The Catholic University of America

Summary of Federal Laws

Financial Aid Programs

Financial Services Modernization Act (The Gramm-Leach-Bliley Act or GLB)

15 U.S.C. § 6801 et seq.; 16 CFR 313 and 314

This law requires a financial institution to provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to a customer before establishing a customer relationship, and to a consumer before the financial institution discloses any non-public personal information to a nonaffiliated third party. The distinction between consumers and customers determines what notices a financial institution must provide.  Schools that provide Title IV student aid come under the purview of this law.

There are two different sets of rules under this law; the safeguarding rules at 16 CFR Part 314 and the privacy rules at 16 CFR Part 313. Institutions of higher education, while not exempt from the definition of "financial institutions," are generally excluded from the requirement to comply with the GLB privacy policy regulations as long as the institution complies with the Family Educational Rights and Privacy Act. IHEs are not exempt from the safeguards requirements of the law.

Schools must develop, implement and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards that are appropriate to the school's size and complexity, the nature and scope of the IHE's activities, and the sensitivity of any customer information at issue. The written program does not have to be all in one document, e.g. it can be a combination of policies, (perhaps some already in existence) that together equal a comprehensive policy. 

GLB also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement because they already do so under the Federal Educational Rights and Privacy Act (FERPA). Colleges and universities complying with FERPA are considered in compliance with GLB.

At the end of 2017, the Department of Education announced that it would be requiring insitutions of higher education to report any security breach of personally identifiable information. The Department is taking this position under Title IV Program Participation Agreements (which include Gramm-Leach-Bliley Act commitments) and Student Aid Internet Gateway agreements. A recorded session presented at the Federal Student Aid Conference in Nov-Dec. 2017 is online. The presenter is Tiina K.O. Rodrigue. (spelling not a typo) The power point can be found at item 37 in the program link. The definition of breach is not completely clear. 



Gramm Leach Bliley Training Brochure



updated 1-4-18 mlo