How GLBA Can Help Your Organization Secure Sensitive Data Like Financial Records and Other Non-Public Personal Info (NPI)
More than 20 years ago, the U.S. government passed the Gramm-Leach-Bliley Act (GLBA), which is also referred to as the Financial Modernization Act of 1999. GLBA’s purpose is to ensure that financial institutions properly manage sensitive and private customer information. It applies to any financial institution that provides financial services such as loans, investments, or insurance and covers three core areas:
After announcing changes to the Safeguard Rule in 2021, the Federal Trade Commission (FTC) issued a final rule on privacy protections and required organizations to be compliant with all changes by June 9, 2023. Among the biggest changes is a new requirement that all relevant organizations implement an information security program aligned with the rule’s nine core elements.
In this GLBA guide, learn more about what GLBA is, whom it applies to, what the three core areas mean for your business, how to ensure compliance with the newest regulations, and more.
GLBA ensures financial institutions properly manage sensitive and private customer information.
All financial institutions that create, store, or transmit customer non-public personal information and financial information should be compliant.
GLBA protects specific types of customer and consumer non-public personal information (NPI).
Determining who is a customer and who is a consumer of your business is a key part of understanding GLBA compliance.
The FTC Safeguard Rule provides guidance to help institutions implement controls and processes to protect NPI.
The FTC has developed a list of nine steps institutions can take to develop an appropriate GLBA infosec program.
The Financial Privacy Rule requires institutions to create privacy notices and opt-out provisions for customers and consumers.
The Pretexting Provisions specify that financial institutions and individuals can’t obtain NPI under false pretenses.
Check out 15 steps you can take to ensure you’re compliant with all three key areas of the Gramm-Leach-Bliley Act.
Individuals and institutions that aren’t in compliance with GLBA can face a range of penalties.
A risk assessment is a key step in ensuring GLBA compliance. See how Apptega’s Risk Manager can simplify it.
Acing a GLBA audit has never been easier, thanks to the power and functionality of Apptega’s Audit Manager.
Check out answers to some common questions about the Gramm-Leach-Bliley Act.
Learn how Apptega can simplify risk assessment, risk management, and ongoing GLBA security and privacy compliance.
The Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires all financial institutions to implement proper governance and controls to protect the confidentiality, security, and integrity of customers’ private information. GLBA is part of the Financial Modernization Act of 1999, and many of its core provisions have been around for more than two decades:
GLBA defines non-public personal information as all non-public personally identifiable information a financial institution collects from customers while providing a service or product. Some examples include a name, address, phone number, or Social Security number, as well as account numbers, payment histories, consumer reports, or court records.
GLBA standards are applicable to all organizations that provide financial services such as loans, investments, insurance, and more. The guidelines are applicable to more than just banks and lenders and can include debt collectors, real estate service providers, and businesses that manage tax returns. It even extends into auto sales, if the business gives credit or financial advice or offers customers leasing or financing options.
If your organization creates, stores, or transmits personally identifiable information (PII) about your customers, you likely must be compliant with a range of industry regulations as well as federal, state, and local laws. Keeping pace with all of the requirements, especially as regulators make changes to keep up with the rapidly changing threat landscape, is challenging. It’s even more so if you’re trying to manage programs, policies, frameworks, and controls using paper documents or cumbersome spreadsheets.
Apptega makes GLBA compliance easy. Its cybersecurity and compliance platform streamlines and automates many manual, repetitive processes and can give you instant insight with real-time scoring on how well you're meeting compliance requirements, where you may have gaps, and even offer recommendations on how you can move closer to your GLBA compliance goals.
All financial institutions that access customers’ non-public personal information must be GLBA compliant. While most people think of this in terms of banks and lenders, GLBA’s scope is much larger. It applies to all organizations that offer financial products and services. That can include anything from financial counseling and investment advice to real estate services, car dealers, credit unions, insurance and mortgage companies, savings and loan associations, debt collectors, and securities. Not sure if you are covered? Section 314.2(h) goes into greater detail with covered entity examples.
The FTC says “businesses that are significantly engaged in financial activities” should be GLBA compliant, and that all financial activities should be considered in determining whether your organization meets the “significantly engaged” requirement. The two primary factors are:
Take a deeper dive into FTC-defined financial activities here.
There are some GLBA exemptions to some opt-out requirements, as well as notice regulations. According to 12 CFR 216.1, the provisions do “not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes.” It goes on to clarify that these types of organizations are not considered financial institutions:
The FTC defines non-public personal information (NPI) as “personally identifiable financial information as well as any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available.” Here are some examples of NPI:
GLBA also defines personally identifiable financial information (PIFI) as any information a consumer provides to obtain a financial product or service, information about a consumer resulting from any transaction involving a financial product or service, or information otherwise obtained about a consumer in connection with providing a financial product or service to that consumer. Some examples of PIFI:
PIFI can also include information collected about your customers online, for example, if your website uses internet cookies to collect data about site visitors who use your services.
Since GLBA specifically relates to non-public information, it’s also worth noting how the regulations define publicly available information: “Any information you have a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or public disclosures required by federal, state, or local law.” Some examples of publicly available information:
To be in compliance with GLBA, you must meet standards and other requirements outlined in the Safeguard Rule, Privacy Rule, and Pretexting Provisions. Each of these sections has specific standards that must be met (or conditions that you cannot violate). However, there are some basic steps you can take to help ensure you’re on the right path for GLBA compliance.
If you’re a GLBA-covered entity, you can face penalties for non-compliance. While GLBA rulemaking is overseen by the Consumer Financial Protection Bureau (CFPB), the FTC enforces the Safeguard Rule and can take court action for Privacy Rule violations. Other state and federal agencies may also play a role in GLBA enforcement and corrective actions. Under the FTC Act, the FTC can issue a cease-and-desist order for violations and, in other instances, can go to court to seek monetary relief, which can include penalties.
In 2020, for example, the FTC announced it had reached a settlement with a mortgage analytics company that failed to make sure one of its third-party affiliates had secured personal data about mortgage holders. As a result, the company had to implement a comprehensive data security program, must undergo biannual security program assessments by an FTC-approved third party, and must have a senior executive certify each year that the company is complying with FTC guidelines.
For more information about FTC enforcement authority, visit https://www.ftc.gov/about-ftc/mission/enforcement-authority.
Risk assessments are a critical part of Gramm-Leach-Bliley Act compliance. Apptega’s Risk Manager can simplify everything you need to do for GLBA Safeguard, Privacy, and Pretexting requirements — all within a single platform.
With Apptega’s Risk Manager, you can:
Another important component of GLBA compliance involves two key terms: customers and consumers. To be compliant, you must understand if your business has consumers or customers — or both — because different GLBA guidelines relate to this context.
The FTC’s Standards for Safeguarding Customer Information (Safeguard Rule) requires covered entities to take steps to protect customer information. While the rule has been in place since 2003, the FTC recently amended it with new guidelines effective early June 2023.
The original guidelines, according to FTC, were designed to be flexible for implementation. The updated version still does that but also gives financial institutions more direct guidance on expectations, including core data security principles all covered entities must implement.
New in the Safeguard Rule is a directive for all covered institutions to develop, implement, and maintain an information security program that includes administrative, technical, and physical safeguards.
The information security program is not prescriptive but must be “written and appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.” Under GLBA, every information security program should:
What’s challenging about the Safeguard Rule is how you determine what an “appropriate” infosec program looks like. To help, the FTC has developed nine key guidelines that every compliant information security program should include:
The person overseeing your program should regularly create written reports for your board or other key stakeholders, at least annually. These reports should cover your program’s current status and compliance level, along with findings from your risk assessment, risk management activities, security events, testing results, and other critical program information.
The GLBA Privacy of Consumer Financial Information rule requires all financial institutions to provide customers, and in some instances consumers, written notice of their privacy policies and practices. All customers, regardless of whether you share their NPI, should get a privacy notice when you first establish your relationship (or, if the customer agrees, within a reasonable time after it’s established). In addition, with some exceptions, if you share customer NPI with non-affiliated third parties, you must also provide:
Consumers whose NPI you may share with non-affiliated third parties must also get a privacy notice and an opt-out notice. For consumers whose NPI you don’t share with non-affiliated third parties (or who are exempt), you must:
Every privacy notice is expected to include information about how your business collects, protects, and discloses NPI. The Privacy Rule requires all notices to include:
The Privacy Rule does more than explain what you should include; it also details how the notices should look, primarily that they must be “clear and conspicuous” on paper or on your website. They must also:
Finally, the Privacy Rule details how you should deliver your privacy notices. The notices must be in writing. They can be electronic, but only if your customer agrees. If you’re sending them electronically, the notice must be on your website and require receipt acknowledgement.
If your notices are not written or posted in your office, you’re considered non-compliant.
Opt-Out Notices
Opt-out notices must “clearly and conspicuously” describe your customers’ opt-out rights. An opt-out notice can be part of your privacy notice or delivered to your customers when you give them your privacy notice.
The rule requires that all notices include a “reasonable” means to opt out (for example, calling a specific phone number or returning a form by mail) and that recipients get the notices with enough time to respond before you disclose NPI. Generally, that’s 30 days. Some companies require this before a transaction. It’s important to note that your customers and consumers can opt out of NPI sharing at any time, and you must comply within a reasonable time after you receive a notice. Customer opt-outs remain in effect until the customer cancels them in writing. A consumer opt-out can be canceled electronically.
In addition to safeguard controls and the privacy and opt-out notices, GLBA also sets guidelines about how financial institutions obtain customer non-public information, specifically stating that you cannot do so under false pretenses. That means someone from your institution or an affiliate can’t try to access this data by deceiving the consumer or customer. This is a common social-engineering tactic, seen in phishing schemes.
The Prohibition on Obtaining Customer Information by False Pretenses in Section 521 of GLBA says that financial organizations cannot make false, fictitious, or fraudulent statements or representations to a customer. Further, you cannot provide a document to an officer, employee, or agent of your business if you know that document may be forged, counterfeit, lost, stolen, or fraudulently obtained, or if it contains false, fictitious, or fraudulent statements or representations.
The standards have a few exemptions:
The guidelines are also not applicable when a law enforcement agency is conducting its official duties, when an insurer is investigating criminal activity, fraud, or misrepresentation, or when the information is used to collect delinquent child support. They’re also not applicable if the information is reasonably available as a public record filed under securities laws.
The FTC has the authority to conduct GLBA audits for the Privacy Rule. But if you want to know how effective your GLBA compliance program is, especially with the new Safeguard Rule requirements, you should consider a GLBA audit by a third-party assessor or use software like Apptega to get real-time insight with compliance scoring.
Your GLBA audit, whether done by a person or a platform, should:
©2023 All Rights Reserved. Apptega® is a registered trademark of Apptega, Inc.