Gramm-Leach-Bliley Act – Background, Key Reforms & Provisions

  • By: Staff Editor
  • Date: July 01, 2009


The Gramm-Leach-Bliley Act was enacted into law on November 12, 1999. It was a result of decades of lobbying by the banking industry to relax the more stringent Glass-Steagall Act, which restricted the functioning of financial institutions. With the changing economic environment and investor habits, the banking industry argued that consumers would find it more convenient to choose between saving and investment opportunities if financial institutions were allowed to offer both.

The most important reforms included in the Act are:

Repeals key provisions of the Glass-Steagall Act:
The Glass-Steagall Act of 1933 specifically prohibited any one financial institution from acting as any combination of investment bank, commercial bank and insurance company. The Gramm-Leach-Bliley Act made it possible for commercial banks to affiliate with investment banks.

Modifies Bank Holding Company Act of 1956:
The Gramm-Leach-Bliley Act made it possible for companies that own commercial banks to engage in any type of financial activity.

Allows more leeway for bank subsidiaries:
The Act allows subsidiaries of banks to engage in a broad range of financial activities that are not permitted for banks themselves.

With the passage of the Gramm-Leach-Bliley Act, banking companies and other types of financial companies – securities, insurance, and financial technology companies, for example – can combine with greater ease and offer a wider range of services. The Act eliminates the authority of commercial companies to acquire thrift institutions through the unitary thrift holding company vehicle. It also includes important new provisions regarding the privacy of customer information; increased access by community banks to the Federal Home Loan Bank System; and significant changes to the requirements imposed by the Community Reinvestment Act.

Gramm-Leach-Bliley Act Sections and Sub-sections:

1. Protection of nonpublic personal information.
  • Privacy obligation policy.
  • Financial institutions safeguards.
2. Obligations with respect to disclosures of personal information.
  • Notice requirements.
  • Opt out.
  • Limits on reuse of information.
  • Limitations on the sharing of account number information for marketing purposes.
  • General exceptions.
3. Disclosure of institution privacy policy.
  • Disclosure required.
  • Information to be included.
4. Rulemaking.
  • Regulatory authority.
  • Authority to grant exceptions.
5. Enforcement.
  • In general.
  • Enforcement of section 6801.
  • Absence of State action.
  • Definitions.
6. Relation to other provisions.
7. Relation to State laws.
  • In general.
  • Greater protection under State law.
8. Study of information sharing among financial affiliates.
  • In general.
  • Consultation.
  • Report.


Key Provisions:

Financial Holding Company:
The Act allows banks to create a Financial Holding Company that can engage in a statutorily provided list of financial activities including:

  • insurance and securities underwriting and agency activities
  • merchant banking
  • insurance company portfolio investment activities

To form a financial holding company, an organization has to be:

  • well capitalized
  • well managed
  • rated at least satisfactory in its most recent Community Reinvestment Act (CRA) exam

Financial Subsidiaries
National banks can create financial subsidiaries for new financial activities. The subsidiary cannot engage in activities like insurance underwriting, merchant banking, insurance company portfolio investments, real estate development and real estate investment. A financial subsidiary can be created as long as aggregate assets of all financial subsidiaries do not exceed 45% of the parent bank’s assets or $50 billion, whichever is less. The national bank should also be well capitalized and well managed in order to establish a financial subsidiary.

Compliance with the Act is mandatory. Whether a financial institution discloses nonpublic information or not, it must have a policy in place to protect the information from foreseeable threats in security and data integrity. Major components put into place to govern the collection, disclosure, and protection of consumers’ nonpublic personal information and personally identifiable information include:

  • Financial Privacy Rule
  • Safeguards Rule
  • Pre-texting Protection

Financial Privacy Rule
The Financial Privacy Rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information. The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter.

This notice must:

  • Explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected.
  • Identify the consumer’s right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.

If the privacy policy changes at any point in time, the consumer must be notified again for acceptance and should have the option to opt out each time it is re-established. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement.

Safeguards Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared to protect, and plans to continue protecting, clients’ nonpublic personal information. This plan must include:

  • Designating at least one employee to manage the safeguards,
  • Constructing a thorough risk management plan for each department handling nonpublic information,
  • Developing, monitoring, and testing a program to secure the information, and
  • Changing the safeguards as needed with the changes in how information is collected, stored, and used.

The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes.

Pre-texting Protection
Pre-texting occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a phony website or email to collect data). Under United States law, pre-texting by individuals is punishable as a crime of False Pretenses.

The Gramm-Leach-Bliley Act:

  • Provides for functional regulation of insurance activities.
  • Establishes which insurance products banks and bank subsidiaries may provide as principal.
  • Prohibits national banks not currently engaged in underwriting or sale of title insurance from commencing that activity. However, sales activities by banks are permitted in States that specifically authorize such sales for State banks, but only on the same conditions. National bank subsidiaries are permitted to sell all types of insurance including title insurance. Affiliates may underwrite or sell all types of insurance including title insurance.
  • Directs the Federal banking agencies to establish consumer protections governing bank insurance sales.
  • Allows mutual insurance companies to re-domesticate.
  • Allows multi-state insurance agency licensing.

Community Reinvestment Act (CRA)
The Gramm-Leach-Bliley Act:

  • Clarifies that nothing in the act repeals any provision of the CRA.
  • Requires full public disclosure of all CRA agreements.
  • Requires each bank and each non-bank party to a CRA agreement to make a public report each year on how the money and other resources involved in the agreement were used.
  • Grants regulatory relief regarding the frequency of CRA exams to small banks and savings and loans (those with no more than $250 million in assets).
  • Directs the Federal Reserve Board to conduct a study of the default rates, delinquency rates, and profitability of CRA loans.
  • Directs the Treasury, in consultation with the bank regulators, to study the extent to which adequate services are being provided as intended by the CRA.
