GLBA

The Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act of 1999, Public Law 106-102) is a US federal statute enacted 12 November 1999 that imposes privacy + safeguarding + anti-pretexting obligations on FINANCIAL INSTITUTIONS handling nonpublic personal information (NPI). KEY PROVISIONS: (a) SUBCHAPTER I - DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION (15 USC 6801-6809): policy of privacy obligation + safeguarding standard (Sec. 6801); notice + opt-out obligations on disclosure to nonaffiliated third parties (Sec. 6802); annual privacy notice obligation (Sec. 6803); rulemaking authority delegated to Bureau of Consumer Financial Protection (CFPB) + Securities and Exchange Commission (SEC) + Commodity Futures Trading Commission (CFTC) (Sec. 6804); enforcement by federal banking agencies (OCC + Federal Reserve + FDIC + NCUA + OTS) + SEC + CFTC + FTC + State insurance authorities (Sec. 6805); state insurance preemption (Sec. 6806); relation to other Acts (Sec. 6807); study of information sharing (Sec. 6808); definitions (Sec. 6809). (b) SUBCHAPTER II - FRAUDULENT ACCESS TO FINANCIAL INFORMATION (15 USC 6821-6827): PRETEXTING prohibition (Sec. 6821) - obtaining customer information by false pretenses + including phone + internet + impersonation prohibited; administrative enforcement by FTC + federal banking agencies (Sec. 6822); criminal penalties up to 5 years imprisonment or 10 years if aggravated (Sec. 6823); relation to other laws (Sec. 6824); agency guidance (Sec. 6825); reports (Sec. 6826); definitions (Sec. 6827). OPERATIONALISATION: GLBA establishes the statutory umbrella; substantive operational controls are issued by regulators via subordinate rules: (a) FTC Safeguards Rule 16 CFR Part 314 (last major revision 2021 + 2023 breach-notification amendment effective 2024 + further 2024-2025 amendments - verified separately); (b) FTC Privacy Rule 16 CFR Part 313 + model privacy form; (c) SEC Regulation S-P (17 CFR Part 248) - amended March 2024 + effective 2025-2026 with incident-response + breach-notification + 30-day individual notification + supervisory + record-keeping requirements; (d) BANKING-AGENCY RULES (Interagency Guidelines Establishing Standards for Safeguarding Customer Information + Interagency Guidance on Response Programs for Unauthorized Access to Customer Information + Customer Notice) issued by OCC + Federal Reserve + FDIC + NCUA + OTS - see 12 CFR Part 30 + Part 208 + Part 364 + Part 748; (e) NAIC Insurance Data Security Model Law (NAIC #668) adopted by 20+ states; (f) CFPB enforcement under Dodd-Frank for non-bank financial institutions; (g) HIGHER EDUCATION institutions participating in Title IV (FSA - Federal Student Aid) are FTC Safeguards Rule covered + tracked separately as a sectoral application. 2024-2025 PIPELINE: SEC Reg S-P amendments effective 2025-12-03 large + 2026-06-03 small institutions; FTC Safeguards 2024 30-day FTC notification rule effective; CFPB Section 1033 Open Banking Rule (October 2024) imposes additional safeguarding obligations on screen-scrapers; NAIC Model Bulletin on AI 2023; state privacy laws (CCPA + state DP laws) coordinate. ENGAGEMENT: GLBA is the statutory umbrella - cross-mapping to substantive controls + auditor evidence should target the subordinate FTC Safeguards Rule + FTC Privacy Rule + SEC Reg S-P + banking-agency rule frameworks.