
Gramm-Leach-Bliley Act (GLBA)

GLBA requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

Are you subject to the GLBA?

The GLBA covers various financial institutions and entities that either operate in the U.S. or have customers in the U.S. It encompasses a range of financial institutions, like:

  • Banks and credit unions
  • Mortgage brokers
  • Insurance companies
  • Securities firms
  • Investment advisors
  • Mortgage lenders and brokers
  • Tax preparers
  • Consumer reporting agencies

Obligations under GLBA

Privacy policy

Financial institutions are required to provide customers with clear and conspicuous notice of their privacy policies.

Opt-out provision

Customers must be given the opportunity to opt out of the sharing of their nonpublic personal information with non-affiliated third parties.

Safeguarding personal information

Financial institutions must establish safeguards to protect the security and confidentiality of customer information.

Pretexting prohibition

The GLBA prohibits pretexting, the practice of obtaining personal information under false pretenses.

Compliance requirements

Financial institutions are required to develop and implement a comprehensive information security program.

Industry Brief

State of Privacy Management in Financial Services

To compete in today’s world, financial services companies need to embrace privacy to create more personalized experiences for consumers.

  • Are there any exceptions to the GLBA’s privacy notice requirements?

    Yes, there are exceptions for certain types of information sharing, such as sharing information with affiliates, processing transactions, and servicing accounts. However, financial institutions must still provide privacy notices and opt-out provisions for non-affiliated third-party sharing.

  • How does the GLBA affect small businesses or financial institutions with limited resources?

    The GLBA recognizes that smaller institutions may have limited resources to comply with its requirements. As such, regulatory agencies provide guidance and assistance to help smaller entities develop and implement appropriate privacy and security measures.

  • How does the GLBA address emerging technologies and digital financial services?

    The GLBA’s requirements for safeguarding customer information and implementing information security programs are technology-neutral, meaning they apply regardless of the specific technologies used by financial institutions. However, regulators may issue guidance or updates to address evolving cybersecurity threats and technological advancements in the financial industry.

  • What are the penalties for non-compliance with the GLBA?

    Non-compliance with the GLBA can result in significant penalties, including fines imposed by regulatory agencies such as the Federal Trade Commission (FTC), civil lawsuits from affected individuals, and reputational damage to the financial institution. Additionally, regulators may require remedial actions or impose restrictions on the institution’s operations.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
