What Is GLBA? The Complete Guide to the Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) is a federal law requiring covered financial institutions to protect the privacy, confidentiality, and security of consumer financial information. Originally published in 1999 and enforced since 2001, the GLBA is still mandatory for many organizations today, including traditional financial institutions like banks, credit unions, investment firms, mortgage lenders, insurance companies, and certain non-traditional financial service providers like higher education institutions.
But GLBA compliance can also be complex. Simply figuring out what financial data it covers can be challenging, let alone securing that information across multiple systems, monitoring third-party vendors, and keeping pace with ongoing risk management activities.
To help organizations comply, the GLBA organizes its requirements under three main sections or “rules.” The GLBA’s rules are:
- The Privacy Rule: Institutions must inform customers how they collect, use, and share financial information and offer options to limit sharing.
- The Safeguards Rule: Institutions must create and follow a plan to protect customer information from breaches and unauthorized access.
- The Pretexting Rule: Individuals and institutions must not use false or dishonest methods to trick people into giving out their financial information.
Which GLBA rules and requirements an institution must meet depends on its size, complexity, and role in handling consumer financial data. But one thing is certain: if an organization handles consumer financial data, it probably needs to be at least partially GLBA-compliant.
This guide is for all organizations covered under the GLBA. It explains the law’s purpose and scope, identifies covered entities, defines the three rules, describes requirements, and summarizes enforcement penalties. Whether just curious, looking for GLBA compliance software, or in need of a total information security program overhaul, this is the right place to start.
What is the GLBA?
The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law requiring financial institutions to protect consumers’ nonpublic personal information (NPI). It’s organized into three “rules” outlining primary obligations that financial institutions must meet for GLBA compliance: the Privacy Rule, the Safeguards Rule, and the Pretexting Rule.
Also known as the Financial Services Modernization Act, the GLBA was signed into law by President Clinton in 1999 with three simple goals: supporting modernization, stimulating competition, and protecting consumers. More than 25 years later, in 2026, it’s still an important information security and data privacy regulation for financial institutions in the U.S.
History of the GLBA
The story of the GLBA began decades before its creation with the Glass-Steagall Act of 1933. Also called the Banking Act, this law effectively separated commercial and investment financial services. Ultimately, it was intended to reduce the risky financial practices leading up to the Great Depression and to rebuild trust in the American financial system.
Yet, as the financial industry grew and consumer needs changed, many of its restrictions were relaxed to avoid becoming outdated. By the 1990s, some financial institutions even started offering combined services despite the law in anticipation of inevitable change. The Citigroup merger in 1998, for example, violated the Bank Holding Company Act (BHCA) but was given a two-year exception, assuming the law would change.
Just one year later, in 1999, the GLBA was signed into effect. Although its purpose has evolved over time, the GLBA’s long-lasting impact on the American financial system is perhaps most obvious in two critical areas: data privacy and security. More specifically, GLBA’s Title V: Privacy reimagined data privacy requirements in the American financial industry.
GLBA Timeline
Here’s a timeline summarizing important GLBA developments:
- 1999: The GLBA is signed into law, repealing parts of the Glass-Steagall Act and introducing key privacy and security provisions for financial institutions.
- 2001: The Safeguards Rule is issued by the FTC, requiring financial institutions to develop, implement, and maintain an information security program.
- 2003: The Safeguards Rule becomes enforceable.
- 2011: The Dodd-Frank Act transfers most GLBA rule-making authority to the CFPB.
- 2021: The FTC updates the Safeguards Rule (the Final Rule) in response to evolving cybersecurity threats.
- 2023: The Final Rule becomes effective, and the FTC issues the Breach Notification Rule.
- 2024: The Breach Notification Rule takes effect, requiring financial institutions to report data breaches impacting 500+ customers within 30 days.
What Does GLBA Stand For?
GLBA refers to the Gramm-Leach-Bliley Act, which Congress named after its three sponsors: Senator Phil Gramm (R-TX), Representative Jim Leach (R-IA), and Representative Thomas J. Bliley Jr. (R-VA).
Who Must Comply with the GLBA?
Today, all covered financial institutions (as defined by the Bank Holding Company Act) must comply with the GLBA—including traditional financial institutions like banks, credit unions, investment firms, mortgage lenders, insurance companies, and certain non-traditional financial service providers like higher education organizations—so long as they are “significantly engaged” in financial activities and handle consumers’ NPI.
NPI, or personal information not available in public records, includes any personally identifiable financial data provided by consumers or collected by institutions, like account numbers, transaction histories, loan records, or social security numbers, to name a few.
Traditional Financial Institutions
Traditional financial institutions that must comply with the GLBA include:
- Banks and credit unions
- Mortgage lenders and brokers
- Insurance companies
- Investment firms and advisors
- Title IV higher education institutions
- Tax preparation services
- Money transfer services
- Real estate settlement providers
Non-Traditional Financial Institutions
Non-traditional financial institutions may be especially likely to find GLBA compliance challenging. Most of the time, that’s because they lack the security infrastructure required of traditional financial institutions under regulations like the Bank Secrecy Act (BSA), the Fair Credit Reporting Act (FCRA), and the Sarbanes-Oxley Act (SOX). Like the GLBA, these regulations impose strict requirements for data security, transaction monitoring, and consumer privacy—areas where non-traditional institutions have not historically been held to the same standards as their traditional counterparts.
What Are the Consequences of GLBA Non-Compliance?
The consequences of GLBA non-compliance are not always straightforward. Although many online sources claim specific penalties and fines for general GLBA non-compliance, there is no direct evidence to support this aside from the FTC’s published court documents.
Under the GLBA’s Privacy Rule, for instance, which does impose criminal penalties for obtaining or disclosing NPI under false pretenses, fines can reach $100,000 per violation for financial institutions and $10,000 per violation and/or imprisonment for up to five years for individuals.
The Safeguards Rule, on the other hand, does not explicitly specify fines for non-compliance. Instead, compliance with the Safeguards Rule is examined on a case-by-case basis. For the most accurate projection of non-compliance consequences, we recommend reviewing actual complaints or legal cases brought against institutions like yours.
GLBA compliance does not supersede often stricter state data privacy laws, which could remove exemptions for data covered by the GLBA in the near future.
Who Enforces GLBA Compliance?
GLBA compliance is enforced by multiple federal and state regulatory agencies, including the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC).
Although GLBA enforcement responsibilities were once shared among other agencies, too—including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration—rule-making power for most of the GLBA was transferred to the CFPB when the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) was enacted in 2011.
Examples of GLBA Non-Compliance
Examples of GLBA non-compliance enforcement actions can be challenging to unearth because of their sensitive nature. With some digging, however, you can find some recent examples of GLBA non-compliance.
Examples of non-compliance enforcement for GLBA include:
- Greystar (2025): The FTC issued a complaint against this rental property manager after it violated the FTC Act, the GLBA, and the Colorado Consumer Protection Act by advertising deceptive costs in multiple venues and using those ads to obtain consumer financial information via inquiry forms.
- Jonathan Braun (2023): A federal court entered a $20.3 million judgment against the merchant cash advance operator in the first jury trial ever conducted by the FTC after he knowingly deceived small businesses about how much funding his small business funding company would provide and collect.
- Ascension Data & Analytics (2021): The FTC ordered this Texas-based mortgage industry data analytics firm to strengthen its security safeguards and conduct biennial assessments of its data security program in line with GLBA after a vendor, OpticsML, stored encrypted documents containing sensitive consumer financial information on a cloud-based server without access controls.
Beyond compliance, GLBA sends a clear message to consumers: We care about the security and privacy of our consumers’ financial data. Because GLBA compliance isn’t just about checking boxes to meet legal requirements or avoiding fines and criminal penalties—it’s about doing everything you can to protect those who have entrusted your business with their most sensitive information.
Most regulatory agencies—including the CFPB, FTC, OCC, SEC, and CFTC—publish legal documentation for enforcement actions online.
What Are the GLBA Rules?
The GLBA is organized into three “rules,” or primary obligations financial institutions must meet for GLBA compliance: the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. Understanding these rules and identifying the right requirements for your institution are some of the very first proactive steps you can take to prepare for GLBA compliance.
Privacy Rule
The Privacy Rule, or Title V of the GLBA, requires financial institutions to clearly explain how they collect, use, and share sensitive financial information so customers and consumers can make informed decisions about their data. Here, transparency and consent are key—institutions must disclose their data-sharing practices and give customers explicit control over how their information is shared.
Key requirements for the Privacy Rule include:
- Privacy Notices: Institutions must provide clear, easy-to-understand notices when a customer relationship begins and annually thereafter. These notices must explain what data is collected, how it’s used, and whether it’s shared with third parties.
- Opt-Out Notices: Institutions must let customers and consumers opt out of sharing their financial data with nonaffiliated third parties, like marketing companies.
The Privacy Rule also limits how nonaffiliated third parties receiving NPI from financial institutions can reuse and re-disclose that information, depending on how it was disclosed. And it prohibits financial institutions from sharing account numbers, access numbers, or codes for marketing purposes.
There are some exceptions to the GLBA privacy notice requirements, too. Specifically, financial institutions can share NPI without permission in certain cases—if it’s the financial institution’s third-party service provider, for instance—but must disclose these information-sharing practices to consumers. Additionally, some financial institutions can use an alternative method for annual privacy notices if they meet certain requirements.
Financial institutions can use the FTC’s final model privacy notice form to comply with some of these requirements. Or, check out the FTC’s How to Comply with the Privacy Rule guide for an even deeper dive.
Safeguards Rule
The Safeguards Rule requires financial institutions to develop and implement a written information security plan to protect the confidentiality of sensitive financial information from data breaches, unauthorized access, and cyber threats. Here, the focus is security—financial institutions must implement a combination of administrative, technical, and physical safeguards to protect their customers’ information. Under the GLBA Safeguards Rule, information security programs must include the following ten elements to be compliant.
Key elements of an information security program under the Safeguards Rule:
- Qualified Individual: Institutions must designate a qualified individual to implement and supervise the information security program.
- Risk Assessments: Institutions must conduct periodic, written risk assessments to identify and evaluate risks.
- Safeguards: Institutions must design and implement safeguards to mitigate the risks identified in the risk assessment.
- Testing and Monitoring: Institutions must regularly test and monitor the effectiveness of safeguards.
- Employee Training: Institutions must provide security awareness training, regular refreshers, and specialized sessions for stakeholders with hands-on responsibilities.
- Policies and Procedures: Institutions must regularly test and monitor security measures for effectiveness, updating them to address emerging threats.
- Vendor Management: Institutions must assess and continuously monitor service providers to make sure they maintain the appropriate safeguards.
- Ongoing Improvements: Institutions must regularly update information security programs to accommodate changes with material impacts.
- Incident Response: Institutions must create a written incident response and recovery plan for security events.
- Reporting: Institutions must have the Qualified Individual report in writing regularly (at least annually) to the Board of Directors or another governing body.
Although it took effect in 2003, the Safeguards Rule was updated in 2021 to provide more detailed guidance for businesses navigating new technologies. Perhaps most importantly, this amendment introduced eight specific safeguards—or cybersecurity requirements—for GLBA compliance. At a high level, they include implementing access controls, an asset inventory, encryption, application security, MFA, secure data disposal, change management, and user activity monitoring.
Among other things, the revision also introduced mandatory risk assessments and reporting requirements for financial institutions with over 5,000 customer records and clarified requirements for vendor oversight, making financial institutions directly responsible for third-party compliance. It also made GLBA compliance enforceable for Title IV higher education institutions processing Federal Student Aid applicant information.
Most recently, the GLBA changed again in 2023 when the FTC introduced its breach notification requirement—which just took effect in May 2024. Now, if a financial institution suffers a security breach involving unauthorized access to the unencrypted information of at least 500 consumers, it must submit a completed Safeguards Rule Security Event Reporting Form to the FTC as soon as possible and no later than 30 days after the event.
The FTC’s How to Comply with the Safeguards Rule guide has much more to say about these elements and their requirements.
Pretexting Rule
The Pretexting Rule protects sensitive financial information by prohibiting the use of deceptive practices to obtain or disclose customer financial information. Introduced in 1998 as part of the original GLBA, the Pretexting Rule was created to combat rising fraud and identity theft via pretexting, or the practice of obtaining personal information under false pretenses.
Today, pretexting is more commonly known as social engineering and includes wildly successful tactics like phishing. And while the specific methods attackers use may have changed since 1999, the Pretexting Rule is still highly relevant today.
Key prohibitions of the Pretexting Rule include:
- False Pretenses: Individuals must not obtain or disclose customer information under false pretenses.
- Solicitation: Individuals must not ask another person to obtain customer information if they know they will do so under false pretenses.
- Law Enforcement: The pretexting provisions must not be construed to prevent law enforcement agencies from obtaining customer information for their official duties.
The Pretexting Rule also includes exceptions for obtaining customer information in certain cases, including for testing security systems, investigating allegations, recovering customer financial information, investigating insurance fraud, or collecting child support judgments.
Although it might seem a little out of left field, the Pretexting Rule does have some significant implications for financial institutions. For example, preventing individuals from obtaining your customers’ financial information will likely involve putting some identity and access management processes in place. You’ll also need to train your employees to recognize pretexting (aka phishing attempts) and educate your customers on the importance of good cyber hygiene.
How to Comply with the GLBA
Complying with the GLBA means protecting sensitive financial data and meeting certain requirements in the Privacy, Safeguards, and Pretexting Rules. Which requirements your financial institution must meet will depend on its nature, size, and complexity. As a result, the road to GLBA compliance will likely look different for everyone.
Fortunately, the following step-by-step instructions are just general enough to be of use at the earliest stages of almost any financial institution’s GLBA journey.
Here’s a step-by-step overview of the GLBA compliance process:
- Understand the Rules: Start by familiarizing yourself with the Privacy, Safeguards, and Pretexting Rules and how they apply to your institution.
- Deliver Privacy Notices: Create clear, accessible privacy notices to inform customers or students about how you collect, use, and share their data. Provide opt-out options for data sharing with nonaffiliated third parties.
- Develop a Security Plan: Conduct information security risk assessments and draft a written information security plan that addresses the Safeguards Rule’s elements, including the eight requirements for cybersecurity safeguards.
- Vet and Manage Vendors: Conduct risk assessments for all third-party vendors that access sensitive financial data to evaluate their security practices. Implement vendor agreements that align with GLBA requirements and monitor vendor compliance regularly.
- Prevent Pretexting: Put identity verification processes in place to make sure sensitive information is only shared with authorized individuals. Train staff to recognize social engineering schemes and encourage customers to protect their own information by sharing tips on common scams.
For most institutions, the Safeguards Rule—which requires ongoing efforts to design, implement, and maintain cybersecurity measures—will likely require the biggest compliance lift. Now, GLBA compliance software can make the entire process much more manageable.
With Isora GRC, financial institutions can finally ditch the spreadsheets and step into the future. In Isora, teams can collect, organize, store, analyze, collaborate, and take action on all the data they need for information security risk and compliance management—all in one place. The result? Simpler, superior security GRC processes for more manageable GLBA compliance.
Use Isora’s central inventory to access, manage, and track assets, third-party vendors, products, and applications all in one place in real-time. With instant, accurate, and actionable insights into your entire information security ecosystem, identifying GLBA compliance gaps is easy. Just use the assessment management dashboard to distribute, organize, and monitor GLBA risk assessments, questionnaires and surveys across units, assets, and third parties—without chasing down emails or waiting for status updates.
Then, track, prioritize, and manage risks as a team in Isora’s collaborative risk register, where you can link risks to assessments for context, conduct detailed risk analyses, visualize high-risk areas, and share risk data with ease. Plus, Isora can even generate and export detailed risk reports and scorecards so you can measure progress, celebrate wins, and demonstrate value every step of the way.
Discover how Isora can help your organization implement the security posture needed to protect every flavor of consumer financial information, from student loan information to credit scores, account history, transactions, and more.
See how Isora GRC helps organizations implement GLBA requirements at scale.
GLBA FAQs
What is GLBA?
The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law enacted in 1999 that requires financial institutions to protect consumers’ nonpublic personal information (NPI).
Who does GLBA apply to?
GLBA applies to all financial institutions, broadly defined by the FTC as companies that offer financial products or services to individuals. This may include banks, credit unions, insurance companies, auto dealers, tax preparers, and colleges or universities that process federal student financial aid.
What are the three rules of GLBA?
The GLBA consists of three main sections or rules: the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. Each rule outlines specific requirements for protecting consumer financial information.
- The Privacy Rule: Requires institutions to inform customers about how they collect, use, and share financial information and offer options to limit sharing.
- The Safeguards Rule: Requires institutions to create and follow a written plan to secure customer information against threats, breaches, and unauthorized access.
- The Pretexting Rule: Prohibits individuals from using false or dishonest methods to obtain or disclose customer financial information.
What is the purpose of the GLBA?
The purpose of the GLBA is to protect sensitive consumer financial information by making financial institutions legally responsible for securing it, being transparent about how they share it, and giving consumers more control over how it is used.
How do you comply with the GLBA?
To comply with the GLBA, familiarize yourself with its components—the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions—and identify the components that impact your organization. From there, you can find compliance checklists, such as the GLBA Safeguards Rule Compliance Checklist, to evaluate how well your organization complies with the GLBA.
Who enforces GLBA compliance?
GLBA compliance is enforced by regulatory agencies, including the CFPB, the FTC, the SEC, and the CFTC. Consequences for GLBA violations are not always straightforward, with fines and penalties often issued on a case-by-case basis. GLBA compliance does not supersede state statutes, and in some states, laws may be stricter than the GLBA.
Who should comply with the GLBA?
The GLBA applies to traditional and non-traditional financial institutions, certain third-party providers, and any other businesses significantly involved in financial activities and handling NPI.
How does the FAST Act affect GLBA?
The Fixing America’s Surface Transportation (FAST) Act of 2015 introduced an “Eliminate Privacy Notice Confusion” section, allowing financial institutions to skip annual privacy notices (required by the GLBA) in certain circumstances. More specifically, financial institutions do not need to distribute annual privacy notices if they share NPI only under limited circumstances and if they have not changed their privacy policies or practices since their most recent privacy notices.
How is the FCRA related to GLBA?
The Fair Credit Reporting Act (FCRA) is a U.S. privacy law requiring consumer reporting agencies to give consumers an opt-out right for information shared with affiliated and nonaffiliated third parties. The GLBA, on the other hand, gives consumers an opt-out right for information shared with nonaffiliated third parties only.
If your financial institution is a consumer reporting agency, it must comply with privacy requirements for both GLBA and FCRA.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.