If you work for a financial institution, you may have heard the term GLBA once or twice. Or a lot. In our experience, people often use the term GLBA to describe several things related to GLBA compliance. In this article, we're going to demystify what GLBA is, and more importantly, what people mean when they say GLBA as it relates to regulatory compliance. 

What is GLBA? 

GLBA is an acronym that stands for the Gramm-Leach-Bliley Act. GLBA, also known as the Financial Services Modernization Act, is a federal law enacted in 1999 that, among other things, requires financial institutions to protect the security and confidentiality of their customers' nonpublic personal information. So, now that we know what GLBA is, let's talk about why people use the term to describe a million different things. 

GLBA: The Legislation 

The first thing we need to talk about is the GLBA legislation. When people say GLBA in the context of information security law, they are most likely referencing GLBA Section 501(b), codified at 15 U.S.C. § 6801(b). This is the provision in which Congress directed the agencies that oversee financial institutions to establish standards for administrative, technical, and physical safeguards, the GLBA standards we'll talk about in the next section. 

The agencies charged with developing these standards include the: 

  • Office of the Comptroller of the Currency (OCC) 
  • Board of Governors of the Federal Reserve System (FRB) 
  • Federal Deposit Insurance Corporation (FDIC) 
  • National Credit Union Administration (NCUA) 
  • Office of Thrift Supervision (OTS) (absorbed by the OCC in 2011) 
  • Federal Trade Commission (FTC) 
  • Securities and Exchange Commission (SEC) 

The Federal Financial Institutions Examination Council (FFIEC) also plays a role, since it was established in 1979 to promote uniform principles, standards, and examination practices across these agencies. 

GLBA: The Standards 

Now, let's talk about the GLBA standards which came about due to the legislation. Beginning in 2000, each agency published its own information security standards implementing GLBA in the Code of Federal Regulations (CFR). 

Here's where you can find those: 

These standards are the legally enforceable requirements that financial institutions are examined against. So, when people say "GLBA compliance," what they most likely mean is "compliance with the guidelines and standards that implemented the GLBA legislation." 

GLBA: The Guidance 

The third thing we need to mention is the library of GLBA guidance which has been published to help financial institutions comply with the standards. Specifically, we're going to focus on four federal banking agencies in this section (i.e., the OCC, FRB, FDIC, and NCUA), as they tend to regulate, examine, and publish guidance in a similar way. 

Sometimes, these agencies will get together and publish unified guidance through the FFIEC. Other times, they will publish standalone resources. We'll cover both flavors in the following sections. 

The Thing about GLBA Guidance 

In the agencies' own words, "unlike a law or regulation, supervisory guidance does not have the force and effect of law." The agencies codified this position in rules adopted in 2021. (Give your agency's page a bookmark, so you can find it later.) 

What This Means: While the guidance listed below is helpful in improving our understanding of the GLBA requirements, it is not legally enforceable. 

The federal banking agencies are not authorized to take enforcement actions based on guidance alone. While examiners may make comments or recommendations based on the guidance, any formal enforcement action related to GLBA must be tied back to the GLBA standards. All clear? 

Now that we're all on the same page, let's look at some examples of GLBA compliance guidance. 

IT Examination Handbook 

The most popular GLBA guidance is the FFIEC IT Examination Handbook, and specifically, its Information Security Booklet. This booklet (along with several others) was written to help examiners understand what it could look like for a financial institution to adequately implement the GLBA requirements. Financial institutions can also use the booklets to better understand what their examiners may be considering as part of an evaluation. 

Examination Programs 

The federal banking agencies have also developed individual examination programs. 

These examination procedures are primarily based on the GLBA standards and describe what examiners look for when evaluating a financial institution's information security and technology practices. They draw on the FFIEC IT Examination Handbook, as well as the other guidance we haven't mentioned yet. (Keep reading though! We'll get there.) 

Joint Statements 

The FFIEC occasionally publishes individual guidance documents, which they call "joint statements." These are standalone resources, focused on a relevant topic, sometimes related to GLBA. For example, the following joint statements talk about topics related to cybersecurity, which is a part of ensuring information security: 

The FFIEC publishes joint statements on their Press Releases & Announcements page. 

Letters to Financial Institutions 

Each agency also publishes its own letters to the financial institutions they supervise. 

Sometimes, the letter contents overlap. Other times, the agencies provide recommendations tailored to the needs of the institutions they supervise. At the end of the day, all of it can be used to help improve the institution's compliance with the GLBA standards. 

Bringing It All Together 

Understanding GLBA compliance can be confusing, since the phrase has been used to describe legislation, enforceable standards, and guidance simultaneously. While it may seem like semantics, using precise language can provide clarity, reduce stress when going through an exam, and ultimately, help you better navigate the challenges of regulatory compliance. 

If you'd like to learn more about what it means to comply with the GLBA standards, check out our free e-book: Foundations of an Information Security Program. The e-book breaks down the standards, provides implementation best practices, and includes a list of resources to help take your program to the next level. 

Whether you've been around GLBA since 1999 or you just landed here after doing a web search for "What is GLBA?", we hope you know that Tandem is here to partner with you in your journey towards securing your business. Learn more at Tandem.App