What is GLBA compliance?

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a United States Federal law that was originally enacted to modernize the financial industry. The law mandates that financial institutions disclose their information-sharing practices to their customers and proactively secure sensitive data.

The Two Sections of the GLBA:

The GLBA is broadly divided into two sections: the Safeguards Rule and the Financial Privacy Rule. Each has its own set of requirements:

The Safeguards Rule

This rule requires that financial institutions protect the customer information they collect.

Who does the Safeguards Rule apply to?

Put simply, all companies that offer consumers financial products or services like loans, financial or investment advice, or insurance are required to comply with the Safeguards Rule.

Under the GLBA, ‘financial companies’ includes a broad range of businesses of all sizes: any organization that is ‘significantly engaged’ in providing financial products or services. This includes any business that collects personal information from their customers, including names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and social security numbers.

More tangibly, this could include check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.

What does the Safeguards Rule entail?

To comply with the Safeguards Rule, companies must develop a written information security plan that describes how they protect customer information. The requirements are flexible depending on the company’s size, complexity, and circumstances, and are ultimately designed to ensure financial institutions assess and address the risks to customer information in all areas of their operation. The three areas that the GLBA identifies as particularly important in information security are:

  • Employee Management and Training
  • Information Systems
  • Detecting and Managing System Failures

The Financial Privacy Rule

Under this rule, financial institutions must give their customers clear and conspicuous written notice describing their privacy practices and policies.

Who does the Financial Privacy Rule apply to?

As with the Safeguards Rule, all ‘financial institutions’ as defined above must comply with the Privacy Rule. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.

What does the Financial Privacy Rule entail?

To comply with the Financial Privacy Rule, financial institutions must notify their customers about their ‘consumer personal information’ sharing practices and inform consumers of their right to opt-out.

Note that when the GLBA mentions ‘consumer personal information’, it refers to Nonpublic Personal Information (NPI), or any personally identifiable financial information that is not otherwise publicly available. For example, name, address, income, SSN, court records or other information from a consumer report, credit or debit card purchases.

It does not include information that has been made publicly available, i.e. information that has been widely distributed in the media or government records made available to the public.

Identity and the GLBA:

The financial sector sees millions of data transactions on a daily basis; from authentication into internal corporate systems to customer identity verifications for online transactions. As such, Identity and access management sits at the heart of the financial sector.

To meet GLBA and other compliance obligations, impacted organizations must meet requirements from both federal and private sector frameworks. To name a few, these requirements include the implementation of technical safeguards such as the flexibility to define password complexity requirements, data encryption in-transit and at rest, control over access to sensitive information, and user audit logging capabilities.

To help organizations meet these obligations, the Okta identity cloud offers a robust and mature security program. This toolset includes single sign-on, universal directory, adaptive multi-factor authentication, API management, lifecycle management, advance server access and access gateway.

In my next post, I’ll break down these requirements in further detail, as well as how the Okta toolset can address each to provide a more complete picture of how Okta can help your organization on its GLBA journey.

Learn more

Okta has made its privacy policy and documentation available online, accessible via the links below. For additional information on Okta’s approach to privacy and security, including additional compliance certifications and information, visit:

Financial organizations from around the world trust Okta to secure their data and manage user access. Check out the customer stories below to learn how: