The Gramm-Leach-Bliley Act (GLBA) is one of the most common regulatory compliance acts in the business world. And if you’re involved in providing financial products or services to consumers and utilize the services of third-party vendors, it’s something you need to be aware of.
What is the GLBA?
Also known as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) is a federal law that requires all financial institutions in the United States to clearly explain how they protect and share their customers’ private information. The GLBA vendor management requirements are twofold. First, they require your organization to explain to the customer what information is being shared, to what extent and how it is being protected. Secondly, they require that your organization define how the information is being managed, monitored, and kept secure. The objective of the GLBA is to protect consumer financial privacy by establishing safeguards that require companies to explain how and what information they share with affiliates and other business partners
Based on the rules of the GLBA, companies have limitations regarding disclosure of a consumer’s nonpublic personal information (NPI) to non-affiliated third parties. They must first notify the customer about their information-sharing practices and then give them the right to opt-out if they don’t want the information shared. Furthermore, any third party that receives this information from a financial institution is restricted in its redisclosure and reuse of that information.
The two most important aspects of the GLBA are as follows:
- Financial Privacy Rule. This is the foundational rule of the GLBA. It states that financial institutions must give each customer a privacy notice as soon as the relationship is established (and annually thereafter). This notice must include an explanation as to what information is being collected, where it’s being shared, how it’s being shared and how the information is protected.
- Safeguards Rule. This rule requires that the organization develops a written security plan that outlines how the information is handled and what methods are used to develop, monitor and test various security aspects. And if there are any changes in how the information is handled, the safeguards must be updated to reflect these updates.
Adhering to these two rules will not only help you remain compliant, but it will also significantly reduce your chances of being caught in a compromising situation that puts your business and customers at risk.
Who Must Comply With the GLBA?
Not every business has to account for the GLBA. However, it’s usually applicable for any business setting where financial products and services are being provided for a customer and confidential data and private information are shared. This includes (but not limited to) companies such as:
- Financial advisors
- Insurance advisors
- Credit unions and banks
- Mortgage lenders
- Payday lenders
- Mortgage brokers
- Check-cashing businesses
- Real estate appraisers
- Tax preparation services
- Courier services
- Credit card companies
- ATM operators
- Credit reporting agencies
Again, this is just a sample of organizations that are typically subject to GLBA compliance. However, any company that processes, stores or shares confidential and private information about consumers is required to adhere to the standards.
Consequences for Non-Compliance
Failure to comply with GLBA rules can prove costly on multiple fronts. However, the initial financial penalties are generally what cause the most concern.
Non-compliance penalties include:
- Financial institutions that are found to be in violation face fines up to $100,000 per incident.
- Individuals who are found to be in violation face fines up to $10,000 per incident.
- Individuals who are found to be in egregious and/or repetitive violation may face prison time up to five years.
In addition to the financial ramifications, there may also be reputational consequences. You never want to be the business that people can’t trust. But a GLBA violation that leads to media coverage has the potential to tarnish your image.
GLBA Compliance Tips
Every organization is going to require a unique approach. Having said that, adhering to the following suggestions will increase your chances for success:
- Understand the Act
The first step is to familiarize yourself with the rules of the GLBA. That’s essentially what you’ve done in reading this article. Now it’s up to you to do further research and understand exactly how it applies to your business.
Depending on the size of your business and other relevant risk factors, you may find it helpful to consult with your legal team and auditing professionals. The more you pull together all relevant parties, the stronger your compliance program will be.
- Perform a Risk Assessment
Secondly, perform a risk assessment to get a feel for all of the different factors involved. A good risk assessment will identify both the likelihood of something happening as well as the severity if it does. These two factors may be multiplied to develop a true risk factor.
Depending on your business and the type of data you process, you’ll need to take inventory of all processes, systems and devices that transmit NPI. This may include PCs, smartphones, laptops, mail servers, software, cloud hosts, etc.
As your assessments become more consistent across the board, you’ll start to see the various vulnerabilities and blind spots that are holding you back.
- Implement the Correct Controls
It’s not enough to acknowledge that risks exist. Even if you take proactive steps to neutralize various threats, there’s always the risk that something could happen. This is why you need to have effective controls in place at all times.
If something does go wrong, an auditor will look for evidence that you had controls in place that were adequate for the vulnerabilities and threats as displayed in your risk assessment. Any absence of proper controls could lead to serious financial penalties.
- Monitor and Respond
Finally, you’ll need a plan in place to monitor and respond to various threats and issues on an ongoing basis. Because of rapidly evolving cyber threats and ever changing security best practices, continuous monitoring is a must.
How Panorays Can Help
The Panorays platform works with your third parties so that you can be assured that they adhere to regulations and standards such as GLBA, GDPR, CCPA and NYDFS, among others. That way, you’ll always be ready for external audits.
Want an automated, comprehensive and easy-to-use third-party security management platform that works for your business? Contact us today for a free consultation, or sign up for a free demo today.