the 25 largest banks in the US had contracts with it. Other prominent banks, including Chase Manhattan and Citibank, have been involved in schemes where personal account information is sold to telemarketers.

This confluence of international and domestic events prompted Congress to include Title V in its GLBA provisions, which contains limited privacy protections for financial information. The GLBA was introduced in the Senate by Senator Phil Gramm (R-TX) as 106 S. 900 and in the House of Representatives by Representative James Leach (R-IA) as 106 H.R. 10. It was signed by President Clinton and became Public Law 106-102 (113 Stat. 1338) on November 11, 1999. The privacy protections are codified at 15 USC § 6801-6810.

Privacy protections under the Gramm-Leach-Bliley Act

The GLBA's privacy protections only regulate financial institutions--businesses that are engaged in banking, insuring, stocks and bonds, financial advice, and investing.

First, these financial institutions, whether they wish to disclose your personal information or not, must develop precautions to ensure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Second, financial institutions are required to provide you with a notice of their information sharing policies when you first become a customer, and annually thereafter. That notice must inform the consumer of the financial institution's policies on: disclosing nonpublic personal information (NPI) to affiliates and nonaffiliated third parties, disclosing NPI after the customer relationship is terminated, and protecting NPI. "Nonpublic personal information" means all information on applications to obtain financial services (credit card or loan applications), account histories (bank or credit card) and the fact that an individual is or was a customer. This interpretation of NPI makes names, addresses, telephone numbers, Social Security Numbers and other data subject to the GLBA's data sharing restrictions.

Third, the GLBA gives consumers the right to opt out of a limited amount of NPI sharing. Specifically, a consumer can direct the financial institution to not share information with unaffiliated companies.

Consumers have no right under the GLBA to stop sharing of NPI among affiliates. An affiliate is any company that controls, is controlled by, or is under common control with another company. The individual consumer has absolutely no control over this kind of "corporate family" trading of personal information.

There are several exemptions under the GLBA that can permit information sharing over the consumer's objection. For instance, if a financial institution wishes to engage the services of a separate company, they can transfer personal information to that company by arguing that the information is necessary to the services that the company will perform. A financial institution can transfer information to a marketing or sales company to sell new products (different stocks) or jointly offered products (co-sponsored credit cards). Once this unaffiliated third party has your personal information, they can share it with their own "corporate family." However, they themselves cannot likewise transfer the information to further companies through this exemption.

In addition, financial institutions can disclose your information to credit reporting agencies, financial regulatory agencies, as part of the sale of a business, to comply with any other laws or regulations, or as necessary for a transaction requested by the consumer.

Fourth, financial institutions are prohibited from disclosing, other than to a consumer reporting agency, access codes or account numbers to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail. Thus, even if a consumer fails to "opt out" of a financial institution's transfers, your credit card numbers, PINs or other access codes cannot be sold, as they had been in some previous cases.

Fifth, certain types of "pretexting" were prohibited by the GLBA. Pretexting is the practice of collecting personal information under false pretenses. Pretexters pose as authority figures (law enforcement agents, social workers, potential employers, etc.) and manufacture seductive stories (that the victim is about to receive a sweepstakes award or insurance payment) in order to elicit personal information about the victim. The GLBA prohibits the use of false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution; the use of forged, counterfeit, lost or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution; and asking another person to get someone else's customer information using false, fictitious, or fraudulent documents or forged, counterfeit, lost or stolen documents.

However, investigators still can call friends, relatives, or entities not covered by the GLBA under false pretenses in order to gain information on the victim.

Problems with the Gramm-Leach-Bliley Act

First, the GLBA does not protect consumers. It unfairly places the burden on the individual to protect privacy with an opt-out standard. By placing the burden on the customer to protect their data, GLBA weakens customer power to control their financial information. The agreement's opt-out provisions do not require institutions to provide a standard of protection for their customers regardless of whether they opt out of the agreement. This provision is based on the assumption that financial companies will share information unless expressly told not to by their customers, and if customers neglect to respond, it gives institutions the freedom to disclose customer nonpublic personal information.

Second, the GLBA notices are confusing and limit the transparency of information practices. GLBA assumes a company will explain a complex set of legal definitions added to numerous exceptions to the law in a way that will allow for an informed choice and in transparent language. There are reservations about a company's desire to do this.

Moreover, according to recent studies, most privacy and opt-out policies are usually convoluted, confusing, and misleading since they are created by entities whose interests are better served when there is no effective notice. GLBA does little to deal with the lack of transparency in the privacy notices themselves. Typical privacy notices do not include any specific information about how the data is actually used. GLBA notices do inform consumers that their personal information will be shared, but they generally do not inform the individual of who will receive the information or the purposes for which it will be used.

Third, the GLBA fails to enhance consumers' control over affiliate information sharing. Consumers have no opt-out right against affiliate information sharing. In today's world of mega-mergers, a bank may have over one thousand affiliates, some of which may be completely unrelated to financial services.

Fourth, financial institutions can evade opt-out requirements by exploiting the exceptions in the GLBA. The service provider/joint marketing exemption allows financial institutions to share information with non-affiliated third parties despite a consumer's opt-out.

Fifth, the GLBA has weak enforcement and compensation mechanisms. GLBA's enforcement mechanisms are inadequate to assure compliance with even existing weak privacy protections. Enforcement rests solely with federal government agencies, leaving the individual no private right of action.

How the Gramm-Leach-Bliley Act could be improved

Privacy advocates and industry groups have asked for some substantial changes to the GLBA to ensure greater protection and consumer security. Some of these changes include:

1. Financial institutions should implement an opt-in approach to the use of personal information because this minimizes any unwanted or unknowing disclosure of information and places the burden of responsibility on those actors who will gain from the disclosure of information.
2. If an opt-out framework is maintained, financial institutions should be obligated to give and accept alternative opt-out methods. They should be required to provide simple opt-out processes including easy access to privacy policies at branch offices and online through a single web site with opt-out information.
3. In order to ensure greater transparency and accountability, financial institutions should include in their privacy reports what the information is going to be used for. Financial institutions should be required to provide customers with a statutory right of access to learn more about industry practices in order to know how the information is collected, who its affiliates are, and what the collected information is used for.
4. Financial institutions should provide simply stated and clear privacy policies. Financial institutions should be required to follow acceptable standards for readability by displaying clearer and more transparent privacy reports.
5. Expand enforcement authority to give states concurrent jurisdiction to enforce the provisions of GLBA in order to ensure a more efficient enforcement program.
6. Individuals should have the right to protect their privacy and seek remedies and redress under GLBA. As GLBA currently stands, there is no private right of action.
7. Give individuals the right to review information that is disclosed or to correct inaccurate or incomplete data.



