Learn all about GLBA on this overview page including definition, requirements, best practices, and more.
The Gramm-Leach-Bliley Act (GLBA), otherwise known as the Financial Services Modernization Act, was enacted in November 1999 and requires that financial institutions safeguard the sensitive customer data they collect. Furthermore, financial institutions, under the Act, are required to share their information collection and sharing practices with their customers.
Today, GLBA compliance is a major priority for financial institutions. As cyber threats over the past 20+ years have evolved, so too has the GLBA. Even the term “financial institutions” has been considerably broadened over the years to expand the scope of the Act.
In this post, we will go deep on the GLPA, looking into the history and evolution of the Act, what exactly it entails, how to meet GLBA compliance requirements, penalties, best practices, and more.
GLBA compliance means that financial institutions must adhere to the requirements laid out in the GLBA – specifically, they are required to first protect customer personally identifiable information (PII) and personally identifiable financial information (PIFI) and, secondly, communicate with customers how they collect, share, and protect PII and PIFI.
Delving more deeply into the GLBA, the Act consists of three core sections comprising two rules and a set of provisions. The “three rules” of GLBA as they have mistakenly, albeit conveniently, become known as are the following:
Safeguards Rule: The FTC Safeguards Rule, which was updated as recently as 2023, dictates that financial institutions under the jurisdiction of GLBA must implement an information security policy that meets the guidelines established by the Safeguards Rule. The main focus of the Rule is to protect the personal information that financial institutions collect from consumers. One of the key aspects of GLBA Compliance is implementing an information security program that includes the 9 elements explicitly laid out by the FTC Safeguards Rule, they are:
Pretexting Provisions: This section of GLBA covers the unauthorized access of nonpublic personal information (NPI) and the steps financial institutions must take to avoid unauthorized access. Pretext, in this instance, refers to nefarious parties who use fictitious information or social engineering techniques to access NPI. Any individual found to engage in pretexting and fraudulent access of NPI can face a fine, imprisonment, or both.
GLBA compliance is not something companies should necessarily be fearful of. Granted, there are significant fines for non-compliance, but, in many ways, GLBA compliance is there to help companies. There are a number of ways companies can benefit from GLBA compliance.
While GLBA applies primarily to financial institutions, the definition of what is considered a “financial institution” under GLBA has been broadened considerably with the updated FTC Safeguards Rule. The important thing to remember here is that the FTC’s definition of “financial institution” is concerned with the activities a company engages in and not the way it classifies or categorizes itself. Companies outside of the financial realm that engage in financial activities such as a university that processes student loans are subject to GLBA compliance.
The FTC lists some examples of companies they consider to be “financial institutions” on their own website which include the following:
Non compliance with GLBA can have some pretty serious consequences for both individuals and companies. The penalties for non-compliance are as follows:
With over 120,000 users, PlanetVerify is used by companies from many different industries to collect and manage sensitive customer documents and information during the onboarding process.
When it comes to GLBA compliance, there are a number of best practices to keep in mind.
1 – Understand if you are considered a financial institution: First and foremost you need to figure out if your company meets the definition of “financial institution” as is laid out in the GLBA. You will need to consider the types of personal data you collect and how it is processed and shared. It is also important to remember that GLBA has undergone a number of updates which has broadened its scope, so even if your company was previously not under the jurisdiction of the GLBA, that does not mean it will still be the case.
2 – Build or update your infosec program to meet the requirements laid out in FTC Safeguards Rule: We have outlined the 9 key elements of a GLBA-compliant information security program above. Depending on what stage your company is at in terms of compliance, you will need to either build or update your information security program to ensure you meet all of these requirements satisfactorily.
3 – Assess your company’s systems and processes: As part of your infosec program, you will have conducted a risk assessment, but it is imperative you pay extra attention to the systems and processes used in your company. Try to identify high risk legacy processes that may open up the door to non compliance risk. One typical example is the use of email to collect documents and information from customers. Email is not built for the complexities of today’s high risk threat landscape and creates issues around encryption, permissioning, access, and data disposal – which are all essential GLBA requirements.
4 – Equip your company with the right tools: Identify weaknesses in your compliance processes and address them by equipping your team with the right tools. Prioritize features such as access control, data purging, and end-to-end encryption. Ideally, you want to avoid tools that come with lengthy implementation periods, instead look for those quick wins where possible.
5 – Continuous improvement: Achieving and maintaining GLBA compliance is a continuous process. As we have seen, GLBA has been updated as recently as June 2023, so you need to stay on our guard and seek out ways you can improve and update your compliance processes.
A better experience for your clients, fewer headaches for your team. You’ll be set up in minutes.