GLBA Compliance & Standards

Whether an individual is opening up their first bank account, picking investments for their portfolio, or seeking financial advice prior to retirement, financial professionals are available to guide them through the process. 

The Gramm-Leach-Bliley Act (GLBA) enables finance pros to walk consumers through a variety of banking, investment, and insurance decisions, but more importantly, the law holds these professionals to certain ethics and standards while they work with personal and financial data. 

Let’s examine how GLBA became federal law, who the law applies to and how it is enforced, and how financial institutions can manage their compliance with the right security and privacy moves.

A Closer Look at the Gramm-Leach-Bliley Act

• GLBA
• GLBA data protection rules
  • Safeguards Rule
  • Privacy Rule
• GLBA compliance
• GLBA enforcement
• Benefits of GLBA

GLBA

Congress passed the Gramm-Leach-Bliley Act in 1999, which repealed parts of the Glass-Steagall Act and the Bank Holding Company Act, both laws that placed limits on blending the roles of banks, insurance companies, and security companies. Several mergers and acquisitions toed the line of breaking these acts prior to the passing of GLBA, but the merger of Citicorp, a bank, with Travelers Group, an insurance firm, in 1998 was a major and obvious violation. The Federal Reserve allowed the merger to proceed on a temporary basis, but this noteworthy merger ultimately ushered in GLBA the following year.

With GLBA, members of any of these individual financial sectors can advise their clients on a combination of banking, investment, and insurance decisions, as long as they comply with data protection and privacy rules outlined in GLBA. This change means that customers can choose to work with one financial institution/specialist to satisfy their financial needs in all of these categories.

The idea behind GLBA is to give financial institutions more freedom to practice in multiple areas of finance simultaneously, while requiring them to take consistent, significant steps to protect the privacy of customers’ personal and financial information. Through a combination of key rules, GLBA creates more ethical data practices for the consumer and more business opportunities for the financial professional.

Another major data regulation: GDPR Compliance & Requirements 2021

GLBA data protection rules

GLBA serves to protect the personal data, or nonpublic personal information (NPI), of customers at financial institutions. This data goes beyond traditional personal information and includes details like income, credit, and loan history, as well as bank and credit account numbers and Social Security numbers. Customers have to disclose this type of information to financial professionals in order for them to consult on financial matters, but GLBA mandates several protective measures so finance professionals use the data ethically and openly. The Safeguards Rule and the Privacy Rule are the two primary regulation groups that make up GLBA.

Safeguards Rule

The Safeguards Rule focuses on the policies, procedures, employee management and training, and security measures that financial institutions need to safeguard the personal information of their customers. GLBA instructs financial institutions to develop a written information security plan with the steps they’re taking to protect private financial information from security breaches, unauthorized internal access or use, and unauthorized distribution outside of the institution.

Creating the information security plan

GLBA delineates several expectations of what finance companies need to include in their information security plan. These organizations must:

• Select an employee or a team to lead an internal information security program.
• Inventory customer data and its locations, identifying and responding to any potential risks to customer information, while also analyzing the effectiveness of safeguards in those areas.
• Develop a safeguards program that fits the organization’s data security needs, while regularly monitoring and updating the safeguards as necessary.
• Appropriately train employees on proper data security and privacy measures for customer data.
• Ensure that third-party service providers understand the purpose of these safeguards and are capable of developing the appropriate safeguard infrastructure.
• Monitor how third-party service providers handle their customers’ information.
• Adjust the safeguards according to organizational changes and security pain points over time.
• Select service providers that can maintain appropriate safeguards, make sure contracts require them to maintain safeguards, and oversee their handling of customer information; and
• Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

The Safeguards Rule offers few specifics about what types of safeguards a company needs and what security tools to use to enact them. It is up to the organization’s discretion to determine what protections are necessary to safeguard personal data across all nodes and users within its corporate network.

Know your data: Best Data Analysis Methods 2021

Privacy Rule

GLBA lays out the Privacy Rule to empower consumers with the upfront knowledge of how their data can be used and the option to opt out of instances in which their sensitive personal data could be distributed. Covered GLBA organizations and financial practitioners are required to tell their customers how their data can be used and communicate this information via a privacy notice and an opt-out notice as soon as the relationship begins.

The privacy notice is intended to communicate with customers exactly what data is being collected, where it could be shared and how it could be used, and the protections the organization uses to keep the data safe. The opt-out notice usually accompanies this document, though it can be distributed separately. Both documents have to be distributed to all customers, and if any changes are made to the privacy notice, customers must be alerted and given the opportunity to opt out of the changed privacy notice. 

Learn more: A privacy notice sample from the federal government 

GLBA compliance

Who is required to comply?

GLBA applies to any companies that are actively and intensively engaged in “financial activities,” according to the Bank Holding Company Act. The FTC provides these details about what constitutes intensive financial activities:

• Lending, exchanging, transferring, investing for others, or safeguarding money or securities
• Providing financial, investment, or economic advisory services
• Brokering and servicing loans
• Debt collecting
• Providing real estate settlement services
• Career counseling

Tips for compliance

The FTC and data security experts make several recommendations for how an organization should build up its infrastructure and processes to follow GLBA:

• Establish data and metadata analysis best practices and consider using database management system software to stay organized.
• Set up internal audits and network audit checklists to make sure data practices are up to privacy and security standards.
• Train and retrain employees on GLBA best practices. Several learning management systems offer templated training, or an internal information security leader can develop training.
• Find reputable security providers and evaluate network security options that will fit the company’s digital environment.

Especially at smaller organizations with limited data management and technical expertise on staff, it may also be worthwhile to hire a third-party data manager to help stay in compliance:

“In my opinion, the best tip for complying with GLBA as a financial institution is to hire a managed data service,” said Lyle D. Solomon, an attorney at Oak View Law Group. 

“While larger institutions can dedicate massive resources to internal systems, many smaller institutions, such as auto dealerships and debt collectors, cannot manage the massive burden of keeping data safe on-premises, so working with a managed services partner is the smartest thing you can do.” 

“In this way, you let experts in data security and GLBA keep you in compliance. They maintain infrastructure, and they keep data secure, while accessing it remotely when there are several other regulations regarding on-site storage.”

GLBA enforcement

GLBA is primarily enforced by the Federal Trade Commission (FTC), but also by other groups like federal banking agencies, federal regulatory authorities, the Office of the Comptroller of the Currency (OCC), and state insurance oversight agencies.

Besides providing detailed information about the law and compliance best practices on its website, the FTC is also responsible for responding to violation complaints, issuing warning letters, and imposing fines and criminal charges if an organization is found in violation.

Non-compliance can have both financial and criminal penalties for the organizations in violation. Individuals who are found in violation can be fined up to $10,000 per violation and receive a prison sentence of up to five years. Organizations can also be held accountable and receive fines of up to $100,000 for each violation.

Benefits of GLBA

Although GLBA appears to be a regulation that mostly favors consumer wants and needs, in many ways, the law also benefits the institutions that it covers. 

Here are some ways that covered organizations and individuals benefit under GLBA:

• Financial institutions and professionals can now offer services across banking, investment, and insurance needs, which expands their portfolio and potential revenue streams.
• Customers feel that their financial institutions are being transparent with them, which helps build a relationship of trust with existing and future customers.
• The safeguards that companies put in place to comply with GLBA improve business security infrastructure.
• GLBA builds in requirements for better training and accountability for an institution’s employees at all levels.

These benefits improve the business intelligence and planning of a financial institution, but perhaps the biggest benefit of GLBA comes with its requirement that finance companies organize and truly know the whereabouts and contents of their data:

“Beyond the requirement to inventory and provide transparency into the usage of each piece of covered consumer data, organizations with a robust handle on their data can do so much more than attest to X amount of customer data used in Y ways,” said David Buckler, VP of product development at Flying Phase, a financial services consultancy. 

“Cataloging and context on each data element can give every analyst, from the mailroom to the boardroom, the tools to find and leverage data to make the organization smarter.”

Read Next: Best Threat Intelligence Platforms for 2021