Start your Gramm Leach Bliley Act training
The Gramm-Leach-Bliley Act: Safeguarding Nonpublic Personal Information
On November 12, 1999 the Gramm-Leach-Bliley Act (15 USC, Subchapter I, Sec. 6801-6809) was enacted by Congress in order to repeal part of the Glass-Steagall Act of 1933 and allow commercial banks, investment banks, securities firms, and insurance companies to consolidate. The combined sectors are today referred to as the financial services industry.
The Gramm-Leach-Bliley Act (GLBA) includes provisions affirming that all financial institutions including mortgage lenders have a continuing obligation to respect the privacy of their customers and to protect the security and confidentiality of their nonpublic personal information. In section 501(b), GLBA mandates that the relevant federal agencies (in the case of the mortgage industry, the Federal Trade Commission) shall establish appropriate standards relating to administrative, technical, and physical safeguards.
The FTC directives regulating financial institutions, including mortgage originators (MOs), take the form of three rules.
Financial Privacy Rule
This rule requires that MOs provide each borrower with a privacy notice describing how they use and disclose the borrower’s personal information. The notice must be provided to the customer at the time the consumer relationship is established and annually thereafter. The notice must also let the borrower know about their right to opt-out of having their information shared with unaffiliated parties. The unaffiliated parties receiving the nonpublic information must affirm their acceptance of the terms under the original relationship agreement.
MOs are required to have reasonable policies and procedures ensuring the security and confidentiality of customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions (such as credit reporting agencies) that receive customer information from other financial institutions. The rule applies to the nonpublic information of any customer, past or present, of the financial institution’s products or services.
The written information security plan must describe how the lender protects clients’ nonpublic personal information. Companies must:
Designate at least one employee to manage the safeguards,
Construct a thorough risk management plan on each department handling the nonpublic information,
Develop, monitor, and test a program to secure the information, and
Change the safeguards as needed with the changes in how information is collected, stored, and used.
For ethical mortgage lenders, the rule is intended to accomplish what they are already striving to do: protect the privacy of their clients. But the rule forces lenders to take a closer look at how they manage private data and to do a risk analysis on their current processes. Even in a well-managed office no process is perfect, and nearly every financial institution has had to make some effort to comply with GLBA.
For example, consider the fact that nowadays the vast majority of lenders use email to communicate both internally and externally. Sensitive client information including Social Security numbers and bank account numbers are sent in emails which may not be secure. It is critical to ensure that the management of such communications complies with GLBA.
Pretexting occurs when someone tries to gain access to an individual’s personal information using a false name or other subterfuge. This may include requesting private information while impersonating the account holder, by phone, by mail, by email, or even by phishing (i.e., using a phony website or email to collect data). The financial institution must take all precautions necessary to protect and defend the consumer and associated nonpublic information.
GLBA compliance is mandatory. Violation of GLBA may result in a civil action brought by the U.S. Attorney General. The penalties include those for the financial institution of up to $100,000 for each violation. In addition, “the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation. Criminal penalties may include up to five years in prison.
Protecting the personal information of your customers is serious business. Ignorance of the law is not a defense. As a mortgage loan originator, you should get the education that you need to professionally serve your customers and avoid making a serious and costly mistake.