Introduction
The GLBA applies to any financial institution, meaning any business that is “significantly engaged” in financial activities. Section 4(k) of the Bank Holding Company Act describes what is considered a “financial activity.” Even if a business isn’t considered a financial institution, the Act places limits on its use of nonpublic personal information (NPI) if the business receives NPI from a nonaffiliated financial institution. The purpose of the Act is to protect NPI.
What is nonpublic personal information (NPI)?
- Any information given for a financial product or service, including name, address, income, SSN, or any other information that might be on an application
- Any information gained from a transaction involving a financial product or service, including your relationship with the individual, account numbers, payment history, balances, or purchases
- Any information obtained about an individual in connection with providing a financial product or service, such as information from a consumer report or court records
In other words, any personally identifiable financial information obtained by a financial institution.
The GLBA consists of three sections:
- Financial Privacy Rule
- Safeguards Rule
- Pretexting Rule
In the following sections, we'll go over the requirements for each of these rules.
This article summarizes the main points of the GLBA that apply to financial institutions. However, the very act of summarizing means we're taking out details, so this is by no means an authoritative or comprehensive guide. We encourage you to consult with your legal team to ensure you stay in compliance with the rule.
Financial Privacy Rule
The Privacy Rule places requirements on how financial institutions can collect and disclose private financial data and is found in 12 CFR 1016 (Regulation P). Institutions must develop privacy practices and policies about how they collect and share consumer information. The Rule requires that institutions give ‘clear and conspicuous notice’ of their privacy policies as well as opt-out options if the institution is in the practice of sharing or selling NPI.
Privacy and Opt-Out Notice Requirements
A financial institution must provide an initial privacy notice to all customers by the time a relationship is established, regardless of whether it shares NPI with third parties. If the financial institution does share NPI with nonaffiliated third parties, it must also provide its customers with an opt-out notice that includes a reasonable way to opt out and a reasonable amount of time to do so before the customer’s NPI is disclosed.
What information does a privacy notice need to include?
- Your policies and practices for disclosing NPI to nonaffiliated third parties.
- What kind of third parties you might disclose information to.
- What kind of NPI you collect and the categories of information you might disclose.
- How you handle the NPI of former customers.
- Your policies for ensuring the confidentiality and security of NPI.
- An explanation of the opt-out option and what methods a consumer can use to opt-out at any time.
- Any disclosures required by the FCRA.
- If you disclose NPI to a nonaffiliated third party under a section 13 exception, a separate statement needs to be included listing the categories of information you disclose and the categories of third parties you've contracted with.
- Any disclosures required by section 14 or 15 exceptions.
What needs to be included in the opt-out notice?
- A statement in which you state that you disclose or have the right to disclose NPI to a nonaffiliated third party
- A statement that the consumer has the right to opt out of having their NPI disclosed
- A reasonable way for the consumer to opt-out.
What is considered "adequate notice" for the opt-out?
As long as you've explained which categories of NPI you may disclose and the categories of nonaffiliated third parties you would disclose it to, your notice is considered adequate. You also need to tell the consumer which of the financial products or services they get from you the opt-out applies to.
What counts as a reasonable way for customers to opt-out?
Reasonable methods for a consumer to opt-out include any of the following:
- prominent check boxes on relevant forms
- an included reply form, along with the address it should be mailed to (if applicable)
- electronic means, such as an emailed form (if the consumer has agreed to the electronic delivery of information)
- a toll-free phone number consumers can call
It is important to note that a consumer must be allowed to opt out at any time, even if they don't do so initially.
How long does the opt-out last?
The opt-out is effective until the consumer revokes it in writing or electronically. The opt-out continues to apply even after the customer relationship ends.
Do the privacy and opt-out notices need to be provided separately?
No, they can actually be included in the same form, and the safe harbor templates for the privacy notice include the opt-out option. They can be provided separately if that is your preference, but they should always be delivered at the same time.
Short Form Notice
For non-customer consumers, a financial institution only needs to provide a privacy and opt-out notice if it is in the practice of sharing NPI with nonaffiliated third parties. An institution in that situation can choose to give non-customer consumers a “short-form notice” in place of a full privacy notice.
What does a short-form notice need to include?
A short-form notice needs to:
- explain that the full privacy notice is available on request,
- describe a reasonable way consumers can get the full notice, and
- include an opt-out notice.
What’s the difference between a consumer and a customer?
A customer is an individual who has a continuing relationship with an institution, whereas a consumer does not. An individual who merely cashes a check, makes a wire transfer, or applies for a loan would be a consumer. An individual who opens a line of credit, obtains a loan, or leases an automobile would be considered to have a continuing relationship with the institution, and would therefore be a customer.
When is disclosure of NPI allowed?
- To service or process a financial product or service that the consumer authorized
- To maintain or service a consumer's account
- For a securitization, secondary market sale, or similar transaction that is related to a consumer's transaction
- With the consent of the consumer, or at the consumer's request
- To protect the security of your records
- To protect against fraud, unauthorized transactions, or other liability
- For required risk control for your institution or resolving customer disputes or inquiries
- To a person who is acting as a representative of the consumer
- As specifically permitted by the law to self-regulatory organizations, law enforcement agencies, or for public safety investigations
- In compliance with Federal, State, or local laws, authorized investigations, subpoena, or judicial process
- To a credit reporting agency in accordance with the Fair Credit Reporting Act
- To provide information to:
  - insurance rate advisory organizations
  - guaranty funds or organizations
  - rating agencies of your institution
  - compliance auditors
  - your own attorneys, accountants, and auditors
If a financial institution shares information only with affiliates, the GLBA does not require an opt-out notice. However, an opt-out notice will likely be required under the FCRA instead.
Annual Privacy Notice
Customers must also be given an annual notice (which is a copy of the full privacy notice) for as long as their customer relationship lasts. No annual notice is required for non-customer consumers. You do not need to provide an annual privacy notice if 1) your policies regarding the disclosure of NPI have not changed since the initial privacy notice was given and 2) you share NPI with nonaffiliated third parties only as allowed by the exceptions for sections 13, 14, or 15. You must meet both provisions to be exempt from the annual privacy notice requirement.
When is a customer relationship considered terminated?
- When the customer's deposit account is considered inactive
- When a closed-end loan is paid in full, charged off, or sold (and you didn't retain servicing rights)
- When, in an open-end credit relationship, you don't provide statements or notices about that relationship anymore, or if you sell the credit card receivable (without retaining servicing rights)
- If you have not communicated with the customer for a year beyond annual privacy notices or marketing material
Delivery Requirements
Every notice must be delivered in a retainable form and in such a way that the recipient can be reasonably expected to receive the actual notice in writing or electronically. It is important to note that a notice can only be delivered electronically with the consumer's consent.
In what cases can a consumer be "reasonably expected" to receive the notice?
You can reasonably expect a consumer to receive a physical copy of the notice if:
- You hand-deliver a printed notice
- You mail a printed notice to the last known address
You can reasonably expect a consumer to receive an electronic copy of the notice if:
- You post the notice on your electronic site and do not allow a consumer to obtain a financial product or service until they have acknowledged receipt of the notice. (This includes isolated transactions, such as use of an ATM.)
What is the timeframe for providing the privacy and opt-out notices?
For a customer, the notice must be given as soon as a customer relationship is established. The only exceptions are:
- If providing the notice immediately would substantially delay the customer's transaction (such as when the relationship is entered into via phone) and the customer agrees to receive the notice at a later time.
- If the newly established customer relationship is not the customer's choice. (For example, if you have acquired the customer's deposit liability or servicing rights to their loan from another institution.)
If either of these exceptions apply, the initial notice must be provided a "reasonable time" after the customer relationship is established.
For a consumer, the short form notice and opt-out must be delivered prior to your disclosure of any NPI about the consumer.
Are there any differences for the delivery of the annual notice?
You can reasonably expect a customer to receive the annual notice if the customer uses your website for financial products and services and agrees to receive the notice at the website. This only works if you post your current privacy notice where it is always clearly noticeable.
If a customer has requested not to be sent any information regarding their customer relationship with you, you must abide by that request. However, you will still need to make sure the notice is available upon request.
Can you provide a joint notice?
You can provide a joint notice from you and your affiliates or other financial institutions as long as the notice remains accurate for all institutions involved.
You can also provide a single notice to two or more consumers who jointly obtain a financial product or service from you. If you do, you need to make sure that an opt-out by any one of the joint consumers can apply to all of them, though you may also allow each consumer the right to opt out individually. You are not allowed to require all joint consumers to opt out before you honor any opt-out direction.
Section 13 Exception
The section 13 exception covers the disclosure of information for certain marketing activities and service providers. For example, marketing financial products or services through a “joint agreement” with other financial institutions or hiring a nonaffiliated third party to provide marketing or perform general analysis of customer transactions. If you share NPI under this exception, you still have to give your customers and consumers a privacy notice describing this disclosure, but there is no opt-out requirement.
What information needs to be included in a disclosure for this exception?
The categories of NPI you disclose and whether the third party is a service provider or a financial institution.
If you make disclosures under the section 14 and 15 exceptions but not section 13, you would simply state that fact in the privacy notice.
In order to take advantage of the section 13 exception, there must be a contract that guarantees the confidentiality of information shared with the nonaffiliated third parties.
Section 14 Exception
This exception applies to information-sharing that is necessary for processing or administering financial transactions authorized by a consumer. For example, a disclosure of NPI to service providers who perform administrative activities for a consumer’s account or disclosures to creditors for a credit check.
Section 15 Exception
The section 15 exception applies to information-sharing such as disclosures for the purpose of preventing fraud or a response to a subpoena, or otherwise complying with the law.
What information needs to be included in a disclosure for section 14 and 15 exceptions?
You don't need to list these exceptions in the privacy notice. To describe the categories of third parties covered by these exceptions, you only need to state that you make disclosures to nonaffiliated companies for your everyday business purposes or as permitted by law.
Reuse and Redisclosure Restrictions
If you receive any NPI from an originating financial institution under the section 14 or 15 exceptions, you can only use the information for the purpose it was originally received for or within the exceptions. It can only be disclosed to your affiliates or affiliates of the originating financial institution.
Outside of the exceptions, NPI received about consumers who were given the opportunity to opt-out may be used internally for your own purposes. However, it can only be redisclosed consistent with the privacy policy of the originating financial institution or to your affiliates or the affiliates of the originating financial institution.
Disclosure of Account Numbers
The GLBA also prohibits financial institutions from sharing account numbers or other access numbers for marketing purposes, even if a consumer has not opted out. The section 14 and 15 exceptions do not apply to the disclosure of account numbers for marketing purposes.
Safeguards Rule
Financial institutions are also required to take steps to ensure the confidentiality and security of information. The Safeguards Rule requires that financial institutions have administrative, physical, and technical protections for the handling of customer information. Written policies and procedures need to be designed and implemented to meet these requirements; as long as all parts of the written safeguards are easily accessible, they don't need to be limited to one document.
What requirements does a financial institution's safeguards need to meet?
Your safeguards need to:
- be appropriate for your size and complexity, your activities, and the sensitivity of the customer information you handle
- reasonably ensure the security and confidentiality of your customer information
- protect against anticipated threats or hazards to the security of the information
- protect against unauthorized use of or access to information that could cause inconvenience or harm to your customers
What are the exceptions to the Safeguards Rule?
Financial institutions that collect consumer information from fewer than 5,000 consumers are exempt from the requirements for a written risk assessment, continuous monitoring or annual penetration testing and biannual vulnerability assessment, an incident response plan, and annual reporting to the governing body of the institution.
Risk Assessments
Before you can develop your information security program, you need to first identify any potential internal or external risks to security that might compromise customer information. Once this is accomplished, the information security program needs to be designed to control and protect against the identified risks, and must be regularly tested and monitored for effectiveness. Your institution needs to evaluate and adjust its information security program in response to the results of testing and monitoring, any changes to the business, or any other circumstances that might have an impact on the program. Risk assessments have to be performed periodically, though the Rule does not set a schedule; it is up to each financial institution to decide based on its needs and resources.
What does the risk assessment need to address?
- What the criteria are for evaluating the risks you face
- What the criteria are for assessing the security of the information system
- How you will address the identified risks
Effectiveness Testing
Financial institutions need to test or monitor their safeguards’ effectiveness regularly, and the rule specifies that they must do this using either continuous monitoring or periodic penetration testing and vulnerability assessment.
How does continuous monitoring work?
Continuous monitoring can be accomplished with any system that allows the institution to monitor the security of its information systems on an ongoing basis, in real time.
How does periodic penetration testing and vulnerability assessment work?
The periodic penetration testing is required at least once annually unless the risk assessment indicates a greater frequency is required, while the vulnerability assessments are required at least twice a year and any time there is a higher risk that new vulnerabilities have been introduced to your information systems.
It is important to note that a financial institution only needs to implement one or the other option, though it is welcome to implement both if desired. General testing should also be conducted for physical safeguards.
Qualified Individual
Every financial institution is required to designate a single “qualified individual” to oversee their information security program and be accountable for the security plan in its entirety. The Rule does not designate what level of education, experience, or certification qualifies an individual for the position. This is left to the institution to decide based on the complexity or size of their information systems. While this individual is responsible for the security program in full, particular duties and responsibilities can still be assigned to other employees if necessary. Additionally, this doesn’t need to be the qualified individual’s sole responsibility; they can have other duties.
Can the qualified individual be a third party?
Financial institutions can also hire a third party (an employee of an affiliate or service provider) to be their qualified individual. If they do so, they must still designate one of their own senior employees to direct and oversee the qualified individual, and they still retain responsibility for compliance with the Rule. The third party affiliate or service provider needs to maintain their own information security program in accordance with the Rule.
The qualified individual is responsible for making periodic reports (at least annually) to the governing bodies of the institution. If there is no ‘governing body,’ the report should be given to a senior officer that is responsible for the information security program.
What does the qualified individual's report need to include?
- The status of the financial institution’s compliance and the status of the information security program.
- Material matters such as the risk assessment, risk management decisions, arrangements with service providers, testing results, security events and management responses, and change recommendations. (The qualified individual is responsible for determining what matters are ‘material’ and should be included in the report.)
What is a security event?
A security event is any instance in which there is unauthorized access, disruption, or misuse of information in physical or electronic form.
Required Safeguards
Now that we've covered the requirements for designing, implementing, and maintaining security policies and procedures, let's go over the required safeguards. These safeguards are meant to ensure the safety of consumer information and that your staff is able to handle it appropriately, even in emergency situations. All of the following safeguards are required unless you fall under the exception to the Safeguards Rule.
Encryption
The Safeguards Rule requires that financial institutions encrypt data that is transmitted externally. Encryption is defined by the Rule as “the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.” The Rule does not prescribe a specific way to meet these criteria, only that whatever process is used must be sufficient to prevent the information from being deciphered.
Access Controls
Every financial institution needs to implement access controls for all customer information, regardless of whether it is stored electronically or physically. The rule also requires that they implement the “principle of least privilege,” which means that each employee should only have access to the information necessary to perform their job duties. In pursuit of this goal, multi-factor authentication is required for all employees with access to networks that contain customer information.
System Inventory
For the inventory, financial institutions are required to identify everything they use to run their business. The goal of this requirement is to make sure that financial institutions have a full understanding of every part that goes into their information systems and its relevance to the information security program. The inventory is deliberately not limited to systems directly related to information security; restricting it that way would leave the institution with incomplete knowledge of its systems.
What items need to be included in the system inventory?
- Data
- Devices
- Personnel
- Systems
- Facilities
User Monitoring
Financial institutions are required to log user activity so that they can monitor active users and their activities related to customer information. They also need to be able to monitor access to physical records and ensure access controls are being utilized. Examples include a sign-in sheet, key card access logs, or a security camera.
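The Access Controls and User Monitoring requirements above fit together in practice: activity logs are only useful if they are reviewed against the least-privilege policy and the MFA requirement. The script below is an added example, not code from the article or from any regulator; the log format, the role table, the user directory and the log lines are all constructed for the demonstration. It parses each access record, flags accesses to customer-information resources that fall outside the user's role, flags accesses made without multi-factor authentication, and produces the per-user activity summary the Rule expects an institution to be able to monitor.

```python
"""Review an access log for least-privilege and MFA violations.

Added example; the log format, roles, users and log lines are constructed
for illustration and are not part of the GLBA Safeguards Rule.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed role table: the minimum set of customer-information resources
# each role needs for its job duties (the "principle of least privilege").
ROLE_PERMISSIONS = {
    "teller": {"account_balance", "transaction_history"},
    "loan_officer": {"loan_application", "credit_report"},
    "marketing": set(),            # marketing staff need no customer NPI
    "security_admin": {"audit_log"},
}

# Constructed user directory: user name -> role.
USER_ROLES = {
    "alice": "teller",
    "bob": "loan_officer",
    "carol": "marketing",
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    resource: str
    reason: str


def parse_line(line):
    """Parse one constructed log line: ts|user|action|resource|mfa=yes|no."""
    ts, user, action, resource, mfa = line.strip().split("|")
    return {
        "ts": ts,
        "user": user,
        "action": action,
        "resource": resource,
        "mfa": mfa.split("=", 1)[1].lower() == "yes",
    }


def review_log(lines):
    """Return a list of Findings: unknown users, out-of-role access, no MFA."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        role = USER_ROLES.get(ev["user"])
        if role is None:
            findings.append(Finding(n, ev["user"], ev["resource"], "unknown user"))
            continue
        if ev["resource"] not in ROLE_PERMISSIONS.get(role, set()):
            findings.append(Finding(n, ev["user"], ev["resource"],
                                    "outside role's least-privilege set"))
        if not ev["mfa"]:
            findings.append(Finding(n, ev["user"], ev["resource"],
                                    "access without multi-factor authentication"))
    return findings


def activity_summary(lines):
    """Count accesses per user, for the 'active users' monitoring view."""
    return Counter(parse_line(l)["user"] for l in lines if l.strip())


# Constructed sample log: timestamp|user|action|resource|mfa flag.
SAMPLE_LOG = [
    "2024-03-01T09:00:00|alice|read|account_balance|mfa=yes",
    "2024-03-01T09:05:00|alice|export|credit_report|mfa=yes",
    "2024-03-01T09:10:00|carol|read|transaction_history|mfa=yes",
    "2024-03-01T09:12:00|bob|read|loan_application|mfa=no",
    "2024-03-01T09:15:00|mallory|read|account_balance|mfa=yes",
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} -> {f.resource}: {f.reason}")
    print(dict(activity_summary(SAMPLE_LOG)))
```

Running the block over the constructed log reports four findings: alice exporting a credit report her teller role does not need, carol in marketing reading transaction history, bob accessing a loan application without MFA, and an account lookup by a user not in the directory. The role table is the policy artifact an institution would maintain alongside its system inventory; the review logic is deliberately simple so that it can be pointed at real export formats with only the parser changed.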
Information Disposal
Customer information needs to be disposed of within two years after the last time a product or service is provided to the customer, and the financial institution needs to develop procedures for the secure disposal of such information. These procedures and policies need to be periodically reviewed to ensure customer information is not unnecessarily retained.
Change Management Procedures
The Rule also requires that financial institutions have change management procedures in place. This means that anytime there is an addition, modification, or removal of elements of the information system, the institution needs to have procedures in place to assess the effect of the change.
Employee Training
All employees should be provided with security awareness training that takes into account any risks identified by the risk assessment. The training program only needs to be appropriate to their organization, and only needs to be updated as necessary.
Financial institutions need to have qualified information security personnel sufficient for their information security requirements. The financial institution is the one who determines what ‘qualifies’ security personnel, and the information security personnel can be employed by the financial institution itself or by affiliates or service providers.
Is there specific training required for information security personnel?
Separate from the general employee training, the information security personnel need to be sufficiently trained with security updates and to address security risks. Key information security personnel also need to “take steps to maintain current knowledge of changing information security threats and countermeasures.”
Service Provider Assessments
Financial institutions need to periodically assess their service providers’ safeguards to ensure they adequately protect customer information.
Incident Response Plans
Financial institutions need to establish written incident response plans to address security events that materially affect the “confidentiality, integrity, or availability of customer information in their control.”
What should be included in the incident response plan?
- What the goal of the plan is
- What the internal processes are for responding to a security event
- What the roles and responsibilities are, as well as who has decision-making authority
- Communications and information sharing, both internal and external
- What requirements are for identifying and fixing weaknesses in the information systems
- What documents and reports are required for security events or incident response activities
- What evaluation and revision is needed for the incident response plan after a security event
It’s important to note that these plans only need to address events that affect customer information ‘materially’ and only need to suit the financial institution’s needs; they don’t need to address all possible scenarios or every small detail.
While not part of the new rule currently, the FTC is issuing a supplemental notice of proposed rulemaking to propose that a requirement be added that financial institutions need to notify them of detected security events.
Pretexting Rule
This rule exists to protect customer information from being accessed or used under false pretenses. In other words, it's meant to help prevent identity theft. A person is in violation of this rule if they try to obtain a financial institution's customer information relating to another person, or try to cause such information to be disclosed to any person.
What kind of actions violate this rule?
- Making a false statement to an officer, employee, or agent of a financial institution
- Making a false statement to a customer of a financial institution
- Providing a document to an officer, employee or agent of a financial institution while knowing that it is fraudulent or contains false information
- Requesting another person to commit one of the previous actions to obtain customer information
This rule does not apply to employees of the financial institution who obtain customer information in the course of testing the security procedures or systems, investigating claims of misconduct or negligence by an employee, or recovering customer information that was fraudulently obtained by another person.