4 Tips for Consistently and Confidently Meeting GLBA Compliance Requirements
What Is GLBA?
Businesses regularly handle consumer financial information, making it crucial to find the most reliable ways possible to keep that information secure. Since businesses need to collect, store, process and share vital financial information for their customers amid ever-changing technologies and potential vulnerabilities, the U.S. Congress passed the Financial Services Modernization Act of 1999, which is more commonly known as the Gramm-Leach-Bliley Act (GLBA or the Act).
The Act was passed to protect consumer privacy in our fast-paced financial world, requiring any business that acts as a “financial institution” to safeguard sensitive data and to explain all information-sharing practices to customers. Organizations considered financial institutions include those that provide consumers with financial or investment advice and financial products and services like loans.
GLBA focuses on protecting sensitive consumer information, including full legal names, addresses and credit histories, that customers provide to financial institutions such as banks, financial planners and mortgage brokers.
One of the key provisions of the Act, the Privacy Rule, limits when a company acting as a financial institution may disclose a customer’s nonpublic personal information (NPI) to third parties that are not affiliated with the core business. Financial institutions need to notify customers of their information-sharing practices and tell customers of their right to opt out of any information-sharing practices if they would rather not have that information shared with non-affiliated third parties. Further, per the Safeguards Rule, financial institutions must adopt and implement a security program to protect NPI.
Who Needs to Comply with GLBA Requirements?
Any business, regardless of size, that offers financial services or products to consumers must comply with the GLBA. Different types of financial-oriented businesses include the following:
- Banks or other traditional financial institutions
- Check-cashing businesses
- Payday lenders
- Mortgage brokers
- Non-bank lenders
- Personal property or real estate appraisers
- Retailers that issue their own branded credit cards
- Professional tax preparers
- Courier services
- Credit reporting agencies
- ATM operators that receive consumer information from other financial institutions
Are There Penalties for GLBA Non-Compliance?
There are severe criminal and civil penalties associated with non-compliance with GLBA requirements, which include possible fines and imprisonment.
Here are a few specific penalties a financial institution may face for violating GLBA requirements:
- The bank or other financial institution is subject to a civil penalty of not more than $100,000 per violation.
- Directors and officers of the institution are potentially subject to, and personally liable for, a civil penalty of not more than $10,000 per violation.
- The institution, along with its directors and officers, is also subject to fines in accordance with Title 18 of the U.S. Code, or they may face imprisonment for not more than five years or both.
4 Steps to Consistently Meet GLBA Compliance Requirements
If your financial institution performs tasks that may include collecting debts as a service, offering real estate settlement services, providing career counseling to financial service professionals, or brokering or servicing loans, you need to become and remain GLBA compliant to protect your customers.
Add these four steps to your GLBA compliance strategy to stay confident while keeping everything secure.
1. Understand the Act and How It Applies to Your Business
Review the Act to make sure you understand its nature and scope, as well as how it applies to your business. You may need to take this step with your legal team or auditing professionals. This step gives you a firm foundation for designing and implementing your own GLBA compliance program.
2. Perform a Risk Assessment
Conducting a risk assessment gives you the opportunity to organize and catalog all systems under your care used to manage NPI and identify threats and vulnerabilities that could put information in your system at risk.
Testing your compliance against GLBA requirements alongside your auditor provides you with a powerful risk assessment, which can help ensure the use of proper controls that reduce and mitigate any risks. This makes the process central to your GLBA compliance program.
An inventory of all areas and systems that store, process and transmit NPI is essential, so prepare one for your risk assessment. Such systems may include network devices, PCs, laptops, personal mobile devices, mail servers and cloud hosts, and each one needs to be reviewed and evaluated to search for possible threats and vulnerabilities.
3. Make Sure You Have Effective Controls in Place
Effective controls help mitigate risks, so make sure you have them in place. Your current physical, technical and management control framework may mitigate risks that you discover during the risk assessment. However, it is more likely that you will need to improve existing controls or invest in new controls.
Auditors will expect to find evidence that your risk assessment matched each vulnerability and threat to a corresponding control. Make it easy for them by creating a simple table with annotations that detail the rationale for your selection.
4. Defend Against Internal Threats
Internal or insider threats, which include employees who intentionally or inadvertently compromise your organization, are the biggest threats to most organizations in terms of GLBA violations. It is important that you do not overlook this threat zone.
The best strategy in defense against this potential threat starts during the pre-employment recruiting phase. Perform thorough background checks to filter out human resource security risks. Further, draw up employment contracts that place the responsibility on employees to follow security policies and procedures. Once on staff, provide regular reminders of employees’ duties of care for consumer information in whatever capacity they have access to that information. Provide regular written communications and mandatory training programs to reinforce security policies and keep all staff members updated on any new threats.
Do You Need More Ideas on Achieving and Maintaining GLBA Compliance?
At I.S. Partners, LLC, our auditing team understands how complex and time-consuming it can be to achieve and maintain GLBA compliance. We can help you implement these steps, as well as several others, to help you confidently and consistently stay compliant with this important Act.