Key Takeaways
- GLBA requires financial institutions to protect consumer nonpublic personal information (NPI)
- Privacy notices must be provided at account opening and annually thereafter
- Consumers have the right to opt out of information sharing with non-affiliates
- The Safeguards Rule requires written information security programs
- Pretexting (obtaining NPI through false pretenses) is illegal
- MLOs must protect borrower information throughout the loan process
Last updated: January 2026
Gramm-Leach-Bliley Act (GLBA) Privacy
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, includes important privacy provisions that protect consumers' nonpublic personal information (NPI). Mortgage lenders and MLOs must comply with GLBA's privacy and security requirements.
What is Nonpublic Personal Information (NPI)?
NPI includes any personally identifiable financial information that is:
| NPI Category | Examples |
|---|---|
| Information provided by consumer | Social Security number, income, assets, debts |
| Information from transactions | Account numbers, payment history, loan balances |
| Information from other sources | Credit reports, employment verification |
What is NOT NPI?
| Public Information |
|---|
| Information available from public records (recorded deeds, court records) |
| Information lawfully made publicly available |
| Information consumer has authorized to be made public |
Privacy Notice Requirements
Financial institutions must provide privacy notices to consumers:
When to Provide Privacy Notices
| Timing | Requirement |
|---|---|
| Initial notice | At time of establishing customer relationship |
| Annual notice | Every 12 months for continuing relationships |
| Revised notice | When information-sharing practices change materially |
What Privacy Notices Must Include
| Required Element |
|---|
| Categories of NPI collected |
| Categories of NPI disclosed |
| Categories of affiliates and non-affiliates who receive NPI |
| Consumer's right to opt out of certain disclosures |
| How the institution protects NPI |
| How to opt out (if applicable) |
Opt-Out Rights
Consumers have the right to opt out of certain information sharing:
Sharing That Requires Opt-Out Opportunity
| Sharing Type | Opt-Out Right |
|---|---|
| Sharing NPI with non-affiliated third parties | Consumer can opt out |
| Sharing NPI for marketing by non-affiliates | Consumer can opt out |
Sharing That Does NOT Require Opt-Out
| Exception | Why Permitted |
|---|---|
| Sharing with affiliates | Same corporate family |
| Processing transactions | Necessary for service |
| Servicing accounts | Necessary for service |
| Protecting against fraud | Security purposes |
| Complying with law | Legal requirement |
| With consumer consent | Consumer agreed |
Opt-Out Process
| Requirement |
|---|
| Must provide reasonable means to opt out |
| Must give reasonable time to opt out before sharing |
| Must honor opt-out requests promptly |
| Cannot require opting out of all disclosures to opt out of one type |
The Safeguards Rule
The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive written information security program.
Required Elements of Security Program
| Element | Description |
|---|---|
| Designate coordinator | Assign employee(s) to oversee the program |
| Identify risks | Conduct risk assessments for each area handling NPI |
| Design safeguards | Implement safeguards to control identified risks |
| Select service providers | Require vendors to maintain appropriate safeguards |
| Evaluate and adjust | Regularly test and update the program |
Types of Safeguards
| Category | Examples |
|---|---|
| Administrative | Employee training, background checks, access controls |
| Technical | Encryption, firewalls, intrusion detection |
| Physical | Locked file cabinets, secure disposal, building security |
Pretexting Prohibition
Pretexting is the practice of obtaining NPI through false pretenses. GLBA makes it illegal to:
| Prohibited Conduct |
|---|
| Use false statements to obtain NPI |
| Impersonate a customer to get their information |
| Provide fraudulent documents to access NPI |
| Use stolen identity documents |
| Employ others to engage in pretexting |
Penalties for Pretexting
| Violation | Penalty |
|---|---|
| Individual | Up to $5,000 fine and/or 5 years imprisonment |
| Pattern of violations | Up to $100,000 fine and/or 10 years imprisonment |
MLO Responsibilities Under GLBA
As a mortgage loan originator, you must:
| Responsibility | Actions |
|---|---|
| Protect NPI | Keep borrower information confidential |
| Limit access | Only access NPI needed for your job |
| Secure transmission | Use encrypted email for sensitive information |
| Proper disposal | Shred documents containing NPI |
| Report breaches | Notify compliance of any suspected data breach |
| Complete training | Participate in required privacy training |
Practical Application for MLOs
During Application Process
| Best Practice |
|---|
| Collect only information needed for the loan |
| Verify identity of anyone requesting information |
| Use secure methods to transmit documents |
| Never share login credentials |
Document Handling
| Best Practice |
|---|
| Store documents in locked/secure locations |
| Use clean-desk policy |
| Shred documents with NPI before disposal |
| Log out of systems when away from desk |
Communication
| Best Practice |
|---|
| Verify recipient before sending sensitive information |
| Use encrypted email for NPI |
| Be cautious with voicemail containing NPI |
| Never discuss NPI in public places |
Loading diagram...
Test Your Knowledge
Under GLBA, when must a financial institution provide an initial privacy notice to a consumer?
A
B
C
D
Test Your Knowledge
A consumer wants to opt out of all information sharing. Under GLBA, can they prevent the lender from sharing their information with affiliated companies?
A
B
C
D
Test Your Knowledge
What is "pretexting" under GLBA?
A
B
C
D