Lesson 08 of 25
Financial Privacy: GLBA Privacy & Safeguards Rules and the FCRA/FACTA
5 min read · CIPP/US
GLBA's notice-and-opt-out plus the written security program, then the FCRA's permissible-purpose, adverse-action, and dispute rules, and FACTA's Red Flags and Disposal Rules. Keep the lanes apart and the questions get easy.
GLBA: privacy for financial institutions
- Applies to "financial institutions" — broadly defined
- Covers nonpublic personal information (NPI)
- Two rules: Privacy Rule and Safeguards Rule
- Notice + opt-out is the core mechanic
The Gramm-Leach-Bliley Act, GLBA, governs how financial institutions handle personal information, and the exam wants you to know how broad "financial institution" really is. It's not just banks; it reaches anyone significantly engaged in financial activities: lenders, brokers, insurers, tax preparers, even some auto dealers and mortgage servicers. The data it protects is nonpublic personal information, N-P-I: the personally identifiable financial information a customer gives to obtain a product or service.
GLBA has two engines. The Privacy Rule controls disclosure of N-P-I to nonaffiliated third parties and runs on notice and opt-out. The Safeguards Rule requires a written information-security program.
Keep those two rules distinct; questions often test which one applies.
The Privacy Rule: notice, opt-out, and its limits
- Provide a privacy notice at the start and annually
- Customers may opt out of sharing NPI with nonaffiliates
- Opt-out doesn't cover sharing for servicing/joint marketing exceptions
- Affiliate sharing largely outside the opt-out
The Privacy Rule's mechanic is notice plus opt-out, and the exam tests its edges. A financial institution must give customers a clear privacy notice when the relationship begins and, in many cases, periodically after. Customers then have a right to opt out of the institution sharing their N-P-I with nonaffiliated third parties.
But notice the limits. The opt-out does not reach every disclosure: sharing needed to service the account, to process transactions, or under certain joint-marketing and legal exceptions proceeds regardless. And sharing among affiliates, companies under common ownership, is largely outside GLBA's opt-out, though the Fair Credit Reporting Act adds a separate affiliate-marketing opt-out.
So GLBA gives an opt-out, not an opt-in, and it has real carve-outs that distractors will ignore.
The Safeguards Rule: a written security program
- Mandatory written information-security program
- Risk-based administrative, technical, physical controls
- 2021 FTC update added specifics: encryption, MFA, a qualified individual
- Oversee service providers by contract
The Safeguards Rule is GLBA's security half, found at sixteen C-F-R part three fourteen for F-T-C-regulated institutions. It requires a written information-security program with administrative, technical, and physical safeguards appropriate to the institution's size and risk, built on a risk assessment, the same risk-based logic we saw in HIPAA. The F-T-C strengthened the rule in twenty twenty-one with concrete requirements: encryption of customer data, multi-factor authentication, access controls, a designated qualified individual to run the program, and continuous monitoring or testing.
Institutions must also oversee their service providers by contract. When a financial-sector scenario is about how data is protected rather than how it's shared, you're in Safeguards-Rule territory.
FCRA: governing consumer reports
- Regulates credit/consumer reporting agencies and report users
- Use a report only for a permissible purpose
- Adverse-action notices when a report drives a denial
- Consumers can access and dispute; accuracy duties on furnishers
Now the Fair Credit Reporting Act, F-C-R-A, fifteen U.S.C. sixteen eighty-one, which is heavily tested. It governs consumer reports (think credit reports), the credit-reporting agencies that compile them, the users who pull them, and the furnishers who feed them data. Three rules dominate.
First, you may obtain a consumer report only for a permissible purpose, like extending credit, employment screening with consent, or insurance underwriting. Second, when information in a report leads to an adverse action, such as denying credit or a job, you must give the consumer an adverse-action notice telling them which agency supplied the report so they can check it. Third, consumers have rights to access their file and to dispute inaccuracies, and agencies and furnishers must investigate and correct errors.
FCRA in employment and adverse action
- Employment background checks are consumer reports
- Disclosure + written authorization before pulling
- Pre-adverse-action notice with a copy of the report
- Then a final adverse-action notice
One F-C-R-A application shows up so often that it deserves its own beat, and we'll revisit it in the workplace domain: employment background checks. When an employer hires a screening company to run a background check, that report is a consumer report, so the F-C-R-A applies in full. Before pulling it, the employer must give the applicant a clear, standalone disclosure and obtain written authorization.
If the employer then intends to take an adverse action, like rescinding an offer, based even partly on the report, it must first send a pre-adverse-action notice that includes a copy of the report and a summary of the applicant's F-C-R-A rights, giving the person a chance to dispute errors. Only after a reasonable waiting period does the final adverse-action notice go out. This sequence, disclose, authorize, pre-adverse-action notice, then final adverse-action notice, is one of the most-tested procedures on the whole exam, so commit it to memory now.
FACTA add-ons and exam reasoning
- FACTA: Red Flags Rule, Disposal Rule, free annual reports
- Red Flags: identity-theft detection programs
- GLBA = sharing+security; FCRA/FACTA = credit reports+ID theft
- Distractor: applying FCRA to data that isn't a consumer report
FACTA, the Fair and Accurate Credit Transactions Act, amended F-C-R-A and adds pieces the exam likes. The Red Flags Rule requires certain creditors and financial institutions to maintain a program to detect and respond to identity-theft warning signs. The Disposal Rule requires reasonable measures to destroy consumer-report information so it can't be reconstructed.
And FACTA gave consumers free annual credit reports. Now the reasoning: keep the lanes apart. GLBA is about sharing N-P-I and securing it; F-C-R-A and FACTA are about consumer reports and identity theft.
A common distractor stretches F-C-R-A to ordinary customer data that isn't a consumer report from a reporting agency; F-C-R-A only bites when there's an actual consumer report involved. Recap: GLBA notice-and-opt-out plus the Safeguards program, then F-C-R-A's permissible purpose, adverse-action, and dispute rights, plus FACTA. Now go test yourself, then on to education privacy.
Sources
- Gramm-Leach-Bliley Act (GLBA) Privacy Rule (Regulation P) and Safeguards Rule (16 CFR Part 314)
- Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681)
- Fair and Accurate Credit Transactions Act (FACTA), including the Red Flags Rule and Disposal Rule
- IAPP CIPP/US Body of Knowledge, Domain II.C (Financial)
Test your knowledge
A few CIPP/US practice questions on this material.
Q1. Under the HIPAA Privacy Rule, which of the following is NOT a covered entity?
Q2. The HIPAA Privacy Rule's 'minimum necessary' standard requires covered entities to:
Q3. Under HITECH, the HHS Office for Civil Rights (OCR) must investigate a complaint if:
Q4. Under the HIPAA Safe Harbor de-identification method, which of the following must be removed from health data for it to qualify as de-identified?