Gramm-Leach-Bliley: What Does it Mean for You?

This white paper is intended for those affected by the Gramm-Leach-Bliley Act, or GLBA. Included are financial institutions, insurance companies, financial service providers, credit card companies, and billing service providers.

 

What is GLBA

GLBA is the Gramm-Leach-Bliley Act.

* GLBA was signed into law in November of 1999.
* The Act repeals the 66-year-old Glass-Steagall Act, which prohibited banks, securities firms and insurance companies from being affiliated.
* GLBA permits banks, securities firms and insurance companies to be affiliated within a new Financial Holding Company (FHC) structure.
* The Federal Reserve Bank system is the supervisory entity over GLBA.
* GLBA technically went into effect 7/01/2001; however, many organizations will have ongoing requirements for addressing the security and confidentiality of customer information.

 

GLBA requires all financial institutions, regardless of whether they form an FHC, to provide customers with a disclosure of their policies and practices for protecting the privacy of non-public personal information. The disclosure, provided to customers at the time the relationship is established and at least annually thereafter, allows customers to "opt out" of information-sharing arrangements with non-affiliated third parties.

 

The Act permits financial institutions to share personal customer information only among affiliates within a holding company. Effective immediately, it is a criminal offense for any person (including firm employees) to obtain, or attempt to obtain, customer information relating to another person from any financial institution by making a false or fraudulent statement to an employee of that financial institution. Regulators have six months after the date of enactment to adopt final rules implementing the privacy provisions.

 

GLBA mandates that all entities that meet the definition of a financial services firm must comply with the new regulations.

 


 

GLBA changes the way companies deal with customer information, specifically information regarding individuals' finances. GLBA provides a complex set of regulations for the acquisition, transport, storage, and sharing of personal financial information. Since much of this information is computerized, data security becomes a major component of GLBA compliance.

 

In order to comply with GLBA regulations, firms must assess their current situation regarding the security and accessibility of customer data. This type of assessment provides a baseline for developing a plan to reach GLBA compliance.

 

Who is affected by GLBA

GLBA affects an extremely wide range of organizations. Ostensibly GLBA affects financial institutions, but under the law this includes banks, bank holding companies, the new FHC structure, credit card firms, mortgage services, insurance companies, securities firms, and brokerage services, as well as many other related financial service organizations. In short, it reaches any business that maintains personal financial information on, or for, its customers.

 

What is affected by GLBA

GLBA affects a wide range of personal data managed by many organizations. The guidelines include:

* All individually identifiable information relating to customers or any person receiving services
* Past, present, or future financial information, services or payment for services
* Demographic data collected by financial institutions

 

What is the impact of GLBA on your organization

GLBA will impact your organization in many ways. It mandates new rules and procedures that will cost money and take time to implement.

 

Overall Impact

GLBA will have an incredible impact on all organizations dealing with financial information. It will require a complete evaluation and re-design of the way in which financial data is handled. In most instances revised security policies must be put into place to meet specific requirements, including new privacy regulations.

Effective compliance requires organization-wide implementation, including:

* Creating awareness of GLBA
* Assessing information security systems, policies and procedures
* Developing an action plan with deadlines and timetables


 

GLBA Penalties

GLBA calls for severe civil and criminal penalties for noncompliance, including fines and even imprisonment:

* Violation of GLBA:
    The financial institution shall be subject to a civil penalty of not more than $100,000 for each violation; and
    the officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
    Also, fines in accordance with Title 18 of the United States Code, or imprisonment for not more than five years, or both.
* Where a violation occurs while violating another Federal law, or as a part of a pattern of any illegal activity involving more than $100,000 within a twelve-month period, the violator will be subject to a fine of up to twice the amount provided in Title 18 and imprisoned for more than ten years, or both.
* Financial institutions that violate GLBA will be subject to a number of sanctions, including the penalties specified in section 8 of the Federal Deposit Insurance Act. These include:
    * Termination of FDIC insurance
    * Implementation of Cease and Desist Orders barring policies or practices deemed in violation of the Act's privacy provisions
    * Removal of the financial institution's management, including directors, officers, etc., and potentially barring them permanently from working in the banking industry
    * Fines of up to $1,000,000 for an individual, or the lesser of $1,000,000 or 1% of the total assets of the financial institution

 

GLBA Concerns

Costs

Some estimates of the cost of GLBA show that 33 cents of every dollar spent between now and 2003 will go toward the Act's compliance. Whether this is 100% accurate or not, GLBA compliance will be costly.

Advantages

GLBA compliance will bring with it many advantages, including:

Cost Savings

* Reduced costs for financial services and insurance
* Streamlined processing of finance information

Improved Service

* Better financial services through reduced errors
* Faster access for customers
* Improved privacy of personal financial information


GLBA Compliance

GLBA has a number of critical areas that need to be addressed in order to achieve compliance, and compliance is mandatory. In order to meet the complex requirements of GLBA, analysis must begin now.

 

Gramm-Leach-Bliley Act Financial Data Security Provisions

Title V of the GLBA addresses data security of a financial institution through Section 501. With the advent of the Final Rule, Section 501 has become 501(b).

Section 501(b)

Section 501 requires the establishment of appropriate standards for administrative, technical and physical safeguards (i) to ensure the security and confidentiality of customer records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of such records, and (iii) to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any consumer.

Gramm-Leach-Bliley Act Financial Privacy Provisions

Title V of the GLBA addresses financial institution privacy from two different perspectives. Subtitle A requires financial institutions to make certain disclosures regarding their privacy policies and to give certain individuals the opportunity to prevent the institution from releasing information about them to certain third parties. Subtitle B criminalizes the practice used by certain data collection services and other parties of obtaining personal financial information from financial institutions by misrepresenting their right to such information, a practice known as "pretexting."

Subtitle A establishes a framework for non-public personal information to be protected by financial institutions. There are two principal operative provisions of Subtitle A.

Section 502

Section 502 generally requires that a financial institution may not, directly or indirectly, or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless (i) the institution has provided the consumer with a notice complying with the privacy policy requirements under section 503 and the institution discloses to a consumer that such information may be disclosed to a third party, (ii) the consumer is given the opportunity before the information is disclosed to direct that such information not be disclosed to such third party, and (iii) the consumer is given an explanation of how the consumer can exercise the nondisclosure option.

 

Section 503

Section 503 generally requires that at the time a customer relationship is established, and at least annually thereafter during the continuation of such relationship, a financial institution must provide a notice to consumers that describes the financial institution's policies and practices with respect to (i) disclosing nonpublic information to affiliates and nonaffiliated parties, including the categories of information that may be disclosed; (ii) disclosing nonpublic personal information of persons who are no longer customers of the financial institution; and (iii) protecting the nonpublic personal information of consumers.

 

Gramm-Leach-Bliley Act Implementation and Compliance

On June 1, 2000, the Federal Reserve Board, the FDIC and other agencies published the final version of their privacy rules. The FTC published its final rule on May 24, 2000. There is still much discussion regarding who must comply with the GLBA provisions, and who will police compliance.

What types of entities or institutions are subject to the Privacy Rule? We must recognize that the application of the GLBA's privacy provisions extends well beyond depository institutions. Under the GLBA, a financial institution is an institution whose business is engaging in financial activities permitted to Financial Holding Companies under the Bank Holding Company Act (BHCA). Under the BHCA, GLBA Financial Holding Companies will be allowed to engage in a wide range of activities that are considered to be financial activities. These include, but are not limited to, banking, insurance brokerage, data processing and types of Internet services. The GLBA privacy provisions will apply to any entity that meets the definition of a financial institution, regardless of whether it is part of a financial holding company or not. The Federal Reserve Board's list of financial activities is set forth in 12 CFR 225.86.

The FTC has not clarified whether certain Internet services will be considered covered by GLBA. The FTC noted that institutions operating online, like those operating offline, will have to evaluate whether they are engaged in a financial activity and, if so, whether they have customers that might activate the privacy requirements of the GLBA. The FTC also indicated that a data aggregator would be deemed to be a financial institution.

 

Critical GLBA Issues

Although the GLBA law is complex, and has many specific regulations, the following issues are critical for addressing the Act and achieving compliance:

* Identify whether or not your business is covered by GLBA.
* If it is, where does your current security and privacy of customer data stand?
* To ensure compliance, the first step that must be taken is to assess current security and operations.
* To adequately address this assessment, additional data security technology solutions may be required, including multi-level authentication, Public Key Infrastructure, Virtual Private Networks, updated Security Policies, and Business Continuity/Disaster Recovery Plans.
* In completing the GLBA assessment, remember that the regulations require documentation on how privacy and confidentiality of customer data is managed.
* GLBA compliance will require planning, both from a cost-budgeting and a time-budgeting perspective. Additional staff may be required, as well.



GLBA Compliance Review

In order to ascertain where an organization stands in compliance with the GLBA standards, a Compliance Review is recommended. This assessment will determine the magnitude of the regulatory impact on your organization, show where the organization stands in comparison to the standards, and establish the scope of the required compliance effort.

Conducting the Initial GLBA Compliance Review

In practical terms, this means that the GLBA Compliance Assessment (which should include both a Gap Analysis and a risk assessment) will be different for each organization. The size and complexity of the organization will provide a blueprint for estimating the complexity of the Initial GLBA Compliance Assessment. If your organization operates in numerous states and has a large operating budget, then the risk assessment process would be extensive. On the other hand, if it is small, and there is only a single location, a substantially reduced plan, one that is quick, efficient, and practical, would be the recommended choice.