GLBA refers to the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999), which aims to protect consumers' private financial information. In this article, we take a closer look at GLBA requirements.
What is GLBA?
GLBA refers to the Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999), which aims to protect consumers' private financial information. It applies to financial institutions that offer financial services and products such as loans, insurance, and financial and/or investment advice.
The Gramm-Leach-Bliley Act applies to institutions operating within the United States of America and consists of three sections:
The Financial Privacy Rule: This section regulates the collection of private financial information, restricts its disclosure, and requires institutions to notify their customers of their privacy policies.
The Safeguards Rule: This section requires financial institutions to implement security programs that protect personal financial information.
Pretexting Provisions: This section prohibits all forms of pretexting. Pretexting is the practice of obtaining private information under false pretenses.
Who must comply with GLBA?
GLBA compliance is required for institutions of all sizes that offer financial services. Companies that are not traditionally thought of as ‘financial’ institutions, such as mortgage brokers and retailers that issue credit cards, are also within the scope of GLBA. Below is a list of business activities that bring your business within the scope of the GLBA regulations.
- Brokering loans
- Servicing loans
- Offering debt collection services
- Offering services regarding funds, such as lending, transferring, exchanging, or investing
- Offering real estate settlement services
- Providing advice on investment, economy, or finance
- Providing counselling services to professionals who work in finance
GLBA Compliance Checklist
To ensure that your business complies with GLBA requirements, you must meet the principles below:
Ensuring the security and confidentiality of non-public personal information (NPI)
Protecting your organization against unauthorized access that could harm or inconvenience your customers
Protecting your organization against any threats to the integrity and/or security of NPI
In this article, we offer 10 simple steps to make sure that your organization complies with the GLBA regulations.
Get familiar with the regulations and how they affect your organization
Before making any adjustments, you must first understand the act thoroughly. Your legal experts can help you with this.
Conduct a comprehensive risk assessment
As the second step, you must understand the potential risks to NPI and identify the threats and vulnerabilities that could endanger sensitive information.
Make sure that effective controls are implemented to mitigate the risks
GLBA examiners often ask for evidence of your organization’s ability to control the threats and vulnerabilities affecting sensitive information.
Protect your organization from threats within
Make sure that no ill-intentioned employee can harm or endanger your organization.
Ensure that your service providers are GLBA-compliant
If you use a service provider to handle NPI, you must make sure that the provider complies with GLBA.
Carry out the necessary tests to confirm that your organization meets the requirements of the Privacy Rule
You must make sure that your organization meets the related requirements and informs your customers accordingly.
Don’t forget to update your disaster recovery (DR) and business continuity (BCP) plans
Make sure that you have appropriate, up-to-date response plans. Test all your plans every year and update them when necessary.
Prepare a written information security plan for your organization
In accordance with the Safeguards Rule, your organization must have a written information security plan.
Don’t miss the annual reports to the GLBA board
Your organization is required to provide annual reports to the GLBA board.
Review and update your processes regularly