The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 (15 USC §§ 6801 et seq.), was designed to regulate the disclosure and protection of nonpublic personal information (NPI) collected by a financial institution from an individual in order to obtain a financial product or service from the institution for personal, family, or household purposes.

The three major components of the GLBA include:

  • The “Pretexting Provision” (15 USC § 6821), which prohibits the solicitation or disclosure of NPI by false pretenses or deception;
  • The “Financial Privacy Rule” (16 CFR Part 313), which governs the collection and disclosure of NPI and requires written notice of the institution’s privacy practices and policies; and
  • The “Safeguards Rule” (16 CFR Part 314), which requires a documented assessment of the internal and external risks to NPI and the implementation and maintenance of a comprehensive information security program that addresses those risks. The Safeguards Rule was effective May 23, 2003.

The identity theft risk underlying the Pretexting Provision of the GLBA is also addressed by the Federal Trade Commission’s “Red Flags Rule” (16 CFR § 681.1), which was established after the Financial Privacy and Safeguards Rules in connection with amendments to the Fair Credit Reporting Act (FCRA) (15 U.S.C. § 1681 et seq.). CU must also comply with this distinct, but related, rule, which requires implementation of an identity theft prevention program for “covered accounts.” The original Red Flags Rule was effective November 1, 2008.

For more information about the Red Flags Rule, see the Administrative Policy Statement Collection of Personal Data from Students and Customers (Red Flags Rule).

The Financial Privacy Rule provides that institutions of higher education that comply with the Family Educational Rights and Privacy Act (FERPA) to protect the privacy of education records – including student financial aid records – are deemed to comply with the rule. For more information about FERPA, see: