Gramm Leach Bliley (GLBA) Compliance Auditors, Consultants, Assessments
GLBA Compliance Audits & Consulting
NDB provides GLBA compliance auditing and consulting services for ensuring your organization is compliant with The Gramm–Leach–Bliley Act (GLBA). As for the Gramm–Leach–Bliley Act (GLBA), it contains three (3) important elements regarding the privacy of information, of which businesses, primarily "financial institutions," need to be aware:
- Financial Privacy Rule
- Safeguards Rule
- Pretexting Protection
The Financial Privacy Rule of The Gramm-Leach-Bliley Act actually requires "financial institutions" to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter, and it must also explain the information collected about the consumer, how the information is shared, used, and protected. There must also be a right to opt out of the information being shared with other parties pursuant to the provisions of the Fair Credit Reporting Act. Additionally, if the privacy policy changes at any point in time, the consumer is to be notified, ultimately allowing the consumer to opt out again.
Important provisions of The Gramm-Leach-Bliley Act (GLBA)
Simply stated, the financial privacy rule within The Gramm-Leach-Bliley Act effectively establishes a privacy agreement between the "financial institutions" and the consumer. As for the actual definition of a "financial institution," they are businesses that are deemed to be "significantly engaged" in "financial activities" for which they offer financial products and/ or services to individuals, ranging from loans to financial and investment advice to many other related financial products and/or services.
The Federal Trade Commission (FTC) defines "financial activities" as the following
Lending, exchanging, transferring, investing for others, or safeguarding money or securities; insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death; providing financial investment or economic advisory services; underwriting or dealing with securities, and engaging in any activity that the Federal Reserve Board has determined to be closely related to banking.
Source: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act- As for a "consumer," they are individuals who obtain or have obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or even legal representation.
- And as for the definition of a "customer," this is an actual "customer" who has a "customer relationship" with a financial institution. Please note that a "customer relationship" is a continuing relationship with a consumer.
GLBA Safeguards Rule - An "Information Security Plan" is a Must-Have
Regarding the Safeguards Rule, this effectively requires financial institutions to develop a written Information Security plan that describing in detail what policies, procedures, and processes are in place for protecting a clients' nonpublic personal information (also known as Personally Identifiable Information or "PII").
Thus, the plan is to include provisions for:
- Assigning at least one employee to manage the safeguards.
- Undertaking a comprehensive risk analysis on each department's handling of clients' nonpublic personal information, or PII.
- Developing, monitoring, and testing a designated program to actually secure the information.
- Changing the policies, processes, and procedures as needed in conjunction with the changes in how information is collected, stored, and used.
In reality, this rule is doing nothing more than restating and reaffirming what business should be doing anyway: protecting ALL types of data, both internal, corporate information and related assets, and also nonpublic, PII client data.
GLBA Pretexting Protection
Finally, the Pretexting Protection requires that safeguards be in place for protecting against "pretexting" (i.e., social engineering) measures, which is any type of deliberate attempt to gain access to private information for which a person is not allowed to access.
The GLBA measures are far-reaching indeed, as it requires financial institutions and all other related entities to have in place adequate safeguards for regarding the Financial Privacy Rule, the Safeguards Rule and Pretexting Protection.
NDB Gramm-Leach-Bliley (GLBA) Compliance Auditors and Consultants - Fixed-Fee Pricing
Readiness Assessments and Gap Analysis services
An important component of GLBA compliance is knowing what "compliance" actually means; specifically, what systems and supporting resources are to be included in the scope, what personnel are involved, along with identifying and understanding many other critical areas.
NDB’s GLBA Readiness Assessments and Gap Analysis Findings will list and detail all relevant material regarding your organization's "preparedness" with the actual GLBA requirements, and what specific measures you'll need to undertake for actually meeting and maintaining GLBA compliance.
Policy and Procedure development
If you have been identified as a "financial institution" or a related party for purpose of GLBA compliance, then you will need a trusted source to help develop a comprehensive set of policy and procedure documents and materials that actually comply with the GLBA requirement for a "written Information Security plan."
Implementation of GLBA Practices
While GLBA Readiness Assessments and Gap Analysis findings help unearth areas requiring remediation, you will still need a strategy for implementing many of the operational requirements for ensuring GLBA compliance. NDB can assist in developing a highly structured roadmap for implementing all necessary procedures and related activities in accordance with GLBA.
Contact NDB at