Financial institutions of all sizes must become familiar with the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), because the consequences of violating it, even inadvertently, can be severe.
The GLBA mandates safeguards for companies that process, transfer or store consumer financial information. It prescribes steep penalties for companies that fall out of compliance, including six-figure fines and even jail time. Violations can also result in catastrophic data loss and a steep drop-off in customer trust.
To avoid these consequences, financial organizations must maintain strict guidelines and practices around the access, monitoring and logging of financial information. They should also perform rigorous compliance audits using the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook.
GLBA Basics
What is the GLBA?
In 1999, the GLBA was established to protect consumers’ right to data protection within the financial industry. It removed regulations preventing the merger of different types of financial institutions, such as banks and insurance companies. By modernizing the financial services industry and opening up competition among companies, the GLBA has allowed financial organizations to pursue growth opportunities that wouldn’t otherwise be available to them.
One part of the GLBA — section 501(b) — focuses on the protection of consumer information. It requires financial institutions to increase their prioritization of consumer security. By doing so, financial organizations also help ensure that they establish and maintain trust with customers and guard their reputations.
The GLBA has been formally updated several times. In 2011, the supplement “Authentication in an Internet Banking Environment” was added to address issues of authentication, layered security and other strategies for ensuring strong protection of consumer financial information.
Who must comply with the GLBA?
A wide range of companies are subject to the law. The GLBA defines financial institutions as entities that are “significantly engaged” in the “financial activities” outlined in section 4(k) of the Bank Holding Company Act. There are two guidelines for determining “significant engagement” in financial activity: There must be a formal arrangement around the financial services provided, and the activity must happen on a regular basis.
The “financial activities” of concern include:
- Lending, exchanging, or transferring funds for others, investing for others or safeguarding money or securities. Lenders, check cashers, wire transfer services and money order sellers all fall into the category of financial institutions due to these activities.
- Providing financial, investment, or economic advisory services. Credit counselors, financial planners, tax preparers, accountants, and investment advisors are also considered to be financial institutions according to the GLBA because of these activities.
- Brokering loans, servicing loans and collecting debts.
- Providing real estate settlement services.
- Career counseling of individuals seeking employment in the financial services industry.
What types of data are protected?
The GLBA protects “nonpublic personal information” (NPI) for any consumer who receives products or services from your organization. Nonpublic personal information includes any “personally identifiable financial information” that financial institutions collect from consumers. It does not include any information that is otherwise “publicly available.”
Examples of NPI include income, Social Security numbers, account numbers, payment history, loan balances, and credit or debit card purchases. Even the fact that an individual is a consumer of your business is considered NPI.
GLBA Compliance Requirements
To comply with the Gramm-Leach-Bliley Act, financial institutions must meet two rules related to information sharing and confidentiality of sensitive customer data: the Safeguards Rule and the Privacy Rule.
The GLBA Safeguards Rule
The GLBA Safeguards Rule refers to 16 CFR Part 314 of the GLBA, a comprehensive guideline that covers access to and use of customer NPI throughout all financial transactions.
The rule requires financial institutions to implement safeguards around the information systems that transmit and store customer NPI. They must outline their information security programs in a written plan, which should be specific to the organization and the sensitivity level of customer information. The plan should designate who is responsible for safeguarding information security within the organization, how effective current safeguards are and how they can be improved, and how employees and systems will be managed to improve overall information security.
The GLBA Safeguards Rule is not limited to requiring financial institutions to implement security programs; it also includes ensuring that their affiliates and service providers take necessary steps to safeguard any customer information they store or process against security risks.
The GLBA Privacy Rule
The Privacy Rule refers to 16 CFR Part 313 of the GLBA. The application of this rule depends in part on whether an individual is a “consumer” or a “customer”:
- Consumer — An individual who obtains financial products or services for personal use
- Customer — A subset of consumers with an ongoing relationship with the financial institution.
Under the Privacy Rule, financial institutions must provide all customers with a privacy notice explaining their privacy policies and practices, including those of both affiliated and nonaffiliated third parties. In addition, if you share NPI with nonaffiliated third parties (outside of certain exceptions) the Privacy Rule requires you to inform customers of their right to opt out of that sharing.
If you share NPI with nonaffiliated third parties, the opt-out and privacy policy notice requirements apply to consumers as well as customers.
GLBA Penalties
Penalties for non-compliance with the GLBA can include steep fines and even jail time.
For example, an FTC complaint against California mortgage broker Mortgage Solutions FCS found that the company violated several sections of the GLBA. As a result, Mortgage Solutions was fined $120,000 and ordered to implement a comprehensive data security program.
In 2019, Equifax Inc. was fined up to $700 million in a global settlement with the FTC, the Consumer Financial Protection Bureau, and 50 U.S. states and territories because of allegations that it failed to secure its network.
GLBA Compliance Best Practices
What do financial institutions need to do to comply with the GLBA? Adhering to the following best practices can reduce your risk of compliance failures and associated penalties.
- Understand how the GLBA applies to your organization.
Determine whether your business is considered a financial institution under the GLBA. Consider whether your institution primarily serves consumers as customers, and what kinds of data you process and store that is considered to be nonpublic personal information. You will also want to check what kinds of data you share with affiliated and nonaffiliated service providers.
Remember that GLBA regulations are periodically updated, so the scope of institutions and protected data types that fall under the law may change. Regular review of your organization’s policies and practices in relation to GLBA updates is essential to ensuring you remain in compliance.
- Conduct a regular risk assessment.
The best way to get ahead of any compliance issues is to perform rigorous internal assessments. Implement an information security risk assessment checklist. Since your IT ecosystem, the threat landscape and compliance requirements are constantly changing, repeat the risk assessment on a regular basis.
- Implement security controls to mitigate risks.
Deploy security controls to protect data privacy and integrity throughout all transactions. Access controls, data encryption, password security, activity logging, intrusion detection, firewalls, antivirus software and timely patching are all important measures for ensuring data security.
- Protect your organization from insider threats.
Insider threats pose the biggest data security risk to financial institutions because they have access to critical data and systems. Insider threats include malicious employees, former employees and contractors, but remember that even employees who don’t mean harm can inadvertently compromise sensitive data. Protect yourself by following best practices for insider threat prevention.
- Coordinate GLBA compliance with service providers.
The GLBA holds financial institutions accountable for not just their own data practices, but also the data practices of affiliated and nonaffiliated service providers. Ask third-party providers how they will safeguard your customers’ data and ensure compliance with GLBA standards.
- Prepare necessary documentation.
To meet GLBA compliance requirements, you need to create and maintain a written information security plan, a privacy notice, a disaster recovery plan, a business continuity plan and an annual report to the Board.
- Review and improve processes.
A strategy of continual improvement is the best approach to ensuring your organization remains in compliance with GLBA requirements. Periodically conduct a review of your processes and develop strategies for improvement. This includes regular risk assessment, threat detection and monitoring, third-party compliance audits, employee training programs, and adjustments to policies and documents.
Conclusion
Considering the steep penalties associated with falling out of compliance with the GLBA, having solutions in place that help your financial organization optimize data protection is essential.
Netwrix GLBA Compliance Software can help you achieve, maintain and prove GLBA compliance. It reduces the stress of regulatory audits by helping you ensure the confidentiality, integrity and availability of sensitive financial data in both on-premises and cloud-based IT systems and applications. The platform provides the security intelligence you need to identify security gaps, analyze user behavior and investigate threat patterns to protect customer personal information from unauthorized disclosures.
FAQ
What does the Gramm-Leach-Bliley Act protect?
The GLBA protects consumers of financial institutions from unauthorized disclosure of their nonpublic personal information. It holds financial institutions accountable for safeguarding consumer data and notifying customers of their right to privacy.
What are the requirements of the GLBA?
The act requires companies that offer financial products or services to consumers to be transparent about their information-sharing practices and to safeguard sensitive consumer data.
Who is subject to the GLBA?
The GLBA applies to financial institutions that process, transfer or store large amounts of personal information about consumers.
How must financial institutions protect personal information?
Financial institutions must adopt comprehensive measures to protect customers’ personal information, including written information security plans and disaster recovery plans. They must also ensure that any third-party affiliates adhere to GLBA guidelines for handling sensitive customer data.
What are the penalties for violating the GLBA?
Penalties include large fines and potentially jail time in aggravated cases.
