Understanding GLBA Compliance [w/ Free Checklist!]

The Gramm-Leach Bliley Act (GLBA) — also known as the Financial Services Modernization Act of 1999 — was enacted by the United States Congress to protect consumer financial privacy. Per the Federal Trade Commission (FTC), GLBA:

 “…requires financial institutions — companies that offer consumers financial products or services like loans, financial or investment advice, or insurance — to explain their information-sharing practices to their customers and to safeguard sensitive data.”

To fully understand how and why GLBA came to be, we’ll need to review a little history.

In 1933, Congress enacted the Banking Act as a response to the U.S. stock market crash in 1929. The Banking Act imposed numerous banking reforms, established the Federal Deposit Insurance Corporation and, perhaps most notably, included four central provisions collectively referred to as the Glass-Steagall Act. The provisions included in the Glass-Steagall Act prohibited commercial banks for engaging in investment banking activities, and vice versa.

In 1998, Citicorp, a commercial bank holding company, merged with Travelers Group, an insurance company, to form Citigroup. The merger was deemed a violation of both the Glass-Steagall Act and the Bank Holding Company Act of 1956; however, the Federal Reserve issued Citigroup a temporary waiver. This merger — as well as financial institutions’ claims that Glass-Steagall prevented them from competing with foreign financial firms — prompted legislators to reconsider Glass-Steagall’s provisions.

There was one major problem: Allowing commercial banks, investment banks, securities firms and insurance companies to merge would give financial institutions unfettered access to massive quantities of personal financial and health information, thereby increasing the risk to consumers in the event of a possible data breach. In light of that, GLBA — which ultimately repealed Glass-Steagall, making such mergers legal — includes strict security provisions and enforces severe penalties for non-compliance.

GLBA includes three key measures designed to ensure data security. Before we discuss those measures, let’s first establish some basic GLBA compliance-related terminology

• Financial Institutions: This essentially refers to any institution that engages in financial activities as defined by the Banking Holding Company Act, including exchanging, transferring or safeguarding money, providing financial advisory services and brokering or servicing loans.
• Nonpublic Personal Information (NPI): The FTC defines NPI as “any ‘personally identifiable financial information’ that a financial institution collects about an individual in connection with providing a financial product or service.” Common examples of NPI include name, date of birth, Social Security number and transactional data. NPI does not include publicly available information — that is, any information included in federal, state or local government records made available to the public, or information that is in “widely distributed media.”
• Consumer: Per the FTC, a consumer is “someone who obtains a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person’s legal representative.” As such, commercial clients are not considered “consumers.”
• Customer: The terms “consumer” and “customer” are not used interchangeably in GLBA parlance. Instead, a “customer” is a subset of consumer, specifically one that has a continuing relationship with a financial institution.

To help illustrate the difference, an individual who withdraws cash from a bank’s ATM is a consumer, while someone who opens a credit card account with that same bank is a customer. Another example: An individual who applies for a loan with a mortgage lender is a consumer, but if they’re approved for that loan, they become a customer — and so on.

Now let’s talk GLBA compliance measures. As noted, there are three:

• The Financial Privacy Rule requires financial institutions to issue a written notice to customers explaining their privacy policies and practices. Financial institutions must remind customers of these privacy policies and practices on an annual basis for the remainder of the customer relationship.The Financial Privacy Rule also stipulates that — barring certain exceptions — should a financial institution disclose a customer’s NPI to a nonaffiliated third party, they must notify the customer of said disclosure and offer the customer the ability to opt out of the disclosure.

  The rule is slightly different for consumers: If a financial institution were to disclose a consumer’s NPI to a nonaffiliated third party, they would have to issue a privacy notice and opt-out notice to that consumer, same as they would a customer; however, the institution could choose to issue a short-form notice instead of a full privacy notice. Financial institutions that don’t share consumer NPI with nonaffiliated third parties, or that only share NPI within the exceptions, are under no obligation to issue a privacy notice to consumers.

• The Safeguards Rule “requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.” These “measures” specifically refer to a written information security program. According to part 314 of 16 CFR, in order to achieve GLBA compliance, a financial institution’s information security program must:
  • Designate an employee (or employees) to coordinate the program
  • Include a complete assessment of all internal and external risks to the security, confidentiality and integrity of customer information; this risk assessment should extend to all relevant operations, including employee training and management, information systems, threat detection systems and disaster recovery
  • Design and implement information safeguards to control any risks identified during the assessment
  • Oversee service providers by partnering with providers capable of maintaining the appropriate safeguards for customer information and requiring service providers by contract to implement and maintain such safeguards
  • Be regularly evaluated and updated based on the results of testing and monitoring

As is evident from the information security program requirements, the GLBA Safeguards Rule applies not only to financial institutions, but to any service providers or third-party affiliates they might partner with.

• Finally, the GLBA’s Pretexting Provisions are designed to prevent unauthorized individuals from gaining access to customer information under false pretenses. To comply with these provisions, financial institutions are required implement security measures to detect and mitigate unauthorized access, such as training employees to recognize phishing, social engineering and other pretexting scams.

Although there isn’t a direct correlation between GLBA and the Health Information Portability and Accountability Act (HIPAA), there’s quite a bit of overlap between their respective data protection requirements. For example, both regulations require organizations to establish written information security programs, to communicate privacy policies and procedures to customers or patients and to conduct routine compliance monitoring.

Certain financial institutions might participate in “non-banking activities,” such as insurance and underwriting, which involve handling protected health information. As a result, these organizations are subject to both GLBA and HIPAA. For institutions that find themselves in this situation, it’s typically best to start by developing a HIPAA compliance policy and then expanding it to include GLBA compliance.

It is the duty of every financial institution to be a good steward of data security and to ensure the privacy of its customers and consumers, and GLBA compliance is integral to that mission. What’s more, GLBA compliance also comes with clear benefits for financial institutions, such as increased customer satisfaction and loyalty and a stronger brand reputation.

On the flip side, institutions that fail to comply with GLBA could find themselves subject to severe penalties, including fines of up to $100,000 for each infraction. And institutions aren’t the only ones at risk: If found in violation of GLBA, an officer or director could also face fines of up to $100,000 per infraction, imprisonment for up to five years or both.

Considering both the benefits of GLBA compliance and the risks of non-compliance, it’s in financial institutions’ best interest to carefully study the letter of the law and implement a GLBA compliance strategy accordingly.

To further illustrate the importance of GLBA compliance, let’s look at some high-profile GLBA violation examples:

• On December 15, 2020, Ascension Data & Analytics, a data analytics company serving the mortgage industry, settled with the FTC over charges that it had violated the GLBA Safeguards Rule.
  According to the allegations, Ascension failed to properly vet the security practices of OpticsML, a third-party vendor the institution had hired to perform text recognition scanning on mortgage documents. The documents in question — which OpticsML stored on a cloud-based server in plain text without any protections to block unauthorized access — allegedly contained large quantities of NPI, including the names, dates of birth, Social Security numbers, loan information, credit and debit account numbers and more of over 60,000 mortgage holders.

  According to the terms of the settlement, Ascension is required to implement a data security program, undergo biennial assessments of said program until 2030 and report any future data breaches to the FTC within 10 days of notifying other federal or state government agencies. Additionally, a senior company executive is expected to certify annually that the company is compliant with the FTC’s order.

• Online tax preparation service TaxSlayer agreed to settle with the FTC on August 29, 2017 over charges related to a 2015 data breach. According to the FTC’s official statement, “malicious hackers were able to gain full access to nearly 9,000 TaxSlayer accounts between October 2015 and December 2015,” which they then used to engage in tax identity theft.

  TaxSlayer was charged with violating both the Safeguards Rule for failing to develop and implement an adequate information security program until November 2015 and the Privacy Rule for failing to provide customers with a conspicuous initial privacy notice.

  Much like Ascension, TaxSlayer is now required to undergo biennial assessment for its data security program until 2027; the FTC also placed a 20-year moratorium on Safeguards Rule and Privacy Rule violations for the company.

• PayPal (operating as Venmo) settled with the FTC on February 27, 2018 over multiple charges — among them, that the popular mobile payment service violated the Privacy Rule by:

  “…failing to provide users with a clear initial privacy notice, failing to deliver it in a way that each consumer could be reasonably expected to receive it, and by distributing a notice that didn’t accurately affect its practices.”

  The FTC also alleged that Venmo violated the Safeguards Rule by failing to have a written information security program in place prior to August 2014 and failing to implement security safeguards until March 2015. Per the terms of the settlement, Venmo is required to disclose its transaction and privacy practices and comply with the Safeguards Rule and Privacy Rule; the company is also required to undergo biennial assessments of its GLBA compliance until 2028.

Achieving and maintaining GLBA compliance doesn’t have to be an uphill battle. Here’s a list of best practices to help ensure that your financial institution adequately protects your customers’ privacy:

• Develop a comprehensive understanding of GLBA requirements — after all, you can’t know what you don’t know. Be sure to conduct careful research and consult compliance experts for additional guidance.
• Hold regular briefings with your board to address trending topics related to information security in order to enhance overall awareness and capitalize on the latest advancements.
• Establish a Privacy Notice detailing your company’s privacy practices and make it available to the public.
• Notify both customers and consumers of any and all NPI disclosures to nonaffiliated third parties, demonstrably giving them the opportunity to opt out of each disclosure.
• Conduct an in-depth assessment to identify any potential risks to the security, confidentiality and integrity of customers’ NPI. Once your assessment is complete, develop an information security program that accounts for these potential risks.
• Develop a comprehensive information security program that not only accounts for risks identified during your assessment, but also leverages the latest security technology, such as firewalls, spam filtering, multi-factor authentication and encryption.
• Invest in a secure information archiving solution to help ensure that any NPI shared over email or text/SMS message is kept confidential.
• Appoint a compliance officer with GLBA-specific expertise to help develop and coordinate your institution’s information security program.
• Add language to contracts with third-party service providers requiring them to implement and maintain appropriate safeguards for customer information.
• Update employee training based on new information security program guidance and lead routine data security and privacy policy training sessions to help make privacy an embedded part of company culture.
• Develop a comprehensive disaster recovery plan to ensure the security of customer data in the event of systems failure.
• Introduce automation wherever possible to help free up your security team and streamline GLBA reporting.
• Review and update your GLBA compliance strategy on a routine basis, making adjustments based on any regulatory changes and incorporating the latest security advancements.

No need to memorize all of these best practices — you can download this free GLBA compliance checklist by simply clicking the button below:

Get the Checklist >>

When you operate in an industry as heavily regulated as the financial services sector, it’s essential that every solution within your software ecosystem be designed to support compliance — including your electronic archiving platform.

That’s why all of Intradyn’s archiving solutions include robust security features, such as easy redaction tools, role-based permissions and authentication, 256-bit Advanced Encryption Standard technology and more. Whether it’s GLBA, FINRA, SOX or any other industry-specific regulations, Intradyn has what it takes to help financial institutions remain compliant.

Contact us today to learn more.