What is the GLBA Act?
The Gramm-Leach-Bliley Act (GLBA), also recognized as the Financial Modernization Act of 1999, is a federal law in the United States that requires the protection of personally identifiable financial information relating to individuals. The GBLA is overseen by the Federal Trade Commission (FTC).
The GLBA regulates financial institutions, which are any businesses that provide individuals with financial services and products such as loans, investment advice, insurance or financial advice. In addition, certain third-party recipients of Nonpublic Personal Information (NPI) from GLBA-regulated financial institutions are subject to limited obligations.
Nonpublic personal information is any personally identifiable financial information offered by a customer to a financial institution as a result of a transaction with the customer or a service rendered to the customer, or acquired by a financial organization in just about any other way. The definition excludes data that is freely available to the public.
Financial institutions that must comply with the GLBA include:
- Mortgage lenders who are not banks
- Appraisers of real estate
- Loan brokers
- Some financial or investment consultants
- Debt collectors
- Tax return preparers
- Banking Institutions
- Service providers for real estate settlements
Because GLBA is concerned with the protection of customer data, financial institutions that only provide services to other companies are exempt. Individuals who use an ATM or cash a check but do not maintain an ongoing customer relationship are also not covered.
What are the requirements for GLBA compliance?
The GLBA is divided into three major components that work together to govern the disclosure, collection and protection of nonpublic personal information about customers, namely:
- The Privacy Rule is the first requirement for GLBA compliance. It requires you to provide appropriate notices of your privacy policies and practices to individuals who use your products or services. If an institution seeks to reveal a client’s personal information, the client must be given a privacy notice. This notice gives clients the option to opt in or out of sharing their personal information with third parties.
- Financial institutions are required by the Safeguards Rule to keep user data secure. They are also required to ensure that affiliates or third-party service providers take similar precautions to protect user data. The Safeguards Rule, which is frequently mentioned in conjunction with information and cybersecurity, requires you to conduct a comprehensive risk assessment and create, implement and maintain a comprehensive information security program to safeguard customers’ private information in all areas of operation.
- The Pretexting Provisions section also addresses cybersecurity. To ensure compliance with this rule, you must prepare a comprehensive policy for tracking account activity and raising awareness of your employees on how to identify social engineering and phishing scams.
Nevertheless, the GLBA requires financial institutions to provide their customers with a written privacy notice that details their information-sharing habits.
Why should you be GLBA compliant?
Most financial institutions in the United States are expected to comply with the GLBA, which reduces the risk of fines and reputational harm as a result of data breaches and leaks. With the global total cost of a data breach approaching $3.92 million, it sure pays to prevent data breaches.
Complying with the GLBA may also help with the General Data Protection Regulation (GDPR) of the European Union, which became effective on May 25, 2018. The GDPR includes provisions on data collection, access, erasure, processing limitation and data portability.
The privacy and security protections of the GLBA, include consumer protection benefits such as:
- Data that is private or confidential is protected from unauthorized access
- Customers are informed when their personal information is shared between financial institutions and third parties, and they have the option to opt out if they so wish
- Any attempts to access classified information or protected data are monitored by users and employees
These advantages boost the company’s credibility and boost consumer confidence, resulting in higher customer satisfaction, lower turnover, higher lifetime value and less regulatory fines.
Financial institutions must take privacy and data protection laws seriously due to the international nature of banking and the possibility of corresponding legislation in some US states.
All punishments for noncompliance, including fines and incarceration, are covered by the GLBA. If a financial institution violates the GLBA, it will face the following penalties:
- Each breach will result in a civil penalty of up to $100,000 for the organization
- For each breach, the institution’s directors and officers would be subject to and legally responsible for a civil penalty of not more than $10,000
- Fines or prison time up to five years, or both, can be imposed on the financial institution and its directors and officers under Title 18 of the United States Code
How to achieve compliance?
The GLBA mandates that financial institutions take steps to protect their customers’ NPI. In a nutshell, the following are some of the most important requirements:
- Providing appropriate notices of your implemented privacy policies and practices to individuals who use your products or services
- Conducting a comprehensive risk assessment and implementing and maintaining a comprehensive information security program to safeguard customers’ private information in all areas of operation
- Preparing a comprehensive policy for tracking account activity and raising awareness of your employees on how to identify social engineering and phishing scams
The Centraleyes cyber risk and compliance platform empowers organizations to understand their cyber risks and how to best manage them during the GLBA compliance process.
Organizations can automate and simplify their compliance processes by using the Centraleyes platform’s streamlined data collection and analysis, automation gap remediation and access to real-time compliance scoring.
Furthermore, Centraleyes includes a pre-populated GLBA questionnaire that is linked to the platform’s extensive control inventory, allowing data to be shared across multiple frameworks, resulting in time and money saved, and ease of mind while working towards compliance.
It’s natural to be concerned about ensuring your company complies with all of these requirements. Centraleyes works with financial institutions on a regular basis to establish the security of their data, and is the subject matter expert on how to expedite the process of becoming compliant with the GLBA. By simply incorporating Centraleyes into your system, you are well on your way to compliance.