Beth Stewart

GLB Act Compliance - Rules and Pretexting

Compliance
April 3, 2015

The Financial Privacy Rule, The Safeguards Rule, and Pretexting Protection of the GLB Act are designed to protect consumers' nonpublic, personal information from disclosure.

The Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999. The GLBA repealed a portion of the Glass-Steagall Act of 1993, which prohibited any one institution from acting as any combination of an investment bank, commercial bank and insurance company. The act also repealed the prohibitions “against simultaneous service by any officer, director or employee of a securities firm as an officer, director or employee of any member bank.”

A company’s obligations under the GLB Act are contingent on whether the company has customers or consumers.

A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for family, personal or household reasons. A customer is a consumer who has a continuing relationship with a financial institution. For example, a person who hires a broker for a personal loan or takes a loan from a mortgage company is considered a customer of the broker or lender, while a person who uses a check cashing service is a consumer of that service.

The Federal Trade Commission has authority to enforce the law for “financial institutions” not covered by other authorities, such as the Securities and Exchange Commission, Commodity Futures Trading Commission, state insurance authorities and federal banking agencies. For example, tax preparers, debt collectors, providers of real estate settlement services, non-bank mortgage lenders, loan brokers, and financial/investment advisors fall under FTC jurisdiction for enforcement of the GLB Act.

There are 3 major elements to the GLB Act that are designed to protect consumers’ nonpublic personal information from disclosure: The Financial Privacy Rule, The Safeguards Rule, and Pretexting Protection.

The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. This rule also applies to companies, regardless of industry type, that receive such information. Similar to HIPAA, the Privacy Rule protects nonpublic personal information (NPI), which is defined as financial information collected by a financial institution in connection with providing a financial product or service.

Under the Financial Privacy Rule, institutions are required to give their customers (and in some cases consumers) a written notice describing their practices and privacy policies. What is stated in the notice depends on what your company does with NPI. Even if your company does not share customer NPI, all customers must receive a privacy notice, with the “initial notice” being provided by the time the customer relationship is established and at least annually during the continuation of a customer relationship. A privacy notice must be provided to a consumer if an institution intends to disclose nonpublic, personal information.

The privacy notice must also explain the opportunity for a customer or consumer to “opt out”, allowing the client to refuse permission for their information to be shared with affiliated parties. The Fair Credit Reporting Act is responsible for the “opt-out” opportunity, but the privacy notice should inform the customer of this right under the GLB Act. The client cannot “opt out” of marketing of products or services for the financial institution, sharing of information with those providing a priority service to the financial institution, or disclosure when the information is legally required.

Privacy notices must be delivered to each consumer or customer in writing, or, if the client agrees, by electronic communication. Privacy notices posted in your building or given orally do not comply with the Financial Privacy Rule.

For guidelines and information regarding your company’s privacy policy, including a model privacy form, visit the U.S. Securities and Exchange Commission website.

The Safeguards Rule requires all financial institutions to conduct a thorough risk assessment of their security measures and to design, implement and maintain a comprehensive information security program to protect customer information in all areas of operation. This rule applies not only to financial institutions that collect information from their own customers, but also to financial and other institutions that receive customer information from other financial institutions. Under the Safeguards Rule, companies are required to:

  1. Designate one or more employees to coordinate safeguards.
  2. Identify and assess risks to NPI in each relevant area of company operations and evaluate the effectiveness of current safeguards.
  3. Design and implement information safeguards to control risk, and regularly test and monitor the effectiveness of the information security program’s key controls, systems and procedures.
  4. Select appropriate service providers and contract with them to implement safeguards.
  5. Evaluate and adjust the program according to relevant circumstances, including changes in business operations or arrangements, or the results of testing and monitoring the safeguards.

Again, similar to HIPAA, the requirements are designed to be flexible to allow implementation of the appropriate safeguards. When a company adopts safeguards, the Safeguards Rule requires it to consider all areas of operation, including the three areas particularly important to information security: employee management and training, information systems, and managing system attacks and failures. We have added a PDF to the Compliance section of our resources page that includes the recommended practices for each of the three areas.

Pretexting occurs when someone tries to access personal, non-public information without the proper authority to do so, such as impersonating an account holder to request private information by phone, email or mail. Phishing and phony websites used to collect data are also examples of pretexting. The GLB Act makes it illegal for any person to obtain or attempt to obtain, or to disclose or cause to be disclosed, customer information of a financial institution by false pretenses or deception. To meet the GLB Act’s standards in this regard, programs should be put in place to educate employees to recognize social engineering and phishing scams.

Our blog series on Compliance continues next week with a look at the Sarbanes-Oxley Act, which set new and enhanced standards for all public accounting and management firms and public company boards.

References:

- Bill Summary & Status, 106th Congress (1999-2000), S.900, CRS Summary. Thomas (Library of Congress).
- C. Landis Plummer. n.d. Standards for Safeguarding Customer Information. Federal Register. https://www.federalregister.gov/articles/2001/08/07/01-19338/standards-for-safeguarding-customer-information
- U.S. Securities and Exchange Commission. n.d. Model Privacy Form. https://www.sec.gov/divisions/marketreg/tmcompliance/modelprivacyform-secg.htm
