Financial institutions process and store a substantial amount of sensitive data on a daily basis. This could be anywhere from payment cardholder data, like the cardholder’s name or zip code, to bank account numbers and investment account information. A great deal of responsibility, security challenges and federal regulations accompany this volume of sensitive financial data.
To protect consumer financial privacy, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, was enacted in the United States. This federal law governs and regulates the ways that financial institutions — any company that offers consumers financial products or services — handle and safeguard the private information of individuals.
Who does the GLBA apply to?
The GLBA applies to financial institutions, which are defined as any business that is significantly engaged with financial activities. This commonly includes businesses like banks, credit unions and investment firms. But, a business may also be deemed as a “financial institution” if they significantly engage in one of the following financial activities outlined by the Federal Reserve Board:
- Lending, exchanging, transferring, investing for others, or safeguarding money or securities
- Providing financial, investment or economic consulting or advisory services
- Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death
- Career counseling for individuals seeking employment in the financial services industry
- Underwriting, dealing in or making a market in securities
- Providing real estate settlement services
- Brokering or servicing loans
- Debt collections
What are the GLBA requirements?
The GLBA consists of three sections of requirements: The Financial Privacy Rule, the Safeguards Rule and the Pretexting Provisions.
The Financial Privacy Rule
This regulates the collection and disclosure of private financial information, and under this rule, financial institutions need to explain their organization’s information sharing practices to all customers with a privacy notice. This includes what types of information they collect and what types of third-parties they may share that information with. Accompanying the notice must be an accessible opportunity for customers to opt-out of this disclosure if they decide that they don’t want their information granted to certain third parties.
The Safeguards Rule
This stipulates that financial institutions must implement security programs to protect sensitive financial information in both physical and digital formats. These security programs must be developed specifically for the financial institution’s size and complexity, the scope of their financial activities, and the sensitivity of any customer information involved.
In addition to developing and implementing information security programs, the financial institution will also need to:
- Designate staff to coordinate and uphold the institution’s security program.
- Identify potential internal and external risks to the security of customer information that could result in unauthorized disclosure, misuse or any other type of compromise.
- Test, place and monitor safeguards to control identified risks.
- Train employees on data security and compliance best practices.
Pretexting Provisions
This prohibits the practice of accessing private information using false pretenses, which is referred to as “pretexting.” This rule is in place to mitigate the risk of unauthorized access to private consumer information.
Why was the GLBA created?
The purpose of the GLBA is to safeguard consumer information that makes its way into the hands of financial institutions. However, that alone was not the catalyst for how the GLBA came to fruition. The reason the GLBA was created was to update and modernize the financial industry — which is why the act is known to some as The Financial Modernization Act of 1999.
The GLBA was intended to repeal the Glass-Steagall Act of 1933, which stated that commercial banks were not allowed to offer financial services, primarily investments, as a part of their normal operations. At the time, this prohibition was to help restore public confidence in the U.S. banking system and to break the link between banking and investing activities that were believed to be at least partially responsible for the 1929 market crash.
Since the Glass-Steagall Act was put into motion, commercial banks could not act as brokers. This was fine until the 1980s when a few commercial banks underwent major mergers and acquisitions that violated the act. A largely publicized merger was Citicorp’s, which was a commercial bank that began to offer insurance services and a line of financial business securities, like stocks and bonds, after they merged with Travelers Group, an insurance firm.
These mergers that were in violation were initially granted temporary waivers until the GLBA was eventually created to allow commercial banks to offer financial services while still being able to ensure no conflicts of interest between banks and investment firms, and to provide consumers with great transparency and protection.
What types of data does GLBA protect?
Under the GLBA, financial institutions must ensure the confidentiality and security of consumers’ and customers’ personally identifiable financial information or nonpublic private information (NPI), whether it be in paper or electronic form. Examples of NPI include:
- Social security numbers
- Credit and income histories
- Credit and bank account numbers
- Account balances
- Financial transactions
- Tax return information
- Driver’s license number
- Phone numbers
- Addresses
- Date of birth
Whether NPI received by a financial institution came from a consumer or a customer will dictate the required action steps. In short, consumers are individuals who engage with a financial institution for general services, like making a wire transfer or applying for a loan, and customers are a subclass of consumers that have an ongoing relationship with a financial institution. A couple of examples of ongoing customer relationships include opening and using a credit card account or consulting with an investment advisor.
The nature of the relationship between the financial institution and the individual will guide the institution’s obligations under the GLBA. For instance, in regards to privacy notices, customers must always receive one whether or not customer NPI is shared with any third-party vendors. On the other hand, consumers who are not customers only need to receive privacy notices if their NPI will be shared with third parties.
Each of the three sections of the GLBA come with their own detailed requirements that differ for consumers and customers. If an institution is proven to be non-compliant with GLBA, the potential penalties could be:
- Fines up to $10,000 for each violation towards officers and directors responsible
- Fines of up to $100,000 for each violation towards the financial institution responsible
- Imprisonment of individuals in violation of GLBA for up to five years
What steps should a business take to ensure GLBA compliance?
Maintaining GLBA compliance is a critical goal for all financial institutions, as violations of the GLBA can result in hefty financial fines and long-lasting reputational damage. To proactively maintain GLBA compliance, financial institutions should conduct ongoing data discovery, classification and remediation. Since financial organizations receive, process and handle large quantities of nonpublic private information daily, these three steps are foundational to ensuring a strong data security framework that complies with the GLBA.
Spirion brings all of these core steps and more into one robust data privacy management platform that utilizes leading-edge technologies to discover and automatically classify all types of sensitive data across your organization’s data landscape — including those key pieces of NPI, like credit card information and account numbers, that may be hard to trace otherwise. This creates a complete view of your organization’s data so you can proceed with the proper protections and remediation tasks necessary to be GLBA compliant.
