GLBA compliance isn’t something to take lightly. These measures are strictly enforced by the Federal Trade Commission (FTC). In 2018, for instance, Venmo and its parent company PayPal reached a settlement after complaints about the company’s handling of privacy disclosures. The peer-to-peer payment app had 150 days to adhere to GLBA compliance, or it faced fines of up to $41,484 per violation.
Fortunately, GLBA regulations are relatively straightforward; meeting GLBA compliance can be achieved with common-sense security measures, employee training, and regular privacy disclosures. Here’s what financial institutions need to know about GLBA compliance.
What is GLBA compliance?
First, what does GLBA stand for? GLBA is the Gramm-Leach-Bliley Act. This federal act was passed in 1999 under President Clinton. The goal of the GLBA was to update and modernize the financial industry. It is best known for repealing the Glass-Steagall Act, an act created in the wake of the stock market crash in 1929 to protect bank depositors from additional exposure to risk.
Among other things, GLBA includes measures to protect consumer financial privacy. GLBA requires “financial institutions” — e.g., any companies that offer financial products or services, such as loans, bank accounts, or investment advice — to explain their information-sharing practices to customers. GLBA compliance also requires putting measures in place to keep sensitive data secure.
The FTC, which oversees the GLBA, defines financial institutions as those which participate in:
- Loans, exchanges, money transfers, or investments for others, as well as safeguarding money or securities. “These activities cover services offered by lenders, check cashers, wire transfer services, and sellers of money orders,” according to the FTC.
- Offering financial, investment, or economic advice. “These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors,” wrote the FTC.
- Brokering and/or servicing loans
- Debt collection
- Real estate settlement services
- Career counseling for those seeking work in the financial services industry
There are penalties for not complying with GLBA requirements. Financial institutions that don’t adhere to the GLBA financial privacy rule are subject to civil penalties that can add up to $100,000 for each violation. In addition, officers or directors of the institution may be personally liable for civil penalties of up to $10,000 per violation. The most serious violations could be subject to further fines, and even imprisonment of up to five years.
GLBA compliance requirements
GLBA compliance requirements are divided into three sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions.
The Financial Privacy Rule
The Financial Privacy Rule is the core component of the GLBA. The Privacy Rule requires a financial institution to notify customers about its privacy policies and protect the confidentiality of customer data. A privacy notice must be shared with a customer when the relationship is established and whenever the policy changes.
One of the tricky parts of the Privacy Rule is the distinction between a customer and a consumer. The financial institution is only responsible for protecting the information of a customer, not a consumer. A consumer, according to the rule, is “an individual who obtains or has obtained a financial product or service from a financial institution primarily for personal, family, or household purposes — or that individual’s legal representative.” A customer, on the other hand, is “a subclass of consumer who maintains a continuing relationship with a financial institution.”
The Privacy Rule covers a customer’s nonpublic personal information (NPI), which is, essentially, the same as PII. For more specifics about the Privacy Rule and what is considered NPI, read the detailed guide on the FTC website.
The Safeguards Rule
If the Financial Privacy Rule covers the “what” — what customer information a financial institution needs to protect — the Safeguards Rule covers the “how.” This rule outlines what security measures a financial institution needs to take to keep NPI from falling into the wrong hands.
A central component of the Safeguards Rule is the detailed, written security plan that financial institutions must create to ensure customer data is protected.
“The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. Since companies vary in size and complexity, the requirements are flexible. That flexibility can make compliance complex,” explained one expert.
Notably, financial institutions must also ensure that any affiliates or third-party vendors they work with implement procedures to protect customer data.
The Pretexting Provisions
Finally, the Pretexting Provisions address social engineering, which is the practice of manipulating people to gain access to buildings, systems, or data. The GLBA expects organizations to reduce the risk of pretexting (social engineering) by implementing security measures to prevent unauthorized access to NPI.
Social engineering can include not only pretexting but also methods such as phishing, spoofing, and ransomware. One of the most effective ways to reduce the risk of social engineering is through employee training and data loss prevention tools.
GLBA compliance checklist
To be compliant with GLBA requirements, ensure your financial institution meets the following criteria.
The Privacy Rule
- Send a clear, unambiguous Privacy Notice. This notice must include:
  - Your company’s privacy practices
  - The type of information it collects and retains on a consumer/customer
  - Any partners or individuals with whom it shares the information
  - How the institution protects that information
- In your Privacy Notice, provide Opt-Out information: an explanation that customers/consumers have a right to decline to share certain information with affiliate companies.
The Safeguards Rule
While the Safeguards Rule is relatively non-prescriptive, it does require the following elements:
- Assign one or more employees to develop and coordinate an information security program
- Perform a risk assessment to identify risks to customer information in every area of the company; evaluate existing safeguards to combat these risks
- Design and implement an information security program; regularly monitor and test the efficacy of your protections
- Offer regular employee data security training
- Work with service providers that are able to maintain safeguards; ensure contracts require partners to implement and regularly maintain these safeguards
- Modify and update the security program as needed to ensure it is still effective at protecting customer data
The Pretexting Rule
- Host regular employee training to help team members identify and avoid the risk of pretexting.
- Implement a safety net in the form of multi-factor authentication, spam filters, data loss prevention, and other security solutions.
A data loss prevention (DLP) platform that integrates into your cloud programs can help your IT team monitor for data leaks. Nightfall is one DLP platform that uses machine learning to scan data with over 150 machine learning-based detectors, alerting team members when they share NPI that is protected by GLBA compliance regulations in potentially unsafe ways across cloud applications, like Slack, GitHub, and Google Drive. The platform provides a way to quickly remediate any security issues by notifying admins and quarantining or deleting data.