The Gramm-Leach-Bliley Act of 2001
The Gramm-Leach-Bliley Act (GLBA) includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the Pretexting provisions.
The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.
The Financial Privacy Rule
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.
The Safeguards Rule
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions — such as credit reporting agencies — that receive customer information from other financial institutions.
Pretexting Provisions
The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting".
Requirements
- The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.
- The privacy notice must be a clear, conspicuous, and accurate statement of the company's privacy practices; it should include what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information.
- Consumers and customers have the right to opt out of — or say no to — having their information shared with certain third parties. The privacy notice must explain how — and offer a reasonable way — they can do that.
- If the privacy notice of the financial institution allows for disclosure to other unaffiliated financial institutions — like insurance providers — the recipient may re-disclose the information to an unaffiliated insurance provider.
- The law prohibits "pretexting" — the practice of obtaining customer information from financial institutions under false pretenses.
GLBA (the Gramm-Leach-Bliley Act of 2001) is one of the critical pieces of legislation from the USA; in its introductory words it addresses "enhanced protection of non-public personal information, including health information, and for other purposes." Its other name is the "Financial Institution Privacy Protection Act of 2001." As this name implies, it is focused on the finance industry.
It is critical in that it has created duties to provide adequate security, and rights for the consumer, while their non-public personal data is being shared by financial institutions.
Protecting customer personal information is now a critical activity that the finance community has to achieve with some urgency if it is to avoid being accused of governance failures, as so many other organizations recently have been. European legislation has often focused upon principles to be obeyed rather than specific actions to take. US legislation, by comparison, has often been more specific in terms of the method for compliance. As a result, for instance, GLBA does not say that passwords must be a specific length or that you must encrypt with a specific key length.
Having such standards available and implemented is valuable in that they give management justification for specific decisions and actions. That is essential where litigation in the event of a failure is a significant possibility. But such standards do not spell out which products to buy or how to operate them in order to deliver the results the standard (or the legislation) requires.
The regulations surrounding the financial services industry relate to customer privacy, record keeping, supervisory processes and review of correspondence. The regulations are defined in the following acts and rules:
- Gramm-Leach-Bliley Act's (GLBA) Title V: Privacy
- Securities Exchange Commission's (SEC) rules 240.17a-3 and 240.17a-4
- National Association of Securities Dealers' (NASD) rules 3010 and 3110
These regulations apply to all financial institutions. The term "financial institution" is defined in the GLBA regulation to mean "any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 USC 1843(k))" and the NASD purports to "regulate the securities industry and virtually all U.S. stockbrokers and brokerage firms".
Privacy Rights
GLBA imposes on financial institutions an obligation to protect the privacy rights of customers and ensure the security of non-public personal information. Non-public personally identifiable financial information means any information:
- A consumer provides to you to obtain a financial product or service from you;
- About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
- You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
Non-public personally identifiable financial information includes:
- Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
- Account balance information, payment history, overdraft history, and credit or debit card purchase information;
- The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
- Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
- Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on a loan or servicing a loan;
- Any information you collect through an Internet "cookie" (an information collecting device from a web server); and
- Information from a consumer report.
The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, integrity and accessibility of nonpublic personal information.
The legislation limits disclosure of information to non-affiliated third parties and calls on financial institutions, agencies and regulators to set standards to ensure the security and confidentiality of customer records and to protect against unauthorized use of such records or information.
Seven different federal agencies have responsibility for enforcing this law: Federal Trade Commission (FTC), Department of Treasury, Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA) and the Securities and Exchange Commission (SEC).
Record Keeping
Financial firms are required to maintain and store their email communications in compliance with the SEC's Rule 240.17a-4 and NASD's rules 3010 and 3110. These rules require that all emails be preserved for a period of not less than six years, with the first two years in an easily accessible place. SEC 240.17a-4(f)(ii) defines the storage requirements. The electronic storage media must:
- Preserve the records exclusively in a non-rewriteable, non-erasable format;
- Verify automatically the quality and accuracy of the storage media recording process;
- Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and
- Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.
NASD Conduct Rule 3110 dealing with books and records: "requires that correspondence with public customers, both written and electronic, be maintained in compliance with NASD rules and the SEC Rules 240.17a-3 and 240.17a-4. This means that a registered-representative email correspondence with the public relating to the firm's business, generated both at the office and at home, is subject to these provisions."
Firms must also be able to provide full audits of the email archive environment and be able to review both inbound and outbound email content.
More information affecting the financial industry is available in various independent analyst reports:
- Legal and Regulatory issues in the security industry (published April 12, 2002 by Datamonitor)
- Privacy, Security and Access to Information: Conference Highlights and Market Snapshot (published May 01, 2002 by IDC)
- Security Technology News (published July 01, 2002 by Business Communications Co.)
- The Changing Commercial Banking Industry Structure (published June 01, 2002 by Business Communications Co.)
Detailed texts:
Gramm-Leach-Bliley Act's (GLBA) Title V: Privacy
Subtitle A: Disclosure of Nonpublic Personal Information - Declares it is the policy of Congress that each financial institution has an affirmative, continuing obligation to respect the privacy and to protect the confidentiality of customer nonpublic personal information.
(Sec. 501) Instructs specified regulatory agencies to establish standards for financial institution safeguards that: (1) ensure security and confidentiality of customer records and information; and (2) protect against hazards or unauthorized access to such information.
(Sec. 502) Conditions financial institution disclosure of customer nonpublic personal information to a nonaffiliated third party upon compliance with consumer notification requirements that include: (1) clear, conspicuous disclosures that such information may be disseminated to third parties; and (2) consumer opportunity to prevent such dissemination.
Prohibits a financial institution from disclosing a consumer's access number or code to a nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
(Sec. 504) Requires selected Federal regulatory agencies to jointly prescribe implementing regulations. Confers enforcement authority upon designated Federal functional regulators, State insurance authorities, and the FTC.
(Sec. 506) Revamps the Fair Credit Reporting Act enforcement guidelines to require certain Federal banking agencies to jointly prescribe regulations governing dissemination by holding companies and their affiliates of customer nonpublic personal information.
(Sec. 508) Directs the Secretary of the Treasury, in conjunction with Federal functional regulators and the FTC, to study and report to Congress on information sharing practices among financial institutions and their affiliates.
Subtitle B: Fraudulent Access to Financial Information — Declares it is a violation of this Act to obtain, disclose, or provide documents under false pretenses pertaining to customer information of a financial institution. Exempts from such proscription: (1) law enforcement agencies; (2) financial institutions and insurance institutions which are engaged in specified activities; (3) customer information of financial institutions available as a public record under Federal securities laws; and (4) State-licensed private investigators acting under court authorization to collect child support from a person adjudged delinquent.
(Sec. 522) Grants the FTC enforcement powers under this Act. Subjects violations of this Act to Federal civil and criminal penalties.
(Sec. 525) Requires each Federal banking and securities regulatory agency to update guidelines applicable to the financial institutions under their respective jurisdictions to ensure such institutions have controls in place to deter and detect the activities proscribed by this Act.
(Sec. 526) Requires the Comptroller General to report to Congress on: (1) the efficacy and adequacy of the remedies provided in this Act; and (2) recommendations for additional action to address threats to financial information privacy. Directs the FTC and the Attorney General to report annually to Congress on enforcement actions taken pursuant to this Act.
Securities Exchange Commission's (SEC) rules 17a-3 and 17a-4
- Rule 17a-3 — [Effective until May 2, 2003.] Records to Be Made by Certain Exchange Members, Brokers and Dealers
- Rule 17a-3 — [Effective from May 2, 2003.] Records to Be Made by Certain Exchange Members, Brokers and Dealers
- Rule 17a-4 — [Effective until May 2, 2003.] Records to Be Preserved by Certain Exchange Members, Brokers and Dealers
- Rule 17a-4 — [Effective from May 2, 2003.] Records to Be Preserved by Certain Exchange Members, Brokers and Dealers
National Association of Securities Dealers' (NASD) rules 3010 and 3110
- NASD Conduct Rules