Gramm-Leach-Billy Act The History of the GLBA

Elements of GLBA

Privacy Protections under the GLBA

GLBA & the State Laws

With an aim to upgrade and modernize the existing laws in the financial industry, the Gramm-Leach-Bliley Act of 1999 also known by the acronym GLBA was passed by the U.S. Congress as a financial regulatory bill on November 12, 1999.

The Glass-Steagall Act of 1933 that prevented banks and other similar financial institutions, securities companies and insurance companies from offering financial services such as investments and services related to insurance to customers as a part of their normal operations was essentially repealed by the GLBA. The Glass-Steagall act prevented such institutions from acting as anything more than a commercial bank, an investment bank and as an insurance company. This is considered to be the main function of the act (Natter, n.d.).

The act is also known popularly as the Financial Services Modernization Act of 1999 and is an act enacted by the 106th United State Congress. The passing of the Gramm--Leach -- Bliley act allowed the consolidation of the investment banks, securities firms, commercial banks, and insurance companies. Furthermore, the SEC or any other type of federal or state regulatory agency were not given any powers or authority to conduct regulatory acts on the investment banks and the holding companies of the investment and financial institutions. This law which opened up the financial sector and brought in a sea change in the regulatory framework for financial institutions was signed and passed during the tenure of President Bill Clinton.

The background to the enactment of the act was the formation of Citigroup by the merger of Citicorp, a holding company of a commercial bank with an insurance company - Travelers Group in 1998 -- roughly a year before the passing of the act. After the merger Citigroup acted as one company which offered banking, securities and insurance services to customers from under one roof through a number of brands that included Citibank, Smith Barney, Primerica and Travelers. However this merger was against the provision of the Glass -- Steagall Act as well as the Bank Holding Company Act of 1956 and there was much furor and debate in the financial industry and the polity. A year later the GLBA was passed that legalized such types of mergers in the financial industry (Filson & Olfati, 2014).

The History of the GLBA

The debate over the separation of banks, the brokerage companies as well as the insurance companies is the root of the formation and passage of the GLBA. Following the Great Depression the Glass-Steagall Act of 1933, the Bank Holding Company Act of 1956 and the amendment to the Bank Holding Act of 1982 were all enacted to prevent banks and financial institutions from engaging in multi-disciplinary financial activities like offering insurance or mortgage products and vice versa. The GLBA essentially repealed all of these impediments and allowed banks the scope to offer and engage in the varied range of financial services and activities (Neale & Peterson, n.d.).

The perceived risk to privacy that occurs from such mergers was another section of concern and was in a debate at the time before the passing of the act. The EU passed the Data Protection Directive in 1995 tried to ensure the protection of private information of Europeans outside of EU at the same level as that of people of the home country where the information was being taken to including the U.S. Financial services were however not included in the Safe Harbor proposal agreed upon between the EU and the U.S. This coupled with internal pressures with the U.S. about increased threats to the privacy of data led to subsequent studies which also formed the basis of the inclusion of privacy and data protection provision in the GLBA. The privacy provisions have been included in the Title V of the GLBA that details limited privacy protections applicable for the financial information.

Elements of GLBA

Initial Privacy Notice - two privacy notices need to be given by financial institutions to customers -- one at the time of commencement of relationship and another one for 'opt-out' option before disclosing personal information to a nonaffiliated third party.

Annual Privacy Notice -- clear and conspicuous notice of privacy policies of the financial institutions need to be given annually to customers under Section 503 of GLBA for as long as the customer remains with the institution.

Information to be Included in Initial and Annual Notices -- focus is on various broad categories of information and the recipients and description of the third parties who are to be...

Most financial institutions believe that the information required can be fitted in a tri-fold brochure.
Opt Out Notice -- such notice needs to accurately explain customer's right to opt out along with a reasonable means that can be used to opt out. Once an opt-out declaration is made it remains for the length of the customer relationship unless changed by the customer.

Revising Privacy Notices -- a revised privacy policy can be made by the financial institution in case it feels that the disclosure information is not adequately described in the policy notices.

Delivery of Privacy and Opt Out Notices -- such notices need to be provided do that the customers are able to receive them in actual and in writing or even electronically. It is not sufficient to simply post a notice on the web and expect the customers to receive the notice. If customers agree to receive the notice on the web and they are in the habit of making electronic transactions, the notices need to be clearly and continuously posted in a manner that it is conspicuous on the website.

Customers can also request through a notice from their side to the financial institution that no communications be made by the financial institution be made.

The nature of transaction would decide the amount of time that is required to be provided to the customer and it should be such that it provides a reasonable opportunity for customers to opt out. generally in the case of electronically received privacy notices and where an opportunity to opt out is provided, the time period is generally short. In general, 30 days are allowed for notices and for requests of opting out of information sharing that are provided through mail.

Limits on Disclosure in Different Types of Relationships -- data and personal information can be given to the nonaffiliated third party for certain services and in cases of joint marketing arrangements under the exceptions that are provided for under Section 502(e) (Sorokina, n.d.).

Privacy Protections under the GLBA

Only the entities that are associated with the financial market are under the purview of the GLBA's privacy protections and are intended for financial institutions with interests in banking, stocks, insurance and bonds, financial advice and in investments (Freeman, 2003).

The financial institutions are mandatorily required to take all measures that are necessary to protect the personal information and must ensure the security and confidentiality of customer data and records and information regardless of the fact whether the institutions intend to or plan to disclose the personal data or not. The companies would have to take all measures so that the security and the integrity of such records are protected against all and any anticipated threats and against unauthorized access.

The customers also are required to be furnished with details of the information sharing policies of the companies by the financial institutions at the time of first inclusion of an individual or group as a customer. In addition, the companies also require furnishing annual updates of the policy including any change in the policies to the existing customers (Freeman, 2003). The financial institutions have to declare their policy on disclosure of nonpublic personal information (NPI) to nonaffiliated third parties, the disclosure of NPI after termination of customer relationship and the measures for the protection of NPI. This essentially prevents data sharing between financial institutions and other non-financial companies (Mamun, Hassan & Van Lai, 2004).

The right to opt out of the limited amount of NPI sharing by the customers has also been granted by the GLBA. A financial institution can be directed by a customer not to share any of the private information with unaffiliated companies.

However, the GLBA does not grant customers any right to halt the sharing of information between affiliated companies of a financial institution groups. An affiliate has been defined as a company that is controlled by and is under the common control of another company. Therefore, this "corporate family" trading of personal information cannot be stopped by the customer according to the Act.

However, there are loopholes in the law that allow passing on of personal information to third parties that are not affiliated. Financial institutions can transfer personal data of its customers to a company that has been appointed or hired to gain its services. The argument is that the transfer of information is required to enabled the outside company to deliver the services. Thus, marketing companies selling a new product or a joint product of the financial institution and hired by the…