On May 6, 1999, Representatives James Leach and Thomas J. Bliley Jr. and Senator Phil Gramm introduced the Financial Services Act in the US Senate. Just five months later, on November 12, 1999, it was signed into law.
The fact that this piece of legislation was adopted so quickly is a testament to its key role in enhancing data security and supporting consumer privacy. In our new interview, we are going to shed light on what distinguishes this law and what it entails for financial software development companies.
What is GLBA?
Named after its initiators, the Gramm-Leach-Bliley Act (GLBA) is also sometimes referred to as the Financial Modernization Act. This US law has transformed the financial services sector, as it gave the green light for commercial and investment banks, securities firms, and insurance companies to consolidate. GLBA also mandates that financial institutions handle clients’ personal information in a secure manner.
Who must comply with GLBA requirements?
In essence, GLBA is relevant not only to financial institutions but also to organizations that receive personal information from these institutions. While the law explicitly applies to a specific set of companies, its actual reach goes beyond what might be apparent at first glance. It all comes down to what qualifies as a financial institution.
According to the legislation, financial institutions are companies significantly engaged in financial activities. This covers a range of operations such as lending, investing, and offering financial or economic advisory services. Other examples include brokering loans, loan servicing, debt collection, and even career counseling.
As for significant engagement, companies need to meet two criteria:
- There must be a formal agreement confirming the client-customer relationship. For instance, a bar owner keeping a tab for their customers is not officially engaged in financial activity.
- The frequency of transactions. For example, if a retailer offers a one-time installment payment plan to a customer, it would not be considered significantly engaged in financial activity. By contrast, if a business regularly conducts money transfers with customers, it would be recognized as significantly engaged in financial activity.
What kind of information is covered by GLBA?
The primary goal of GLBA is to protect nonpublic personal information (NPI), referring to any financial data capable of identifying an individual. This information is gathered by a financial institution in the course of delivering a financial product or service, as long as it is not publicly available.
There are three channels through which NPI can be obtained:
- Information voluntarily provided by individuals to obtain a product or service, such as name, address, income, Social Security number, etc.
- Information received about individuals as a result of a transaction related to your product or service like account numbers, payment history, etc.
- Information obtained about an individual in relation to providing a product or service like consumer reports, etc.
One must be cautious when dealing with publicly available information. Consider an interesting example: even though phone numbers are listed in a public phone directory, a person can have several phone numbers. Thus, if the number you hold is not listed in a directory, it is not considered publicly available.
Ultimately, if a set of information includes even a portion of NPI, the entire block of data is categorized as nonpublic. For example, consider a list of borrowers' names and phone numbers compiled by a creditor. In this scenario, both the name and the phone number are publicly available information, obtainable from various sources. But the very fact that there is a legal relationship between a borrower and a creditor falls under the category of nonpublic information. Consequently, it becomes imperative to uphold the confidentiality of such data.
What are the key GLBA rules regarding data security?
There are two major GLBA rules that aim to safeguard customer data.
The first rule is the Financial Privacy Rule, which requires financial institutions to send privacy notices to customers. These privacy notices are provided:
- at the time of establishing a relationship, unless a delayed notice is provided for the timely completion of a transaction;
- annually (in certain cases as specified by legislation).
A privacy notice must include a list of collected consumer information, as well as how this information is used and protected. There is an official model privacy form that can be used as a reference.
Consumers can also choose to opt out of information sharing. This scenario becomes particularly significant if a financial institution discloses non-public information about a consumer to third parties. In such a case, the notice should also include:
- An opt-out notification detailing the option to decline the sharing of their NPI with non-affiliated third parties.
- Categories of information gathered and shared.
- Classes of third parties with whom the information is planned to be shared.
- A reasonable means to opt out.
- A reasonable time frame to opt out before the disclosure of such NPI.
There are some cases when consumers can’t opt out:
- Information sharing with entities providing essential services to the financial institution.
- Conducting marketing campaigns for the financial institution's products or services.
- Information sharing required to comply with the law.
The second rule is the Safeguards Rule, which outlines an all-encompassing information security program that can include, among other things:
- appointing at least one employee to oversee security measures;
- conducting a risk analysis in departments dealing with sensitive information;
- establishing, monitoring, and testing a program to protect information;
- making necessary adjustments to security measures by changing the methods of collecting, storing, and using information if needed.
What measures can a software development provider undertake to ensure GLBA compliance?
For us, as a development company, the essence of the document boils down to the fact that each company has its unique risks and needs. Therefore, companies cannot rely on ready-made compliance programs. Recommendations include multi-step programs that companies can implement to reduce risks and comply with legal norms. These programs can include:
1. Conducting a risk and needs assessment. It is often recommended that the risk assessment be carried out by an external consultant with experience in GLBA compliance, and that relevant GLBA compliance policies and procedures be adopted:
   - corporate information security program;
   - comprehensive reporting to the board or top management;
   - procedures for identifying and ranking information assets based on confidentiality;
   - identifying all potential threats, both internal and external, that can be reasonably anticipated;
   - procedures to ensure that system modifications do not adversely affect GLBA compliance requirements.
2. Developing GLBA-compliant privacy policies and denial-of-service systems.
3. Implementing appropriate logical and physical security measures.
4. Monitoring and ensuring ongoing GLBA compliance.
5. Documenting the company’s current efforts to comply with GLBA requirements for ease of regulatory inspections.
What are the consequences of GLBA non-compliance?
When it comes to accountability, the fines are as follows:
- For a legal entity, a fine of up to $100,000 for each violation.
- For an individual, a fine of up to $10,000 for each violation (applies to officers and directors).
In addition, the possibility of criminal prosecution is not ruled out if the gravity of the committed offense warrants it.
What about GLBA certification? Is it required?
Since GLBA is a law, there is no separate certification program for third-party assessment of compliance.
However, companies put in a lot of effort to make GLBA compliance a part of their day-to-day operations. For instance, Microsoft Azure and Office 365 have implemented the following:
- Creation and approval of a security program in written form.
- Monitoring, assessment, and adjustment of the program, taking into account the sensitivity of customer information, internal/external threats to information, and changes in business conditions.
- Appointment of individuals responsible for implementing the security program.
- Receiving reports from managers.
Another example is the Entrust nShield® hardware security module (HSM), which relies on rigorous user authentication and encryption key protection as part of its regulatory compliance initiatives.
Wrapping up
In the current environment rife with data breaches, upholding GLBA compliance is crucial for financial institutions, as breaches not only incur significant costs but also pose a threat to reputation and ongoing operations. However, it's worth remembering that GLBA doesn't prescribe specific security measures; it leaves financial institutions responsible for determining and implementing their own security programs.
This underscores the importance of choosing a reliable technology partner with profound expertise in data security when developing financial software solutions. At Elinext, our experts have hands-on security engineering experience that is instrumental in identifying and implementing optimal security measures tailored to the specific needs of each company.