What is the Gramm-Leach-Bliley Act?
The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a landmark piece of legislation signed into law by our 42nd President, William Jefferson Clinton. We’ll discuss the history that led to its passage, what the act is about, the three key rules in the law, how it’s affected the insurance industry, and how you can stay in compliance with it.
GLBA repealed two parts of the Glass-Steagall Act, also known as the Banking Act of 1933, by allowing commercial banks to merge with investment banks and insurance companies. In addition, GLBA addressed privacy issues concerning consumer financial data. This allowed the insurance industry to reap the benefits of cross-selling financial products; however, it also set in place new privacy regulations.
What are the precursors leading up to the Gramm-Leach-Bliley Act?
There were several laws enacted prior to GLBA that had aimed to stabilize the economy in response to adverse events.
Emerging from the Great Depression: the Glass-Steagall Act
Glass-Steagall was a response to the 1929 stock market meltdown, now colloquially referred to as Black Tuesday. Glass-Steagall was legislation signed into law as a response to what lawmakers felt led to the Great Depression. This infamous event ravaged the U.S. economy but ultimately led to legislation still in effect. For example, the Social Security Act of 1935, signed into law by President Franklin Delano Roosevelt, created a retirement safety net millions rely on in the United States to this very day.
In addition, Glass-Steagall separated commercial and investment banking and created the FDIC (Federal Deposit Insurance Corporation). This emergency legislation worked to restore confidence in the American banking system and limited commercial banks from selling stocks, insurance, and other financial products. Another important aspect of the law was to move banks into more productive areas like agriculture and restrict the use of credit for speculative ventures.
Increasing oversight: The Bank Holding Company Act of 1956
Another important legislative milestone was the Bank Holding Company Act of 1956, which was another precursor to GLBA.
Regulation was at the core of the Bank Holding Company Act of 1956. Lawmakers agreed to give the Federal Reserve more oversight of the banking industry. The law restricted bank holding companies from engaging in non-banking activities and prohibited banks from acquiring banks in other states. Non-banking activities included such things as insurance underwriting and brokerage activities. Over time, these rules became a burden to the financial industry, and by the 1980s there was a loud Wall Street chorus singing, “We want change.” The stage was being set for GLBA.
What did the Gramm-Leach-Bliley Act do?
As we mentioned, GLBA was passed to repeal portions of Glass-Steagall. It also repealed major portions of the Bank Holding Company Act of 1956. As with most laws, there are sections dealing with various issues. GLBA issued three important rules: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Rule.
First, the law addressed how financial institutions handle private individual data. Second, the law changed the rules (first put in place by Glass-Steagall and the Bank Holding Company Act of 1956) to allow insurance companies, commercial banks, and investment brokerages to merge.
History of the Gramm-Leach-Bliley Act
For many years prior to the passage of GLBA, the financial industry was clamoring for a repeal of Glass-Steagall. In 1998, Citicorp, then a commercial bank, merged with insurance company Travelers Group, to form Citigroup in defiance of the law at that time. This deal created a financial supermarket where insurance, securities, and general commercial banking business could all transact under one roof (kind of like a financial industry Costco).
In a somewhat surprising move, the Federal Reserve granted the companies involved a temporary waiver and this consolidation laid the groundwork leading up to the passing of GLBA. Once passed, Citigroup became officially legitimate in the eyes of the law and thus set in motion further consolidation within the industry.
The three key rules of the Gramm-Leach-Bliley Act
There are three key rules included in the GLBA as it pertains to private customer financial information. The authors of this bill had the foresight, in the early stages of the personal data privacy revolution, to put together a framework to protect customer data.
Data privacy protections were novel in the late ’90s. Remember, Mark Zuckerberg, the braintrust of Facebook and controversial overlord of all things regarding personal data, was only 15 years old in 1998, and Google had just been born in the proverbial garage in Menlo Park, California (aren’t they all born out of a garage?).
Let’s dive deeper into these three rules, as they have major implications for today’s insurance industry.
1. Financial Privacy Rule:
Have you ever heard of Nonpublic Personal Information (NPI)? This is personal data like social security number, date of birth, etc. Financial institutions retain huge amounts of this information, which resulted in legislators adding this rule to GLBA.
If you’re a financial institution, and thus subject to GLBA, this law requires you to abide by requirements on how your organization may collect and disclose private financial information.
Also included in this rule was a requirement to mail a yearly privacy notice to customers to inform them how their NPI is used, what information is collected, and what they can do to limit NPI sharing beyond the institution. The Federal Trade Commission (FTC) officially oversees the Financial Privacy Rule.
2. Safeguards Rule:
This rule requires that physical, technical, and administrative safeguards are in place when handling customer information. This includes implementing the correct software and testing for vulnerabilities, which means IT/SecOps needs to be up on strict security protocol. Employee training is also necessary for companies to fully comply with the Safeguards Rule.
3. Pretexting Rule:
The Pretexting Rule is designed to combat social engineering and/or phishing attacks. These are malicious actions where a person and/or entity tricks an individual into giving up personal information. An example we’re all familiar with would be a fake email sent by the “CEO” of a company requesting sensitive information, or someone calling and impersonating someone else in order to get the victim to divulge personal data.
These types of scams have exploded in recent years. The rule is designed to stop identity theft and institutions must implement specific safeguards to protect customer data.
Did the Gramm-Leach-Bliley Act lead to the Financial Crisis of 2007-2008?
This law did not come without a good amount of controversy after the Financial Crisis of 2007-2008, which led to the Great Recession. Many argued that repealing a large portion of Glass-Steagall directly contributed to this financial crisis. President Barack Obama was the most vocal detractor of what he felt was a “deregulation” of the banking industry. He argued this deregulation directly led to banks taking on more risk, which ultimately brought the whole world’s financial system to its knees.
During debates on the Floor of the House of Representatives prior to GLBA’s passage, some lawmakers, namely John Dingell, a Democrat from Michigan, voiced concern about creating institutions that were “too big to fail.” Does that quote sound familiar? In ten short years, this phrase became synonymous with federal bailouts of major banking institutions, arguably saving our whole financial system from a catastrophic collapse. Dingell also said, in a spot-on premonition, “The bill’s supporters tout all the benefits to consumers, but woe to the American people when they have to pick up the tab for one of these failures.” Dingell seemed to have that proverbial crystal ball.
On the other hand, President Clinton, who, as we mentioned, signed GLBA into law, claimed to have spent considerable time pondering the evidence, and came to the conclusion that GLBA actually helped lessen the pain of the banking crisis. He argued that it was not a “complete deregulation at all” and that, in fact, there was substantial regulation still in place at the time of the collapse. President Clinton said that the act actually helped streamline the process of financial industry consolidation during the crisis, which resulted in market stabilization (e.g., Bank of America buying Merrill Lynch).
The Gramm-Leach-Bliley Act passed in the U.S. Senate 90-8 and in the House 362-57, so it clearly passed with overwhelming support from legislators who didn’t anticipate this law causing a major economic calamity.
The Gramm-Leach-Bliley Act Enabled Financial Diversification
GLBA allows insurance companies, as well as commercial and investment banks, to diversify into other financial areas, which can potentially boost profits and hedge against risk. These company consolidations can result in sales of a variety of products, such as CDs and annuities, in hopes that it will increase revenue. In some cases, that may be true, but not in all.
The Citicorp/Travelers Group merger illustrates how insurance and banking came together to form a multinational corporate giant. Travelers incorporated its massive insurance business into this new entity, which allowed Travelers to offer insurance to Citicorp’s retail customers.
Interestingly enough, Citigroup divested its Travelers P&C insurance underwriting business due to its negative impact on its stock price. Why? Some reasons were the losses incurred during the 9/11 attacks and the lack of growth in the insurance business.
“It was a good idea at the time, but when you live with insurance for a while, you find that the returns aren’t that great,” said Mike Dion, an analyst with Sandler O’Neill & Partners.
Respectfully, we beg to differ with Mr. Dion.
How can you stay in compliance with GLBA?
Staying in compliance with GLBA, namely the privacy section, requires adequate personnel, educational programs, and software. As we mentioned in the Safeguards Rule section above, training and overall security management are imperative to avoid fines and other penalties associated with non-compliance. GLBA is enforced by different agencies including the FTC, the Federal Reserve Board, state insurance regulators, and a host of other federal agencies.
This isn’t a complete list and we won’t claim to speak for regulators, so please consult with the necessary compliance professionals before implementing anything within your organization. However, it helps to pay attention to these areas:
- Select vendors who have appropriate security certifications and maintain correct safeguards when handling sensitive information. A cloud provider like Amazon Web Services (AWS) or Microsoft would be a good example.
- Choose multiple qualified employees to oversee information security efforts and implement ongoing training programs. Additionally, test and constantly monitor important safeguard initiatives.
- When sending out the privacy notice mailer, be sure to include a “reasonable way and amount of time to opt out” before you disclose any customers’ NPI.