GLBA Compliance Updates: Deadline Extended 

The GLBA compliance deadline has been extended to June 9, 2023. Learn about the reasons of this extension and figure out how the GLBA compliance works

Not so long ago, we wrote a post-reminder of the obligation of “financial institutions” to comply with provisions of GLBA’s new Safeguards Rule by December 9, 2022. However, the Federal Trade Commission (FTC) announced a six-month extension of the deadline on November 15, 2022. While this extension is likely to be welcome news for financial institutions, they should not delay their compliance efforts. For many, the new Safeguards Rule may require significant investment in security program development, personnel, and technology.

The postponement of the new Safeguards Rule signals substantial issues that businesses meet on the way to GLBA Compliance. When explaining their decision, FTC’s commissioners cited a report from the Small Business Administration Office of Advocacy. The report claims that a shortage of qualified information security personnel and supply chain issues affecting IT and security systems seriously hamper companies’ ability to comply with the new requirements. These difficulties were exacerbated by the COVID-19 pandemic, which made it difficult for financial institutions, especially small ones, to come into compliance by the deadline.

In this article, we are going to dig deeper into the GLBA Safeguards Rule and figure out why it is so difficult to comply with for some businesses. 

What are the key updates of the GLBA Safeguards Rule? 

As we already wrote, the FTC overhauled the Safeguards Rule in October 2021, requiring financial institutions to adopt enumerated technical and administrative safeguards. A few requirements of the new Safeguards Rule became effective 30 days after the rule was published. The major part of the new requirements, however, was set to go into effect on December 9, 2022 (now this date moved to June 9, 2022). By this date, the financial institutions must meet Safeguard Rule requirements, such as

  • Designate a qualified individual to oversee their information security program. 
  • Perform formal risk assessments based on specific criteria and with a description of how the identified risks will be accepted or mitigated;
  • Implement multifactor authentication for users accessing the organization’s information system;
  • Enforce access controls including least privilege access for all customer information; 
  • Encrypt customer information in transit and at rest;
  • Implement other measures required, including data inventory and classification practices, change management, penetration testing, vulnerability management, incident response plan, etc. 

A kind reminder of who the financial institutions in the GLBA context are. Financial institutions are entities that are directly engaged in financial activities. After June 9, 2023, it will also include companies that may not consider themselves to be financial institutions, such as non-bank and alternative lenders, retailers that extend credit to customers, and even colleges and universities that administer certain federal student aid programs. More on the updated definition of “financial institutions” under GLBA we wrote in one of our previous posts. 

How GLBA Compliance works

Besides the Safeguards Rule, GLBA contains two other major sections. Understanding the aim of these three sections helps organizations meet the requirements of the legislation. Each of these three parts is designed to inform about the types of data to protect, specific measures expected, and prevent unauthorized access.

Financial Privacy Rule 

The Financial Privacy Rule rule covers nonpublic personal information (NPI) such as name, date of birth, Social Security number, etc.) as well as transactional data (card, and/or bank account numbers). It also covers private information you may acquire during a transaction (a credit report, for instance). Thus, the GLBA Privacy Rule describes in detail what information must be protected. “Financial institutions” directly engaged in financial activities as well as those receiving “nonpublic personal information (NPI)” regarding consumers must adhere to the GLBA Privacy Rule. 

Safeguards Rule

The Safeguards Rule – the one which was updated a year ago, mandates how the GLBA-covered entities must protect this information. In other words, it requires financial institutions to have specific means to protect the NPI. According to the text of the rule, GLBA adherents must have “all necessary administrative, technical, and physical safeguards in place to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers’ information. The information security plan must be tailored specifically to the institution’s size, and operations complexity. It must also take into consideration the sensitivity of the customers’ information. Other important requirements of the GLBA Safeguards Rule are highlighted above. 

Pretexting Provisions

In addition to protecting nonpublic personal information (NPI), GLBA-covered organizations must detect and prevent as many instances of unauthorized access as possible. These include applying a zero-trust approach and other countermeasures to prevent sensitive data from unauthorized access and disclosure by phone, email, or even in person. Pretexting provisions aim to mitigate this data loss and protect more consumers.

Benefits of GLBA Compliance 

GLBA compliance puts financial institutions at a lower risk of penalties or reputational damage caused by data security incidents. And this is an extremely high motivation to comply because the non-compliance penalties include:

  • $100,000 fine per violation for financial institutions found in violation 
  • $10,000 fine per violation for individuals in charge.
  • Up to 5 years imprisonment for individuals found guilty of a violation.

GLBA compliance makes many data incidents, such as unauthorized sharing or loss of private customer data, less likely to happen. 

There are also several privacy and security benefits for customers, some of which include:

  • Personal data is secured against unauthorized access.
  • Customers are notified of private information sharing between financial institutions and third parties.
  • Customers have the right to opt-out of private information sharing.
  • Attempts to access protected records are tracked.

Compliance with the GLBA protects consumer and customer records and will help build and strengthen consumer reliability and trust. Customers gain assurance that their information will be kept secure by the institution. Safety and security cultivate customer loyalty, resulting in a boost in reputation, repeat business, and other benefits for financial institutions.

If some questions regarding the GLBA compliance and deadlines remain unanswered, please, contact our Planet 9 team, and we’ll be happy to assist!



Phone:  888-437-3646


Leave a Reply