Three Keys to Performing GLBA Risk Assessment
Experienced Federal Defense and Compliance Law Firm Helps Companies Identify and Address Compliance Concerns

GLBA Risk Assessment Team Lead
Former DOJ Trial Attorney

The Gramm-Leach-Bliley Act (GLBA) is one of the most important laws of the past half-century in terms of the effect it had on the financial services industry. The main thrust of the GLBA was to reform the financial services industry in the wake of decades of perceived deep-rooted problems; however, the law also imposes strict regulations on how financial services companies use, share and protect consumer information.
At Oberheiden, P.C., we’ve assembled a team of exceptional federal defense and compliance lawyers to quickly address our clients’ unique needs. Our corporate compliance lawyers work directly with management and in-house counsel to quickly and efficiently determine our client’s compliance obligations. From there, we will craft a custom-tailored compliance program that meets or exceeds regulatory requirements without imposing unnecessary burdens on your business. Oberheiden P.C. attorneys have notable experience working with some of the nation’s largest and most successful corporations and look forward to putting that experience to work on behalf of your organization.
Assessing Risk under the GLBA
For companies concerned about GLBA compliance, a bit of effort upfront can help determine whether you need to devote the time and resources to develop a full-fledged GLBA compliance policy. However, many management teams may not know whether they are subject to GLBA’s strict requirements and, if so, how to evaluate, interpret, and address those risks.
Below is a step-by-step guide to performing GLBA risk assessment.
Step 1: Are You a Financial Institution?
The problem for many companies that are subject to GLBA compliance regulations is that they simply do not know it. The GLBA applies to “financial institutions,” a term that historically has been used to describe banks, credit unions, and lenders. However, the text of the GLBA provides its own definition of “financial institution.”
Under the GLBA, a financial institution refers to “all businesses, regardless of size, that are significantly engaged in providing financial products or services.” Many businesses that focus primarily on providing financial services will clearly fall within the scope of the GLBA. However, determining whether a portion of a business constitutes being “significantly engaged” in providing financial products or services can be challenging.
The Federal Trade Commission provides a few examples of the defining boundaries of what constitutes being significantly engaged in the provision of financial services and products. On one end of the spectrum is the bar owner who occasionally allows customers to keep a tab or the small furniture store that permits some customers to pay for items on layaway. According to the FTC, these businesses would not be significantly engaged in providing financial products or services. On the other end of the spectrum is the department store that offers customers a branded credit card or a business that regularly wires money to and from customers. These businesses, per the FTC, are significantly engaged in providing financial services or products.
Of course, most businesses fit somewhere in the middle, requiring management to take a comprehensive look at all activities that could be construed as providing financial services or products. For management teams without significant experience handling GLBA compliance matters, the assistance of a corporate compliance attorney is an invaluable asset in making this determination.
Step 2: Do You Have Consumers or Customers (and What’s the Difference?)
Businesses that are significantly engaged in providing financial products or services are “financial institutions” under the GLBA. However, this does not end the inquiry, as a business’s compliance requirements depend on whether its clients are “consumers” or “customers.” The distinction between a consumer and a customer is not one that most businesses typically make, so making this classification may be unfamiliar. However, it is critical to assessing GLBA compliance risk.
The FTC defines a consumer as “someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person’s legal representative.” On the other hand, a customer is “a subclass of consumers who have a continuing relationship with a financial institution.” Thus, all customers are consumers, but not all consumers are customers.
The importance of the distinction comes down to the fact that a business’s obligations under both the Privacy Rule and the Safeguards Rule depend, in part, on whether a client is a customer or a consumer.
Step 3: Do You Have Access to Non-Public Information (NPI)?
In this context, the GLBA is primarily concerned with non-public information (NPI). Non-public information is any personally identifiable financial information that a financial institution collects in connection with providing a financial product or service unless that information is otherwise publicly available. Generally, this is any information that a financial institution acquires or has access to by virtue of its relationship with a consumer. More specifically, NPI includes the following information about a customer:
- Name
- Address
- Social Security number
- Any information provided in an application for a financial product or service
- Any information pertaining to a consumer’s account
- Any information obtained by virtue of providing a consumer with a financial product or service
If a business has access to a consumer’s or customer’s NPI, it must take the necessary steps to safeguard that information. Additionally, the business may also need to issue privacy notices to the customer and, in some cases, a consumer, outlining the company’s policies and practices. What a business must provide in a privacy notice depends on how the business uses the information.
By reviewing each of these three steps, a business will have a better idea of its GLBA compliance obligations. From there, the next step is to work with an experienced corporate compliance attorney to develop a comprehensive compliance program to meet those needs.
Contact an Experienced GLBA Compliance Law Firm for Assistance
If you have questions about GLBA compliance or are unsure how the GLBA applies to your business, the knowledgeable corporate compliance lawyers at Oberheiden, P.C. can help. Oberheiden, P.C. is highly experienced in working with businesses to assess their compliance risk under the GLBA and a host of other federal laws. We routinely work with businesses across all industries, giving us an in-depth knowledge of how the GLBA applies in even the most specific and complex circumstances. To discuss your company’s GLBA risk assessment needs with one of our senior corporate compliance attorneys in confidence, please call 888-680-1745 or contact us online today.