Gramm-Leach-Bliley Act: Difference between revisions
imported>Howard C. Berkowitz (No edit summary)
imported>Russell D. Jones (copy edits)
(5 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
{{subpages}}{{TOC|right}} | |||
The colloquial name for the '''Financial Services Modernization Act of 1999''', U.S. banking legislation. | |||
Before the passage of the U.S. '''Gramm-Leach-Bliley Act of 1999 (GLBA)''', banks, insurers, securities brokers, and other financial institutions had to maintain separation of financial assets. Banks were regulated by the [[Banking Act of 1933]], and the [[Bank Holding Company Act]] of 1956, portions of which GLBA effectively repealed. It allowed institutions meeting certain criteria to become '''Financial Holding Companies''' (FHC). | |||
Written notices are good, but enforcement is better, and GLBA requires that financial institutions have a written information security plan, which not only covers the personal financial data of customers, but formal customers. At least one employee must have formal responsibility for managing the safeguards on these data. Managing the safeguards involves a formal risk assessment, an active monitoring and testing program, and procedures for updating the protection to reflect changes in risk and the ways | It is inaccurate to say, however, that GLBA suddenly let financial institutions go wild; there had been mergers and other changes between 1933 and 1999, and changes such as <ref name=PBS-Fed>{{citation | ||
| title = The Long Demise of Glass-Steagall | |||
| journal = PBS Frontline | |||
| contribution = Fed begins reinterpreting Glass-Steagall; Greenspan becomes Fed chairman | |||
| url = http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/weill/demise.html}}</ref> a Federal Reserve Bank reinterpretation, in , which let banks have restricted involvement in speculative securities. Nevertheless, when the legislation passed, [[John Reed (banker)|John Reed]] and [[Sanford Weill]] the co-CEOs of [[Citigroup]], issued "a statement congratulating Congress and President Clinton, including 19 administration officials and lawmakers by name." The creation of Citigroup, from the merger of Reed's Citibank and Weill's Travelers Insurance, would technically have been illegal without GLBA. | |||
In 2009, the retired Reed wrote to the New York Times, <blockquote>As another older banker and one who has experienced both the pre- and post-Glass-Steagall world, I would agree with Paul A. Volcker (and also Mervyn King, governor of the Bank of England) that some kind of separation between institutions that deal primarily in the capital markets and those involved in more traditional deposit-taking and working-capital finance makes sense. | |||
This, in conjunction with more demanding capital requirements, would go a long way toward building a more robust financial sector.<ref name=NYT2009-10-23>{{citation | |||
| date = October 23, 2009 | |||
| title = Re “Volcker’s Voice, Often Heeded, Fails to Sell a Bank Strategy” (front page, Oct. 21): | |||
| journal = New York Times | |||
| url = http://www.nytimes.com/2009/10/23/opinion/l23volcker.html?_r=2&pagewanted=print}}</ref></blockquote> | |||
==Scope of GLBA== | |||
Underlying the passage of GLBA was a goal of making U.S. financial institutions more competitive in the international financial system, in a political environment that generally supported greater [[deregulation]]. | |||
===Financial Holding Companies=== | |||
To become a FHC, a bank or Bank Holding Company (BHC) must be well-capitalized and well-managed; the Federal Researve Board was required to establish comparable capital and management standards for foreign banks that operate a branch or agency, or control a commercial lending company, in the U.S. "If a FHC or foreign bank subsequently fails to meet any applicable capital and managerial standards and does not correct the deficiency within 180 days, the Board may order the company or bank to divest or terminate the financial activities or divest its depository institution subsidiaries." All subsidiaries must have a satisfactory or better rating under the [[Community Reinvestment Act]] (CRA). Failure to hold such a rating requires the Board to "prohibit the company from acquiring any additional companies or engaging de novo in any additional financial activities until the CRA rating is restored to satisfactory," but does not require it to stop existing activities. <ref name=FRBSF-Overview-FHCcriteria>{{citation | |||
| title = Overview of the Gramm-Leach-Bliley Act | |||
| contribution = Criteria to be a FHC | |||
| url = http://www.frbsf.org/publications/banking/gramm/grammpg1.html#criteria | |||
| publisher = Federal Reserve Bank of San Francisco}}</ref> | |||
==Financial privacy== | |||
While some consider GLBA a hunting license for financial sharks, it also has strong provisions about maintaining privacy and security of financial data. An organization under its coverage must have compliant policies for financial privacy, safeguards, and pretexting protection ("social engineering") and be able to document that these policies actively are enforced. | |||
Not only must staff be trained, you must make annual disclosure to your customerss on what information collected on them, how it is shared and used, and how you protect it. This is its Financial Privacy Rule. There are, however, interacting laws, such as the [[Bank Secrecy Act]] and [[Right to Financial Privacy Act]] which require that the collection of certain information, provided to law enforcement, must ''not'' be disclosed to customers. | |||
Written notices are good, but enforcement is better, and GLBA requires that financial institutions have a written information security plan, which not only covers the personal financial data of customers, but formal customers. At least one employee must have formal responsibility for managing the safeguards on these data. Managing the safeguards involves a formal risk assessment, an active monitoring and testing program, and procedures for updating the protection to reflect changes in risk and the ways the data are used. | |||
The "Fraudulent Access to Financial Information" section makes it illegal either to use "social engineering" or "pretexting" to gain access to financial information. This law requires the financial institution to take positive steps to avoid such collection, which would include both staff training and active pursuit of miscreants who set up "phishing" sites. | The "Fraudulent Access to Financial Information" section makes it illegal either to use "social engineering" or "pretexting" to gain access to financial information. This law requires the financial institution to take positive steps to avoid such collection, which would include both staff training and active pursuit of miscreants who set up "phishing" sites. | ||
Be sure the security policy has a clear section on cautions against being "[[social engineering|socially engineered]]", and be able to document that precautions cqan be taken. Many policies cover actions by employees, but not necessarily their interaction with the public -- a public which contains [[miscreant]]s out to do no good. | Be sure the security policy has a clear section on cautions against being "[[social engineering|socially engineered]]", and be able to document that precautions cqan be taken. Many policies cover actions by employees, but not necessarily their interaction with the public -- a public which contains [[miscreant]]s out to do no good. | ||
==References== | |||
{{reflist|2}} |
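Review bot: the copy edit moves the "Written notices are good, but enforcement is better" paragraph from its old position (left-hand cell at Line 1) down into the Financial privacy section but leaves its wording untouched, so "which not only covers the personal financial data of customers, but formal customers" still reads as a typo (presumably "former customers") and should be corrected in the same pass. Other defects that survive the revision in the right-hand text: "Federal Researve Board", "your customerss", "precautions cqan be taken", and the empty year in "a Federal Reserve Bank reinterpretation, in , which", which the PBS Frontline citation placed just before it should be able to supply. The privacy section also switches person mid-paragraph ("Not only must staff be trained, you must make annual disclosure"), which is worth smoothing while the paragraph is being moved.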
Revision as of 16:10, 22 June 2010
The colloquial name for the Financial Services Modernization Act of 1999, U.S. banking legislation.
Before the passage of the U.S. Gramm-Leach-Bliley Act of 1999 (GLBA), banks, insurers, securities brokers, and other financial institutions had to maintain separation of financial assets. Banks were regulated by the Banking Act of 1933, and the Bank Holding Company Act of 1956, portions of which GLBA effectively repealed. It allowed institutions meeting certain criteria to become Financial Holding Companies (FHC).
It is inaccurate to say, however, that GLBA suddenly let financial institutions go wild; there had been mergers and other changes between 1933 and 1999, among them a Federal Reserve Bank reinterpretation, in , which let banks have restricted involvement in speculative securities.[1] Nevertheless, when the legislation passed, John Reed and Sanford Weill, the co-CEOs of Citigroup, issued "a statement congratulating Congress and President Clinton, including 19 administration officials and lawmakers by name." The creation of Citigroup, from the merger of Reed's Citibank and Weill's Travelers Insurance, would technically have been illegal without GLBA.
In 2009, the retired Reed wrote to the New York Times,
As another older banker and one who has experienced both the pre- and post-Glass-Steagall world, I would agree with Paul A. Volcker (and also Mervyn King, governor of the Bank of England) that some kind of separation between institutions that deal primarily in the capital markets and those involved in more traditional deposit-taking and working-capital finance makes sense. This, in conjunction with more demanding capital requirements, would go a long way toward building a more robust financial sector.[2]
Scope of GLBA
Underlying the passage of GLBA was a goal of making U.S. financial institutions more competitive in the international financial system, in a political environment that generally supported greater deregulation.
Financial Holding Companies
To become an FHC, a bank or Bank Holding Company (BHC) must be well-capitalized and well-managed; the Federal Reserve Board was required to establish comparable capital and management standards for foreign banks that operate a branch or agency, or control a commercial lending company, in the U.S. "If a FHC or foreign bank subsequently fails to meet any applicable capital and managerial standards and does not correct the deficiency within 180 days, the Board may order the company or bank to divest or terminate the financial activities or divest its depository institution subsidiaries." All subsidiaries must have a satisfactory or better rating under the Community Reinvestment Act (CRA). Failure to hold such a rating requires the Board to "prohibit the company from acquiring any additional companies or engaging de novo in any additional financial activities until the CRA rating is restored to satisfactory," but does not require it to stop existing activities.[3]
Financial privacy
While some consider GLBA a hunting license for financial sharks, it also has strong provisions on maintaining the privacy and security of financial data. An organization under its coverage must have compliant policies for financial privacy, for safeguards, and for protection against pretexting (a form of "social engineering"), and must be able to document that these policies are actively enforced.
Not only must staff be trained; you must also make annual disclosure to your customers of what information is collected about them, how it is shared and used, and how you protect it. This is the Financial Privacy Rule. There are, however, interacting laws, such as the Bank Secrecy Act and the Right to Financial Privacy Act, which require that the collection of certain information provided to law enforcement must not be disclosed to customers.
Written notices are good, but enforcement is better, and GLBA requires that financial institutions have a written information security plan, which covers the personal financial data not only of current customers but of former customers as well. At least one employee must have formal responsibility for managing the safeguards on these data. Managing the safeguards involves a formal risk assessment, an active monitoring and testing program, and procedures for updating the protection to reflect changes in risk and in the ways the data are used.
The "Fraudulent Access to Financial Information" section makes it illegal to use either "social engineering" or "pretexting" to gain access to financial information. It requires the financial institution to take positive steps to prevent such collection, including both staff training and active pursuit of miscreants who set up "phishing" sites.
Be sure the security policy has a clear section cautioning against being "socially engineered", and be able to document that precautions can be taken. Many policies cover actions by employees, but not necessarily their interaction with the public, a public which contains miscreants out to do no good.
References
- [1] "Fed begins reinterpreting Glass-Steagall; Greenspan becomes Fed chairman", in "The Long Demise of Glass-Steagall", PBS Frontline, http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/weill/demise.html
- [2] "Re “Volcker’s Voice, Often Heeded, Fails to Sell a Bank Strategy” (front page, Oct. 21)", New York Times, October 23, 2009, http://www.nytimes.com/2009/10/23/opinion/l23volcker.html?_r=2&pagewanted=print
- [3] "Criteria to be a FHC", in Overview of the Gramm-Leach-Bliley Act, Federal Reserve Bank of San Francisco, http://www.frbsf.org/publications/banking/gramm/grammpg1.html#criteria