If you work for a financial institution, you may have heard the term GLBA once or twice. Or a lot. In our experience, people often use the term GLBA to describe several things related to GLBA compliance. In this article, we're going to demystify what GLBA is, and more importantly, what people mean when they say GLBA as it relates to regulatory compliance.
What is GLBA?
GLBA is an acronym that stands for the Gramm-Leach-Bliley Act. GLBA, also known as the Financial Services Modernization Act, is a federal law enacted in 1999, designed to secure consumers' personal financial information. So, now that we know what GLBA is, let's talk about why people use the term to describe a million different things.
GLBA: The Legislation
The first thing we need to talk about is the GLBA legislation. When people say GLBA in the context of information security law, they are most likely referencing GLBA Section 501(b), codified into law as 15 U.S.C. § 6801. This is the legislation approved by Congress that put the federal banking agencies into motion to write the GLBA standards, which we'll talk about in the next section.
The federal banking agencies charged with developing these standards include the:
- Office of the Comptroller of the Currency (OCC)
- Board of Governors of the Federal Reserve System (FRB)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of Thrift Supervision (OTS) (absorbed by the OCC in 2011)
- Federal Trade Commission (FTC)
- Securities and Exchange Commission (SEC)
The Federal Financial Institutions Examination Council (FFIEC), which was established in 1979 to promote uniformity and coordination among these agencies, also plays a role in developing the standards.
GLBA: The Standards
Now, let's talk about the GLBA standards, which came about as a result of the legislation. In 2000, each agency published its own information security standards under GLBA in the Code of Federal Regulations (CFR).
Here's where you can find those:
- OCC: 12 CFR Part 30, Appendix B (Interagency Guidelines Establishing Information Security Standards)
- FRB: 12 CFR Part 208, Appendix D-2 (Interagency Guidelines Establishing Information Security Standards)
- FDIC: 12 CFR Part 364, Appendix B (Interagency Guidelines Establishing Information Security Standards)
- NCUA: 12 CFR Part 748, Appendix A (Guidelines for Safeguarding Member Information)
- FTC: 16 CFR Part 314 (Standards for Safeguarding Customer Information)
- SEC: 17 CFR Part 248.30 (Procedures to Safeguard Customer Records and Information)
These standards are the legally enforceable part of GLBA. So, when people say "GLBA compliance," what they most likely mean is "compliance with these guidelines and standards that implemented the GLBA legislation."
GLBA: The Guidance
The third thing we need to mention is the library of GLBA guidance which has been published to help financial institutions comply with the standards. Specifically, we're going to focus on four federal banking agencies in this section (i.e., the OCC, FRB, FDIC, and NCUA), as they tend to regulate, examine, and publish guidance in a similar way.
Sometimes, these agencies will get together and publish unified guidance through the FFIEC. Other times, they will publish standalone resources. We'll cover both flavors in the following sections.
The Thing about GLBA Guidance
In the agencies' own words, "unlike a law or regulation, supervisory guidance does not have the force and effect of law." This view was codified into law in 2021. (Give your agency's page a bookmark, so you can find it later.)
- OCC: 12 CFR Part 4, Appendix A
- FRB: 12 CFR Part 262, Appendix A
- FDIC: 12 CFR Part 302, Appendix A
- NCUA: 12 CFR Part 791, Subpart D, Appendix A
What This Means: While the guidance listed below is helpful in improving our understanding of the GLBA requirements, it is not legally enforceable.
The federal banking agencies are not authorized to take enforcement actions based on guidance alone. While examiners may make comments or recommendations based on the guidance, any formal enforcement action related to GLBA must be connected back to the GLBA standards. All clear?
Now that we're all on the same page, let's look at some examples of GLBA compliance guidance.
IT Examination Handbook
The most popular GLBA guidance is the FFIEC IT Examination Handbook, and specifically, the Information Security Booklet. This booklet (along with several others) was written to help examiners understand what it could look like for a financial institution to adequately implement the GLBA requirements. The booklets can also be used by financial institutions to better understand what their examiners may be considering as part of their evaluation.
Examination Programs
The federal banking agencies have also developed individual examination programs.
- OCC: Cybersecurity Supervision Work Program (CSW)
- FDIC and FRB: Information Technology Risk Examination (InTREx) Program
- NCUA: Information Security Examination (ISE) Program
These examination procedures are primarily based on the GLBA standards and provide higher-level guidance on what it would look like to examine a financial institution's information security and technology practices. They draw on guidance from the FFIEC IT Examination Handbook, as well as the other guidance we haven't mentioned yet. (Keep reading though! We'll get there.)
Joint Statements
The FFIEC occasionally publishes individual guidance documents, which they call "joint statements." These are standalone resources, focused on a relevant topic, sometimes related to GLBA. For example, the following joint statements talk about topics related to cybersecurity, which is a part of ensuring information security:
- Joint Statement on Security in a Cloud Computing Environment
- Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs
- Joint Statement on Cyber Attacks Compromising Credentials
The FFIEC publishes joint statements on their Press Releases & Announcements page.
Letters to Financial Institutions
Each agency also publishes its own letters to the financial institutions they supervise.
- OCC Bulletins
- FRB Supervision and Regulation Letters
- FDIC Financial Institution Letters
- NCUA Guidance (e.g., Letters to Credit Unions, Risk Alerts, Supervisory Letters, etc.)
Sometimes, the letter contents overlap. Other times, the agencies provide recommendations tailored to the needs of the institutions they supervise. At the end of the day, all of it can be used to help improve the institution's compliance with the GLBA standards.
Bringing It All Together
Understanding GLBA compliance can be confusing, since the phrase has been used to describe legislation, enforceable standards, and guidance simultaneously. While it may seem like semantics, using precise language can provide clarity, reduce stress when going through an exam, and ultimately, help you better navigate the challenges of regulatory compliance.
If you'd like to learn more about what it means to comply with the GLBA standards, check out our free e-book: Foundations of an Information Security Program. The booklet breaks down the standards, provides implementation best practices, and includes a list of resources to help take your program to the next level.
Whether you've been around GLBA since 1999 or you just landed here after doing a web search for "What is GLBA?", we hope you know that Tandem is here to partner with you in your journey towards securing your business. Learn more at Tandem.App.