Financial institutions often share their customers’ and consumers' financial information with business partners and affiliates. In order to protect citizens’ privacy and decrease the likelihood of identity theft, in 1999 the United States Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act.
The GLBA places a requirement on companies that operate as "financial institutions" to divulge their information-sharing practices and procedures, explain them to their customers, and safeguard and protect sensitive data.
The GLBA defines a financial institution as any company that offers and provides financial products and services to its customers, such as loans, insurance, or financial advice. It is a very broad definition – there are companies in the market that might not perceive themselves as financial institutions but nevertheless fall under the GLBA.
As a result, it is prudent for all executive-level officers and in-house legal counsel staff to be familiar with the foundations of GLBA compliance. Even if a company is GLBA compliant or does not fall under the scope of the act now, it risks becoming non-compliant with each change, transformation, or major business initiative. Such events might cause the company to stop being GLBA compliant, which could lead to protracted investigations, fines, and other repercussions.
For example, just earlier this year, in re FTC v. RCG Advances, the FTC settled allegations that a small-business financing firm and its principals violated the GLBA. The settlement amounted to $675,000. In another example, four years ago, the FTC settled with Venmo over charges of misleading consumers. The peer-to-peer payment service provider is still facing the consequences in the form of periodic external audits of its systems.
To provide comprehensive insight on the matter, we've created this article, as well as a downloadable GLBA compliance checklist. Read on to find out more.
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013. If you need assistance with compliance or fintech regulations, click here.
GLBA Compliance Guide: What is the Scope?
Established over two decades ago, the GLBA was initially envisaged as a response to concerns that arose in the insurance, securities, and financial services sectors. However, the GLBA surpassed its initial purpose and went on to establish affirmative, ongoing obligations for companies that mandate consumer privacy and personal data safeguarding at all times.
The act delineates the limits for sharing and disclosing nonpublic personal information (“NPI”) by any company it considers a financial institution.
Essentially, the GLBA prescribes that:
Financial institutions must inform and notify their consumers about information-sharing practices.
Their customers must be offered the opportunity to opt-out.
Any entities in possession of sensitive consumer financial information obtained from a financial institution may be restricted when it comes to redisclosure and reuse.
Which Regulator Has GLBA Responsibility?
The US Federal Trade Commission (FTC) serves as the primary caretaker of the GLBA provisions. As the FTC explains, the GLBA applies to "all businesses, regardless of size, that is ‘significantly engaged’ in providing financial products or services." This broad approach means that some companies, not traditionally considered to be financial institutions, are also targeted. For example, these could include:
Payday lenders
Non-bank lenders
Check-cashing businesses
Mortgage brokers
Personal property or real estate appraisers
Professional tax preparers
Courier services
Retailers that issue branded credit cards
Additionally, the GLBA also applies to entities like credit reporting agencies and ATM operators if they receive customer information from other financial institutions. GLBA compliance is mandatory whether or not a company actually discloses customer NPI. Strong policies must be in place to ensure the protection of such sensitive information from any foreseeable threats, be it from a security or a data integrity standpoint.
There is clearly ample room for debate and disagreement, and a case-by-case assessment is needed to determine whether the particular activities of a company constitute "significant engagement."
When assessing your GLBA compliance responsibilities it is paramount to engage both internal legal counsel and external expert assistance. To find out more about the GLBA Privacy Rule, stay alert for the next part of our article series on GLBA Compliance.
GLBA Privacy Rule
The GLBA Privacy Rule stipulates that, for a company to be considered a GLBA financial institution, it must be "significantly engaged" in financial activities. All circumstances and facts of your corporate operations connected to financial activities must be taken into account to determine whether "significant engagement" is taking place.
FTC ‘Significantly Engaged’ Standard
This standard, created by the FTC, intends to exclude some auxiliary activities that the GLBA Privacy Rule could otherwise cover.
Two factors stand out as distinctly necessary to define "significant engagement" in financial activity, according to the FTC.
First, it needs to be established whether there is a formal arrangement. For example, a retail company offering its consumers credit via the issuance of its own credit card would fall under the GLBA Privacy Rule. Conversely, a store owner who, for example, "runs a tab" for customers would not be considered to be significantly engaging in financial activities.
Second, it must be determined how often the business engages in financial activities. For instance, if a company regularly transfers money to and from its consumers, it would be covered by the GLBA Privacy Rule. Conversely, a retailer that allows some consumers to make payments via an occasional layaway plan would not be significantly engaged.
Consumers vs. Customers
If your company is a financial institution, your responsibilities are directly tied to whether your clients are "consumers" or "customers."
Per the FTC's explanation, a consumer "is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative."
Customers are "a subclass of consumers who have a continuing relationship with a financial institution. It's the nature of the relationship - not how long it lasts - that defines [a company's] customers."
Complying with the Privacy Rule (GLBA)
A privacy notice must be provided when a customer relationship is formed and each following year after that.
This notice must clearly explain what information is being collected, with whom that information is being shared, how it is being used, and what is done to protect it. The privacy notice must underline the customer's right to opt out and not have their NPI shared with unaffiliated parties.
The GLBA Privacy Rule applies its protective provisions to a consumer's nonpublic personal information ("NPI"). NPI is any "personally identifiable financial information" of an individual that a financial institution collects in relation to providing financial services or products and that is not otherwise publicly available.
On the other hand, NPI does not include any information for which there is a reasonable basis to believe it is "publicly available" in accordance with the law.
Privacy Notices
The GLBA Privacy Rule mandates that financial institutions provide their consumers with "clear and conspicuous" notices, in writing, regarding privacy policies and practices. These annual privacy notices must be delivered "for as long as the customer relationship lasts." In accordance with the Privacy Rule, the privacy notices must include certain pieces of information including, but not limited to:
NPI categories the company collects
NPI categories the company discloses to third parties
Company's policies for data confidentiality and data security
Any and all Fair Credit Reporting Act (FCRA)-required disclosures
Opt-Out Notices
Those financial institutions that share NPI with unaffiliated third parties are also obliged to provide their consumers with opt-out notices. These opt-out notices must give "reasonable means" to choose for the NPI not to be shared with anyone.
Companies are also required to provide for "reasonable opportunity" for their consumers to use this opt-out right.
The FTC suggests, for example, a period of 30 days after the opt-out notice is delivered.
Redisclosing and Reusing NPI
In addition to all requirements established with respect to NPI obtained directly from consumers, the GLBA Privacy Rule also institutes requirements for all the other cases in which a company obtains NPI from unaffiliated third parties.
The FTC points out that it is mindful of the fact that the ability of a financial institution to redisclose and reuse NPI received in such a way is "limited." Specific limitations are determined on the basis of "how the information is disclosed."
GLBA Safeguards Rule
While the GLBA Privacy Rule focuses primarily on notice and disclosure, the GLBA Safeguards Rule centers around how NPI is protected. It mandates that financial institutions develop an information security plan in writing that describes all of the procedures and processes seeking to protect client NPI.
GLBA Safeguards Rule Requirements
A thorough risk analysis of each department of the company that handles NPI is required. Other departments that monitor, develop, or test programs to secure NPI will also be evaluated. Should any of the methods of collecting, using, or storing information be changed in any way, the safeguards must be updated as well.
How to Comply with Safeguards Rule
The FTC advises how best to comply with the GLBA safeguards rule, starting with the security plan itself. This plan must be appropriate to the size of the company, as well as its complexity, the breadth of its activities, and its nature, considering the sensitivity of all client information being handled.
According to the FTC, as part of the security plan, every company must:
Designate employees to coordinate the information security program;
Identify and assess the risks to customer information in each relevant operational area, and evaluate current safeguard effectiveness for controlling these risks;
Design and implement the NPI safeguards program;
Regularly monitor and test the NPI safeguards program;
Select service providers that maintain appropriate safeguards, ensure they are contractually obliged to maintain safeguards and oversee their handling of customer information; and
Evaluate and adjust the program considering relevant circumstances, including changes in the firm's business or operations, or security testing and monitoring results.
The FTC's guidance for GLBA compliance in light of the Safeguards Rule covers items ranging from data encryption to document shredding. Within each of these broad approaches, companies could potentially encounter several individual risks and responsibilities.
The necessary course of action, of course, ultimately depends on the specific case-by-case risks each corporate operation structure presents.
Security and Encryption
In GLBA Section 501, which deals with the protection of NPI, a requirement is placed on financial institutions to initiate adequate standards regarding technical, administrative, and physical safeguards of client records and information. The GLBA Data Protection Rule defines the extent of these safeguards, requiring financial institutions to:
Ensure the security and confidentiality of customer data.
Protect against any reasonably anticipated threats or hazards to the security or integrity of such data.
Protect against unauthorized access to, or use of, such data that would result in substantial harm or inconvenience to any customer.
While some federal agencies supervise financial institutions, the Federal Financial Institutions Examination Council (FFIEC) devises and oversees the audits for most of them.
The FFIEC publishes the IT Examination Handbook that provides guidance on IT security controls for protecting NPI. According to the handbook, financial institutions should use encryption to mitigate the risk of disclosure or alteration of sensitive information during transit or storage.
The implementations of encryption ought to include:
Validation that the encryption strength is sufficient to protect the information from disclosure until such a time when disclosure poses no material risk
Effective key management practices
Robust reliability
Appropriate protection of the encrypted communication's endpoints
GLBA 2023 Safeguards Rule Updates Include New Data Privacy Requirements
A decades-old financial services law is changing, raising the bar for cybersecurity and data privacy compliance and posing new challenges for a wide range of businesses that gather client financial data, including tax preparers, higher education institutions, car dealerships, travel agencies, career counselors, and more.
As of June 2023, the GLBA’s Safeguards Rule updates provide comprehensive guidelines for creating a strong information security program. These guidelines cover documentation, testing, reporting, and using methods like encryption and multifactor authentication.
The Safeguards Rule requires businesses that provide financial products or services to consumers to safeguard sensitive data and notify clients of their information-sharing policies. The revised GLBA Safeguards Rule broadened the list of covered enterprises to include "finders," or businesses that connect buyers and sellers of goods or services.
The new requirements also expand state data privacy rules. Amid those changes, some covered entities may not understand the extent of the GLBA shifts, while others — typically smaller accounting or brokerage firms — often lack the in-house resources to handle the accompanying cybersecurity requirements. Even larger organizations that track GLBA but whose focus lies outside financial services may not yet have programs in place to address the new requirements.
Failure to comply could be costly, with each violation potentially resulting in a fine of up to $100,000.
Below, we discuss the new rules, which types of entities are affected, and the steps organizations should take now to ensure compliance and avoid costly penalties.
GLBA Compliance Checklist
To help unpack the GLBA Safeguards Rule, we've compiled a short checklist of actionable key steps to ensure compliance with the Safeguards Rule.
Get to know the GLBA. A deep understanding of how the GLBA functions and how it affects your organization is paramount. Sitting down with an expert and reviewing the GLBA is most advisable. A compliance expert will provide a clear, accurate, and thorough overview of how the GLBA applies to your corporate operations.
Perform a vigorous risk assessment. A proper risk assessment allows you to map out your current situation with respect to GLBA compliance. The most efficient way to conduct this is to engage an experienced expert to help pinpoint the areas of (potential) GLBA weaknesses.
Establish a budget to ensure GLBA compliance. Companies must be ready to invest in security technology and solutions in case they don't have all the necessary protections.
Identify a qualified expert to manage the program. Identifying skilled cybersecurity professionals can be challenging and costly, as the field of cybersecurity is always changing. To comply with regulatory requirements, businesses should consider outsourcing specific tasks to external Chief Information Security Officer (CISO) services.
Improve internal controls. To achieve this goal, external help makes installing any cybersecurity safeguards more efficient and effective.
Manage internal threats. Consider outside threats (hackers or cyber criminals) first, then internal staff and employees who could — even accidentally — compromise your customer/consumer NPI. To prevent this scenario, make sure to conduct a thorough employee recruitment process that filters potential risks, and run a continuous employee education program that keeps staff updated on security practices.
Vet your service providers. If you engage service providers of any kind for help with your operations, make sure to check if they are also GLBA compliant.
Stay on top of things. Keep updating your privacy rule requirements: Continuously revise, review, and update your privacy notices, making sure that things are up to date.
Disaster Recovery Plan. The GLBA mandates that organizations have an incident response plan in place. Ensure that you have an IT disaster recovery and business continuity plan readily available to be able to show you have considered all potential risks and have precautions in place to alleviate any issues.
Ongoing Compliance Monitoring. Be flexible in planning your annual cybersecurity assessments through continuous monitoring and preventive exercises. For example, penetration tests and vulnerability assessments should be conducted at least on a yearly basis, if not every six months. The best rule of thumb to keep in mind is that a significant material change in your business model or activities will trigger another mandatory test.
The bottom line is that organizations must plan to incorporate all GLBA requirements — existing and forthcoming — by setting aside funds, time, and resources to guarantee compliance in the upcoming years. Working with a trustworthy compliance and cybersecurity provider like InnReg can help your fintech expedite its compliance processes and enhance your overall security and compliance.
GLBA Fines
The GLBA applies both monetary penalties and imprisonment to sanction non-compliant corporate behavior. Specifically, the scope of these penalties includes:
Financial institutions are subject to a civil penalty, not over $100,000 per violation
Directors and Officers are subject to a civil penalty not over $10,000 for each violation in addition to being personally liable for each
Both the officers and the institution are subject to fines under Title 18 of the United States Code or imprisonment for not more than five years
The Venmo and RCG cases make it clear that the aftermath of such fines encompasses much more than a financial burden, including reputational harm and loss of goodwill.
A Key Law for Most Financial Institutions
Even after two decades, GLBA enforcement continues to be a key consideration for financial institutions regarding safeguarding client data and privacy.
Still, while focusing on the GLBA itself is obligatory, it is critical to go beyond it. Various other federal, state, and international laws could apply as well. This means that, in addition to statutory requirements, companies could be required to take additional measures to protect their clients' data and reduce other risks effectively.
Undertaking this task — achieving the status of a GLBA-compliant company — could be quite burdensome.
Given GLBA’s layers of complexity, the best strategy might be to engage outside help. An experienced outside compliance expert team, like that of InnReg, might be your best solution to efficiently reach and maintain a high level of compliance.
InnReg has extensive experience in helping financial institutions achieve outstanding levels of compliance. Get in touch today and find out how InnReg could aid your corporate operation flows.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with compliance, reach out to our regulatory experts today:
Published on May 5, 2022
Last updated on Jan 23, 2024