11.1.2 Gramm-Leach-Bliley Act of 1999 (GLBA)
The GLBA was enacted on November 12, 1999, approximately seven
months after the merger between Citicorp and Travelers Group to form
Citigroup. GLBA—sometimes also called the “Citigroup Relief Act”—
allows financial holding companies like Citigroup to own banks, insurance
companies, and securities firms. Before GLBA, operation of an insurance
underwriter (Travelers) was not allowed for a bank holding company. To
make matters even more complex, Travelers owned Salomon Smith Barney,
and its bank-ineligible activities comprised more than the allowed 25%.
When GLBA came along, it created a new definition of a Financial Holding
Company (FHC) that allowed Citigroup to exist.
Luckily, GLBA is not one-sided. It did allow for the creation of
mega-financial companies, but it went on to define limitations and requirements
on these FHCs. Some of these requirements are based on capitalization
(e.g., the need to remain well-capitalized and maintain a high rating).
Other limitations, which are more relevant to the topic at hand, are in
the area of privacy.
One of the main reasons for creating mega-financial companies is to
leverage a knowledge base and be able to do cross-selling within the FHC.
If I am an insurance company that just merged with a large bank, I can try
to market my products to all customers of the bank—I know their names,
addresses, and even their net worth. The other risk involves the fact that the
collective set of data that exists within the FHC about individuals can be
large, in which case any leakage can be more damaging to the individual.
To combat extreme misuse of such cross-selling and the risks to privacy,
Congress adopted Title V of GLBA, which defines various requirements
designed to protect the privacy of customers of financial institutions. This is
the main relevance GLBA has in the context of database security and
auditing. Title V includes both the Financial Privacy Rule and the Safeguard
Rule. The Financial Privacy Rule discusses operations and practices, while
the Safeguard Rule has a more technical interpretation and includes
requirements for the following activities:
- Ensure the security and privacy of customer information
- Protect against threats to the security and integrity of customer information
- Protect against unauthorized access and/or usage of this information that could result in harm or inconvenience to the customer