GLBA Audits, Laws & Risk Assessment Strategies
Understanding GLBA Audits, Laws and The Obligations for a Broad Range of Companies
The Gramm Leach Bliley Act (GLBA) is a federal law that establishes privacy and safeguarding requirements for companies that store sensitive personal and financial information. The GLBA audit law applies to all entities that qualify as “financial institutions” under the statute.
GLBA Compliance Team Lead
Former DOJ Trial Attorney
While this might make it seem as though many – if not most – companies are exempt, as the U.S. Federal Trade Commission (FTC) explains, the GLBA “applies to all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services.”
As a result, “many businesses that may not normally describe themselves” as financial institutions are subject to the Gramm Leach Bliley Act. If your company is subject to the statute, it needs to make compliance a priority. GLBA audit non-compliance can lead to significant penalties—not only for the company itself but also for its officers and directors.
Who Enforces GLBA Audit?
The FTC is the federal agency that is primarily responsible for enforcing GLBA audits. With its focus on consumer protection, the FTC enforces a broad range of statutes that apply to companies engaged in consumer product sales and services. Since the GLBA audit law is intended specifically to protect consumers’ data, it falls within the FTC’s enforcement jurisdiction.
What Companies are Subject to GLBA Audit?
The Gramm Leach Bliley Act (GLBA) applies to all companies that are significantly engaged in “financial activities.” This includes everything from lending to check cashing, and from debt collection to real estate settlement services. As a result, some examples of the types of companies that are subject to GLBA audit include:
- ATM operators
- Auto dealerships
- Check-cashing businesses
- Courier services
- Credit reporting agencies
- Mortgage brokers
- Non-bank lenders
- Payday lenders
- Personal property and real estate appraisers
- Professional tax preparers
However, these are examples only. Additionally, not only are financial institutions required to adequately safeguard sensitive data in their possession, but they must also, “take steps to ensure that their affiliates and service providers safeguard customer information in their care.”
What are the Gramm Leach Bliley Act (GLBA) Regulations?
The Gramm Leach Bliley Act (GLBA) and its enabling regulations address numerous different aspects of financial institutions’ operations. They also require financial institutions to take affirmative steps in many cases. The following list provides just a small sampling of the regulations that financial institutions need to address in their GLBA audit policies and procedures:
- Differentiation between “consumers” and “customers”
- Relationships with non-affiliated financial institutions
- Safeguarding nonpublic personal information (NPI)
- Privacy notices (issuance and contents)
- Opt-out notices
- Reuse and redisclosure of NPI
- Disposal of NPI
- Data security
- Physical security and access limitations
- Employee screening and background checks
- Employee training
- Employment policies and confidentiality agreements
- Managing remote and terminated employees
- Laptop and mobile device policies
- Monitoring for potential threats to data security
- Oversight and audit procedures
What is the Gramm Leach Bliley Act Privacy Rule?
The Gramm Leach Bliley Act (GLBA) has two major components: (i) the Privacy Rule and (ii) the Safeguards Rule. The Privacy Rule protects consumers’ nonpublic personal information (NPI), which includes, “any ‘personally identifiable financial information’ that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise ‘publicly available.'”
If a financial institution collects or uses NPI in any way (which virtually all financial institutions will), then it must comply with the GLBA’s Privacy Rule. Among many other things, this requires providing an adequate privacy notice to all customers. Financial institutions must also give their customers the right to opt-out of having their NPI shared with non-affiliated third parties.
The Privacy Rule also establishes compliance obligations with regard to “consumers” who do not become “customers.” These obligations differ in a variety of different ways. As a result, financial institutions must ensure that their GLBA audit programs adequately address both classes of individuals.
The Privacy Rule establishes strict requirements for privacy notices and the right to opt-out notices. It also establishes exceptions for when notices are not required. Before deciding not to provide a privacy or opt-out notice, financial institutions must carefully review the Privacy Rule’s exceptions and clearly document their justification for asserting that an exception applies.
What is the GLBA Audit Safeguards Rule?
The Safeguards Rule goes farther than the Privacy Rule, requiring financial institutions to implement stringent security protocols in order to protect customers’ NPI. The Safeguards Rule also addresses breach notification in the event that customers’ NPI becomes compromised.
Similar to the Privacy Rule, the Safeguards Rule applies to all financial institutions regardless of their size, how much NPI they collect, and the capacity in which they use or store NPI. In order to comply with this rule, financial institutions must thoroughly assess their existing safeguards, adopt all necessary additional safeguards, and implement policies and procedures designed to ensure adequate safeguarding on an ongoing basis.
The FTC provides a long list of suggested Safeguards Rule compliance measures. But, while this list can serve as a useful reference, the FTC has also made clear that financial institutions must adopt policies and procedures that reflect the scope and nature of their specific operations. What is sufficient for one company won’t necessarily be sufficient for another, and companies that fail to implement custom-tailored GLBA audit measures can expect to face difficult questions from the FTC.
Due to the breadth of the Safeguards Rule, financial institutions must take the Rule into account when developing various internal policies and procedures. For example, the Safeguards Rule should inform financial institutions’ cybersecurity and employment policies, among others. At Oberheiden P.C., we provide comprehensive corporate compliance services for companies in all industries, and we can help your company develop and implement policies and procedures that address all pertinent legal and regulatory requirements.
FAQs: What Do Companies Need to Know about GLBA Audit Compliance?
What Does GLBA Stand For?
GLBA is shorthand for the Gramm-Leach-Bliley Act. Also commonly referred to as the “GLB Act,” the official name of the GLBA is the Financial Modernization Act of 1999. Congress enacted the GLBA in 1999 in response to growing concerns about the security of consumers’ private information stored and transferred over the Internet.
While a lot has changed since 1999, the GLBA remains a cornerstone of federal compliance for companies that qualify as “financial institutions.” The FTC stringently enforces companies’ obligations under the GLBA—as well as the various other consumer data protection statutes that Congress has enacted over the past twenty-plus years.
How Long has the GLBA Been in Effect?
The GLBA audit took effect upon its signature by President Clinton on November 12, 1999. While financial institutions were given time to come into compliance with the wide-ranging legislation, the “phase-in” period has long since expired. Today, all financial institutions must fully comply with the GLBA audit from the first time they collect, use, or store customers’ or consumers’ nonpublic personal information (NPI).
What is GLBA Section 501(b)?
Section 501(b) of the GLBA provided the source of statutory authority for the FTC to establish the Safeguards Rule. It created a mandate for federal agencies to, “establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information.” While Section 501(b) was not specific to the FTC, as the nation’s top consumer protection agency, the FTC took the reins in establishing the Safeguards Rule which continues to govern financial institutions’ data security and privacy practices today.
What are the Penalties for Violating the GLBA?
The penalties for violating the GLBA are substantial. In civil FTC enforcement actions, financial institutions can face fines of up to $100,000 for each individual violation. Officers and directors can also face civil penalties of $10,000 per violation.
Crucially, the GLBA also includes provisions for criminal enforcement. In criminal cases, financial institutions, officers, and directors can face statutory fines, and officers and directors can also face up to five years of federal imprisonment.
What Does it Take for Companies to Comply with the GLBA?
Establishing (and maintaining) GLBA audit presents significant challenges for companies of all sizes. While companies of different sizes are not necessarily held to the same standards, all “financial institutions” must take steps to protect customer and consumer data that are reasonable in light of (i) the volume of data they collect, (ii) how they use and transmit data, and (iii) their financial resources.
Generally speaking, developing a GLBA audit program will entail:
- Establishing policies and procedures that address all pertinent provisions of the GLBA;
- Providing employee training and taking other appropriate measures to implement the company’s GLBA policies and procedures;
- Implementing data security protocols that are sufficient to protect customers’ and consumers’ data;
- Monitoring the company’s GLBA compliance efforts and conducting periodic GLBA audits; and,
- Documenting GLBA compliance and updating the company’s GLBA audit policies, procedures, and protocols as necessary on an ongoing basis.
Call to Recieve a GLBA Compliance Audit & GLBA Risk Assessment
Do you have questions about GLBA audit compliance? Are you unclear on whether the statute applies to your company, or whether your company is doing enough to comply with the Privacy Rule and Safeguards Rule? If so, we can help. To discuss your company’s GLBA risk assessment needs with one of our senior corporate compliance attorneys in confidence, please call 888-680-1745 or contact us online today.