The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a United States federal law that requires all financial institutions to ensure the privacy and security of customer (non-public) information. The Act consists of three sections.
- The Privacy Rule, which regulates the gathering and disclosure of private information.
- The Safeguards Rule, which specifies that financial institutions must implement safety programs to safeguard such information. This rule also applies to ATM operators and to companies, such as credit reporting agencies, that collect private information of individuals from financial institutions.
- The Pretexting Provisions, which prohibit the practice of obtaining private information and using it under false pretenses.
Who is covered by this Act?
The term ‘financial institution’ includes many organizations that describe themselves as financial institutions. These institutions include banks, credit unions, payday lenders, mortgage brokers, personal property or real estate appraisers, and non-bank lenders, among others. If your business deals with loans, the collection of debts, and financial advice, the GLBA applies to you as a financial institution. The law applies to all financial institutions regardless of size. The Federal Trade Commission (FTC), as well as other government agencies, order financial institutions to implement regulations to meet the GLBA compliance requirements.
What are the GLBA Compliance Requirements?
To comply with the GLBA, you must meet all three sections of the Act: The Privacy Rule, The Safeguards Rule, and The Pretexting Provisions.
- The Privacy Rule is the first piece in your GLBA compliance requirements. It mandates that you provide proper notices of your privacy policies and practices to the individuals who use your products or services. If an institution intends to disclose a client’s private information, it must provide the client with a privacy notice. This notice offers clients the choice to opt in or out of sharing their personal data with third parties.
- The Safeguards Rule requires financial institutions to keep customer information secure. They are also required to ensure that affiliates and third-party service providers take steps to secure customer information. Often mentioned together with information security and cybersecurity, the Safeguards Rule requires you to perform a comprehensive risk assessment and to design, implement, and maintain a detailed information security program that protects customers’ private information in all areas of operation.
- The Pretexting Provisions section also involves cybersecurity. To comply with this rule, you must develop a written plan for monitoring account activities and for educating your employees to recognize social engineering and phishing cons.
According to the Federal Trade Commission, the GLBA requirements are flexible so that every institution can implement an information security plan that is reasonable and appropriate to the scope and activities of the company.
Enforcement of the GLBA is performed through the member agencies of the Federal Financial Institutions Examination Council (FFIEC), which include the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Association (NCUA), Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).
GLBA also requires incident response and disaster recovery plans to prepare for and respond to breaches and to natural and man-made disasters. Maintaining GLBA compliance is significant to financial institutions because it helps them secure and defend their networks while reducing reputational, regulatory, and legal risks that can be both expensive and detrimental to continued operations.
Contact SCA Today to Learn More About GLBA Compliance Requirements
Security Compliance Associates (SCA) has more than 13 years of practice in delivering top-notch financial security compliance, assessment, and advisory services to financial institutions throughout the United States. Our assessments include a thorough review of your existing information security posture: the people, processes, and technology that may compromise sensitive information. SCA employs credentialed analysts and compliance professionals with decades of combined information security experience and will tailor an assessment program unique to your institution’s needs, size, and culture.
Contact SCA today to schedule a no-cost consultation.