- March 11, 2020
- Posted by: Keith Frechette
- Category: Blog
The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act, is a federal law that protects consumer privacy. It governs how financial institutions collect and disclose their customers’ personal information.
In this post, we’re going to discuss:
- Whether or not GLBA compliance is mandatory
- Who GLBA compliance applies to
- The benefits and potential penalties of GLBA compliance
- How a GLBA audit with a firm like GoldSky Security will help with GLBA Compliance
What is GLBA?
GLBA is a law that protects the sensitive information that consumers provide to financial institutions. Think things like:
- Credit Histories
- Social Security Numbers
- Credit and Income Histories
- Credit and Bank Card Account Numbers
- Phone Numbers
- and more
The GLBA requires financial organizations, like banks and financial planners, to inform their clients of their right to request that their data remain unavailable to unaffiliated third parties. It also says that financial institutions must develop and document an information security plan that addresses how the organization protects its clients’ personal information.
But Is GLBA Compliance Mandatory?
Yes, it is!
GLBA compliance is mandatory and enforced by the Federal Trade Commission (FTC). All reputable financial institutions must comply with the FTC standards outlined in the GLBA provisions for sharing and protecting customers’ non-public personal information. Any company that fails to meet the GLBA requirements could not only face steep fines and judicial action but also suffer irreparable damage to its brand and reputation.
Who Does GLBA Compliance Apply To?
GLBA is actually important for more than just the financial sector. That’s because GLBA applies to all companies that receive personal financial information, regardless of their primary business and industry. This includes banking, mortgage, investment, and securities companies, as well as reporting agencies, appraisers, and mortgage brokers.
Of course, all financial institutions will need to design, implement, and maintain safeguards to protect their customer information.
If you’re still unsure if GLBA standards apply to your organization, consider that the following actions typically mandate GLBA compliance. If your company…
- Collects debts as a service
- Offers real estate settlement services
- Provides career counseling to financial service professionals
- Delivers investment, economic, or financial advice services
- Brokers or services loans
- Lends, transfers, invests, or exchanges funds as a service
If any of these financial activities is only a small component of your business operations, your company may be exempt from FTC regulations, but to be safe you’ll need to verify this yourself or have a qualified party verify it for you.
What Are The Benefits of GLBA Compliance?
If you comply with the GLBA, you put your financial institution at a lower risk for penalties or reputational damage.
The GLBA Safeguards Rule includes privacy and security benefits for customers, including:
- Securing private information against unauthorized access
- Notifying customers, and giving them the option to opt out, before any private information is shared between financial institutions and third parties
- Tracking user activity, including any attempts to access protected records, and notifying the customer of such attempts
By following the GLBA guidelines, companies protect consumer and customer records and, in doing so, build reliability and trust. Security is incredibly important to the consumer, especially when it comes to their financials. Keeping their information safe and secure will, therefore, build loyalty, boost reputation, and increase the likelihood of repeat business.
On the other hand…
Potential Penalties of GLBA Non-compliance
If your company is found to be non-compliant with GLBA, the consequences can be quite severe. Non-compliance penalties can be in the form of:
- Fines of $100,000 per violation for the financial institution found in violation.
- Fines of $10,000 per violation for the individuals in charge who are found in violation.
- Jail time for individuals found in violation, up to a maximum sentence of five years.
How To Become GLBA Compliant
The best way to become GLBA compliant is to secure your customers’ private financial information. In order to avoid those harsh penalties listed above, you can take steps to safeguard your customer information and improve your security.
To reach compliance, there are three major rules you’ll need to follow: the Safeguards Rule, the Financial Privacy Rule, and the Pretexting Provisions.
The Safeguards Rule requires financial institutions to create a written security plan that describes how they will protect their customers’ information. This information security plan must meet certain specifications according to the company’s size, operations, and complexity, as well as the level of sensitivity of the customers’ information.
The Safeguards Rule also requires financial institutions to:
- Designate one or more employees to coordinate the information security program
- Conduct an assessment of the risks to customer information in each relevant area of the company’s operation
- Evaluate the effectiveness of the safeguards currently in place for these risks
- Design, implement, regularly monitor and test a safeguards program
- Require by contract that your service providers maintain appropriate safeguards, and verify that they do
- Make changes to the program should circumstances require it
To meet the requirements of the Safeguards Rule, companies must pay close attention to employee training and management, the company information systems, and security management.
The Financial Privacy Rule requires that companies provide appropriate notices of their privacy policies and practices to anyone who uses their product or service for personal purposes. Customers must also be offered the option to opt in or out of having their non-public personal information (NPI) disclosed to non-affiliated third parties.
The final major rule within GLBA, the Pretexting Provisions, requires organizations to guard against pretexting, a social engineering technique in which someone obtains private customer information under false pretenses. Organizations must develop a written plan to monitor their account activity and train staff on how to identify a fraudulent entity.
How Working With GoldSky Security Can Help
As you can see, some of the rules and requirements of GLBA are a bit complex. A cyber security solutions company like GoldSky can conduct an audit to see where your company stands and then develop a security and privacy program to comply with the GLBA.
- Assess your existing program and identify gaps, then recommend and implement improvements
- Develop and maintain risk management documentation
- Help you monitor and test the safeguards in place and make changes as needed
- Provide defenses against social engineering attacks such as pretexting
GoldSky Security has resources in Orlando, Denver, Nashville, Washington D.C., Tampa and Phoenix that can help your company meet the GLBA compliance requirements. Don’t leave your company’s reputation and livelihood at risk by not being GLBA compliant. Reach out to email@example.com for a free consultation today.