Best Practices for Complying with the GLBA Safeguards Rule

The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that requires financial institutions to act in a way that ensures the confidentiality and security of customers’ nonpublic personal information (NPI) and to explain how they share and protect that sensitive data. 

To be GLBA compliant, financial institutions must communicate to their customers how they share customers’ NPI, inform customers of their right to opt-out, and apply appropriate data protections to customers’ NPI.

What is the GLBA Safeguards Rule?

The GLBA’s primary data protection requirements are outlined in its Safeguards Rule. The Safeguards Rule requires financial institutions to store sensitive customer information securely and ensure its secure transmission, as well as maintain programs and implement audit procedures that prevent unauthorized access and improper disclosure. 

Who Must Comply with the GLBA Safeguards Rule?

The GLBA is specifically designed for organizations within the finance industry; however, it applies to many organizations that may not typically think of themselves as financial institutions. In fact, the Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, mortgage brokers, payday lenders, nonbank lenders, real estate appraisers, and professional tax preparers. 

The Safeguards Rule also applies to third parties—such as ATM operators and credit reporting agencies—that receive customers’ NPI. Therefore, financial institutions are responsible not only for developing their own safeguards but also for ensuring that their service providers and other third-party affiliates take the necessary steps to safeguard customers’ NPI while it is in their hands.

The Benefits of GLBA Compliance

Aside from avoiding penalties and fines, the GLBA Safeguards Rule ultimately helps strengthen customer loyalty and trust by providing customers with the assurance that their sensitive data is protected at all times by the financial institution(s) with whom they choose to do business. 

The GLBA Safeguards Rule is designed to benefit customers in a number of ways:

  • NPI—including name, address, social security number, and loan balances—must be secured against unauthorized third-party access.
  • Customers must be notified when a financial institution shares their personal data either with another financial institution or with a third party for the purpose of completing a transaction.
  • Customers have the ability to opt-out of having their sensitive personal information shared.

How to Comply with the GLBA Safeguards Rule

The GLBA Safeguards Rule requires that covered institutions create a written information security plan describing the measures taken to protect customers’ sensitive information. As part of this plan, covered institutions must:

  • Designate one or more employees to coordinate the institution’s information security program;
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Addressing compliance concerns extends beyond avoiding penalties and fines to also building more trusting client relationships that drive engagement and loyalty. Your reputation distinguishes your firm from the next and without careful attention given to client privacy and compliance, quite frankly, your reputation is at risk. A recent Deloitte survey indicates that 73% of consumers are more likely to be open to or neutral about sharing data if they are satisfied with privacy policies explaining how data is used. By simply educating consumers about how their data is used, you can earn clients’ trust.

Organizations that take a leading-edge approach to protecting NPI to meet GLBA compliance requirements have a crucial competitive advantage in today’s business landscape.

Standing up an information security program for the first time? Looking to mature your existing program? Download a free copy of our checklist to learn more about which data protection capabilities should be incorporated into your security strategy.
