Gramm-Leach Bliley Act (GLBA) Compliance

Evaluate your level of compliance with GLBA requirements and ensure that security controls are sufficiently developed and implemented to remediate any non-compliance.

What is GLBA Compliance?

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a United States federal law that requires financial institutions to disclose their information-sharing practices to their customers and to proactively secure sensitive data. GLBA compliance prevents unauthorized sharing or loss of private customer data, which lowers a financial institution's risk of penalties or reputational damage.

GLBA Compliance Deadline

On November 15, 2022, the Federal Trade Commission (FTC) announced that the deadline to comply with certain provisions of the updated Standards for Safeguarding Customer Information Rule (Rule) component of the GLBA has been extended by six months from December 9, 2022, to June 9, 2023.


The six-month extension applies to the following GLBA compliance requirements:

  • Designate a qualified individual to oversee their information security program,
  • Develop a written risk assessment,
  • Limit and monitor who can access sensitive customer information,
  • Encrypt all sensitive information,
  • Train security personnel,
  • Develop an incident response plan,
  • Periodically assess the security practices of service providers, and
  • Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Who Must Comply with GLBA?

GLBA compliance is applicable to financial institutions offering any financial products and services to individuals, such as loans, debt collection, financial advice, investment advice, or insurance. These include but are not limited to:

  • ATM operators
  • Banks
  • Car rental companies
  • Check-cashing businesses
  • Consumer credit reporting agencies
  • Credit counseling services
  • Courier services
  • Credit card companies
  • Etc.

Higher education institutions are also subject to the GLBA. In 2021, the FTC issued amendments that were approved by its governing agency, the GLBA, updating the compliance requirements for higher education institutions with a financial connection to the Title IV Program: “Any institution that receives Title IV funding must now comply with the Gramm-Leach-Bliley Act (GLBA).” “GLBA contains no exemption for colleges or universities. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply.”

Penalties for Non-compliance

The penalties for failing to meet GLBA compliance requirements are as follows:

  1. Fines of $100,000 for each violation for financial institutions found in violation of GLBA regulation.
  2. Fines of $10,000 for each violation for officers and directors in charge of institutions found to be in violation of GLBA regulation.
  3. Up to 5 years in prison for officers and directors in charge of institutions found in violation of GLBA regulation.

Rest assured, we will guide you in the right direction to avoid violations and non-compliance penalties that could set back your security operations.

GLBA Compliance Requirements

The primary data protection recommendations of the GLBA are outlined by the following:

  • The Financial Privacy Rule: it requires financial institutions to protect the privacy of consumers, which covers most personal information (name, date of birth, and Social Security number) as well as transactional data (account or credit card numbers).
  • The Safeguards Rule: this requires all financial institutions to design, implement, and maintain security measures to protect private information.
  • The Pretexting Rule: this encourages financial institutions to develop safeguards against pretexting, also known as social engineering.

How Will WCG Help?

GLBA Assessment Services

WCG provides GLBA Assessment Services to assist financial institutions in determining their level of compliance with GLBA requirements. We catalog the systems used to manage Nonpublic Personal Information (NPI) and identify threats and vulnerabilities that could put that information at risk.

Our GLBA Assessment Services include, but are not limited to:

  • Review and/or Develop GLBA Data Maps

    Data mapping articulates and illustrates how data is stored, transmitted, and processed internally and externally. WCG reviews or develops GLBA data maps for financial institutions to ensure the data flows are accurate and sufficiently meet GLBA compliance requirements.

  • Conduct Compliance Assessment
    • Determine the involvement of your institution
    • Evaluate the risk assessment process
    • Examine and scrutinize policies, processes, procedures, and third-party agreements to determine whether they sufficiently comply with GLBA standards and NIST 800-171 requirements and follow industry best practices, and, where appropriate, make precise recommendations to satisfy the compliance requirements
    • Analyze existing controls to verify that they sufficiently meet GLBA standards and NIST 800-171 Rev. 2 requirements
    • Assess the service providers’ agreement and measures taken to oversee service providers
  • Examine Risk Assessment Results or Conduct Risk Assessment
    • Examine the results of the most recent risk assessment if it was completed within the past year
    • If the most recent risk assessment is more than one year old, WCG will conduct a comprehensive vulnerability assessment, cybersecurity assessment, and penetration testing to evaluate cyber threats and vulnerabilities to your GLBA environment.
  • Develop Reports

    WCG presents clear and concise recommendations to document vulnerabilities and non-compliance risks discovered during assessments.

GLBA Implementation Services

We apply best practices in our GLBA implementation services to provide your organization with strong protective measures for your information systems and data. This approach keeps your organization compliant and operating effectively and efficiently while meeting its objectives. We also develop and implement individually tailored GLBA compliance programs, which include but are not limited to:

  • Develop Data Maps

    WCG develops GLBA data mapping documents that articulate and illustrate what data your financial institution possesses, where it resides, how it flows through systems and applications, and how it is collected, stored, and discarded.

  • Generate a Customized Compliance Program Plan

    This includes the activities, practices, roles, and responsibilities that protect confidential information and data, in compliance with the provisions of the FTC Safeguards Rule, which implements the applicable provisions of the GLBA.

  • Conduct Risk Assessment

    WCG conducts a comprehensive vulnerability assessment, cybersecurity assessment, and penetration testing to evaluate cyber threats and vulnerabilities to your GLBA-relevant data.

  • Develop GLBA-required Policies

    WCG develops the following GLBA-required policies for financial institutions to ensure they sufficiently comply with the GLBA compliance requirements:

    • Risk Assessment
      • Third Party Risk Management
    • Vulnerability Assessment and Penetration Testing
    • Vulnerability and Patch Management
    • Access Control
    • Acceptable Use
    • Cryptography
    • Security Awareness, Training, and Education
    • Incident Response
    • Audit and Logging
    • Record Retention and Disposal
    • Change Management
    • Password
    • Malicious Code
    • Data Classification
    • Asset Management
    • Compliance Management
    • Email
    • Identification and Authentication
  • Implement Controls

    WCG will work with your organization to implement controls found to be deficient or missing. The implementation of these controls will result in risk reduction, acceptance, avoidance, or transfer.

  • Conduct Awareness Training

    Staff awareness training is a crucial component of preventing data breaches and non-compliance, since 75% of reported cyber-attacks are due to human error. Tailored to your needs, WCG will work with your organization to recommend and/or develop specific compliance awareness training courses to educate employees who interact with covered Personally Identifiable Information (PII) during their daily activities.

WCG works closely with your financial institution and assures your compliance in accordance with the GLBA’s mandates. We provide institutions with exact information on how to protect confidential, private customer information; in addition, we apprise you of all updates that will impact compliance practices.
