Ecom Infotech
GLBA Compliance
The Standard
The Financial Modernization Act, also known as the “Gramm-Leach-Bliley Act” (GLBA), was signed into law in 1999 and includes provisions to protect consumers’ personal financial information held by financial institutions, which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers.

There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. The Financial Privacy Rule seeks the protection of customers’ personal financial information by financial institutions, while the pretexting provisions seek to protect consumers from individuals and companies obtaining personal financial information under false pretenses.

The Challenge
The Safeguards Rule requires all financial institutions to design, implement and maintain security controls to protect customer information. So unlike other regulatory compliance legislation where it is the proof of the presence of controls that is regulated (usually through auditing and reporting), with GLBA, it is the actual presence of the controls that is mandated.

The Compliance
Standards for safeguarding customer information, issued by several government regulatory agencies in response to Section 501 of the Gramm-Leach-Bliley Act (GLBA), require that financial institutions implement an information security program that considers specific technical safeguards for securing their customers' nonpublic personal information (NPI). With the increasingly strict enforcement of the interagency guidelines for protecting customer information, financial institutions lacking the appropriate level of controls will find themselves having to deal with audit comments from agencies exerting substantial pressure to comply.

Complying with the interagency guidelines for protection can be greatly facilitated by implementing a security solution that focuses on the protection of the data itself. An enterprise-class system with centralized management and local enforcement of policies controlling access to NPI can provide consistent enforcement of those policies throughout the IT environment, facilitating both compliance and auditor verification of policy enforcement for protection.

Protection in Compliance with GLBA

Along with opening up the financial services industries by removing the restrictions that prevented the affiliation of banks, brokerages and insurance companies, the Gramm-Leach-Bliley Act (GLBA) mandates controls over customers' nonpublic personal information with respect to usage, protection and distribution. Section 501 specifically requires the protection of nonpublic personal information (NPI), with Section 505(a) providing a list of specific agencies and authorities tasked with establishing and enforcing the standards outlined in Section 501(b), which requires administrative, technical and physical safeguards to:

  1. Ensure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

    Senate Banking Committee, "Conference Report and Text of Gramm-Leach-Bliley Bill,"
    http://banking.senate.gov/conf/confrpt.htm, 4/21/04 Guidelines.

These documents provide a clear description of the methods and technologies that regulators expect to be considered for appropriateness in meeting the outlined risk control guidelines. In effect since July 1, 2004, these GLBA guidelines for technical safeguards under Section 501 are being enforced with increasing rigor. This enforcement is requiring institutions to implement security controls to address the dynamic and escalating risk environment surrounding their customers' personal information.

We provide solutions for constant monitoring for GLBA compliance.

For more details please contact us

Copyrights © 2009-10. All Rights Reserved. Ecom Infotech Inc