"You're a Fintech. You Probably Handle Financial Data. That Could Make You a Financial Institution."

There's a common refrain among fintech leaders that regulatory oversight doesn't apply to them because they don't directly manage funds. However, this assumption overlooks a crucial aspect of financial regulation. If you're developing software atop payment processors or extracting insights from transaction data, you remain within the regulatory framework regardless.

Understanding GLBA's Broad Definition

The Gramm-Leach-Bliley Act represents federal legislation typically associated with banks. What surprises many tech companies is its expansive definition of "financial institution." The law encompasses any organisation significantly engaged in financial activities, plus those whose services enable financial operations for regulated entities.

The FTC applied this interpretation when it took action against Dealerbuilt, a software company serving car dealerships. Although the firm neither lent money nor accepted deposits directly, its software enabled dealers to extend credit to consumers. The agency determined that Dealerbuilt qualified as a financial institution under GLBA, which triggered compliance obligations around privacy, security, and consumer notices, and, since 2024, mandatory breach reporting to the FTC within 30 days for incidents affecting 500 or more customers.

Payment infrastructure developers, lending facilitators, and financial data aggregators likely fall within GLBA's scope.

Where State Laws Come Into It

Complexity intensifies when examining state privacy frameworks. Most states carve out exemptions for GLBA-regulated entities, but these vary significantly.

California's CCPA doesn't grant full entity-level exemptions. Rather, it exempts specific data categories covered by GLBA, not entire organisations. Fintech companies processing information beyond GLBA's scope, such as website visitor data or employee records, may still face CCPA obligations. The state law exemption extends only as far as GLBA's coverage reaches.

States including Virginia, Colorado, and Utah provide broader entity-level exemptions. GLBA-regulated institutions may gain complete relief from state privacy laws within these jurisdictions. However, this protection isn't universal, and emerging state regulations continue reshaping this landscape.

The practical implication: GLBA applicability doesn't necessarily eliminate state law responsibilities, nor does GLBA's absence exempt companies from state requirements. Both frameworks demand simultaneous analysis and compliance strategy.

Why This Matters for Your Privacy Program

The FTC actively pursues non-bank entities classified as financial institutions. State attorneys general investigating fintech compliance remain vigilant. Enterprise clients, particularly financial institutions themselves, increasingly scrutinise vendor privacy and security credentials through detailed assessments.

The foundational step involves determining GLBA applicability and scope. Subsequently, layer state privacy obligations not displaced by federal law, then construct a unified program addressing both. Though not ideal, this dual framework represents the current regulatory reality.

Financial services counsel proves invaluable for nuanced classification decisions. Privacy engineering work, including data mapping, security architecture, consumer notification systems, and incident response protocols, completes the implementation.

Fintech leaders uncertain about their regulatory obligations should pursue guidance. Collaborative discussions among product, engineering, and legal teams typically prove most productive for navigating this environment.