GLBA Assessments, Compliance & Consulting

FLANK provides GLBA assessments, compliance & consulting services, along with world-class information security policy toolkits - including a GLBA Compliance Toolkit - for businesses throughout North America.  As for the Gramm–Leach–Bliley Act (GLBA),which is also known as the Financial Services Modernization Act of 1999, it effectively repealed an important component of the Glass-Stegall Act of 1933, but for compliance purposes, it also contains the following three (3) critically important components regarding the privacy of information, for which "financial institutions" need to be aware of:

  • Financial Privacy Rule
  • Safeguards Rule
  • Pretexting Protection

Download Gramm-Leach-Bliley Act (GLBA) Policy Packet

Our industry leading GLBA Compliance Policy Packet for ensuring rapid and quick compliance comes complete with the following documentation:

  • GLBA Information Security Program Template
  • Information Security Policies and Procedures
  • Employee Security Awareness Training Packet
  • Risk Assessment Procedures
  • Incident Response Plan
  • Internal GLBA Monitoring Checklist
  • Third Party Service Provider Monitoring Program

GLBA Financial Privacy Rule

Specifically, the Privacy and Information Disclosure Provisions within GLBA are applicable to organizations that offer financial products or services to consumers, and thus must meet certain regulatory compliance guidelines relating to "privacy notices and information disclosure practices” regarding consumer's information. Specifically, these financial institutions, such as banks and securities firms, to name a few, must make these disclosures to their customers, along with consumers also.  As for what type of business is defined as "financial institutions", it's those that are "significantly engaged" in "financial activities" and offer financial products and/or services to individuals, such as loans, financial and investment advice, insurance, and any other related products and/or services. The Federal Trade Commission (FTC) defines "financial activities" as the following:

Lending, exchanging, transferring, investing for others, or safeguarding money or securities; insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death; providing financial investment or economic advisory services; underwriting or dealing with securities, and engaging in any activity that the Federal Reserve Board has determined to be closely related to banking.

Source: http://www.ftc.gov/privacy/glbact/glboutline.pdf

Common examples of business that engage in "financial services" and that are also deemed to "financial institutions" include, but are not limited to, the following:

  • Mortgage Lenders | Brokers
  • Checking Cashers and Pay-day Lenders
  • Credit Counseling Services
  • Financial Investment advisory services
  • Automobile dealers who engaging in leasing and/or financing activities.
  • Collection agencies
  • Government entities providing financial products (i.e., student loans, mortgages)

As for defining what is a "consumer" and a "customer", they are the following:

A "consumer" is somebody who obtains or has obtained financial products or services from an actual financial institution, and for which is being used primarily for personal, family, or household purposes, or for that individual's legal representative.
A "customer" is actually a "consumer" who in fact has a "continuing relationship" (i.e., "customer relationship) with a financial institution.

GLBA Safeguards Rule

As for the Safeguards Rule, this is the second in a series of three main parts contained within the GLBA privacy provisions, calling for financial institutions to have an adequate security plan in place for protecting the confidential information of consumers. The Federal Trade Commission, in seeking to actively promote the Safeguards Rule, has made available, via their website, a comprehensive list of educational material and resources in the hopes of informing all mandatory and other interested parties. Key topics in the Education & Guidance section put forth by the FTC include a primer for businesses on protecting personal information, how to properly dispose of consumer report information, along with general guidelines for ensuring compliance with the privacy provisions within GLBA.

GLBA Pretexting

As for Pretexting Protection, which is sometimes known as "social engineering", this requires that safeguards be in place for protecting against "pretexting" measures, which can include any type of deliberate attempt to gain access to private information for which an individual is explicitly not allowed to access. The GLBA measures are far-reaching indeed, requiring financial institutions and all other related entities to have in place adequate safeguards regarding the Financial Privacy Rule, the Safeguards Rule and Pretexting Protection.

Policies and Procedures are Critical for GLBA Compliance

We have years of experience implementing GLBA best practices, providing organizations the following services:

  • Readiness Assessments and Gap Analysis services: An important component of GLBA compliance is knowing what "compliance" actually means. Specifically, what systems and supporting resources are to be included in the scope, what personnel are involved, along with identifying and understanding many other critical areas.
  • Policy and Procedure development: If you've been identified as a "financial institution" or a related party for purpose of GLBA compliance, then you'll need a trusted source to help develop a comprehensive set of policy and procedure documents.
  • Implementation of GLBA practices: A GLBA Readiness Assessment and Gap Analysis, while beneficial, merely identifies strengths and weaknesses within one's compliance platform. As such, organizations should shortly thereafter implement all necessary practices for ensuring compliance with the Financial Privacy Rule, the Safeguards Rule and Pretexting Protection. We can assist in these measures by developing a highly-customized GLBA roadmap for compliance.