
2/3 of the World is Covered by Water – the Other Third is Covered by the Gramm-Leach-Bliley Act


With the possible exception of medical providers, financial institutions handle some of the most sensitive information consumers possess: Social Security numbers, income and employment details, credit histories, account balances, and more. Protecting this data is not only essential to maintaining consumer trust but is also a legal requirement under the Gramm‑Leach‑Bliley Act (“GLBA”) and the Federal Trade Commission (“FTC”) Safeguards Rule. Together, the statute and the rule establish a comprehensive framework for how financial institutions must secure, manage, and protect consumer information throughout its lifecycle.

Although GLBA has been in effect for more than two decades, and the FTC Safeguards Rule took effect in 2003, was substantially amended in 2021 (with the compliance deadline for most of the new requirements extended to June 2023), and was amended again in 2023 to add a breach‑notification requirement, we thought a review would be helpful for executives of financial institutions as well as fintechs. Below, we break down the core requirements of GLBA and the Safeguards Rule, along with practical considerations for financial institutions striving to meet and exceed compliance expectations. While the regulatory language can feel intricate, the intent is clear: organizations must take proactive, documented, and continually improving measures to safeguard customer data from unauthorized access, misuse, and breaches.

The GLBA: Overview and Purpose

Enacted in 1999, GLBA repealed the parts of the Glass-Steagall Act that separated commercial banking from the securities and insurance businesses, modernizing the financial services industry by allowing greater integration across those markets. But along with this expanded capability came heightened responsibility. Title V of GLBA, implemented through the Privacy Rule and the Safeguards Rule, requires financial institutions to:

  1. Explain their information‑sharing practices to consumers
  2. Protect the security and confidentiality of nonpublic personal information (NPI)
  3. Limit data sharing with non‑affiliated third parties unless certain conditions are met

The law defines “financial institution” broadly, extending beyond banks to include mortgage brokers, lenders, payday loan companies, tax preparation firms, investment advisers, fintechs, and various other service providers engaged in financial activities.

The FTC Safeguards Rule: Framework for a Modern Security Program

The FTC Safeguards Rule, originally issued under GLBA in 2002 and significantly amended in 2021 and 2023, provides the detailed blueprint for how financial institutions must secure customer information. The rule outlines administrative, technical, and physical safeguards that organizations must implement as part of a comprehensive, written information security program.

Here are the foundational elements required under the rule:

  1. Designation of a Qualified Individual

Every financial institution must appoint a Qualified Individual (“QI”) responsible for implementing and overseeing the company’s information security program. This person may be an internal employee or an external service provider, but accountability ultimately remains with the institution’s leadership.

  2. Risk Assessment

A written, formal risk assessment must identify reasonably foreseeable internal and external threats to customer information. This includes evaluating:

  • Data storage and transmission methods
  • Employee access
  • Third‑party risks
  • System vulnerabilities
  • Potential impact of data compromise

The risk assessment must guide the selection and implementation of safeguards, ensuring they are appropriate to the institution’s size and complexity and to the sensitivity of the data it handles. The rule scales with the institution: a financial institution that maintains customer information on fewer than 5,000 consumers is exempt from the written risk assessment, the written incident response plan, the annual board report, and the continuous‑monitoring or periodic‑testing requirement, although the underlying safeguards still apply.

  3. Implementation of Safeguards Aligned to Identified Risks

The Safeguards Rule specifies several required protections:

  • Access Controls: Authenticate users and permit access to customer information only to those who need it for their job, and periodically review who still holds that access. In practice this means role‑based permissions and least privilege: deny by default, grant narrowly, and revoke promptly when a role changes.
  • Encryption: Encrypt customer data both in transit and at rest. Where encryption is infeasible, the QI must approve an alternative compensating control in writing.
  • Multi‑Factor Authentication (“MFA”): Require MFA for any individual accessing any information system that holds customer information, unless the QI has approved in writing a reasonably equivalent or stronger control. This is the requirement behind the one‑time codes and push prompts consumers now see when signing in to financial websites and apps.
  • Secure Development Practices: Implement secure coding practices and change‑management procedures for in‑house applications, and procedures for evaluating the security of third‑party applications before they are used.
  • Data Inventory and Mapping: Maintain a clear understanding of where data resides, how it flows, and who has access. Data lineage is generally considered a next natural step once data inventory and mapping is completed.
  • Data Retention and Disposal: Maintain a written retention policy and securely dispose of customer information no later than two years after its last use for the purpose it was collected, unless it is still needed for a legitimate business purpose or required by law.
  • Monitoring and Testing: Either continuously monitor systems for unauthorized activity, or conduct annual penetration testing and vulnerability assessments at least every six months (and whenever there are material changes to operations). In either case, maintain detailed event logs that record who accessed customer information and when.
  • Vulnerability Management: Track findings from scans and tests to closure with timely patch management.

These safeguards ensure that institutions take a proactive rather than reactive approach to data protection.
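To make the access‑control, MFA and logging items above concrete, here is an added example (not code from the original post or from any regulator) of a deny‑by‑default gate over customer records: every role gets only the actions it needs, a request is refused unless the session has passed a second factor, and every decision, allowed or denied, is written to an audit log that never contains the NPI itself. The role names, permission strings, session fields and the single customer record are constructed for illustration and are not drawn from the Safeguards Rule.

```python
"""Added example (not from the original post): a deny-by-default access gate
for nonpublic personal information (NPI) that enforces least privilege,
requires an MFA-verified session, and writes a redacted audit record for
every decision. Role names, permissions and the sample record are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Least privilege: each role gets only the actions it needs. Anything not
# listed here is denied, so a new role or action stays denied until someone
# deliberately grants it.
ROLE_PERMISSIONS = {
    "teller":        {"account:read_balance"},
    "loan_officer":  {"account:read_balance", "customer:read_credit"},
    "fraud_analyst": {"account:read_balance", "customer:read_ssn"},
}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool  # set only after a second factor succeeded


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, session, action, customer_id, allowed, reason):
        # Never put NPI in the log itself; customer_id is an opaque key.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": session.user, "role": session.role,
            "action": action, "customer": customer_id,
            "allowed": allowed, "reason": reason,
        })


def authorize(session, action, customer_id, log):
    """Return True only if the session is MFA-verified AND the role holds
    the permission. Every decision, allowed or denied, is logged."""
    if not session.mfa_verified:
        log.record(session, action, customer_id, False, "mfa_required")
        return False
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        log.record(session, action, customer_id, False, "not_permitted")
        return False
    log.record(session, action, customer_id, True, "ok")
    return True


def mask_ssn(ssn):
    """Display helper: show only the last four digits."""
    return "***-**-" + ssn[-4:]


# Constructed sample record; no real customer data.
CUSTOMERS = {"c-1001": {"ssn": "123-45-6789", "balance": 2450.10}}


def read_ssn(session, customer_id, log):
    """Return the masked SSN if the caller is authorized, else None."""
    if not authorize(session, "customer:read_ssn", customer_id, log):
        return None
    return mask_ssn(CUSTOMERS[customer_id]["ssn"])


def demo():
    """Run three requests and return (results, log) for inspection."""
    log = AuditLog()
    teller = Session("alice", "teller", mfa_verified=True)
    analyst_no_mfa = Session("bob", "fraud_analyst", mfa_verified=False)
    analyst = Session("bob", "fraud_analyst", mfa_verified=True)
    results = [
        read_ssn(teller, "c-1001", log),          # None: role lacks permission
        read_ssn(analyst_no_mfa, "c-1001", log),  # None: no second factor
        read_ssn(analyst, "c-1001", log),         # "***-**-6789"
    ]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log.entries:
        print(json.dumps(entry))
```

Two design choices carry the compliance weight: the permission map is consulted with a default of an empty set, so an unrecognized role or a typo in an action string fails closed rather than open, and the audit record stores an opaque customer key rather than the SSN, so the log satisfies the monitoring requirement without becoming a second copy of the data it is meant to protect.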

  4. Employee Training

Human error is among the most common causes of data breaches. The rule mandates that institutions provide regular security awareness training designed to equip employees with the knowledge to identify threats such as phishing, social engineering, or unauthorized data access attempts.

  5. Oversight of Service Providers

Many financial institutions rely on third‑party vendors for critical operations, from cloud hosting to data analytics. Under the Safeguards Rule, institutions must:

  • Conduct due diligence before engaging vendors
  • Ensure contracts contain specific data‑security obligations
  • Monitor vendor compliance

This requirement reflects the increasingly interconnected ecosystem of financial technology and the shared responsibility model.

  6. Incident Response Planning

The rule requires a written incident response plan that outlines:

  • Roles and responsibilities
  • Internal and external communication procedures
  • Criteria for defining events
  • Steps for containment, remediation, and recovery
  • Documentation and post‑incident analysis

A well‑designed plan ensures organizations can respond to security events quickly and effectively. Since May 2024, the rule also requires notifying the FTC no later than 30 days after discovering a notification event in which unencrypted customer information of at least 500 consumers was acquired without authorization, so the plan should define who makes that determination and who files the notice.

  7. Annual Reporting to the Board of Directors

At least once a year, the QI (remember #1 above) must deliver a written report to the board or governing body detailing:

  • Program status
  • Risk assessment findings
  • Security events and responses
  • Recommendations for improvement

This ensures executive oversight and board accountability.

Conclusion

As financial data becomes increasingly valuable and cyber threats more advanced, GLBA and the FTC Safeguards Rule provide a structured, strategic framework for protecting consumer information. Institutions that embrace these requirements not as a checkbox exercise but as a guide to building a mature, adaptive security program position themselves for stability, trust, and competitive advantage.

Failure to comply can lead to substantial financial penalties; reputational damage; a significant and perhaps permanent loss of consumer trust; and increased scrutiny from federal regulators.

If your firm would like assistance designing or adopting robust cybersecurity strategies aligned with GLBA and the Safeguards Rule as part of migrating to the cloud with a consulting partner that has deep industry expertise – reach out to us here.


Carl Aridas, CSM, PMP, SAFe, SFC, Six Sigma Green Belt

A former federal bank regulator, Carl has deep industry expertise acquired over 35 years in the financial services industry. A program and project manager with multiple certifications in both waterfall and agile methodologies, Carl has extensive AI training and has executed numerous enterprise-wide change programs at both Systemically Important Financial Institutions and smaller FS firms, using the latest in AI tools.
