 

Understanding the Gramm-Leach-Bliley Act (GLBA)

How GLBA Can Help Your Organization Secure Sensitive Data Like Financial Records and Other Non-Public Personal Info (NPI)


What is GLBA?


More than 20 years ago, the U.S. government passed the Gramm-Leach-Bliley Act (GLBA), which is also referred to as the Financial Modernization Act of 1999. GLBA’s purpose is to ensure that financial institutions properly manage sensitive and private customer information. It applies to any financial institution that provides financial services such as loans, investments, or insurance and covers three core areas: the Safeguard Rule, the Privacy Rule, and the Pretexting Provisions.

After announcing changes to the Safeguard Rule in 2021, the Federal Trade Commission (FTC) issued a final rule on privacy protections and required organizations to be compliant with all changes by June 9, 2023. Among the biggest changes is a new requirement that all relevant organizations implement an information security program aligned with the rule’s nine core elements.

In this GLBA guide, learn more about what GLBA is, whom it applies to, what the three core areas mean for your business, how to ensure compliance with the newest regulations, and more.

What You'll Discover:

What is GLBA?

GLBA ensures financial institutions properly manage sensitive and private customer information.


Who Should Be GLBA Compliant?

All financial institutions that create, store, or transmit customer non-public personal information and financial information should be compliant.


GLBA Data Protections and NPI

GLBA protects specific types of customer and consumer non-public personal information (NPI).

GLBA: Customer and Consumer Info

Determining who is a customer and who is a consumer of your business is a key part of understanding GLBA compliance.

What is the FTC Safeguarding Rule?

The FTC Safeguard Rule provides guidance to help institutions implement controls and processes to protect NPI.

Understanding Safeguarding Rule Requirements

The FTC has developed a list of nine steps institutions can take to develop an appropriate GLBA infosec program.

Understanding the Financial Privacy Rule

The Financial Privacy Rule requires institutions to create privacy notices and opt-out provisions for customers and consumers.

Understanding the Pretexting Protection Rule

The Pretexting Provisions specify that financial institutions and individuals can’t obtain NPI under false pretenses.

How to Become GLBA Compliant

Check out 15 steps you can take to ensure you’re compliant with all three key areas of the Gramm-Leach-Bliley Act.

GLBA Non-Compliance

Individuals and institutions that aren’t in compliance with GLBA can face a range of penalties.

GLBA Risk Assessments With Apptega

A risk assessment is a key step in ensuring GLBA compliance. See how Apptega’s Risk Manager can simplify it.

GLBA Audit

Acing a GLBA audit has never been easier, thanks to the power and functionality of Apptega’s Audit Manager.

GLBA FAQ

Check out answers to some common questions about the Gramm-Leach-Bliley Act.

The Apptega Solution for GLBA

Learn how Apptega can simplify risk assessment, risk management, and ongoing GLBA security and privacy compliance.

What is the Gramm-Leach-Bliley Act (GLBA) and why is it important?

The Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires all financial institutions to implement proper governance and controls to ensure these organizations protect the confidentiality, security, and integrity of customers’ private information. GLBA is part of the Financial Modernization Act of 1999, and many of its core provisions have been around for more than two decades:

  • Safeguard Rule: Also known as the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information, this rule requires covered entities to protect the security of private customer information, which includes all paper, electronic, or other forms of records of non-public personal information. This rule went into effect in 2003, but was recently updated with new standards effective June 9, 2023.
  • Privacy Rule: The Privacy of Consumer Financial Information Rule went into effect in July 2001 and requires financial institutions to provide privacy notices and limit certain disclosures of customers’ private personal information. The rule also directs that customers have the right to opt out of disclosures to a non-affiliated third-party and that the institution should not generally disclose this information to a non-affiliated third-party for marketing purposes. There are also regulations guiding financial institutions on redisclosure and reuse of customer private information.
  • Pretexting Provisions: The pretexting provisions (Prohibition on Obtaining Customer Information by False Pretenses, outlined in Section 521 of GLBA) prohibit financial institutions from accessing customer personal information under false pretenses.

GLBA defines non-public personal information (NPI) as all non-public personally identifiable information a financial institution collects from customers while providing a service or product. Some examples include a name, address, phone number, or Social Security number, as well as account numbers, payment histories, consumer reports, or court records.

GLBA standards are applicable to all organizations that provide financial services such as loans, investments, insurance, and more. The guidelines are applicable to more than just banks and lenders and can include debt collectors, real estate service providers, and businesses that manage tax returns. It even extends into auto sales, if the business gives credit or financial advice or offers customers leasing or financing options.

Apptega for GLBA Compliance


If your organization creates, stores, or transmits personally identifiable information (PII) about your customers, you likely must be compliant with a range of industry regulations as well as federal, state, and local laws. Keeping pace with all of the requirements, especially as regulators make changes to keep up with the rapidly changing threat landscape, is challenging. It’s even more so if you’re trying to manage programs, policies, frameworks, and controls using paper documents or cumbersome spreadsheets.

Apptega makes GLBA compliance easy. Its cybersecurity and compliance platform streamlines and automates many manual, repetitive processes and can give you instant insight with real-time scoring on how well you're meeting compliance requirements, where you may have gaps, and even offer recommendations on how you can move closer to your GLBA compliance goals.

Who Needs to be GLBA Compliant?


Does Your Organization Need to Be Compliant with GLBA?

All financial institutions that access customers’ non-public personal information must be GLBA compliant. While most people think of this in terms of banks and lenders, GLBA’s scope is much larger. It applies to all organizations that offer financial products and services. That can include anything from financial counseling and investment advice to real estate services, car dealers, credit unions, insurance and mortgage companies, savings and loan associations, debt collectors, and securities firms. Not sure if you are covered? Section 314.2(h) goes into greater detail with covered entity examples.

The FTC says “businesses that are significantly engaged in financial activities” should be GLBA compliant and that all financial activities should be considered in determining whether your organization meets the “significantly engaged” requirement. The two primary factors are:

  • Formal arrangements: For example, a retailer that offers consumers direct credit via a store credit card. 
  • Frequency of financial activities: For example, a business that regularly wires money to and from consumers. 


Some of GLBA’s opt-out requirements and notice regulations have exemptions. According to 12 CFR 216.1, the provisions do “not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes.” It goes on to clarify that these types of organizations are not considered financial institutions:

  • Any person or entity with respect to any financial activity subject to the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.)
  • The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.)
  • Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer non-public personal information to a non-affiliated third party.

What is NPI for GLBA?

The FTC defines non-public personal information (NPI) as “personally identifiable financial information as well as any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available.” Here are some examples of NPI:

  • Names
  • Addresses
  • Account information

GLBA also defines personally identifiable financial information (PIFI) as any information a consumer provides to obtain a financial product or service, information about a consumer resulting from any transaction involving a financial product or service, or information otherwise obtained about a consumer in connection with providing a financial product or service to that consumer. Some examples of PIFI:

  • Information on a loan application
  • Account balance
  • Payment history
  • Purchasing information
  • Information about whether a person has obtained your services

PIFI can also include information collected about your customers online, for example, if your website uses internet cookies to collect data about site visitors who use your services.

Since GLBA specifically relates to non-public information, it’s also worth noting how regulations define publicly available information: “Any information you have a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records, widely distributed media; public disclosures required by federal, state, or local law.” Some examples of publicly available information:

  • Government real estate records
  • Security interest filings
  • Details in a phone book, newspaper, or public website

Steps to GLBA Compliance


To be in compliance with GLBA, you must meet standards and other requirements outlined in the Safeguard Rule, Privacy Rule, and Pretexting Provisions. Each of these sections has specific standards that must be met (or conditions that you cannot violate). However, there are some basic steps you can take to help ensure you’re on the right path for GLBA compliance.

  • Understand if your business meets the GLBA definition of a “financial institution.”
  • Use FTC guidance to determine who your customers are, who your consumers are, and how you use their non-public personal information.
  • Study each section (Privacy, Safeguard, Pretexting) to clearly understand all requirements. Consider developing separate plans to ensure you’re achieving all three.
  • Select a qualified individual to oversee your GLBA compliance program.
  • Conduct a business impact analysis to determine your critical functions, processes, and systems that store, process, or transmit NPI.
  • Conduct a risk assessment to determine any risks you may have that could impact the security, confidentiality, or integrity of customer NPI.
  • Determine a risk threshold and risk appetite for NPI risks. 
  • Develop and implement an information security program to address and manage those risks.
  • Routinely evaluate safeguards for all third parties that handle your customer NPI.
  • Continuously monitor your organization for NPI risks.
  • Routinely evaluate and adjust your information security program to address GLBA compliance gaps. Consider working with third-party consultants or using compliance-focused software to manage and evaluate program performance.
  • Develop a notice that outlines your privacy practices and make it available in your office and to the public. Understand distribution requirements based on consumer and customer NPI usage.
  • Develop an opt-out notice and processes for your customers and consumers.
  • Establish education and training policies and procedures for your employees and affiliates, including NPI risks, and privacy and opt-out notices.
  • Develop response and recovery plans to address potential NPI breaches or similar incidents and use a compliance management platform as a repository for all documentation.

Need help on your GLBA compliance journey? Contact an Apptega consultant or request a demo to see how Apptega can simplify your GLBA compliance strategies, help you conduct effective risk assessments, and manage your compliance program — all in a single, easy-to-use platform.

 

What Happens if My Financial Institution is Not GLBA-Compliant?

If you’re a GLBA-covered entity, you can face penalties for non-compliance. While GLBA rulemaking is overseen by the Consumer Financial Protection Bureau (CFPB), the FTC enforces the Safeguard Rule and can take court action for Privacy Rule violations. Other state and federal agencies may also play a role in GLBA enforcement and corrective actions. Through the FTC Act, the FTC can ultimately issue a cease and desist order for violations and in other instances can go to court to seek monetary relief for violations, which can include penalties. 

In 2020, for example, the FTC announced it had reached a settlement with a mortgage analytics company that failed to make sure one of its third-party affiliates had secured personal data about mortgage holders. As a result, the company had to implement a comprehensive data security program, must undergo biannual security program assessments from an FTC-approved third party, and have a senior executive certify each year the company is complying with FTC guidelines.

For more information about FTC enforcement authority, visit https://www.ftc.gov/about-ftc/mission/enforcement-authority.

 

Apptega and GLBA Risk Assessments

Risk assessments are a critical part of Gramm-Leach-Bliley Act compliance. Apptega’s Risk Manager can simplify everything you need to do for GLBA Safeguard, Privacy, and Pretexting requirements — all within a single platform.

With Apptega’s Risk Manager, you can:

  • Discover risks that may affect the confidentiality, security, and integrity of  consumer and customer NPI
  • Assign a risk rating and create a risk register
  • Evaluate your existing frameworks and controls against GLBA requirements
  • Identify missing or ineffective safeguards and make plans to address them
  • Document your risk, risk owners, risk impact, and response plans
  • Get comprehensive insight into your NPI risk landscape and see all of your risks in a single view and how they relate to your security and compliance frameworks

Consumer and Customer Information and GLBA

Another important component of GLBA compliance involves two key terms: customers and consumers. To be compliant, you must understand if your business has consumers or customers — or both — because different GLBA guidelines relate to this context. 

  • The FTC defines a consumer as “an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative.” A consumer is not a commercial client. Examples of consumers would be people who cash a check with a check-cashing company or those who apply for a loan (regardless of loan approval status).
  • The FTC says a customer is a subclass of consumers. Customers have a continuing relationship with your business, and although the frequency of use of your services is not applicable, the relationship is. The FTC defines a customer relationship as a “continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.” Some customer examples are people who secure mortgage financing through a company, someone who opens a credit card account, or someone who purchases insurance from you.

What is the FTC Safeguarding Rule?

The FTC’s Standards for Safeguarding Customer Information (Safeguard Rule) requires covered entities to take steps to protect customer information. While the rule has been in place since 2003, the FTC recently amended it with new guidelines effective early June 2023.

The original guidelines, according to FTC, were designed to be flexible for implementation. The updated version still does that but also gives financial institutions more direct guidance on expectations, including core data security principles all covered entities must implement.

New in the Safeguard Rule is a directive for all covered institutions to develop, implement, and maintain an information security program that includes administrative, technical, and physical safeguards. 

The information security program is not prescriptive but must be “written and appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.” Under GLBA, every information security program should:

  • Ensure security and confidentiality of customer information
  • Protect against anticipated threats or hazards to the security or integrity of that information
  • Protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer

9 Ways to Establish an “Appropriate” GLBA InfoSec Program

What’s challenging about the Safeguard Rule is how you determine what an “appropriate” infosec program looks like. To help, the FTC has developed nine key guidelines that every compliant information security program should include:

  • Select a designated, qualified individual to oversee and implement the program. This person is also responsible for program enforcement and can be someone you employ, an affiliate, or a service provider.
  • Conduct periodic risk assessments to discover “reasonably foreseeable” internal and external risks that affect the security, confidentiality, and integrity of customer information that could result in unauthorized disclosure, misuse, alteration, destruction, or other compromises. The risk assessment must evaluate existing safeguard effectiveness and include written documentation detailing how your organization and program will mitigate or accept identified risks.
  • Design and implement safeguards to control the risks identified in your risk assessment. This includes implementing and periodically reviewing access, technical, and physical controls, including:
    1. Encrypting customer information in transit over external networks and at rest. 
    2. Adopting secure development practices for in-house developed applications used to transmit, access, or store customer information, as well as procedures to test the security of externally developed apps.
    3. Implementing multi-factor authentication for authorized access with limited exceptions.
    4. Developing, implementing, and maintaining procedures for secure disposal of customer information within two years after the last date of information usage related to a product or service, unless the information is necessary for business purposes or operations, is legally required for retention, or where disposal isn’t possible based on how you obtained the information. These procedures should be periodically reviewed.
    5. Adopting change management procedures.
    6. Implementing policies, procedures, and controls to monitor and log authorized user activity to detect unauthorized access or use of, or tampering with, customer information.
  • Regularly test and monitor effectiveness of key controls, systems, and procedures, including those to detect attacks or intrusions into information systems. This should include continuous monitoring or periodic penetration testing and vulnerability assessments. Organizations that don’t do continuous monitoring should conduct annual penetration testing based on relevant risks identified in a risk assessment and do vulnerability assessments at least every six months and whenever there are material changes to operations, business arrangements, or circumstances that might impact your information security program.
  • Implement policies and procedures for security awareness training including oversight for employees, affiliates, and service providers related to risk identification from your risk assessment.
  • Oversee service providers including vetting them to ensure they can take reasonable steps to protect customer information and then contractually require those you select to implement and maintain those safeguards. You should also periodically assess these providers to make sure safeguards are effective.
  • Whenever issues are identified through testing and monitoring, your business changes, or risk assessment results change, you must evaluate and adjust your existing security program.
  • Develop a written response plan that details how your organization will promptly respond to and recover from security events that may affect the security, integrity, or confidentiality of your customer data, including goals, response processes, roles and responsibilities, external and internal communications plans, remediation strategies, documentation and reporting of all security events and responses, and post-event evaluation and adjustment of the plan if needed.
  • Have the person overseeing your program regularly create written reports for your board or other key stakeholders, at least annually. These reports should include information about your program’s current status and compliance level, and other information relevant to addressing issues related to your risk assessment, risk management, security events, testing results, and other critical program information.


Understanding the Privacy Rule

The GLBA Privacy of Consumer Financial Information Rule requires all financial institutions to provide customers, and in some instances consumers, written notice of your privacy policies and practices. All customers, regardless of whether you share their NPI, should get a privacy notice when you first establish your relationship (or, if the customer agrees, within a reasonable time after it’s established). In addition, with some exceptions, if you share customer NPI with non-affiliated third parties, you must also provide:

  • Opt-out notice if the customer doesn’t want you to share NPI
  • Reasonable way to opt-out
  • Reasonable amount of time to opt-out before NPI disclosure

Consumers whose NPI you may share with non-affiliated third parties must also get a privacy notice and an opt-out notice. For consumers whose NPI you don’t share with non-affiliated third parties (or who are exempt), you must:

  • Explain that your privacy notice is available on request
  • Explain how consumers can get a full privacy notice
  • Include the opt-out notice

Every privacy notice is expected to include information about how your business collects, protects, and discloses NPI. The Privacy Rule requires all notices to include:

  • Categories of information collected (example: NPI obtained from a consumer reporting agency)
  • Categories of information disclosed (example: NPI provided on an application such as name, address, and phone number or account information)
  • Categories of affiliates and non-affiliated third parties to whom you disclose NPI (example: insurance companies)
  • Categories of information disclosed and to whom under the joint marketing/service provider exception
  • When disclosing NPI to non-affiliated third parties under certain exceptions, a statement that the disclosures are made "as permitted by law."
  • When disclosing NPI to non-affiliated third parties not within the exceptions, an explanation of consumers' and customers' rights to opt out of disclosures
  • Any disclosures required by the Fair Credit Reporting Act
  • Policies and practices to protect the confidentiality and security of NPI

The Privacy Rule does more than just explain what you should include; it also details how the notices should look, primarily that they must be “clear and conspicuous” on paper or on your website. A notice must also:

  • Be understandable
  • Direct attention to the type and significance of the information
  • Be easy to read
  • Be distinctive
  • If you put a notice on your website, it must go on a page consumers often use or on a page where they conduct transactions.

Finally, the Privacy Rule details how you should deliver your privacy notices. The notices must be in writing. They can be electronic, but only if your customer agrees. If you’re sending them electronically, the notice must be on your website and require receipt acknowledgement. 

If your notices are not written or posted in your office, you’re considered non-compliant.

Opt-Out Notices

Opt-out notices must “clearly and conspicuously” describe your customers’ opt-out rights. The notice can be part of your privacy notice or delivered to your customers when you give them your privacy notice.

The rule outlines that all notices must include a “reasonable” means to opt out (for example, calling a specific phone number or returning a form by mail), and recipients must get the notices in enough time to respond before you disclose NPI. Generally, that’s 30 days. Some companies require this before a transaction. It’s important to note that your customers and consumers can opt out of NPI sharing at any time, and you must comply within a reasonable time after you receive a notice. Customer opt-outs are effective until they are cancelled in written form. A consumer opt-out can be cancelled electronically.


Understanding the Pretexting Protection Rule

In addition to safeguard controls, and the privacy and opt-out notices, GLBA also sets guidelines about how financial institutions get customer non-public information, specifically saying you cannot do so under false pretenses. That means someone from your institution or an affiliate can’t try to access this data by fooling the consumer or customer. This is an often-seen tactic of social engineering, like phishing schemes.

Prohibition on Obtaining Customer Information by False Pretenses in Section 521 of GLBA says that financial organizations cannot make false, fictitious, or fraudulent statements or representations to a customer. Further, you cannot provide a document to an officer, employee, or agent of your business if you know that document may be forged, counterfeit, lost, stolen, fraudulently obtained, or if it has false, fictitious, or fraudulent statements or representations.

The standards have a few exemptions:

  • When you’re testing your security procedures or systems to maintain customer NPI confidentiality
  • If you’re investigating misconduct or neglect of an employee, officer, or agent
  • If you’re recovering NPI that was obtained under false pretenses

The guidelines are also not applicable when a law enforcement agency is conducting its official duties, when an insurer is investigating criminal activity, fraud, or misrepresentation, or when the information relates to collecting delinquent child support. They’re also not applicable if the information is reasonably available as a public record under securities laws.

Acing Your GLBA Audit

The FTC has the authority to conduct GLBA audits for the Privacy Rule, but, if you want to know how effective your GLBA compliance program is, especially with the new Safeguard Rule requirements, you should consider a GLBA audit by a third-party assessor or using software like Apptega to get real-time insight with compliance scoring.

Your GLBA audit, whether done by a person or a platform, should:

  • Identify all of your important assets, systems, and processes that could impact the confidentiality, security, and integrity of NPI
  • Evaluate all of your NPI security and privacy risks and compare them against your internal risk assessment findings
  • Evaluate your policies, procedures, training, and implementation processes, including documentation and governance
  • Evaluate control effectiveness to mitigate NPI risks
  • Identify where you have safeguard and privacy gaps
  • Make recommendations, for example, other frameworks, controls, or sub-controls to close those gaps
  • Evaluate your incident response and recovery plans, with recommendations for improvements
  • Help routinely monitor and evaluate your program to ensure ongoing compliance

FAQs

What is GLBA?
The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires all financial institutions to implement proper governance and controls to ensure they protect the confidentiality, security, and integrity of customers’ private personal information.
What is the purpose of GLBA?
GLBA’s purpose is to ensure financial institutions properly secure and manage private non-public personal information via its Safeguard Rule, Privacy Rule, and Pretexting Provisions.
Who enforces GLBA compliance?
While a variety of agencies play a role in GLBA compliance, the FTC is the primary agency that conducts GLBA compliance audits and directs action against potential violations.
Should my organization be GLBA compliant?
All financial institutions that access customers’ non-public personal information must be GLBA compliant.
What are the three key rules for GLBA?
The three key rules for GLBA are the Safeguard Rule, the Privacy Rule, and Pretexting Provisions.
What is the FTC Safeguarding rule?
The FTC’s Standards for Safeguarding Customer Information is also known as the Safeguarding Rule. It requires covered entities to protect the security of private customer information, which includes all paper, electronic, or other forms of records of non-public personal information.
What is the Financial Privacy rule?
The Financial Privacy Rule is formally called the Privacy of Consumer Financial Information Rule. It requires financial institutions to provide privacy notices and limit certain disclosures of customers’ private personal information. It also gives customers the right to opt out of disclosures to a non-affiliated third party and says institutions should not generally disclose this information to a non-affiliated third party for marketing purposes. There are also regulations guiding financial institutions on re-disclosure and reuse of customer private information.
What is the Pretexting Protection rule?
GLBA’s pretexting protection rule is called Prohibition on Obtaining Customer Information by False Pretenses. It prohibits financial institutions from accessing customer personal information under false pretenses.
What are the main compliance requirements for GLBA?
To be compliant with GLBA, financial institutions must meet all standards established in the Safeguard and Privacy rules and ensure they don’t violate pretexting regulations.
Is there a GLBA certification?
No. There is not a GLBA certification, but you can work with a third-party auditor to confirm your GLBA compliance status.
Do I need a GLBA audit?
If you’re required to be compliant for GLBA, it’s a good idea to have a third-party assess your compliance status. You can do this by working with a consultant or via software like Apptega, which can evaluate your compliance with real-time scoring.
Who conducts a GLBA audit?
The FTC has the authority to conduct official GLBA audits but, to ensure compliance before an FTC investigation, you can work with a third-party auditor to do a GLBA assessment for you.
What are some benefits of GLBA compliance?
There are many benefits of GLBA compliance. First, it’s a regulatory requirement, so you have to. Second, by complying with all GLBA standards, you can get insight into potential risks to all types of private and sensitive data in your environment, can make plans to address those risks and get insight into how effectively your existing controls protect and secure customer data. Compliance also will help decrease the likelihood of an NPI data breach, potential FTC investigation and audit, and hopefully lower your risk of facing penalties and other punitive actions.
What are some GLBA compliance best practices?
  • Identify all of your systems, assets, and procedures that can affect the security, confidentiality, and integrity of NPI
  • Conduct a risk assessment
  • Develop an information security program with safeguards that mitigate these risks
  • Develop a notice of privacy practices
  • Create an opt-out form for sharing NPI data to third-parties
  • Publish your notices in your office and ensure all new customers get copies
  • Conduct routine testing and vulnerability assessments to ensure your program works effectively
  • Routinely train and educate your employees and affiliates about NPI privacy and safeguards
  • Vet all third-parties for NPI privacy and safeguard compliance
  • Work with third-party consultants for extra support and guidance
  • Implement a compliance framework management solution to streamline and automate GLBA processes and controls
Who is considered a consumer under GLBA?
A GLBA consumer is “an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative.”
Do customers covered by GLBA have the right to opt out?
Yes. Customers, and in some cases consumers, have the right to opt out of you sharing their NPI with non-affiliated third parties.
What is NPI in GLBA?
NPI is non-public personal information (NPI). The FTC defines it as “personally identifiable financial information as well as any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available.”
What data does GLBA protect?
GLBA protects a range of non-public personal information and personally identifiable financial information such as names, addresses, account numbers and balances, credit reports, payment history, and more.
What is a GLBA privacy notice?
Every GLBA privacy notice must include information about how financial institutions collect, protect, and disclose NPI.
What is GLBA Section 501(b)?
GLBA Section 501(b) outlines financial institution safeguards for the confidentiality, security, and integrity of NPI, ensuring institutions protect this data against anticipated threats, and regulates unauthorized use or disclosure.
Is GLBA a law or regulation?
GLBA is a federal law that went into effect in 1999 as part of the Financial Services Modernization Act.