Is Your Business GLBA Compliant for 2020?

GLBA, the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act), repealed the long-standing Glass-Steagall Act, which barred banks from providing investment and insurance services. GLBA now allows banks, investment securities houses and insurance companies to merge, thus spurring competition among these services.

GLBA compliance regulations include the Financial Privacy Rule and the Safeguards Rule, which help protect customer data security and privacy, including against threats from pretexting. GLBA compliance among banks and insurance companies is mandatory.

The Federal Financial Institutions Examination Council (FFIEC) is charged with providing specific guidelines for evaluating institutions for compliance with GLBA (among other things). Enforcement falls to five agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).

Specifically, Section 501(b) of the Gramm-Leach-Bliley Act requires the FDIC, the FRB, the OCC, and the OTS to establish financial institution standards for protecting the security and confidentiality of consumer nonpublic personal information.

Gramm-Leach-Bliley Act Titles

GLBA lists seven major requirements and responsibilities for all financial institutions, banks, securities firms, and insurance companies to protect consumer privacy.

For a copy of the full GLBA Act, see website.

TITLE I: Facilitating Affiliations Among Banks, Securities Firms, and Insurance Companies

TITLE II: Functional Regulation

TITLE III: Insurance

TITLE IV: Unitary Thrift Holding Company Provisions

TITLE V: Privacy
Subtitle A. Disclosure of Nonpublic Personal Information.
Subtitle B. Fraudulent Access to Financial Information.

TITLE VI: Federal Home Loan Bank System Modernization

TITLE VII: Other Provisions

GLBA Financial Privacy Rule

The GLBA Financial Privacy Rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information.

The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act.

Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement.

6801. Protection of nonpublic personal information

(a) Privacy obligation policy
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

GLBA Safeguards Rule

The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company protects, and plans to continue protecting, client nonpublic personal information. (The Safeguards Rule applies to the information of any consumer, past or present, of the financial institution's products or services.) This plan must include:

Designate at least one employee to manage the safeguards,

Construct a thorough [risk management] review of each department handling the nonpublic information,

Develop, monitor, and test a program to secure the information, and

Change the safeguards as needed with the changes in how information is collected, stored, and used.

This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to perform a risk analysis of their current processes. No process is perfect, so in practice every financial institution has had to make some effort to comply with GLBA.

6801. Protection of nonpublic personal information

(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards:
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

GLBA Pretexting Protection

Pretexting occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a phony website or email to collect data).

GLBA encourages the organizations it covers to implement safeguards against pretexting. For example, a well-written plan designed to meet the Safeguards Rule ("develop, monitor, and test a program to secure the information") would likely include a section on training employees to recognize and deflect inquiries made under pretext.

In fact, evaluating the effectiveness of such employee training should probably include a follow-up program of random spot-checks "outside the classroom" after the [initial] training is complete, to test a randomly chosen employee's resistance to various types of "social engineering". These spot-checks can also be designed to draw attention to any new wrinkle that has arisen since the [initial] effort to "develop" the training curriculum.