Regulations help to maintain stability in the financial system by setting standards for sound risk management and by providing oversight of key financial institutions and markets. This helps to reduce the likelihood of financial crises and to mitigate the impact of crises when they do occur.
One of the most important laws that has been passed to keep the financial system stable is the Gramm-Leach-Bliley Act that mostly focuses on the three aspects of the financial system – Stability, Integrity, and Fairness of the financial system. GLBA compliance plays a critical role in protecting the rights of consumers and investors.
This blog looks at different aspects of GLBA compliance and how understanding it can be useful for an organization.
The Gramm-Leach-Bliley Act (GLBA) is a federal law that was enacted in the United States in 1999. The GLBA is also known as the Financial Services Modernization Act. It regulates the collection, use, and sharing of personal financial information by financial institutions and their service providers. The act requires these institutions to give consumers privacy notices that explain their information-sharing practices, and to protect the security and confidentiality of their customers’ nonpublic personal information.
It also reminds them of their right to opt-out if they prefer their sensitive data to be kept confidential and not shared with third parties.
The Federal Deposit Insurance Corporation (FDIC) is an independent agency tasked with imposing the standards established by the GLBA. To be GLBA compliant, Financial institutions must develop privacy policies and enforce best practices that comply with the main components of the Gramm-Leach-Bliley Act, which include the following:
The GLBA Financial Privacy Rule:
The GLBA Safeguard Rule:
The GLBA Safeguard Rule, as the name implies, requires financial institutions to have set rules in place to “safeguard ” Non-personal Public Information (NPI). The Safeguard Rule has two main components. The first is to establish safeguards or security protocols to protect all Non-personal Public Information, and the second is to notify customers if a customer’s NPI has been compromised. The Safeguard Rule also required institutions to designate at least one person responsible for all aspects of information security.
The GLBA Pretexting Rule:
The Pretexting rule lays down a set of provisions that prevent organizations from collecting customer information under false pretenses.
To be GLBA compliant as a financial institution, you must adhere to the above rules prescribed by the GLBA by creating bespoke privacy policies and procedures that work best for your organization.
Requirements of GLBA Compliance
The GLBA requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect Non-public Personal Information from unauthorized access or disclosure.
Being GLBA compliant also includes providing customers with an annual privacy notice, having procedures for responding to customer inquiries and complaints, and having an incident response and business continuity plan.
It’s important to note that compliance with the GLBA is an ongoing process, and frequent review is required to ensure that your institution is still in compliance with the GLBA.
Data Covered by GLBA
Non-personal Public Information (NPI) is the primary goal of the GLBA. The following data falls under the purview of the GLBA:
- Personal information such as names, birthdates, addresses, social security data, biometric data, and data about education and academic performance, as well as employment data.
- Financial information such as personal income, data on bank accounts, tax information, and credit history.
- Other forms of data such as those obtained from the internet, geolocation data, and the dates generated by inferences drawn from all of the above data.
Organizations Regulated by GLBA
Any company or entity, no matter its size, that is engaged in providing financial products or services in any shape or form falls under the purview of the GLBA. These entities designed as “Financial Institutions” as per lay may include the following:
- Insurance Agencies
- Non-Banking Credit
- Payday lenders
- Investment Management Companies
- Credit facilities
- Debt Collection Agencies
- Courier Services
- Rental Services
- Mortgage Brokers
- Real Estate Appraisers
Penalties for GLBA Non-Compliance
Penalties for GLBA non-compliance can be in the form of fines and imprisonment.
- Institutions can be subjected to a civil penalty of not more than $100,000 per violation.
- Officers or directors of institutions that are non-compliant with the rules prescribed by the GLBA are liable for a civil penalty of $10,000 per violation.
- Non-compliance with GLBA rules can lead to imprisonment of not more than a period of five years under Title 18 of the United States Code.
GLBA and GDPR
The European Union’s General Data Protection Regulation (GDPR) is a law similar to the GLBA, with the difference being that it applies to any organization that processes the personal data of any citizen that belongs to the E.U., regardless of which part of the globe the organization is located in.
While the end goals of the two laws are the same, there are a few differences between the two.
- Scope: GLBA applies only to financial institutions, while GDPR applies to any organization that processes the personal data of E.U. citizens.
- Penalties: GDPR has much higher fines for non-compliance, up to 4% of a company’s annual global revenue or €20 million (whichever is greater)
- Right to be forgotten: GDPR gives individuals the right to have their personal data erased, while there is no such provision in GLBA.
Criticism and Problems with the GLBA
Some common criticisms of the GLBA include the following:
- The GLBA is an oddity, to say the least. On one side, it is complex, and on the other, it does not provide specific standards to protect NPI, making it difficult for financial institutions to understand and comply with it.
- The GLBA also only applies to financial institutions operating in the U.S., which means that financial and foreign financial institutions may not be subject to the law even if they are doing business with U.S. customers.
- Another common criticism of the GLBA is that it was enacted in 1999 and has not been updated to address new technologies and forms of data collection and sharing and new forms of data breaches, such as data breaches on the cloud.
Overall, GLBA’s critics argue that the law is outdated and needs to be updated to address new technologies, new forms of data breaches, new forms of data use and access, and improved enforcement.
Best Practices for GLBA Compliance
The best practices for GLBA compliance include developing a comprehensive Written Information Security Program (WISP) that addresses administrative, technical, and physical safeguards.
Here are the three best practices that help in adhering to GLBA compliance.
Conduct regular risk assessments to identify potential threats to the security and confidentiality of customer information. This includes assessing physical, technical, and administrative controls in place to protect this information.
Here are some steps that can be taken to assess risk:
- Identify the types of customer information that is collected, stored, and processed by your organization. This includes personal identifying information (PII), financial information, and sensitive personal information.
- Determine where and how this information is stored and transmitted. This includes both physical and digital locations and systems.
- Evaluate the current controls in place to protect this information, including physical security measures, technical controls such as encryption and access controls, and administrative policies and procedures.
- Identify potential vulnerabilities and assess the likelihood and impact of a security breach or unauthorized access to customer information.
Identify and Prioritize Vulnerabilities:
Identify potential vulnerabilities and assess the likelihood and impact of a security breach or unauthorized access to customer information.
Here are some methods that can be used to identify vulnerabilities:
- Conducting internal and external vulnerability assessments: Internal vulnerability assessments can be conducted by your organization’s IT or security team, while external vulnerability assessments can be performed by a third-party security firm. These assessments can identify vulnerabilities in your organization’s systems, networks, and applications.
- Penetration testing: Penetration testing simulates an attack on your organization’s systems and networks to identify vulnerabilities that could be exploited by attackers.
- Regularly monitoring and analyzing security logs: Regularly monitoring and analyzing security logs can help identify unusual or suspicious activity that may indicate a vulnerability or attempted attack.
- Employee feedback: Employee feedback can also be used to identify vulnerabilities. Employee training and awareness programs can help employees identify and report potential vulnerabilities.
Test effectiveness of Controls:
Here are some methods that can be used to review and test the effectiveness of controls:
- Auditing: Auditing involves reviewing and evaluating the effectiveness of controls by assessing the design, implementation and operational effectiveness of the controls.
- Compliance monitoring: Regular monitoring of compliance with GLBA regulations and industry standards can help identify areas where controls may not be effective.
- Incident response testing: Regularly testing incident response plans and procedures can help identify any gaps or weaknesses in your incident response capabilities and ensure that your organization is prepared to respond to security incidents.
- Continuous monitoring: A continuous monitoring program allows you to keep track of the security of your systems, networks, and applications, and identify new vulnerabilities as they arise.
Institutions should also implement safeguards to prevent unauthorized access, disclosure, alteration, or destruction of non-public personal information (NPI). They should also review and update the WISP regularly, train employees on the WISP and their responsibilities, conduct regular risk assessments, and put incident response and business continuity plans in place.
The GLBA’s primary goal is to safeguard sensitive NPI. It is important to note that GLBA compliance is an ongoing process. Financial institutions should review their information security programs regularly to ensure that they comply with the GLBA and effectively protect customer information. This will not only save organizations money in penalties and reputational damage but will also increase customer trust.
The AppSealing mobile app security platform was created to help financial institutions, or any organization selling financial products or services, to securely collect, share and use customers’ PII and Nonpublic Personal Information (NPI). AppSealing’s top-notch encryption architectures offer companies complete protection for all sensitive data in their networks.