What Businesses Need To Follow To Be Compliant With GLBA

GLBA stands for the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act. It requires financial institutions and companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance to explain their information-sharing practices to their customers and to safeguard sensitive data.

The act applies to banks, non-bank mortgage lenders, loan brokers, some investment or financial advisers, real estate appraisers, real estate settlement service providers, tax return preparers, and debt collectors.

The Connection Of IT-GLBA

Compliance with the act is mandatory for financial institutions regardless of whether they disclose nonpublic information. The act requires that a policy be in place to protect data against threats to its security and integrity. In practice this means that the resources in the Windows Server network where the crucial data is actually stored and accessed must be secured, and access to them must be monitored and audited.

Financial Institutions

The GLB Act applies to "financial institutions", that is, companies offering financial products or services to individuals. The Federal Trade Commission has the authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Commodity Futures Trading Commission, the Securities and Exchange Commission, or state insurance authorities.

Among these, the institutions that fall under FTC jurisdiction for the purposes of the GLB Act are non-bank mortgage lenders, some financial or investment advisers, loan brokers, providers of real estate settlement services, tax preparers, and debt collectors.

Moreover, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities. The law requires financial institutions to secure data collected about individuals; it does not apply to information collected in business or commercial activities.

GLBA compliance is mandatory irrespective of whether a financial institution discloses nonpublic information. There must be a policy in place to protect the information from foreseeable threats to its security and integrity.

Three major components govern the collection, disclosure, and protection of consumers' nonpublic personal information (personally identifiable information). They are:

  • Financial Privacy Rule

    This rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain what information is collected about the consumer, where that information is shared, how it is used, and how it is protected.

  • Safeguards Rule

    This rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients' nonpublic personal information. The rule applies to the information of any past or present consumer of the financial institution's products or services.

  • Pretexting protection

    Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to nonpublic personal information without proper authority to do so. This may involve requesting private information while impersonating the account holder, by phone, by mail, by email, or by "phishing" (i.e., using a phony website or email to collect data). GLBA encourages the organizations it covers to implement safeguards against pretexting.

Consumers and Customers

A company's obligations under the GLB Act depend mainly on whether the individuals who obtain its services are consumers or customers. A consumer is any individual who obtains or has obtained a financial product or service from a financial institution for personal, family, or household purposes. A customer is a consumer who has a continuing relationship with a financial institution; in other words, when the relationship between the institution and the individual is long-term, the individual is a customer of the institution.

The main difference between customers and consumers is that only customers are entitled to receive a financial institution's privacy notice automatically. Consumers are entitled to receive a privacy notice only if the company shares their information with non-affiliated companies, with some exceptions. Customers must receive a notice every year for as long as the customer relationship lasts. The privacy notice must be given to individual customers or consumers by mail or in-person delivery; what counts as a reasonable way to deliver a notice may depend on the type of business the institution is in.

Published on Jul 2, 2015
Written by Hardeep Singh
Outreach Manager @appknox. #ProactiveAlways towards Social Media, Startups and Tech Evangelism.
