GLBA Compliance Assessment


The Gramm-Leach-Bliley Act was ratified to bring reform to the financial services industry, specifically addressing concerns relating to consumer financial privacy. The Act itself is divided into three distinct Rules: 

The Privacy Rule

The Privacy Rule mandates that a financial institution provides timely notices of their privacy policies to customers. In the event that a financial institution sought to disclose a customer’s private data to a third party, they would first need to alert the customer to their right to “opt out” from having their information shared with certain third party entities.

Information covered by the Privacy Rule is often referred to as “nonpublic personal information”, or NPI for short. NPI is classified as:

- Any information an individual submits to obtain a financial product or service (examples include names, addresses, incomes, Social Security numbers, and any other information that would appear on an application)

- Any information you receive about a customer from a transaction involving your financial products or services (examples include the fact that said individual is a customer of yours, account numbers, payment history, loan or deposit balances, credit and debit purchases, etc.)

- Any information you obtain about a potential customer in relation to approving or providing a financial product or service (examples include information from court records or consumer reports)

Privacy Notices

“Financial institutions must give their customers, and in some cases their consumers, a ‘clear and conspicuous’ written notice describing their privacy policy and practices. When you provide the notice and what you say depend on what you do with the information.” (Courtesy of ftc.gov) The contents of this notice need to include what information is collected, what information is disclosed, the categories of third-party affiliates to which information is disclosed, and an ability to opt out of disclosure to non-affiliated third parties. A complete list can be found on the FTC’s website. Customers must receive a privacy notice regardless of whether or not your institution shares NPI. Institutions also need to provide an “initial notice” by the time the customer relationship is established, conditional on the customer’s approval. Finally, consumers of your institution’s services who aren’t established customers must receive a privacy notice, including an opt-out notice.

The Safeguards Rule

This rule mandates that financial institutions under FTC jurisdiction have measures in place to keep customer information secure. “In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.” (Courtesy of the FTC) These safeguards should include comprehensive internal audits to determine the security of, and possible risks to, NPI.

The Pretexting Provisions

Serving as a factor in cybersecurity assessments, this Rule mandates that financial institutions have practices in place to monitor account activity and train employees to recognize phishing attempts. This is to reduce instances of “pretexting”, defined by the US Constitution as the act of trying to gain access to information without the proper authority to do so. This is also referred to as “social engineering.”

Velox Systems can help your financial organization prepare for this regulation as well as support your team with their technology! Click the button below to see what a partnership with Velox Systems might look like for your financial firm.
