Gramm-Leach-Bliley Act (GLBA) - What is GLBA Compliance?

Learn all about GLBA on this overview page including definition, requirements, best practices, and more.

The Gramm-Leach-Bliley Act (GLBA), otherwise known as the Financial Services Modernization Act, was enacted in November 1999 and requires that financial institutions safeguard the sensitive customer data they collect. Furthermore, financial institutions, under the Act, are required to share their information collection and sharing practices with their customers. 

Today, GLBA compliance is a major priority for financial institutions. As cyber threats over the past 20+ years have evolved, so too has the GLBA. Even the term “financial institutions” has been considerably broadened over the years to expand the scope of the Act. 

In this post, we will go deep on the GLBA, looking into the history and evolution of the Act, what exactly it entails, how to meet GLBA compliance requirements, penalties, best practices, and more.

GLBA Compliance Definition - What is GLBA Compliance?

GLBA compliance means that financial institutions must adhere to the requirements laid out in the GLBA – specifically, they are required to first protect customer personally identifiable information (PII) and personally identifiable financial information (PIFI) and, secondly, communicate with customers how they collect, share, and protect PII and PIFI.

Delving more deeply into the GLBA, the Act consists of three core sections comprising two rules and a set of provisions. The “three rules” of GLBA, as they have mistakenly, albeit conveniently, become known, are the following:

Financial Privacy Rule: This Rule covers 2 types of companies. Firstly, if your company is a “financial institution” you must adhere to this Rule, and, secondly, if your company receives “nonpublic personal information (NPI)” from a financial institution with which you are not affiliated, then there are limitations to the way in which you can use that information. The FTC has issued guidance on what it considers a “financial institution” here. The main obligation of the Financial Privacy Rule for financial institutions is that they must share their privacy policy with consumers as well as provide an option for the consumer to opt out of any sharing of their NPI with nonaffiliated third parties.

Safeguards Rule: The FTC Safeguards Rule, which was updated as recently as 2023, dictates that financial institutions under the jurisdiction of GLBA must implement an information security policy that meets the guidelines established by the Safeguards Rule. The main focus of the Rule is to protect the personal information that financial institutions collect from consumers. One of the key aspects of GLBA compliance is implementing an information security program that includes the 9 elements explicitly laid out by the FTC Safeguards Rule, which are:

  1. Designate a qualified individual to implement and manage your company’s information security program.
  2. Run a risk assessment.
  3. Implement safeguards that will help to control risks.
  4. Test your safeguards.
  5. Train your employees.
  6. Monitor all your service providers.
  7. Keep your information security program up to date.
  8. Create a written incident response plan.
  9. Require your information security program owner to report to the Board of Directors.

Pretexting Provisions: This section of GLBA covers the unauthorized access of nonpublic personal information (NPI) and the steps financial institutions must take to avoid unauthorized access. Pretexting, in this instance, refers to nefarious parties using fictitious information or social engineering techniques to access NPI. Any individual found to engage in pretexting and fraudulent access of NPI can face a fine, imprisonment, or both.

What are the Benefits of GLBA Compliance?

GLBA compliance is not something companies should necessarily be fearful of. Granted, there are significant fines for non-compliance, but, in many ways, GLBA compliance is there to help companies. There are a number of ways companies can benefit from GLBA compliance.

  1. Information Security Template: The GLBA and specifically the information security program requirements laid out in the FTC Safeguards Rule provide an element of structure or a template from which companies can build their own information security programs. It is much easier to build an information security program that meets the FTC Safeguard requirements than to try and build one from scratch.
  2. Safer Customer Data: Meeting GLBA compliance means your customer data will be safer and you will reduce the likelihood of a data breach at your company.
  3. Meet Customer Expectations: Customers today are increasingly tech savvy and risk aware. There is now a level of expectation around the way personal data is handled. By adhering to GLBA, you can help to meet these expectations.
  4. Mitigate Insider Threats: The GLBA sets out clear requirements around unauthorized access. By meeting these standards, you can significantly reduce the risk of insider threats at your company.
  5. Avoid Financial and Reputational Damage: Apart from the fines associated with GLBA non-compliance, the damage a data breach can cause both in terms of reputation and cost is enormous. GLBA compliance helps you keep your customers’ personal information secure and will help you avoid a damaging security breach.


Who Does GLBA Compliance Apply to?


While GLBA applies primarily to financial institutions, the definition of what is considered a “financial institution” under GLBA has been broadened considerably with the updated FTC Safeguards Rule. The important thing to remember here is that the FTC’s definition of “financial institution” is concerned with the activities a company engages in and not the way it classifies or categorizes itself. Companies outside of the financial realm that engage in financial activities, such as a university that processes student loans, are subject to GLBA compliance.

The FTC lists some examples of companies it considers to be “financial institutions” on its website, including the following:

  • Mortgage lenders
  • Payday lenders
  • Finance companies
  • Mortgage brokers
  • Account servicers
  • Check cashers
  • Wire transferors
  • Collection agencies
  • Credit counselors
  • Financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors exempt from SEC registration
  • “Finders” or intermediaries that bring buyers and sellers together

What are the Penalties for GLBA Non-Compliance?

Non-compliance with GLBA can have some pretty serious consequences for both individuals and companies. The penalties for non-compliance are as follows:

  • Financial institutions found to be in breach of GLBA face a fine of up to $100,000 for each violation.
  • Officers and directors at a company that fails to comply with GLBA can be fined up to $10,000 for each violation.
  • Officers and directors at a company that fails to comply with GLBA can face up to 5 years in prison.


5 GLBA Compliance Best Practices

When it comes to GLBA compliance, there are a number of best practices to keep in mind.

1 – Understand if you are considered a financial institution: First and foremost, you need to figure out if your company meets the definition of “financial institution” as laid out in the GLBA. You will need to consider the types of personal data you collect and how it is processed and shared. It is also important to remember that GLBA has undergone a number of updates which have broadened its scope, so even if your company was previously not under the jurisdiction of the GLBA, that does not mean this is still the case.

2 – Build or update your infosec program to meet the requirements laid out in the FTC Safeguards Rule: We have outlined the 9 key elements of a GLBA-compliant information security program above. Depending on what stage your company is at in terms of compliance, you will need to either build or update your information security program to ensure you meet all of these requirements satisfactorily.

3 – Assess your company’s systems and processes: As part of your infosec program, you will have conducted a risk assessment, but it is imperative you pay extra attention to the systems and processes used in your company. Try to identify high-risk legacy processes that may open the door to non-compliance risk. One typical example is the use of email to collect documents and information from customers. Email is not built for the complexities of today’s high-risk threat landscape and creates issues around encryption, permissioning, access, and data disposal – which are all essential GLBA requirements.

4 – Equip your company with the right tools: Identify weaknesses in your compliance processes and address them by equipping your team with the right tools. Prioritize features such as access control, data purging, and end-to-end encryption. Ideally, you want to avoid tools that come with lengthy implementation periods, and instead look for those quick wins where possible.

5 – Continuous improvement: Achieving and maintaining GLBA compliance is a continuous process. As we have seen, GLBA has been updated as recently as June 2023, so you need to stay on your guard and seek out ways you can improve and update your compliance processes.
