Gramm-Leach-Bliley Act — Financial Modernization & Privacy
The Gramm-Leach-Bliley Act of 1999 (GLBA) did two transformative things. First, it repealed the Glass-Steagall barriers that had separated commercial banking, investment banking, and insurance since 1933 — allowing the creation of financial holding companies (like Citigroup, JPMorgan Chase, and Bank of America) that combine all three. Second, it established the first comprehensive federal framework for financial privacy (15 U.S.C. §§ 6801–6827) — requiring financial institutions to disclose how they collect, share, and protect customers' nonpublic personal information (NPI) and giving customers the right to opt out of having their information shared with unaffiliated third parties. Every annual "privacy notice" you receive from your bank, credit card company, or insurance provider exists because of GLBA. The privacy provisions also make it a federal crime to use pretexting (false pretenses) to obtain someone's financial records — punishable by up to 5 years imprisonment (10 years if the information is used for other crimes).
Current Law (2026)
| Parameter | Value |
|---|---|
| Governing law | 15 U.S.C. §§ 6801–6827 (Title V of GLBA, 1999) |
| Implementing regulation | Regulation P (12 CFR Part 1016, CFPB); SEC Regulation S-P; FTC Privacy Rule |
| Applies to | All "financial institutions" — banks, securities firms, insurance companies, mortgage brokers, tax preparers, financial advisors, debt collectors, and more |
| Privacy notice | Required at account opening and annually thereafter (annual notice may be exempt if practices unchanged) |
| Opt-out right | Customers may opt out of sharing NPI with unaffiliated third parties |
| Safeguards Rule | Financial institutions must implement security programs to protect customer information |
| Pretexting prohibition | Federal crime to obtain financial info through false pretenses — up to 5 years imprisonment |
| Enforcement | CFPB, SEC, FTC, federal banking regulators, state insurance regulators |
Legal Authority
- 15 U.S.C. § 6801 — Protection of nonpublic personal information (financial institutions must respect customer privacy; federal agencies must establish standards for safeguarding customer information)
- 15 U.S.C. § 6802 — Obligations regarding disclosures (financial institutions may not disclose NPI to unaffiliated third parties unless the customer is given notice and a reasonable opportunity to opt out; exceptions for joint marketing, servicers, and legally required disclosures)
- 15 U.S.C. § 6803 — Disclosure of privacy policy (financial institutions must provide a clear and conspicuous privacy notice at account opening and annually, describing information collection and sharing practices)
- 15 U.S.C. § 6805 — Enforcement (CFPB, SEC, federal banking agencies, FTC, and state insurance regulators enforce the privacy and safeguards provisions within their respective jurisdictions)
- 15 U.S.C. § 6821 — Pretexting prohibition (it is unlawful to obtain customer financial information through false pretenses, fraudulent statements, or impersonation)
- 15 U.S.C. § 6823 — Criminal penalties (willful violation of the pretexting prohibition: up to $5,000 fine and 5 years imprisonment; enhanced to $50,000 and 10 years if the violation is committed in connection with another violation of law)
How It Works
Every financial institution must provide a clear and conspicuous notice under 15 U.S.C. § 6803 describing what categories of nonpublic personal information (NPI) it collects — account numbers, transaction history, credit scores, Social Security numbers — whether and with whom it shares that information, and how to opt out. This notice is required at account opening and annually thereafter (the FAST Act of 2015 exempted institutions from the annual notice if their sharing practices haven't changed and they don't share NPI with unaffiliated third parties). Before sharing your NPI with an unaffiliated third party, the institution must give you an opportunity to opt out under 15 U.S.C. § 6802 — and if you opt out, your information cannot be shared with those parties. The opt-out has significant limits: it doesn't apply to sharing with affiliates (companies under common ownership — your bank can share your data with its investment advisory or insurance subsidiaries without asking), joint marketing partners (under formal agreements), or service providers (companies performing services under contract). This means a financial conglomerate like JPMorgan Chase can share your data freely among Chase Bank, J.P. Morgan Securities, and Chase Insurance — the corporate structure created by GLBA's financial modernization provisions allows data flows that the privacy provisions don't restrict.
Beyond disclosure, GLBA requires financial institutions to implement a comprehensive information security program under the Safeguards Rule (FTC rule under 15 U.S.C. § 6801), significantly updated in 2023 to add specific technical requirements: designating a qualified individual to oversee the program, conducting risk assessments, implementing access controls and encryption of customer information in transit and at rest, continuous monitoring, staff training, and managing service providers' security practices. GLBA's other transformative impact — Title I — repealed key provisions of the Glass-Steagall Act (1933) and the Bank Holding Company Act (1956) that had prevented banks, securities firms, and insurance companies from affiliating. Under GLBA, bank holding companies meeting enhanced capital and management standards can become financial holding companies (FHCs) authorized to engage in securities underwriting, insurance underwriting, and merchant banking — creating the modern financial conglomerates. Critics argue this consolidation contributed to the 2008 financial crisis by creating "too big to fail" institutions with complex, interconnected risk profiles, a problem later addressed by the Dodd-Frank Act and FSOC.
How It Affects You
If you're a bank, credit union, or financial services customer: Those annual "privacy notice" mailers you've been ignoring since the early 2000s are GLBA's primary consumer-facing mechanism — and they contain information worth reading.
What the notice tells you: The notice describes (1) what categories of your nonpublic personal information (NPI) the institution collects — account numbers, transaction history, credit scores, Social Security numbers, payment history; (2) with whom they share it — affiliates, joint marketers, or unaffiliated third parties; and (3) how to opt out. GLBA requires the notice at account opening and — if your institution shares with non-affiliates — annually after that.
How to exercise your opt-out right: Your privacy notice will include a toll-free number, website link, or mail-in form. Call or click within the window specified (usually 30 days). Your opt-out instruction must be honored going forward and remains in effect until you rescind it. Important limitations:
- The opt-out does not stop sharing with affiliates — companies under common ownership with your bank (e.g., Chase Bank sharing data with J.P. Morgan Securities or Chase Insurance). The financial conglomerate structure GLBA created is specifically exempt from the opt-out.
- The opt-out does not stop sharing with service providers — companies the institution contracts with to perform services on its behalf (analytics vendors, marketing companies, processors).
- The opt-out does not stop sharing required by law — fraud investigations, subpoenas, law enforcement.
California residents: California's CCPA/CPRA provides stronger opt-out rights than GLBA, including the ability to limit sharing with affiliates and to request deletion of your financial data. For institutions regulated by the California DFPI, California's privacy protections layer on top of GLBA.
Exercising meaningful control: If you want to minimize your financial data sharing, opt out of all GLBA-disclosed non-affiliate sharing AND (if your institution offers it) opt out of affiliated sharing. Then check whether your state provides stronger rights that override GLBA.
Data breach notification: If your financial institution suffers a breach that could harm you, GLBA's Safeguards Rule (updated 2023) requires them to notify affected customers. When you receive a breach notification: immediately freeze your credit at all three bureaus — Equifax, Experian, and TransUnion — at no cost under 15 U.S.C. § 1681c-1. A credit freeze prevents anyone from opening new accounts in your name until you lift the freeze yourself. This is more effective than a credit monitoring subscription.
If someone fraudulently obtained your financial records through pretexting: GLBA makes it a federal crime (up to 5 years imprisonment; up to 10 years if used in another crime) for someone to obtain your financial account information through false pretenses — calling your bank pretending to be you, impersonating a law enforcement officer, or using a fake identity. Report to:
- Your bank's fraud department (dispute all unauthorized activity)
- The FTC at reportfraud.ftc.gov or identitytheft.gov (for an identity theft report and personal recovery plan)
- FBI Internet Crime Complaint Center at ic3.gov if the fraud was online
- Your state attorney general
If you work at or run a bank, credit union, or depository institution supervised by Fed/OCC/FDIC/NCUA: Your privacy obligations run through Regulation P (12 CFR Part 1016 for CFPB-supervised institutions) and interagency guidelines (12 CFR Part 30 Appendix B for OCC-supervised banks).
Annual notice exemption: Under the FAST Act (2015), you don't need to send an annual privacy notice if (1) your information-sharing practices haven't changed since the last notice, AND (2) you share NPI only with affiliates or service providers, not with unaffiliated third parties. Document why you qualify each year. If you start sharing with non-affiliates, the exemption lapses immediately and annual notices resume.
Safeguards program: The interagency guidelines require a written information security program addressing: risk assessment, access controls (including MFA for systems with NPI), employee training, vendor oversight with contractual security requirements, testing and monitoring, and incident response. For large banks, this is extensively examined during safety and soundness reviews. A Safeguards failure that results in a breach will draw enforcement attention from your primary federal regulator.
If you're a non-bank financial institution supervised by the FTC (mortgage companies, auto dealers with in-house financing, tax preparers, financial advisors, debt collectors, payday lenders): You're covered by the FTC's Safeguards Rule (16 CFR Part 314, updated June 2023) and Privacy Rule (16 CFR Part 313). The 2023 Safeguards Rule update added specific mandatory technical requirements — and the FTC has begun enforcing them.
What the updated Safeguards Rule requires:
- Designate a qualified individual (CISO-equivalent, can be a third party) to oversee your information security program
- Conduct a written risk assessment identifying reasonably foreseeable threats to customer NPI
- Implement access controls — limit who can access NPI to those with a business need; use multi-factor authentication for any system with NPI
- Encrypt customer information in transit and at rest
- Conduct annual penetration testing plus continuous vulnerability assessment
- Maintain a written incident response plan
- Oversee service providers: contracts must require them to implement appropriate safeguards; annually review their practices
- Notify FTC within 30 days of any breach affecting 500+ customers
FTC enforcement is real: The Commission has brought actions against small mortgage companies, auto dealer groups, and tax preparers following data breaches, with settlements typically requiring $50K-$500K in civil penalties plus mandatory compliance programs. Don't wait for a breach to force compliance — implement the Safeguards program before an incident. FTC templates for small businesses are available at ftc.gov/business-guidance/resources/ftcs-safeguards-rule-your-business.
Privacy notice requirements for non-banks: If you share NPI with non-affiliated third parties (selling leads to other lenders, sharing data with marketing partners), you must provide initial and annual notices and honor opt-out requests. Even if you qualify for the FAST Act exemption, document it.
State Variations
GLBA sets a federal floor but preserves state authority:
- State privacy laws — enforced alongside federal rules by the CFPB — may provide stronger protections than GLBA (California's CCPA/CPRA provides broader opt-out rights; compare HIPAA for health data privacy)
- State insurance regulators enforce GLBA's privacy provisions for insurance companies
- Some states have enacted financial privacy laws that go beyond GLBA's opt-out right to require opt-in consent
- State data breach notification laws supplement GLBA's safeguards requirements
- GLBA does not preempt state laws that provide greater privacy protection
Implementing Regulations
- 12 CFR Part 1016 — CFPB Privacy of consumer financial information (Regulation P — privacy notices, opt-out rights, information sharing restrictions, exceptions for joint marketing)
- 16 CFR Part 314 — FTC Standards for Safeguarding Customer Information (Safeguards Rule): the FTC's implementing regulation of GLBA Section 501 for non-bank financial institutions — the comprehensive information security program mandate for the 10,000+ companies (mortgage brokers, auto dealers with in-house financing, tax preparers, payday lenders, debt collectors, financial advisors) that are not supervised by a federal banking regulator. The 2021 updated rule (effective June 2023) significantly strengthened technical requirements. Key provisions:
- § 314.3 — Information security program: every covered financial institution must develop, implement, and maintain a written comprehensive information security program with administrative, technical, and physical safeguards appropriate to the institution's size and complexity; the program must be based on a risk assessment and designed to (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats to security or integrity; and (3) protect against unauthorized access that could result in substantial harm to customers
- § 314.4 — Required elements of the information security program: the 2021 rule added specific mandatory technical elements that were not in the original 2003 rule:
- (a) Designate a qualified individual (Chief Information Security Officer or equivalent) responsible for overseeing and enforcing the program
- (b)(1) Conduct a written risk assessment identifying reasonably foreseeable internal and external risks; evaluate the sufficiency of safeguards; document results and implement changes
- (c) Design and implement safeguards to control identified risks including access controls, data inventory and classification, encryption, multi-factor authentication, and secure development practices
- (d) Test or monitor effectiveness of safeguards through penetration testing (annually) or vulnerability assessments (continuous or biannual)
- (f) Oversee service providers that access customer information — require service providers by contract to implement appropriate safeguards; periodically assess providers' security practices
- (h) Establish an incident response plan covering: goals, internal processes for reporting and responding, recovery procedures, roles and responsibilities, communications with affected customers, documentation and post-incident review
- (i) Report to the board of directors (or equivalent) annually on the status of the information security program, material risks, and results of testing
- § 314.6 — Small institution exception: institutions maintaining customer information on fewer than 5,000 consumers are exempt from the written risk assessment requirement (§ 314.4(b)(1)), the penetration testing requirement (§ 314.4(d)(2)), the written incident response plan requirement (§ 314.4(h)), and the board reporting requirement (§ 314.4(i)); they must still maintain a written security program with appropriate safeguards
Part 314 is the FTC's principal cybersecurity regulation — more prescriptive than any prior iteration. The 2021 amendments were driven by high-profile data breaches at non-bank institutions and reflect NIST Cybersecurity Framework principles translated into binding regulatory requirements. The FTC enforces Part 314 through Section 5 of the FTC Act (unfair or deceptive practices) and its breach authority — civil penalties can reach hundreds of millions of dollars for systematic violations. The CISO designation and board reporting requirements in §314.4(a) and (i) push data security decisions to senior management and governance levels. Recent rulemakings: 86 FR 70272 (December 2021) — comprehensive update adding technical requirements effective June 9, 2023.
- 12 CFR Part 30 — OCC Safety and Soundness Standards: the OCC's implementing regulation of Section 39 of the Federal Deposit Insurance Act (12 U.S.C. § 1831p-1), which requires OCC to establish operational and managerial safety and soundness standards for national banks, federal savings associations, and federal branches of foreign banks. Part 30's procedural provisions create the compliance plan enforcement mechanism; its Appendices contain the substantive standards. Key provisions:
- § 30.3 — Determination and notification of failure: the OCC may, based on an examination or other information, determine that a bank fails to meet one or more safety and soundness standards; upon such determination, the OCC sends a notice to the bank's board identifying the deficiency and requesting a written compliance plan within 30 days (§30.4); the compliance plan must describe the steps the bank will take and a timeline for remediation
- § 30.5 — Issuance of orders to correct deficiencies: if a bank fails to submit an acceptable compliance plan, or if the OCC determines after submission that the bank will not achieve compliance through the plan, the OCC may issue an order requiring specific corrective actions or prohibiting specific practices; banks receive notice and an opportunity to respond (typically 20 days) before an order is finalized
- § 30.6 — Enforcement of orders: non-compliance with a Part 30 order triggers judicial enforcement in U.S. district court; the OCC may also use the enforcement mechanisms of FDI Act § 8 (12 U.S.C. § 1818), including civil money penalties
- Appendix A — Interagency Guidelines Establishing Standards for Safety and Soundness: the core operational standards covering internal controls, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure management, asset growth, asset quality, earnings, and executive compensation; these guidelines define what constitutes unsafe or unsound practices for OCC-supervised institutions
- Appendix B — Interagency Guidelines Establishing Information Security Standards (GLBA § 501(b)): the information security program requirements for national banks implementing GLBA's customer information protection mandate; requires a written security program with administrative, technical, and physical safeguards; periodic risk assessment, access controls, encryption (where appropriate), employee training, service provider oversight, and an incident response program; the bank version of the same framework that the FTC's Safeguards Rule (16 CFR Part 314) imposes on non-bank financial institutions
- Appendix C — OCC Guidelines Establishing Heightened Standards: additional requirements for large financial institutions with $50+ billion in average total consolidated assets (or those the OCC determines should be subject to heightened standards); includes requirements for a front-line risk management framework, independent risk management function, and internal audit; reflects post-financial crisis recognition that large banks require more robust governance than smaller institutions
- Appendix D/E — Recovery Planning Standards: OCC guidelines requiring covered banks to develop and maintain recovery plans — documents describing what the bank would do to restore viability in an adverse stress scenario; separate from resolution plans (living wills) required by the Fed/FDIC under Dodd-Frank; Appendix D applies to banks with $250B+ in assets, Appendix E to smaller institutions the OCC designates as covered
Part 30's Appendix B information security standards are the banking regulator parallel to the FTC's Safeguards Rule — together they implement GLBA § 501(b)'s directive that financial institutions protect customer information. The bank version (Appendix B) and the non-bank version (16 CFR Part 314) are coordinated through the Federal Financial Institutions Examination Council (FFIEC) but administered by different regulators. OCC enforces Appendix B against national banks through its examination process; the 2021 FFIEC Cybersecurity Assessment Tool and 2022 interagency guidance on ransomware incorporate these standards into supervisory expectations.
- 16 CFR Part 313 — FTC Privacy of Consumer Financial Information: the FTC's GLBA privacy rule for non-bank financial institutions not supervised by a federal banking regulator (mortgage brokers, auto dealers with in-house financing, tax preparers, non-bank lenders, financial advisors not registered with the SEC, debt collectors, payday lenders). Key provisions:
- § 313.4 — Initial privacy notice: must be provided when a consumer becomes a customer — at the start of the relationship (before completing the first transaction for bank-like relationships); must be clear and conspicuous and accurately describe the institution's privacy policies
- § 313.5 — Annual privacy notice: must be provided each year during the customer relationship; the FAST Act (2015) allows institutions to skip the annual notice if (1) their information-sharing practices have not changed since the last notice AND (2) they only share NPI with affiliates or service providers (not with unaffiliated third parties for other purposes)
- § 313.6 — Required content of privacy notices: the notice must describe (1) the categories of NPI the institution collects (application data, transaction history, credit history, SSN); (2) the categories of NPI disclosed to affiliates and to nonaffiliated third parties; (3) the categories of nonaffiliated third parties to whom information is disclosed; (4) the consumer's opt-out right and how to exercise it; and (5) any disclosures made under the Fair Credit Reporting Act regarding affiliate marketing
- § 313.7 — Opt-out notice and methods: if the institution shares NPI with nonaffiliated third parties (outside the service-provider exception), it must provide a clear opt-out notice and a reasonable means to exercise it; acceptable opt-out methods include toll-free phone numbers, reply forms, and website opt-out pages, and whichever method is offered must actually function; written opt-outs must be processed within a reasonable time
- § 313.10 — Limits on third-party disclosure: without a consumer's opt-out exercised, an institution may share NPI with non-affiliated third parties only under specified exceptions; sharing for the institution's own purposes with service providers and joint marketers (§ 313.13), for processing transactions the consumer requested (§ 313.14), or to comply with law (§ 313.15) does not trigger opt-out rights
- § 313.12 — Account number prohibition: institutions may NOT disclose account numbers or access codes to nonaffiliated third parties for marketing purposes — this is an absolute prohibition, regardless of opt-out status, protecting consumers from their account numbers being sold to marketers even if the consumer hasn't opted out
- § 313.2 — Model privacy form: institutions may use the FTC-provided model privacy form (Appendix A) to satisfy the notice content requirements; the model form is a standardized two-page document designed for readability; use of the form provides a safe harbor from content-format challenges
- § 313.17 — Relation to state laws: Part 313 does not preempt state financial privacy laws that provide greater protection; states may impose stricter opt-in requirements, broader opt-out rights, or more extensive notice content
Part 313 and Regulation P (12 CFR Part 1016 for CFPB-supervised institutions) are parallel rules implementing the same GLBA provision — the only difference is which agency enforces them against which regulated entities. For the 10,000+ non-bank financial institutions under FTC jurisdiction, Part 313 compliance runs alongside Part 314 (Safeguards Rule) compliance. The FTC has begun active enforcement: Part 313 violations are unfair or deceptive acts or practices under Section 5 of the FTC Act, subject to civil penalties up to $53,088 per day per violation (2026 inflation-adjusted). The most common compliance failure is not providing opt-out rights before sharing NPI with marketing partners — a practice many non-bank financial firms assumed was routine but is directly prohibited absent proper notice and opt-out opportunity.
- 17 CFR Part 248 — SEC Regulations S-P, S-AM, and S-ID (32 sections): the SEC's GLBA-implementing privacy and safeguards rules for broker-dealers, investment companies, and SEC-registered investment advisers, in three subparts covering consumer financial privacy, affiliate marketing opt-out, and identity theft detection:
Regulation S-P — Privacy of Consumer Financial Information (§§ 248.1–248.18):
- § 248.1 — Scope: applies to broker-dealers, investment companies, and investment advisers in their dealings with consumers who obtain financial products or services for personal use; Reg S-P is the securities industry's parallel to CFPB Regulation P for banks
- § 248.4 / § 248.5 — Initial and annual privacy notices: firms must provide a clear privacy notice at account opening describing information collection and sharing practices, and annually thereafter; the FAST Act (2015) allows an exemption from annual notices if sharing practices have not changed and the firm shares NPI only with affiliates or service providers
- § 248.6 — Required notice content: categories of NPI collected; categories disclosed to affiliates and nonaffiliated third parties; identity of third party categories; opt-out rights and how to exercise them
- § 248.10 — Opt-out rights for third-party sharing: before sharing NPI with nonaffiliated third parties (outside service provider and joint marketer exceptions), the firm must provide the consumer a reasonable opportunity to opt out; sharing with affiliates is addressed separately in Reg S-AM, not Reg S-P
- § 248.13 — Service provider / joint marketing exception: a firm may share NPI with a nonaffiliated service provider without triggering opt-out obligations if it first discloses the sharing in its privacy notice and contractually restricts the service provider to using the information only for the disclosed purposes
- § 248.30 — Safeguarding customer information (comprehensive security program): firms must maintain a written information security program appropriate to their size and the sensitivity of customer information they hold; required elements include risk assessment, administrative/technical/physical safeguards, testing and monitoring, employee training, and oversight of third-party service providers; in 2023, the SEC adopted an updated safeguarding rule (88 FR 20212) requiring specific incident response plans and customer notification within 30 days of discovering unauthorized access to sensitive customer records
Regulation S-AM — Affiliate Marketing Opt-Out (§§ 248.101–248.128):
- § 248.121 — Before a firm uses "eligibility information" received from an affiliate (credit history, transaction data, account balances) to market its own products to consumers, it must: (1) clearly disclose that it may use affiliate-provided information for marketing, (2) give consumers a reasonable opportunity to opt out, and (3) honor the opt-out for at least 5 years; the rule implements FCRA Section 624 for SEC-regulated entities
Regulation S-ID — Identity Theft Prevention (§§ 248.201–248.202):
- § 248.201 — Red Flags Rule: firms that maintain covered consumer accounts must adopt a written Identity Theft Prevention Program; the program must include policies to identify, detect, and respond to "red flags" — indicators of possible identity theft such as alerts from credit bureaus, suspicious documents, unusual account activity, or customer fraud notices; the program must be board-approved and updated annually; this implements FCRA Section 615(e)'s Red Flags mandate for securities firms
- 12 CFR Part 332 — FDIC Privacy of Consumer Financial Information: the FDIC's implementation of GLBA Title V's financial privacy provisions for state-chartered non-member banks — institutions that hold a state charter but are not members of the Federal Reserve System. Part 332 is functionally identical to 16 CFR Part 313 (FTC rule for non-banks) and 12 CFR Part 1016 (CFPB Regulation P for large banks), implementing the same notice, opt-out, and information-sharing framework for the FDIC's supervised institutions. The FDIC, Fed, OCC, NCUA, and FTC each promulgated parallel privacy rules from the same interagency template — the differences are jurisdiction (which institutions each regulator supervises), not substance. Key provisions:
- § 332.4 — Initial privacy notice: FDIC-supervised state non-member banks must provide a clear and conspicuous privacy notice at account opening describing the institution's NPI collection and sharing practices; notice must be provided before completing the first transaction for new customers
- § 332.5 — Annual privacy notice: banks must provide an annual privacy notice during the customer relationship; the FAST Act (2015) exempts institutions from annual notices if their sharing practices have not changed AND they share NPI only with affiliates or service providers (not unaffiliated third parties)
- § 332.10 — Limits on disclosure to nonaffiliated third parties: a bank may not share NPI with nonaffiliated third parties (beyond service providers and joint marketers) unless the consumer has been given opt-out rights and has not opted out; this is the core consumer protection — the right to prevent your bank from selling your data to outside companies
- § 332.12 — Account number prohibition: banks may not disclose account numbers or access codes to any nonaffiliated third party for marketing purposes — an absolute rule with no opt-out bypass; a bank that sells customer account numbers to a marketing firm violates § 332.12 regardless of what the bank's privacy notice says
- § 332.13 — Service provider / joint marketing exception: sharing NPI with a nonaffiliated third party that performs services on behalf of the bank (a data processor, a direct mail vendor, a jointly-marketed product partner) does not trigger opt-out obligations if the bank discloses the arrangement in its privacy notice and requires the third party to use information only for the disclosed purpose
- § 332.17 — State law preemption: Part 332 does not preempt state financial privacy laws that give consumers greater protection; states may impose opt-in consent requirements, broader data rights, or more extensive disclosures — and those stronger state rules apply to FDIC-supervised institutions operating in those states alongside (not instead of) Part 332
Part 332 applies to the approximately 4,000 state-chartered non-member banks supervised by the FDIC — a large portion of the U.S. community banking sector. Compliance is monitored through FDIC examinations; the FDIC has issued guidance on model privacy notices (Appendix A to Part 332 is a model privacy form providing safe harbor from format challenges). Original rule: 65 FR 35216 (June 2000) — part of the coordinated interagency rulemaking that implemented GLBA privacy provisions simultaneously across all federal banking regulators.
17 CFR Part 160 — CFTC Privacy of Consumer Financial Information Under Title V of the Gramm-Leach-Bliley Act: the Commodity Futures Trading Commission's parallel implementation of GLBA's financial privacy requirements for futures commission merchants (FCMs), commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers, retail foreign exchange dealers, and other CFTC-regulated financial institutions that maintain consumer customer relationships. Part 160 is structurally identical to the FDIC's Part 332, the FTC's 16 CFR Part 313, and the SEC's Regulation S-P — all implementing the same GLBA Title V framework. The distinction is regulator jurisdiction: a commodity brokerage firm or retail forex dealer looks to Part 160 (enforced by the CFTC) for its privacy-rule obligations rather than to the CFPB, FTC, OCC, or SEC equivalents. Key provisions:
- § 160.4 — Initial privacy notice: CFTC-regulated firms must provide a clear and conspicuous privacy notice when a consumer becomes a customer, describing NPI collection and sharing practices
- § 160.5 — Annual privacy notice: must be provided annually during the customer relationship; FAST Act (2015) exemption applies if sharing practices are unchanged and limited to affiliates and service providers
- § 160.10 — Limits on disclosure to nonaffiliated third parties: same opt-out framework as all other agencies' rules — customers must receive opt-out rights, and the firm must honor those rights, before NPI may be shared with non-affiliates
- § 160.12 — Account number prohibition: absolute prohibition on sharing account numbers with nonaffiliated third parties for marketing purposes — no opt-out bypass
- § 160.15 — Exceptions: law enforcement, legal process, fraud prevention, and consumer-requested transaction processing are all exceptions to opt-out and notice requirements — parallel to every other agency's rule
Part 160 matters because commodity trading and retail forex involve consumers who have genuine financial privacy interests in their trading positions and financial data — a retail forex account can contain sensitive income and investment information that a firm's marketing partners would value. The CFTC coordinates Part 160 compliance through its examination program for registered commodity firms; violations are treated as violations of the Commodity Exchange Act. Original rule: 66 FR 21252 (April 2001) — promulgated as part of the coordinated interagency GLBA privacy rulemaking.
12 CFR Part 218 — FRB Regulation R — Bank-Broker Functional Regulation Exceptions: GLBA Title III (the "functional regulation" title) overhauled the longstanding separation between banking and securities activities established by the Glass-Steagall Act. One key element was amending the Securities Exchange Act to create a set of statutory exceptions allowing banks to conduct certain securities brokerage activities without registering with the SEC as a broker-dealer under § 15(b). The Federal Reserve's Regulation R (jointly adopted with the SEC's 17 CFR Part 247) implements these exceptions. The practical effect: a bank that refers customers to a registered broker-dealer, conducts certain trust transactions, handles sweep account transactions, or processes custody-account orders under defined conditions does not need a broker-dealer license for those specific activities. The rule has seven exception groups:
- §§ 218.700–218.701 — Networking exception: a bank may refer retail customers to a registered broker-dealer under a networking arrangement without becoming a broker, provided the bank's employees who make referrals receive only a one-time cash fee of a nominal amount (not transaction-based compensation), and the bank clearly discloses that securities products are offered by the broker-dealer (not the bank), are not FDIC-insured, and carry investment risk; "institutional referral" provisions in § 218.701 allow somewhat broader compensation arrangements when referring institutional clients (corporations, institutional investors)
- §§ 218.721–218.723 — Trust and fiduciary exceptions: banks conducting trust, fiduciary, or custodial activities may execute securities transactions for those accounts without broker registration; § 218.721 defines the scope of trust accounts covered; § 218.722 allows bank-wide trust compensation arrangements that might otherwise look like transaction-based compensation; § 218.723 provides exceptions for special accounts (IRA and pension accounts held in trust) and foreign branch transactions
- §§ 218.740–218.741 — Sweep account exception: banks may sweep customer deposit account balances into money market funds (registered investment companies) as a service to depositors; § 218.741 permits banks to execute these sweep transactions without broker registration, since the transaction is a deposit-management service rather than a retail securities sale
- § 218.760 — Custody account order exception: banks holding customer securities in custody accounts may transmit customer orders to buy or sell those securities to a registered broker-dealer; the bank acts purely as a conduit and does not itself execute the trade
- § 218.771 — Regulation S transactions: banks may conduct transactions in securities under Regulation S (offshore transactions not registered in the U.S.) without triggering broker registration
Regulation R reflects the post-GLBA architecture for bank-securities activities: banks conduct certain defined activities under their banking-law authorization, while broader retail brokerage must go through an affiliated registered broker-dealer. The Federal Reserve and SEC issued Regulation R jointly in 2007 (72 FR 56514) after Congress prodded regulators who had repeatedly missed statutory deadlines for finalizing the bank-broker rules.
Pending Legislation
No standalone GLBA reform bills have been introduced in the 119th Congress. Financial privacy and data security provisions appear in broader financial regulation and privacy legislation — see Dodd-Frank Wall Street Reform and Consumer Financial Protection.
Recent Developments
The FTC's major update to the Safeguards Rule (effective 2023) significantly strengthened information security requirements for non-bank financial institutions — adding specific technical standards, mandatory risk assessments, and incident response planning. The convergence of GLBA privacy with broader data privacy legislation (state laws like CCPA/CPRA and proposed federal privacy legislation) has raised questions about whether GLBA's financial privacy framework should be modernized or subsumed into a comprehensive federal privacy law. The growth of fintech companies and data aggregators that access consumer financial data through screen-scraping and API connections has tested the boundaries of GLBA's privacy and safeguards framework.
- CFPB Section 1033 open banking rule and GLBA (2025): The CFPB's Section 1033 final rule (issued Oct 2024) requires banks and other financial institutions to provide consumers with access to their financial data — and to share that data with authorized third parties (budgeting apps, lenders). The rule interacts with GLBA's privacy framework: consumers' right to share their own data with third parties under 1033 coexists with GLBA's limits on financial institutions sharing data without consent. The Trump CFPB placed Section 1033 implementation on hold pending review; industry has challenged the rule's interaction with GLBA's consent framework.
- Safeguards Rule FTC enforcement (2025): The FTC's 2023 Safeguards Rule updates created mandatory cybersecurity requirements — encryption, multi-factor authentication, penetration testing — for non-bank financial institutions (mortgage companies, auto dealers with financing, payday lenders). FTC enforcement actions under the updated Safeguards Rule began in 2024-2025 against companies that suffered data breaches without adequate security programs. Several large auto dealer groups and mortgage servicers settled for $1-10M over Safeguards Rule violations.
- Salt Typhoon and GLBA financial data security: The Chinese state-sponsored Salt Typhoon hack — which breached AT&T, Verizon, and other telecom networks used by financial institutions — raised GLBA safeguards questions about whether telecommunications-dependent financial institutions had adequate vendor oversight. GLBA requires covered financial institutions to oversee third-party service providers' security; regulators issued guidance on telecom vendor security review after Salt Typhoon.
- AI and GLBA privacy notices: Financial institutions are deploying AI systems that use customer financial data for marketing, credit decisions, and customer service. GLBA's requirement to provide annual privacy notices and honor opt-out requests extends to AI uses of consumer financial data. The FTC and banking regulators have not updated GLBA guidance specifically for AI, but existing rules apply — a financial institution using AI to make inferences about customer behavior based on account data must disclose and allow opt-out of sharing those inferences with non-affiliated third parties.