Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies.
[2] A year before the law was passed, Citicorp, a commercial bank holding company, merged with the insurance company Travelers Group in 1998 to form the conglomerate Citigroup, a corporation combining banking, securities and insurance services under a house of brands that included Citibank, Smith Barney, Primerica, and Travelers.
[7] Respective versions of the Financial Services Act were introduced in the U.S. Senate by Phil Gramm (Republican of Texas) and in the U.S. House of Representatives by Jim Leach (R-Iowa).
During debate in the House of Representatives, Rep. John Dingell (Democrat of Michigan) argued that the bill would result in banks becoming "too big to fail."
[note 3] The bill then moved to a joint conference committee to work out the differences between the Senate and House versions.
The merger violated the Bank Holding Company Act (BHCA), but Citibank was given a two-year forbearance that was based on an assumption that they would be able to force a change in the law.
The Act further enacted three provisions that allow for bank holding companies to engage in physical commodity activities.
Crucial to the passing of this Act was an amendment made to the GLBA, stating that no merger may go ahead if any of the financial holding institutions, or affiliates thereof, received a "less than satisfactory [sic] rating at its most recent CRA exam", essentially meaning that any merger may only go ahead with the strict approval of the regulatory bodies responsible for the Community Reinvestment Act (CRA).
[22] This was an issue of hot contention, and the Clinton Administration stressed that it "would veto any legislation that would scale back minority-lending requirements."
Much of the debate about financial privacy is specifically centered around allowing or preventing the banking, brokerage, and insurance divisions of a company from working together.
The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.
The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement.
There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis.
This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.
The Fair Credit Reporting Act is responsible for the 'opt-out' opportunity, but the privacy notice must inform the customer of this right under the GLB.
[25][26][27] A consumer may react to service of a GLBA notice by:
The European Union's General Data Protection Regulation (GDPR) became enforceable on 25 May 2018.
§§ 6801–6809) The Safeguards Rule implements data security requirements from the GLBA and requires financial institutions to develop a written information security plan that describes how the company is prepared to protect, and plans to continue protecting, its clients' nonpublic personal information.
The Safeguards Rule applies to the information of any past or present consumer of the financial institution's products or services.
The written plan must include:
The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes.
In December 2021, the Safeguards Rule was updated, amid some controversy,[29] by the FTC to include specific criteria requiring financial institutions to introduce new security controls and to increase the accountability of boards of directors,[30] with a six-month compliance extension, from January to June 2023, granted for some types of institutions in November 2022.
§§ 6821–6827) Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so.
This may entail requesting private information while impersonating the account holder, by telephone, by mail, by e-mail, or even by "phishing" (i.e., using a phony website or email to collect data).
For example, a well-written plan designed to meet GLB's Safeguards Rule ("develop, monitor, and test a program to secure the information") would likely include a section on training employees to recognize and deflect inquiries made under pretext.
[36] In an article in The Nation, Mark Sumner asserted that the Gramm–Leach–Bliley Act was responsible for the creation of entities that took on more risk due to their being considered "too big to fail".
[38] In February 2009, one of the act's co-authors, former Senator Phil Gramm, also defended his bill: [I]f GLB was the problem, the crisis would have been expected to have originated in Europe where they never had Glass–Steagall requirements to begin with.
[39] Bill Clinton, as well as economists Brad DeLong and Tyler Cowen, have all argued that the Gramm–Leach–Bliley Act softened the impact of the crisis.
[42] An article in the conservative publication National Review has made the same argument, calling allegations about the Act "folk economics."