Introduction: Purpose and Background of the GLBA
The Gramm-Leach-Bliley Act (“GLBA”), also known as the Financial Services Modernization Act of 1999, is a federal statute that requires financial institutions to explain their information-sharing practices to their customers and to safeguard the sensitive customer data in their possession.
The Act’s privacy provisions were passed in response to growing concern about the security of customer financial information as it was increasingly transmitted and stored electronically.
The Act applies to all companies that are significantly engaged in financial activities. GLBA audits are evaluations, conducted by independent firms or by federal regulators, of how effectively a financial institution complies with the Act. Banks, thrifts, and credit unions are examined by their federal banking regulators, and broker-dealers and insurers by the securities and state insurance authorities; the Federal Trade Commission (“FTC”) enforces the Act against financial institutions that fall outside those regulators’ jurisdiction, such as mortgage brokers, tax preparers, payday lenders, and auto dealers. Because the GLBA’s objectives cover consumer protection as well as data privacy and safeguarding, the FTC’s Privacy and Safeguards Rules are the ones most non-bank companies must meet.
Below are the five important keys for companies to follow when preparing for a GLBA audit.
The Privacy Rule and The Safeguards Rule
The GLBA requires any company that conducts business as a “financial institution” to safeguard customer data and to explain its information-sharing practices. Its privacy provisions are implemented through two main rules: (1) the Privacy Rule and (2) the Safeguards Rule.
The Privacy Rule protects a consumer’s “nonpublic personal information” (“NPI”): personally identifiable financial information that a company collects about an individual in connection with providing a financial product or service, unless that information is publicly available. The rule requires financial institutions to give customers clear notice of their privacy practices and limits their ability to disclose NPI to nonaffiliated third parties, generally requiring that consumers first be given an opportunity to opt out.
The Safeguards Rule requires companies to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards appropriate to their size and to the sensitivity of the customer information they hold, including monitoring and testing of those safeguards. The FTC’s amended Safeguards Rule (16 C.F.R. Part 314, with most new requirements in force since June 2023) names specific elements: a designated qualified individual to oversee the program, a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, oversight of service providers, and a written incident response plan. Like the Privacy Rule, it serves to protect customer NPI.
Failure to follow these and other provisions of the GLBA could lead to substantial penalties. In civil actions, companies that fall under the GLBA’s provisions could face fines of up to $100,000 for each individual violation, and officers and directors can face up to $10,000 per violation.
These individuals may also be barred from working in the financial industry, and the financial institutions themselves may have their Federal Deposit Insurance Corporation (“FDIC”) insurance revoked. The Act also makes pretexting, that is, obtaining customer information by false pretenses, a crime punishable by up to five years’ imprisonment, or ten years in aggravated cases. This underscores the importance of being prepared for a GLBA audit.
5 Keys to Successful and Compliant GLBA Audits
GLBA audits could entail company-initiated audits, where the financial institution hires an independent auditor to assess its compliance or undertakes an internal evaluation/audit of its operations. More often, however, a GLBA audit refers to evaluations by federal government agencies of “financial institutions.”
Auditors in these latter instances will carry out various procedures including assessing the strength of the company’s internal controls, how well the company’s compliance program works in practice, and whether the compliance program is strong enough in light of the financial institution’s size, structure, and information it handles. Below are five keys to successful and compliant GLBA audits:
Conduct a risk assessment of company operations to evaluate the severity of threats and system vulnerabilities.
Risk assessment procedures are a priority for financial institutions seeking to demonstrate GLBA compliance in an audit. They should inventory and evaluate the systems that manage, transfer, and store customer or consumer NPI, and the threats to each of them.
The results of a risk assessment also help the company identify weaknesses that could compromise system integrity and put customer data at risk. Auditors will expect evidence that identified weaknesses are tracked and corrected promptly, that the assessment covers the service providers that handle NPI on the company’s behalf, and that it is repeated as systems, vendors, and threats change rather than performed once.
Develop a robust and comprehensive GLBA compliance program.
The purpose of a compliance program is to monitor, identify, and respond to weaknesses within a company’s business operations. Every company that potentially satisfies the “financial institution” requirement of the GLBA should ensure that it has in place a secure and effective compliance program. Such a program should include the following elements:
- An open corporate culture and tone at the top;
- A clear understanding of the laws and regulations that apply to the company;
- Effective risk assessment procedures and internal controls;
- A reliable crisis management response team and leaders;
- Mandatory annual training for all personnel regardless of seniority;
- Safe and secure channels for whistleblowing that are free from retaliation;
- Internal procedures to protect against insider threats and risks;
- Regular updates to the board and upper management;
- Proper identification and storage of NPI;
- Regular evaluation of compliance with the Privacy and Safeguards Rules; and
- Thorough review and documentation practices.
The above are only a few examples of critical components that every GLBA compliance program should entail. A company’s GLBA compliance program will need to be periodically updated and optimized as changes in the legal and regulatory environment dictate.
Adopt various internal company-wide checks such as regular audits, personnel training, and physical security measures.
There are many steps a financial institution can take to get ready for a GLBA audit even before the government initiates one on its own. Such steps are generally internal and undertaken proactively. They include company-initiated audits, training, and security measures.
The financial institution should have consistent audits by a private and independent auditor in order to assess its compliance on a regular basis and correct weak areas before a government GLBA audit is conducted.
Additionally, training should cover GLBA compliance, the sensitive nature of NPI, and legal and regulatory changes. Security controls involve both physical controls, such as key cards and entry clearances, and technical controls, such as encryption of NPI at rest and in transit, multi-factor authentication, access controls, and firewalls.
Both kinds of controls protect customers’ NPI, and regular assessment of them will reveal whether they need to be improved, updated, or replaced. Other security measures may include pre-employment screening such as background checks.
Maintain a clear incident or crisis response plan in the event of data breaches.
Data breaches of customer data unfortunately do occur. Therefore, it is imperative that financial institutions under the GLBA’s ambit be prepared with a detailed crisis response plan in the event of such breaches—whether internal or external. An incident or crisis response plan should be detailed and formally documented.
It should clearly outline the steps the company takes when a customer data breach is identified, including procedures for preparing security incident reports, preserving evidence, tracing the source of the breach, containing it, and remediating its effects.
It should also cover prompt breach notification to customers who may have been or will be affected and, for institutions subject to the FTC’s Safeguards Rule, notification to the FTC within 30 days of discovering a notification event that involves the information of at least 500 consumers (a requirement in force since May 2024).
Monitor, evaluate, and document GLBA compliance.
Compliance with the GLBA is not a single annual occurrence. It is something that must be periodically monitored for compliance, evaluated for effectiveness, and documented for a complete paper trail for future reference.
Financial institutions should have a compliance officer or compliance team with the responsibility and resources needed to handle the company’s compliance effectively. This includes taking the action necessary to bring the company into compliance, making suggestions for improvement, and taking corrective action for misconduct.
A detailed account of the company’s compliance history is useful not only for demonstrating the intent to follow the law but also for lessening any potential fines and penalties in instances where noncompliance is present.
“The GLBA is a broad statute that applies to any entity that is a “financial institution,” and can include banks, mortgage brokers, ATM operators, tax preparers, real estate appraisers, lenders, etc. Because the Act applies to all businesses significantly engaged in providing financial products or services to customers, any business can quickly fall under the provisions of the GLBA and, consequently, the enforcement authority of the FTC. Therefore, companies need to make compliance an imperative.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
GLBA compliance is mandatory for companies qualifying as financial institutions and engaging in financial activities regardless of their size. A critical aspect of GLBA compliance is being prepared for regular audits of company operations.
These audits are generally conducted by federal agencies as a part of their responsibilities under the GLBA. Steps such as adopting risk assessment procedures, regular training, security measures, and detailed documentation are useful best practices for maintaining GLBA compliance and preparing for audits.
Following these strategies safeguards the privacy of customer data, increases customer confidence in financial institutions, and enhances the reputation and business of these financial institutions.