The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a US federal law that protects the privacy and security of personally identifiable financial information.


GLBA applies to US financial institutions, including their affiliated partners (such as ATM operators and credit reporting agencies, which collect private information from financial institutions). The information it covers includes financial records and other personal data.


The Act itself has three main elements:

  1. The Privacy Rule regulates the gathering and disclosure of private information.

  2. The Safeguards Rule specifies that safety programs must be implemented to safeguard such information.

  3. The Pretexting Provisions prohibit the practice of obtaining private information and using it under false pretenses.


In order to comply with GLBA, the provisions of the three sections must be met:

  • The Privacy Rule mandates provision of proper notices of privacy policies and practices to the individuals using products or services.

  • The Safeguards Rule requires financial institutions (and their affiliates) to keep customer information secure. This includes a written IT security plan with a designated coordinator, risk audits and assessments, and a safeguards program that is constructed, implemented, and then proactively monitored and adapted as the IT security landscape changes.

  • The Pretexting Provisions require a written plan for monitoring account activities as well as educating employees to recognize social engineering and phishing cons.

Failure to comply with GLBA can result in fines and imprisonment. Institutions can face a civil penalty of up to $100,000 for each violation, while officers and directors are personally liable for up to $10,000 for each violation and/or imprisonment of up to five years.