GLBA Explained — The Financial Services Privacy Law IT Teams Need to Know

If your business provides financial products or services to consumers — loans, insurance, investment advice, tax prep, even mortgage brokering — GLBA is the federal privacy law that governs how you handle their personal financial information.

You're in the NerdSquad IT Dictionary — where compliance frameworks get explained like a human wrote them, not a lawyer.

GLBA was signed into law in 1999, and for years it flew under the radar compared to flashier regulations like HIPAA or PCI-DSS. That changed in 2023, when the FTC significantly updated the Safeguards Rule — the part of GLBA that financial institutions care most about from an IT standpoint — adding specific technical requirements that look a lot like modern cybersecurity standards. If you haven't revisited your GLBA posture since before 2023, there's a good chance you're out of date.

What does GLBA stand for?

Gramm-Leach-Bliley Act.

Named after the three legislators who sponsored it: Senator Phil Gramm, Representative Jim Leach, and Representative Thomas Bliley. The law had two major purposes: it repealed Depression-era restrictions that prevented banks from also being insurance companies or investment firms, and it created new privacy and security requirements for how financial institutions handle consumer data.

The IT and compliance world is almost exclusively focused on the second part.

The simple way to think about it

GLBA is the financial services equivalent of HIPAA. Where HIPAA protects health information, GLBA protects nonpublic personal information (NPI) — the financial details a consumer shares with a company in the course of seeking or using financial services.

Think: bank account numbers, Social Security numbers, income data, credit history, investment holdings, tax return information. The kind of data that, in the wrong hands, enables identity theft, account takeover, and fraud at scale.

Who has to comply?

GLBA applies to "financial institutions" — but the FTC's definition of that term is broader than most people expect. It's not just banks. Under GLBA, financial institutions include:

  • Banks, credit unions, and savings associations (regulated by federal banking agencies)
  • Insurance companies and agencies
  • Investment advisors and broker-dealers
  • Mortgage lenders and brokers
  • Tax preparation services
  • Auto dealerships that arrange financing
  • Payday lenders and check-cashing services
  • Accountants offering financial planning services
  • Real estate settlement services

If your business is on that list — or adjacent to it — GLBA almost certainly applies to you. Many small businesses in financial services operate for years without realizing they're covered.

The three rules that matter

GLBA is built around three core requirements:

The Privacy Rule requires financial institutions to tell customers what personal information they collect, how it's used, and with whom it's shared. Customers must be given the opportunity to opt out of certain types of sharing with third parties. This is the "privacy notice" you've seen at the bottom of every bank statement.

The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect customer NPI. This is the IT-heavy rule — the one with specific technical requirements. The 2023 FTC update added explicit requirements for encryption, multi-factor authentication, access controls, incident response planning, and annual reporting to the board of directors.

The Pretexting Rule prohibits social engineering attacks against financial institutions — specifically, the practice of impersonating a customer to extract their information. This is less of an IT requirement and more of an operational awareness issue, but it's relevant to employee training programs.

What the updated Safeguards Rule actually requires

The 2023 FTC Safeguards Rule update is where most of the IT action is. Financial institutions covered by the FTC (non-bank financial institutions) are now required to:

  • Designate a qualified individual to oversee the information security program
  • Conduct periodic risk assessments
  • Implement access controls limiting who can access customer NPI
  • Encrypt NPI in transit and at rest
  • Deploy multi-factor authentication for any system accessing NPI
  • Implement monitoring and logging of authorized users' activity
  • Develop a written incident response plan
  • Report to the board (or senior officer equivalent) annually on the security program
  • Oversee service provider arrangements — including requiring vendors who access NPI to implement appropriate safeguards

Organizations with fewer than 5,000 customers are exempt from some of the more administrative requirements (like the written incident response plan and board reporting), but the core technical controls apply regardless of size.

The "we're too small for GLBA" myth

This one shows up constantly in small financial services firms. The logic goes: GLBA is for big banks, not a three-person mortgage brokerage or an independent tax preparer.

It's wrong. GLBA's coverage is based on what you do, not how big you are. A sole-proprietor financial advisor with 50 clients is a covered financial institution under GLBA. The 2023 Safeguards Rule update did create some carve-outs for very small institutions, but those carve-outs are narrow and mostly apply to documentation requirements — not the underlying security obligations.

What happens when GLBA is violated?

Enforcement is split across multiple regulators depending on the type of institution:

  • The FTC handles non-bank financial institutions (advisors, mortgage brokers, tax preparers, etc.)
  • Federal banking agencies (OCC, FDIC, Federal Reserve, NCUA) handle banks, savings associations, and credit unions
  • State regulators may also have parallel enforcement authority

Penalties vary by regulator but can reach $100,000 per violation for institutions, with personal liability up to $10,000 per violation for officers and directors who knowingly participate in violations. Criminal penalties (up to 5 years imprisonment) apply in cases of intentional disclosure. And that's before state attorneys general pile on with their own data breach and privacy statutes.

The FTC has become meaningfully more aggressive on Safeguards Rule enforcement since the 2023 update. Several high-profile enforcement actions have targeted mortgage servicers, auto dealers, and financial technology firms.

How GLBA connects to managed IT services

The updated Safeguards Rule reads like a checklist of what a good MSP should already be doing for any client. For financial services clients specifically, that includes:

  • MFA enforcement across all systems that access NPI — a hard requirement, not a best practice
  • Encryption of NPI at rest and in transit, including email and file transfer
  • Access controls and least-privilege provisioning so only the right people can reach sensitive data
  • Audit logging of who accessed what and when — essential for both compliance and breach investigation
  • Patch management and vulnerability monitoring via RMM platforms
  • Endpoint protection including EDR on every device that touches NPI
  • Incident response planning — documented, tested, and updated regularly
  • Vendor oversight — ensuring any third-party tool or service that touches NPI has its own appropriate safeguards in place

The vendor oversight requirement is worth flagging specifically: under GLBA, financial institutions are responsible for the security practices of their service providers. That means your MSP, your cloud storage vendor, your email platform, and your CRM all need to meet the bar — not just your internal systems.

How GLBA fits into the bigger compliance picture

Financial services firms often operate under multiple overlapping frameworks:

  • SEC/FINRA rules layer cybersecurity and recordkeeping requirements on top of GLBA for registered investment advisors and broker-dealers
  • SOX (Sarbanes-Oxley) adds financial reporting controls for publicly traded companies and their auditors
  • NIST frameworks — particularly NIST 800-53 and the Cybersecurity Framework — map closely to GLBA Safeguards Rule requirements and are frequently used as implementation guidance
  • State privacy laws like Florida FIPA, CCPA, and the New York SHIELD Act may impose additional requirements on top of the federal baseline
  • PCI-DSS applies separately if the institution also processes card payments

As with other compliance frameworks, the security controls that satisfy GLBA — MFA, encryption, access controls, logging, endpoint protection — are largely the same controls that satisfy the others. A well-designed IT security program doesn't need to be rebuilt for each framework; it needs to be documented and mapped.

In plain English, one more time

  • GLBA = federal privacy and security law for financial services companies
  • NPI = nonpublic personal information — the financial data GLBA protects
  • Privacy Rule = tells customers what data you collect and how it's shared
  • Safeguards Rule = requires a written information security program with specific technical controls (updated 2023)
  • Pretexting Rule = prohibits impersonating customers to extract their data
  • Covered institutions = banks, credit unions, advisors, brokers, mortgage companies, tax preparers, and more
  • Enforcement = FTC for non-banks; federal banking agencies for banks; state regulators may also apply
  • "Too small" = not a valid exemption; coverage is based on what you do, not your headcount

Got questions?

Financial services firms often have the most complex compliance stacks of any industry we work with. If you're trying to figure out what GLBA actually requires of your specific environment, we're a good starting point.