Financial Privacy

The Gramm-Leach-Bliley-Act

The federal Financial Services Modernization Act of 1999, commonly known as the Gramm-Leach-Bliley Act, provides limited protections over how financial institutions -- businesses engaged in the banking, insurance, and investing industry -- protect consumers’ nonpublic personal information.  "Nonpublic personal information" covers the information on a consumer’s financial application, the information regarding a consumer’s account history, as well as the fact that a consumer is or was a customer.

What the GLBA Requires

Financial institutions regulated under the GLBA must:

  1. develop precautions to ensure the security and confidentiality of customer records and information.  The institution must protect the records or information from any use that could result in substantial harm or inconvenience to a customer.
  2. provide customers with a notice of the financial institution’s information sharing policies when the customer first becomes a customer.  Annual notices are required thereafter. The notice must inform the customer of the financial institution's policies on:
    1. disclosing nonpublic personal information to affiliates and nonaffiliated third parties,  (GLBA defines ''affiliate'' to mean any company that controls, is controlled by, or is under common control with another company.)
    2. disclosing nonpublic information after the customer relationship ends, and
    3. protecting the customer’s nonpublic information.
  3. give customers the right to opt-out from a limited amount of information sharing. A customer can direct the financial institution to never share information with unaffiliated companies.  A customer cannot prevent the institution from sharing information with affiliates, however.  The GLBA permits financial institutions to share a customer’s nonpublic information with several other business entities, including consumer reporting agencies.
  4. not disclose, other than to a consumer reporting agency, access codes or account numbers to any nonaffiliated third party for use in telemarketing, direct mail marketing, or email marketing.  This prohibition applies even if a customer fails to "opt-out."
  5. not engage in false, fictitious, or fraudulent attempts to obtain customer information. 

Who Enforces the GLBA?

The agency responsible for enforcing the GLBA depends upon the type of financial institution involved in the specified activity.

Banks, bank and financial holding companies, credit unions, and other affiliated financial institutions are regulated by multiple federal agencies, including:

  • Office of the Comptroller of the Currency
  • Federal Reserve Board
  • Federal Deposit Insurance Corporation
  • Office of Thrift Supervision
  • National Credit Union Administration

The Securities and Exchange Commission is the designated agency for brokers, dealers, investment advisers registered under the Investment Advisers Act of 1940, and investment companies.

Under state law, the Idaho Department of Insurance regulates any person who provides insurance and is domiciled in Idaho.

The Federal Trade Commission is responsible for regulating the consumer privacy practices of all other financial institutions not otherwise subject to the enforcement authority of another regulator under the GLBA.

Where Can I Get More Information about the GLBA’s Protections?

Federal Deposit Insurance Corporation: Privacy Act Issues under Gramm-Leach-Bliley

Federal Trade Commission: Privacy Choices for Your Personal Financial Information

Fair Credit Reporting Act

Enforced by the Federal Trade Commission, the Fair Credit Reporting Act (FCRA) was enacted to ensure that consumer reporting agencies report accurate credit-related information regarding consumers, while also protecting consumers’ financial privacy.

Unless consumers consent to the release of their credit report, the consumer reporting agency may not release the contents of the report.  An exception to this rule is that creditors and insurers may use a consumer reporting agency’s file as a basis for sending a consumer unsolicited offers, such as offers for credit cards. These offers must include a toll-free number that consumers can call to opt-out from receiving these offers.  Consumers also can complete the consumer reporting agency’s form to request permanent removal from such marketing lists.

The Attorney General’s Office accepts consumer complaints regarding consumer reporting agencies that fail to comply with the FCRA. Click here to download a consumer complaint form.

For additional information about requesting your credit report, removing negative credit information, and other credit-related issues, read the Attorney General’s Credit and Debt manual.