The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to develop, implement, and maintain safeguards that protect customer information. Traditional financial institutions such as banks and credit unions are well acquainted with the GLBA, but the act defines a "financial institution" by the activities a business performs, not by whether it calls itself a bank. As a result, many businesses whose services carry a financial component, including many that did not exist when the act was passed, are classified as non-traditional financial institutions and are subject to the same obligations.
Who is considered a “financial institution” under the GLBA?
The Safeguards Rule, issued by the Federal Trade Commission (FTC) under the GLBA, applies to financial institutions that fall under the FTC's jurisdiction and are not subject to another regulator under section 505 of the GLBA. A business is a financial institution if it engages in activities that are financial in nature, or incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act. This includes:
- Retailers issuing their own credit cards directly to consumers.
- Automobile dealerships that lease automobiles on terms longer than 90 days.
- Personal property or real estate appraisers.
- Career counselors who specialize in serving people employed by, or recently displaced from, financial organizations.
- Businesses that print and sell checks.
- Money wiring businesses.
- Check cashing businesses.
- Tax preparation services.
- Travel agencies operated in connection with financial services.
- Real estate settlement service providers.
- Mortgage brokers.
- Investment advisory companies.
- Credit counseling services.
- "Finders," that is, companies that bring together buyers and sellers of a product or service.
What are the obligations under the GLBA?
If a business is a financial institution under the Safeguards Rule, it must:
- Designate a qualified individual to oversee, implement, and enforce its information security program.
- Conduct and document a written risk assessment that identifies threats to the security, confidentiality, and integrity of customer information.
- Develop, implement, and maintain a comprehensive written information security program.
- Design and implement safeguards to control the identified risks, including access controls, an inventory of the data and systems that hold customer information, encryption of customer information in transit over external networks and at rest, multi-factor authentication for anyone accessing customer information, secure disposal of customer information no longer needed, change management procedures, and monitoring and logging of authorized users' activity.
- Regularly test or otherwise monitor the effectiveness of those safeguards.
- Implement policies and procedures, including security awareness training, so that personnel can carry out the security program.
- Oversee service providers by selecting ones capable of maintaining appropriate safeguards, requiring those safeguards by contract, and periodically assessing them.
- Evaluate and adjust the security program in light of test results, changes to operations, and other relevant circumstances.
- Establish a written incident response plan.
- Report, in writing and at least annually, to the board of directors or an equivalent governing body.
Businesses should determine whether they fall within the GLBA's definition of a financial institution and, if so, ensure compliance to avoid legal repercussions. June 9, 2023 was the FTC's extended compliance deadline for the more detailed provisions of the 2021 amendments to the Safeguards Rule, including the qualified individual, written risk assessment, specific safeguards, training, service provider oversight, incident response plan, and board reporting requirements. A later amendment, effective May 13, 2024, added a requirement to notify the FTC within 30 days of discovering a security breach involving the information of at least 500 consumers.