GLBA Safeguards Rule
Gramm-Leach-Bliley Act and the FTC Safeguards Rule
The Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of customer information. The FTC Safeguards Rule implements GLBA for non-bank financial institutions and, as amended in 2023, prescribes specific controls including access controls, encryption, and multi-factor authentication.
Who it applies to
Non-bank financial institutions under FTC jurisdiction, such as mortgage lenders and brokers, finance companies, auto dealers offering financing, payday lenders, tax preparers, collection agencies, and certain investment advisers.
Identity requirements
- Implement multi-factor authentication for any individual accessing information systems holding customer information, unless an equivalent control is approved in writing by the Qualified Individual
- Place access controls that authenticate users and limit access to customer information to those with a legitimate need
- Periodically review and limit access privileges to customer information
- Encrypt customer information at rest and in transit
- Designate a Qualified Individual to oversee the information security program
- Log and monitor authorized user activity to detect unauthorized access to customer information
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Authentication & MFA | The Rule expressly mandates multi-factor authentication for anyone accessing systems with customer information. |
| Identity governance (IGA) | Access privileges to customer information must be granted on a need-to-know basis and periodically reviewed. |
| Privileged access (PAM) | Access controls must restrict and monitor users, including those with elevated rights to sensitive financial data. |
| Audit, logging & accountability | The program must include logging and monitoring of authorized user activity to detect unauthorized access. |
| Breach notification | A 2024 amendment requires notifying the FTC within 30 days of a notification event affecting 500 or more consumers. |
Penalties
GLBA violations can lead to FTC enforcement actions, injunctions, and civil penalties, with both the institution and its responsible officers potentially facing significant per-violation fines.
GLBA Safeguards Rule: frequently asked questions
- When did the MFA requirement take effect?
  The amended Safeguards Rule provisions, including multi-factor authentication and access controls, became fully effective on 9 June 2023.
- Who must comply with the FTC Safeguards Rule?
  Non-bank financial institutions under FTC jurisdiction, including mortgage lenders, auto dealers offering financing, tax preparers, payday lenders, and certain advisers.
- Does the Safeguards Rule require breach reporting?
  Yes. A 2024 amendment requires reporting a notification event involving the information of 500 or more consumers to the FTC within 30 days of discovery.