The ultimate GLBA compliance checklist for financial services

If your business provides financial services or products, you are required to comply with the Gramm-Leach-Bliley Act (GLBA). Many organizations assume that the GLBA applies only to traditional financial institutions like banks or credit unions, but that assumption is incorrect.

Under the GLBA, the term “financial institution” applies to any business that partakes in financial activities like loans, debt collecting, real estate settlement or financial advisory. This definition widens the net of companies that are subject to GLBA compliance rules and regulations. A few examples of businesses that many wouldn’t think of as a “financial institution” but are considered one under the GLBA include:

  • Car dealerships that offer loans
  • Career counselors that provide financial advice
  • Colleges and universities with financial aid services

The consequences of GLBA non-compliance are significant. Businesses can face fines up to $100,000 for each violation. Individuals involved in non-compliance can face fines up to $10,000 per violation or imprisonment for up to five years.

Although the risks of violation can be intimidating, your organization can manage GLBA compliance with careful planning and execution. Use our checklist to ensure that your team is maintaining GLBA compliance.

Understand the 3 major sections of the GLBA

The GLBA was enacted to protect and increase consumer rights. It is broken down into three sections, each with its own set of requirements dictating how organizations handle their customers’ private information.

1. The Financial Privacy Rule

This section of the GLBA requires that organizations notify customers about their privacy policies and protect data confidentiality. A key element of this rule is the timing of privacy notices. The GLBA requires that a privacy notice be delivered to the customer when a business-to-customer relationship is established, whenever the organization’s privacy policies change, and annually thereafter.

A business-to-customer relationship is established when an ongoing relationship is created, which can be in the form of opening an account, enrolling in a recurring financial service, or a one-time transaction for an ongoing service. In some cases, consumers may not be considered “customers” if the nature of the relationship is not ongoing. However, organizations are still required to provide a privacy and opt-out notice to consumers if information will be shared with third parties, even if they are not an ongoing customer.

The privacy notice required by the GLBA must explain to the customer:

  • What information is collected
  • How that information is being shared
  • Who the information is shared with
  • How the organization protects that information

The privacy notice must offer customers an opportunity to opt-in or opt-out of sharing their personal data with third parties.

2. The Safeguards Rule

This section of the GLBA requires organizations to create and implement security programs that protect customers’ sensitive data. To fulfill GLBA requirements, the organization’s security program must be documented in a written plan.

Although there is some flexibility on how organizations develop their security programs, not just any old generic plan will do. According to the safeguards rule, an organization’s security plan needs to:

  • Have a dedicated team: One or more employees within your organization should be designated to coordinate and lead the company’s security program(s).
  • Address all types of data locations: Safeguards should be in place for both physical and digital forms of data. Some examples of safeguards for physical data include locking rooms and file cabinets where customer information is stored, ensuring that storage areas are protected against damage from hazards like fires or floods, and storing sensitive data records in secure areas with limited access. For digital data, safeguards on your GLBA checklist should include maintaining up-to-date firewalls, maintaining secure data backup, and storing electronic customer information on a secure, password-protected server.
  • Match the organization’s size and complexity: The protections and safeguards put in place need to match the organization’s total scope of financial activities and the sensitivity of customer information involved. An organization that collects a higher volume of sensitive data should have more safeguards in place than an organization that collects minimal sensitive data.
  • Be monitored and tested regularly: Continuous testing and monitoring are required to determine the effectiveness of the program and to control potential risks. As technology evolves, an organization’s security programs need to evolve with it to proactively protect customers’ private information.
  • Be flexible and scalable: If corporate, industry, or even compliance regulations change, your organization’s security plan should be able to adapt to those changes.

3. Pretexting Provisions

Pretexting is the act of presenting oneself as someone else to obtain private information — essentially, fraud. The GLBA requires financial institutions to implement safeguards that prevent this from happening. One of the most common safeguards is requiring employee training so that an organization’s staff is aware of the signs of pretexting and what signals should raise concern for suspicious activity.

Since the GLBA’s pretexting provisions require implemented safeguards to prevent fraud, there’s some crossover between this section and the safeguards rule. The sections of the GLBA tend to overlap with one another, and the key behind successfully adhering to all of them is providing your security team with the right framework and resources so they can:

  1. Create company standard written notices and written security plans
  2. Help educate and train staff on data privacy and security best practices
  3. Continuously monitor, test, and update the organization’s data privacy efforts

Enable your information security team to do their best work

After fully understanding the three sections of the GLBA, the next step on your checklist is to make implementation easier for your organization’s security team. Here are the best practices for enabling your security team to perform at peak efficiency.

Create a privacy-forward company culture

Company leaders need to advocate for ongoing security training. When your organization’s entire team is knowledgeable about best practices, compliance basics, and the actions that should raise red flags, you are in a better position to prevent potential instances of fraud, cyber hacking, or private data leaks. Training and education are critical and should come not only from the organization’s security team, but from the C-suite on down.

Automate wherever possible

Security teams are often inundated with hours and hours of manual tasks. This bogs down teams and wastes your organization’s most valuable resource: time. By making the smart investment in software that automates important, yet time-consuming tasks like sensitive data discovery, classification and remediation, your security team can spend more time doing strategic work, rather than repetitive tasks that require extra hours.

Streamline GLBA reporting

Reports are an important part of maintaining GLBA compliance. You want thorough, detailed reports so your organization can make the right moves, but you don’t want to slow your security team down by digging for data in multiple places.

When your team has fewer manual tasks, they can spend more time truly understanding the data at hand. This is what leads to decision proposals that can help strengthen your company’s overall security initiatives. For this reason, having one data privacy solution that shows your security team everything they need to know on a clean, easy-to-navigate dashboard is game-changing.

Choose the right data privacy software for GLBA compliance

For any business that deals heavily in financial activity, GLBA compliance is essential. Not only is it important for regulatory and financial reasons, but it’s essential for your organization’s reputation. When you take the time to protect your customers’ data, you show that you care — which is critical for earning trust from your customers and potential customers.

Data privacy software like Spirion Data Privacy Manager makes it easier for businesses to take control of GLBA compliance. To learn more and see our compliance tool in action, you can request a free demo here.
