GLBA Compliance for Financial Services
Reviewed by Thomas Reinhardt, CISA, CRISC, Financial Services Compliance Specialist
GLBA is federal law requiring every financial institution — banks, insurance companies, credit unions, lenders — to protect customer information through the Safeguards Rule, Privacy Rule, and disposal requirements. The 2023 FTC Safeguards Rule update made requirements significantly stricter, mandating encryption, MFA, monitoring, and incident response. Enforcement is active across multiple federal regulators, and vendor compliance cascades through your entire supply chain.
You work in financial services — banking, insurance, lending, or securities. A customer just called asking about your data security practices. Your board just requested a compliance report. Your IT vendor sent over a questionnaire asking about your GLBA compliance posture. If you're not sure what GLBA requires, you're in a position that millions of people in financial services find themselves in: working in a regulated industry where the regulatory requirements were established decades ago and have been slowly updated without receiving the attention that newer frameworks like HIPAA or GDPR command.
The Gramm-Leach-Bliley Act (GLBA) is 1999-era financial services regulation, but it remains the foundational privacy and security requirement for banks, insurance companies, credit unions, and other financial institutions. It's more demanding than many financial services professionals realize, particularly after the 2023 updates that significantly tightened security requirements. Understanding what GLBA requires, how it's enforced, and how it layers with other regulations is essential if you're operating in the financial services sector.
GLBA applies to every financial institution and creates three distinct compliance obligations
GLBA is federal legislation regulating financial institutions' treatment of customer information. It applies to any institution engaged in financial activities — banks, securities firms, insurance companies, credit unions, consumer lenders, and related entities. If you're taking deposits, making loans, managing investments, or providing insurance, GLBA applies.
The law has three main components. The Privacy Rule governs how financial institutions use and disclose customer information. The Safeguards Rule addresses how institutions protect customer information from unauthorized access. The Disposal of Consumer Report Information Rule addresses secure destruction of sensitive information. Understanding the distinction between these components clarifies your compliance obligations.
GLBA applies uniformly across the US as federal law, but states can and do impose additional requirements on top of it. Some states have enacted additional privacy requirements or cybersecurity standards that apply alongside GLBA. States also regulate banking and insurance through their own regulators, who often impose requirements stricter than federal minimums. If you're a financial institution, you have a primary regulator — the OCC, the Federal Reserve, the FDIC, or your state banking regulator, depending on your charter — overseeing GLBA compliance, plus the Consumer Financial Protection Bureau. You may also have additional state-level regulators. GLBA compliance means satisfying all of these bodies simultaneously.
The 2023 Safeguards Rule update requires encryption, MFA, monitoring, and incident response
The Safeguards Rule is GLBA's security component, and it was significantly updated in 2023. The original rule, which governed compliance for over two decades, was relatively general — it required safeguards "appropriate" to the institution's size and complexity, creating interpretive flexibility that many institutions used to minimize security investment.
The 2023 FTC update is substantially stricter. Required controls now align with the NIST Cybersecurity Framework and include encryption of sensitive customer information both in transit and at rest, multifactor authentication for anyone accessing customer information or systems holding it, monitoring systems and networks for unauthorized access and suspicious activity, incident response and breach notification procedures, employee training on data security, and secure disposal of customer information.
The Ponemon Institute's 2023 Cost of a Data Breach Report found that financial services breaches cost an average of $5.90 million per incident — the second-highest of any industry. The updated Safeguards Rule directly addresses the controls that would have prevented or mitigated the majority of these incidents. Many financial institutions are still coming into compliance with the updated rule. The FTC provided transition time, but examiners are now looking for full compliance. Institutions that cannot demonstrate it face enforcement action.
The Safeguards Rule applies to the institution and its service providers. If you use a vendor to process customer data, that vendor must also implement safeguards. Your vendor's subcontractors must also meet GLBA standards. This creates a cascading obligation through your entire vendor ecosystem.
The Privacy Rule restricts customer data sharing and requires explicit consent mechanisms
The Privacy Rule governs how financial institutions handle and disclose customer information. It requires privacy notices describing your information practices and restricts sharing nonpublic personal information with third parties without consent.
The rule distinguishes between customers (people with an ongoing relationship with you) and consumers (people you've transacted with but who have no ongoing relationship with you). Different rules apply to each. For customers, financial institutions must obtain affirmative consent before sharing nonpublic personal information with nonaffiliated third parties. Exceptions exist for service providers bound by contract and for legitimate business purposes, but the default is that sharing requires consent.
If you're a bank sharing customer information with a marketing vendor, credit monitoring company, or business intelligence service, you need consent. Many banks collect this during onboarding, but institutions that haven't explicitly obtained consent need to address it.
The Privacy Rule also includes a disposal requirement: you must dispose of customer information in a manner preventing unauthorized access. This creates operational complexity — you need processes to identify what information qualifies, determine when retention is no longer necessary, and securely delete or destroy it. Many institutions warehouse customer information they no longer need because they haven't built disposal processes.
Multiple federal regulators enforce GLBA — and they're actively examining
GLBA is enforced by multiple federal bodies depending on institution type. The OCC enforces for national banks. The Federal Reserve enforces for bank holding companies and state-chartered Fed member banks. The FDIC enforces for state-chartered non-Fed-member banks. Credit unions fall under the National Credit Union Administration. Securities firms fall under the SEC. Insurance companies may be regulated by state insurance commissioners. The Consumer Financial Protection Bureau and FTC also have enforcement authority.
Enforcement is real and active. Regulators conduct examinations looking for compliance with the Safeguards Rule, Privacy Rule, and disposal requirements. Violations result in remediation orders. Serious cases bring civil money penalties, orders to cease practices, or business restrictions. According to HHS and federal regulatory enforcement data, financial services organizations faced over $200 million in combined privacy and security enforcement actions in 2023 across federal and state regulators.
Enforcement actions expose institutions to reputational damage. If a bank experiences a breach and examiners determine inadequate safeguards violated the updated Safeguards Rule, that finding becomes public. The institution pays regulatory penalties and faces customer trust and media scrutiny. Criminal penalties are also possible for willful violations — rarely used but available for egregious cases.
GLBA layers with PCI DSS, HIPAA, GDPR, and state laws — you follow the strictest standard
Financial institutions rarely operate under GLBA alone. A bank processing credit card payments is also subject to PCI DSS, which is stricter in many respects — specific encryption standards, access control architectures, and audit practices. You follow the stricter requirement.
A financial institution handling healthcare information (health insurance companies, healthcare lenders) is also subject to HIPAA, with different definitions, consent requirements, and security standards. A financial institution with EU customer data is subject to GDPR, with different data protection requirements. A bank with European customers must comply with GDPR alongside GLBA.
The 2024 Verizon DBIR found that the financial sector experienced a 34% increase in confirmed breaches year-over-year, with stolen credentials involved in 44% of financial services breaches. This threat landscape means the overlapping control requirements from multiple frameworks are not redundant — they address different attack vectors and regulatory obligations simultaneously.
Vendors and MSPs inherit GLBA obligations — and institutions are liable for vendor compliance
Financial services MSPs and IT vendors inherit GLBA obligations whether they realize it or not. If you're managing IT infrastructure for a financial institution or processing customer data on their behalf, you're bound by GLBA. The Safeguards Rule's service provider language makes this explicit.
Many MSPs and IT vendors working with banks, insurance companies, or other financial institutions need to meet GLBA compliance themselves. They cannot just contractually promise to protect customer data — they must implement the technical and administrative safeguards the regulation requires. Financial institutions are increasingly requiring vendors to demonstrate GLBA compliance directly through documentation, attestations, or SOC 2 Type 2 reports covering GLBA requirements.
Financial institutions remain liable for their vendors' GLBA compliance. This creates extensive vendor assessment requirements — security questionnaires, onsite audits, security certifications, and ongoing monitoring. A financial institution with dozens or hundreds of vendors has significant vendor management overhead just to maintain GLBA compliance across the ecosystem. The obligation is real: regulators hold institutions accountable if vendors fail to meet GLBA standards.
Start with the updated Safeguards Rule, then audit your privacy practices and vendor ecosystem
For financial institutions, GLBA compliance means first understanding which regulatory bodies supervise your institution and what their specific expectations are regarding the updated Safeguards Rule and Privacy Rule.
Start with an assessment against the updated Safeguards Rule requirements. Do you have encryption for sensitive customer information at rest and in transit? Multifactor authentication for anyone accessing customer information? Monitoring systems that detect unauthorized access? Incident response and breach notification procedures? These are the core updated requirements, and most institutions need to address at least one.
Then assess your Privacy Rule compliance. Do you have explicit customer consent for sharing nonpublic personal information? Privacy notices accurately describing your practices? Processes for honoring consumer privacy requests?
Then assess your vendor ecosystem. Which vendors handle customer information? Have you assessed their GLBA compliance? Do you have contractual protections binding them to GLBA-compliant practices? Are you monitoring for ongoing compliance?
GLBA compliance is achievable, but it is not optional. Regulators expect it, and they're examining for it. The updated Safeguards Rule makes it more demanding than the original version, but the requirements are manageable for institutions that take them seriously. For vendors and MSPs working with financial institutions, understanding GLBA and demonstrating compliance is increasingly necessary for working in this sector at all.
Frequently Asked Questions
What changed in the 2023 Safeguards Rule update?
The FTC moved from general "appropriate safeguards" language to specific technical requirements: encryption at rest and in transit, multifactor authentication for customer information access, network monitoring, incident response procedures, employee security training, and secure data disposal. These requirements align with the NIST Cybersecurity Framework and are substantially more prescriptive than the original rule.
Does GLBA apply to insurance companies?
Yes. GLBA applies to all financial institutions, defined as entities engaged in financial activities, and that includes insurance companies. Insurance companies may be primarily regulated by state insurance commissioners rather than federal banking regulators, but they're still subject to GLBA's Safeguards Rule and Privacy Rule requirements.
How does GLBA interact with state privacy laws like CCPA?
GLBA is federal law and sets a floor for financial institution compliance. States can and do impose additional requirements on top of GLBA. Financial institutions must comply with both GLBA and any applicable state privacy laws, following the stricter requirement where they overlap. Some state laws explicitly exempt GLBA-regulated data, but this varies.
Are vendors required to be GLBA compliant?
Vendors that handle customer information on behalf of financial institutions are bound by the Safeguards Rule's service provider requirements. Financial institutions must ensure vendor compliance through contractual obligations and oversight. Institutions that fail to monitor vendor compliance face regulatory consequences themselves.
What are the penalties for GLBA violations?
Penalties vary by regulator and severity. Civil money penalties can reach significant amounts. Regulators can issue cease-and-desist orders and business restrictions. Criminal penalties — including fines and imprisonment — are available for willful violations, though rarely pursued. Reputational damage from public enforcement actions often exceeds the direct financial penalties.
Do I need both GLBA compliance and SOC 2?
GLBA compliance is legally required for financial institutions. SOC 2 is not legally mandated but is increasingly expected by business partners, customers, and regulators as evidence that your security controls are independently verified. Many financial institutions pursue both — GLBA for regulatory compliance and SOC 2 for customer and partner assurance.
Fully Compliance provides educational content about IT compliance and financial services regulations. This article reflects general information about GLBA as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your institution.