If a financial institution is found to be non-compliant with the Gramm-Leach-Bliley Act (GLBA), it will cost you. An institution can be fined up to $100,000 per violation, while directors and officers can be personally fined up to $10,000 per violation and face up to five years in prison. Individuals may be barred from working in the banking industry, and a financial institution may have its FDIC insurance terminated.
Given the serious nature of these consequences, it is vital to ensure your institution complies with GLBA.
What Is GLBA?
Because businesses collect, store, process, and share customer data amid constantly changing technologies and vulnerabilities, the U.S. Congress passed the Financial Services Modernization Act of 1999, more commonly known as the Gramm-Leach-Bliley Act (GLBA).
The Act was passed to protect consumer privacy in a fast-moving financial industry. It requires any business that acts as a “financial institution” to safeguard sensitive customer data and to explain its information-sharing practices to customers. Two of its key components are the Privacy Rule and the Safeguards Rule.
GLBA Privacy Rule
The Privacy Rule limits a financial institution’s ability to disclose customers’ nonpublic personal information (NPI) to non-affiliated third parties. Financial institutions must notify customers about their information-sharing practices and inform them of their right to opt out of having their NPI shared with non-affiliated third parties.
GLBA Safeguards Rule
The Safeguards Rule requires financial institutions to develop, implement, and maintain a written information security program, with administrative, technical, and physical safeguards, to protect NPI.
Who Must Comply with GLBA Requirements?
Any business, regardless of size, that is significantly engaged in offering financial products or services to consumers is a “financial institution” under GLBA and must comply. This includes many businesses that do not think of themselves as banks, such as accounting firms.
What Types of Data Does GLBA Cover?
The key data you and your IT staff must protect under GLBA is personally identifiable information (PII) and NPI: any information that can be linked to a customer, including the transactional data your financial institution collects about them. The same data that makes customers’ personal information central to your relationship with them is what makes it so valuable to malicious third parties.
GLBA focuses on the protection of sensitive consumer information, including:
- Credit histories and reports,
- Birth dates,
- Bank account information,
- Social Security numbers.
How Should a Financial Institution Meet & Maintain GLBA Compliance?
Financial institutions must become and remain GLBA compliant to protect their customers, maintain their professional reputation and accreditations, and to avoid penalties and fines. Add these four steps to your GLBA compliance strategy.
1. Understand the Act and How It Applies to Your Business.
Review the Act to make sure you understand the scope and how it applies to your business. You may need to take this step with the guidance of your legal team or auditing professionals.
2. Perform a Risk Assessment.
Conducting a risk assessment gives you the opportunity to organize and catalog all systems under your care that are used to manage NPI. Using a risk assessment matrix in the process helps identify threats and vulnerabilities that could put information in your system at risk.
Working alongside your auditor, testing your compliance against GLBA requirements provides a powerful risk assessment. It delivers assurance that controls are used properly and identifies areas where your security team could improve.
An inventory of all areas and systems that store, process and transmit NPI is essential, so prepare one for your risk assessment. Such systems may include network devices, PCs, laptops, personal mobile devices, mail servers, and cloud hosts, and each one needs to be reviewed and evaluated for possible threats and vulnerabilities.
3. Make Sure Effective Controls Are in Place.
Your current physical, technical and management control framework may effectively mitigate risks. However, an assessment may show the need to improve existing controls or invest in new controls.
Auditors will expect to find evidence that your risk assessment mapped each identified threat and vulnerability to a corresponding control. You can prepare for the assessment by creating a simple table with annotations explaining the rationale for each control you selected.
4. Defend Against Internal Threats.
Internal or insider threats, which include employees who intentionally or inadvertently compromise your organization, are a leading source of GLBA violations at most organizations.
The best defense against insider threats starts during the pre-employment recruiting phase. Perform thorough background checks to screen out personnel security risks. Further, draw up employment contracts that place the responsibility on employees to follow security policies and procedures. Once staff are on board, limit their access to NPI to what their role requires, and provide regular reminders of their duty of care for consumer information in whatever capacity they have access to it. Provide regular written updates and mandatory training programs to reinforce security policies and keep all staff members informed of new threats.
What Happens During a GLBA Audit?
During the audit, a third party reviews the policies your organization has developed to ensure compliance with GLBA requirements, which include:
- Written plan for safeguarding consumer information,
- Clear incident response plan,
- Employee education regarding GLBA compliance,
- Demonstrated support from leadership.
The auditors will need to interview key members of your organization to learn how compliance measures are actually implemented. When asked about something, be direct and honest in your response. If you do not have the information, find the right person in your financial institution to address the question and refer it to them.
Auditors will review all aspects of your organization’s plan in order to understand how your plan works and whether it is robust enough. Remember that under GLBA, your plan must be specific and appropriate to your firm’s size, customer base, activities, and complexities.
How Should We Prepare for a GLBA Audit?
By preparing ahead of time for the audit, your financial institution can streamline the process.
Start the preparation by gathering all relevant documentation pertaining to your financial institution’s policies for safeguarding information. This may be eye-opening for your institution: it isn’t uncommon to realize, while gathering documentation, that your organization has documented policies that are being overlooked in day-to-day operations.
In preparing for the audit, make sure that you are familiar with all aspects of your firm’s plan and can explain it from a risk management perspective. This will help auditors appreciate the plan’s strong points even as they look for weak areas that need shoring up.
What Will Auditors Be Looking For?
As part of your preparation phase, your team should organize the materials that tell the story of your financial institution’s GLBA compliance. When everything is clearly organized, the auditors will be able to dive deep into the audit process to determine your organization’s strengths, weaknesses, and opportunities. Specifically, you will need to compile documentation related to staff training, incident response, consumer information safeguards, and risk assessment and mitigation.
Staff training
Your organization can share memos, written policies, training manuals, and online courses as documentation demonstrating your commitment to educating employees about compliance issues and cybersecurity.
Incident response
A robust GLBA incident response plan should outline what employees should do if a security incident arises, including what type of information to capture in the immediate aftermath and how to best manage the organization during the response period. It should cover all types of data loss incidents, from reporting a misplaced laptop to mitigating a data breach.
A strong plan will be clear, with decisions and action steps listed. Plans that do not include actionable steps are merely policies; these are not strong enough to pass a GLBA compliance audit. Since threats change, incident response plans must be kept up to date. The strongest plans are tested at least quarterly and integrate feedback to promote continuous improvement.
Consumer information safeguards
Your organization needs to show a comprehensive written security plan that details physical, technical, and administrative safeguards for sensitive data, appropriate to your institution’s size and complexity.
Strong safeguards are coordinated at the organizational level and reviewed by a committee or a dedicated individual, updated once a year or more to reflect changing needs, and tested for viability. Since technology and threats are constantly innovating, information safeguards will necessarily change over time and your organization’s records should reflect that.
Risk assessment & mitigation
To have a thorough GLBA compliance plan, you must understand where your risks are and how to mitigate them. Mitigating risk isn’t a one-time action, so risk assessments should be run periodically with the goal of improving the institution’s security posture over time. Best practice is to demonstrate that the assessment covers every system that handles NPI and to track how quickly identified issues are remediated.
When carried out routinely, assessments should catch issues before the GLBA audit process, allowing you to fix something that would otherwise have been a compliance issue. Your team must document these internal assessments, their results, and the actions carried out to address them. Auditors will be looking for this type of record for proof of GLBA compliance.
What Are the Penalties for GLBA Non-Compliance?
One of the worst consequences of GLBA non-compliance is compromising customers’ data and suffering a breach. When a company suffers a breach, it risks its reputation and the loss of hundreds, thousands, or more customers. Non-compliance will also almost always cost the business in lost time, resources, and productivity.
There are severe criminal and civil penalties associated with non-compliance with GLBA requirements, which include possible fines and imprisonment.
- The bank or other financial institution is subject to a civil penalty of not more than $100,000 per violation.
- Directors and officers of the institution are potentially subject to, and personally liable for, a civil penalty of not more than $10,000 per violation.
- The institution, along with its directors and officers, is also subject to fines in accordance with Title 18 of the U.S. Code, or they may face imprisonment for not more than five years or both.
What Are the Most Common Reasons for GLBA Non-Compliance?
Since missteps here lead to hefty fines levied by regulators, take a few minutes to review common mistakes in complying with GLBA.
One all-too-common misstep is that financial firms do not adhere to GLBA at all because they mistakenly believe that it does not apply to them. Accounting firms, in particular, may believe that GLBA only affects large banks or investment firms. In truth, GLBA does apply to accounting firms, including small firms and sole practices. Accountants who do not comply with GLBA not only risk the exposure of sensitive client data, but could also be held liable by the FTC.
Safeguards Rule Violations
The Safeguards Rule requires institutions to develop a written plan for safeguarding consumer information that is appropriate to the firm’s activities, size, and complexity, and to the nature and sensitivity of the consumer data. The written plan should designate an individual to manage the safeguards, adjust the safeguards as needed to keep up with changes in how data is managed and retrieved, and include risk assessments for every department that handles sensitive data.
If your organization’s written plan is outdated and does not reflect the reality of your firm’s data usage, it could cost you. Needs change, and a financial institution may need to modernize its plan to remain in full compliance with GLBA.
Flawed Risk Assessment
Some institutions do not carry out thorough risk assessments, which means their safeguards and response plans cannot be complete. Common risk assessment flaws include failing to account for where data is processed, stored, or transmitted.
Best practice is for a risk assessment to focus on where the sensitive data is located and what controls are in place. Not every piece of consumer information is sensitive, so it’s important to narrow the scope to information that must be safeguarded.
Poor Vendor Management
Since many institutions rely on third-party vendors, vendor management is a top GLBA compliance issue. Even where a vendor is not itself subject to GLBA, the Safeguards Rule requires the institution to select service providers capable of maintaining appropriate safeguards, to require those safeguards by contract, and to periodically assess the vendor’s performance. Contract stipulations that protect your interests also give you a way to exit a bad arrangement, if necessary, in favor of a vendor that does comply.
Unprotected Copiers & Printers
Copiers and printers can store copies of sensitive documents on their internal hard drives, so a compromise of a printer’s hard drive can expose stored customer data. To stay in full compliance with GLBA, you must protect copier and printer hard drives. Use overwriting, encryption, and password protections to defend sensitive data that is printed, faxed, or copied, and securely wipe the drives before a device is returned at lease end or disposed of.
GLBA Plan Not Reflecting the Corporate Culture
Some companies have plans in place that seem great on paper, but are just that—paper plans that were designed to please auditors, rather than protect consumers. If an examiner digs into such a plan, they may find that it does not adequately protect consumer data.
Rather than keep a plan that’s isolated from corporate culture and consumer data as managed at your financial institution, invest in a plan that protects your needs, your reputation, and your customers. Developing a proper GLBA plan will also protect your financial interests, since data breaches lead to loss of trust and reputation.
Insufficient Staff Training
Compliance requires that staff are trained to spot threats, identify sensitive data, understand security requirements, and know their role in the effective implementation of security measures.
Lack of Top-Down Leadership
GLBA mandates that either the Board of Directors or a committee of the board oversee the development and implementation of the information security program and review reports on its success. The board takes accountability that consumer information is protected from the highest levels on down throughout the entire organization.
Lack of Follow-Through
Part of GLBA compliance involves testing to ensure the plan works as intended. Make it a priority to test your safeguards and revise the plan as needed before your organization falls victim to a data breach—and to continue to test your GLBA safeguards from time to time.
Get Help with GLBA Compliance
At I.S. Partners, LLC, our auditing team understands how complex and time-consuming it can be to achieve and maintain GLBA compliance. We can help your organization through the entire process.