What is the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act (GLBA) is the foundational federal privacy law for financial institutions. Enacted in 1999, it establishes the baseline requirements for how financial institutions collect, share, and protect nonpublic personal information about their customers. Banks, credit unions, securities firms, insurance companies, mortgage brokers, and non-bank financial institutions, including fintechs, payment companies, and lending platforms, all fall within its scope if they are significantly engaged in financial activities.
GLBA compliance is not a checkbox exercise. Federal and state regulators examine it as part of routine safety-and-soundness and compliance examinations. Failures result in enforcement actions and civil penalties, and in the BaaS and embedded finance world, in the loss of bank partnerships that depend on demonstrated data protection.
This guide covers what GLBA requires, how it interacts with state privacy laws like CCPA, and where most financial institution privacy programs fall short.
The three pillars of GLBA compliance
GLBA compliance is built around three core requirements. Each addresses a different dimension of customer information protection.
Financial Privacy Rule
The Financial Privacy Rule governs how financial institutions communicate their data practices to customers and how they share customer information with third parties.
The rule requires financial institutions to:
- Provide initial and annual privacy notices to customers describing what information is collected, how it is used, and who it is shared with
- Give customers the right to opt out of certain information sharing with non-affiliated third parties
- Honor opt-out requests and maintain processes to track and enforce customer preferences
- Disclose data-sharing arrangements with affiliates and service providers
The privacy notice is not just a disclosure document. It is a regulatory commitment. If your notice says you protect customer data in specific ways, regulators will hold you to that standard. Inconsistencies between your privacy notice and your actual data practices are a common examination finding.
Safeguards Rule
The Safeguards Rule is the operational core of GLBA compliance. It requires financial institutions to develop, implement, and maintain a comprehensive information security program with administrative, technical, and physical safeguards appropriate to the institution’s size, complexity, and the sensitivity of the customer information it handles.
The FTC’s amended Safeguards Rule, whose key provisions became enforceable in June 2023, moved well beyond the original “reasonable safeguards” standard. One scoping caveat: the FTC rule applies to non-bank financial institutions under FTC jurisdiction; banks and credit unions are held to the equivalent Interagency Guidelines issued by their prudential regulators, which impose comparable expectations. The amended FTC rule now requires:
- A designated qualified individual responsible for overseeing the information security program
- A written risk assessment that identifies threats to customer information confidentiality, integrity, and availability
- Access controls that limit who can access customer information based on business need
- Encryption of customer information both in transit and at rest (where encryption is infeasible, an alternative compensating control reviewed and approved in writing by the qualified individual)
- Multi-factor authentication for accessing customer information systems
- Secure development practices for in-house applications
- Change management procedures
- An incident response plan that covers detection, response, recovery, and notification
- Annual penetration testing and vulnerability assessments at least every six months, unless continuous monitoring is in place
- Secure disposal of customer information no later than two years after its last use for a business purpose, unless retention is required by law or a legitimate business need
- Oversight of service providers, including contractual security requirements and periodic assessment
- A written report to the board or governing body at least annually on the security program’s status and effectiveness
For fintechs, the updated Safeguards Rule is particularly significant. Many fintechs that previously operated under informal security practices now face specific, prescriptive requirements. And for fintechs operating through sponsor bank partnerships, the bank partner will often contractually require GLBA-level security controls regardless of whether the fintech independently meets the FTC’s threshold.
Pretexting protection
The third pillar prohibits the use of false pretenses to obtain customer financial information. This covers social engineering attacks, pretextual phone calls, and fraudulent information requests. While less operationally complex than the Privacy Rule or Safeguards Rule, pretexting protection requires employee training, authentication procedures for information requests, and incident reporting mechanisms.
Who does GLBA apply to?
GLBA applies to “financial institutions,” which the law defines broadly. It covers any company that is “significantly engaged” in financial activities, including:
- Banks and credit unions
- Securities firms and investment advisors
- Insurance companies
- Mortgage brokers and lenders
- Check cashers and payday lenders
- Collection agencies
- Financial advisors and tax preparers
- Non-bank lenders, including marketplace and BNPL platforms
- Payment companies and money transmitters
- Fintechs that facilitate lending, payments, or financial advisory services
The “significantly engaged” standard catches companies that do not think of themselves as financial institutions. If your fintech processes payments, facilitates loans, or provides financial advisory services, GLBA likely applies to you.
CCPA, state privacy laws, and how they interact with GLBA
The CCPA/CPRA exemption, and its limits
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive state privacy law in the United States. It provides consumers with rights to know what data is collected, request deletion, correct inaccuracies, and opt out of data sales or sharing.
CCPA includes a partial exemption for personal information collected, processed, sold, or disclosed pursuant to GLBA. But this exemption is narrower than many financial institutions assume. It applies only to the specific information governed by GLBA, not to all data the institution collects, and it does not extend to CCPA’s private right of action for data breaches, which still reaches GLBA-covered data. Data that falls outside the exemption typically includes:
- Marketing and advertising data: Website analytics, cookie data, ad targeting information
- Employee and HR data: Job applicant and employee personal information
- Non-financial customer data: Information collected outside the scope of the financial relationship
- Prospect data: Information collected from individuals who are not yet customers
Most financial institutions have data that straddles the line. A coordinated compliance approach that addresses both GLBA and CCPA is essential.
The state privacy patchwork
Beyond California, a growing number of states have enacted comprehensive privacy laws: Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others, with more in the pipeline. Each has distinct requirements around consumer rights, data processing assessments, opt-out mechanisms, and enforcement. The GLBA carve-outs also differ: most of these laws exempt GLBA-regulated financial institutions at the entity level, while California and a few other states exempt only the GLBA-regulated data, leaving the institution’s other personal information in scope.
For financial institutions operating across state lines, the compliance challenge is real. Each state law has different applicability thresholds, different consumer rights, different enforcement mechanisms, and different interactions with GLBA. Building separate compliance programs for each state is unsustainable. The practical approach is a unified privacy compliance framework that addresses the most stringent requirements and adjusts for state-specific variations.
Data privacy compliance versus data security compliance
Data privacy and data security are related but distinct disciplines. Confusing them, or treating them as a single program, creates gaps that regulators find during examinations.
Data privacy compliance governs the rules around data: what you collect, why you collect it, who you share it with, how long you keep it, and what rights consumers have over their information. Privacy compliance is about the policies, notices, and processes that control data use.
Data security compliance governs the protections around data: how you prevent unauthorized access, detect breaches, encrypt information, manage vulnerabilities, and respond to incidents. Security compliance is about the controls, technologies, and procedures that protect data from threats.
Both are required under GLBA and most state privacy laws. An effective program integrates them. Your privacy notices make commitments about data protection. Your security program fulfills those commitments. When privacy and security operate in silos, the commitments and the controls drift apart.
Financial data privacy: why it is different from general data privacy
Financial data privacy is a specialized discipline within the broader privacy landscape. It addresses the unique sensitivity and regulatory treatment of customer financial information: account numbers, transaction histories, credit data, income information, Social Security numbers, and other personally identifiable financial information.
Financial data privacy requirements come from multiple overlapping sources:
- GLBA: The baseline for all financial institution data privacy
- Fair Credit Reporting Act (FCRA): Governs the collection, use, and sharing of consumer credit information
- Right to Financial Privacy Act: Governs federal government access to customer financial records held by financial institutions
- State financial privacy laws: State-specific requirements that may exceed federal standards
- Regulatory guidance: OCC, FDIC, Federal Reserve, and CFPB guidance on data privacy and information security
For fintechs operating through APIs, open banking integrations, or embedded finance partnerships, financial data privacy controls are both a regulatory requirement and a commercial necessity. Bank partners evaluate your data privacy posture as part of onboarding due diligence and ongoing oversight. Weaknesses in financial data privacy controls are a partnership risk, not just a compliance risk.
Where most GLBA compliance programs fall short
Regulators do not just check whether a GLBA program exists. They evaluate whether it operates effectively. The most common gaps include:
Privacy notices that do not match actual practices. The privacy notice describes one set of data-sharing practices. The institution’s actual data flows tell a different story. This disconnect is one of the most frequent examination findings.
Safeguards Rule compliance that stops at the checklist. The updated rule requires specific controls, but examiners evaluate whether those controls are implemented, tested, and maintained, not just documented.
Incomplete data inventories. You cannot protect data you do not know you have. Many institutions lack a comprehensive map of what customer data they collect, where it is stored, who has access, and how it flows to third parties.
Third-party oversight gaps. GLBA requires oversight of service providers that access customer information. Many institutions have vendor contracts in place but lack the ongoing monitoring, testing, and reporting that demonstrates actual oversight.
No integration between privacy and security. Privacy and security programs operate independently, with different teams, different reporting lines, and different priorities. The result is gaps that neither team owns.
State law blind spots. The institution has a GLBA program but has not assessed applicability of CCPA, state breach notification laws, or other state privacy requirements that apply to portions of its data.
Building a privacy and data security program that holds up
A defensible program starts with four foundational elements:
- Data inventory and mapping: Identify what customer data you collect, where it lives, how it flows, who has access, and what legal basis applies. This is the foundation for both privacy and security compliance.
- Integrated privacy and security framework: Design a single program that coordinates privacy notices, consumer rights management, access controls, encryption, monitoring, incident response, and vendor oversight. Privacy and security should report through a unified governance structure.
- Risk assessment: Conduct a GLBA-compliant risk assessment that evaluates threats to customer information across all channels, systems, and third-party relationships. Use the results to prioritize controls and allocate resources.
- Ongoing management: Privacy and security compliance is not a project. It requires continuous monitoring, periodic assessments, regulatory change tracking, incident response readiness, and regular board reporting.
Ready to build your privacy and data security program?
Whether you need a GLBA compliance program, a multi-state privacy framework, CCPA compliance infrastructure, or a comprehensive data security program, Equinox Compliance delivers the design, implementation, and ongoing management your institution requires. Book a privacy and data security consultation.