Is Your Business GLBA Compliant for 2020?
GLBA, the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act), repealed the long-standing Glass-Steagall Act, which barred banks from providing investment and insurance services. GLBA now allows banks, securities firms and insurance companies to merge, thus spurring competition among these services.
GLBA's compliance regulations include the Financial Privacy Rule and the Safeguards Rule, which help protect the security and privacy of customer data, including against threats from pretexting. GLBA compliance is mandatory for banks and insurance companies.
The Federal Financial Institutions Examination Council (FFIEC) is charged with providing specific guidelines for evaluating institutions' compliance with GLBA (among other things). Enforcement falls to five agencies: the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).
Specifically, Section 501(b) of the Gramm-Leach-Bliley Act requires the FDIC, the FRB, the OCC, and the OTS to establish standards for financial institutions for protecting the security and confidentiality of consumers' nonpublic personal information.
Gramm-Leach-Bliley Act Titles
GLBA is divided into seven titles, which set out the major requirements and responsibilities of financial institutions, banks, securities firms, and insurance companies for protecting consumer privacy.
For a copy of the full text of GLBA, see the FFIEC.gov website.
TITLE I: Facilitating Affiliations Among Banks, Securities Firms, and Insurance Companies
TITLE II: Functional Regulation
TITLE III: Insurance
TITLE IV: Unitary Thrift Holding Company Provisions
TITLE V: Privacy
Subtitle A. Disclosure of Nonpublic Personal Information.
Subtitle B. Fraudulent Access to Financial Information.
TITLE VI: Federal Home Loan Bank System Modernization
TITLE VII: Other Provisions
GLBA Financial Privacy Rule
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the customer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the consumer, with whom that information is shared, how it is used, and how it is protected. The notice must also identify the consumer's right to opt out of having the information shared with unaffiliated parties, pursuant to the provisions of the Fair Credit Reporting Act.
6801. Protection of nonpublic personal information
(a) Privacy obligation policy
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
GLBA Safeguards Rule
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients' nonpublic personal information. (The Safeguards Rule applies to the information of any consumer, past or present, of the financial institution's products or services.) This plan must include:
Designating at least one employee to manage the safeguards,
Conducting a thorough risk analysis of each department that handles the nonpublic information,
Developing, monitoring, and testing a program to secure the information, and
Adjusting the safeguards as needed when the way information is collected, stored, and used changes.
This rule is intended to make financial institutions do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to perform a risk analysis of their current processes. No process is perfect, so in practice every financial institution has had to make some effort to comply with GLBA.
6801. Protection of nonpublic personal information
(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805 (a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards --
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
GLBA Pretexting Protection
Pretexting occurs when someone tries to gain access to nonpublic personal information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a phony website or email to collect data).
GLBA encourages the organizations it covers to implement safeguards against pretexting. For example, a well-written plan designed to meet the Safeguards Rule ("develop, monitor, and test a program to secure the information") would likely include a section on training employees to recognize and deflect inquiries made under pretext.
In fact, evaluating the effectiveness of such employee training should probably include a follow-up program of random spot-checks, "outside the classroom," after the initial training is complete. These spot-checks test how well a randomly chosen employee resists various types of "social engineering," and can be designed to focus attention on any new wrinkle that has arisen since the training curriculum was first developed.