Gramm-Leach-Bliley Act (GLBA)

GLBA compliance refers to an institution’s adherence to the rules and standards set by the law—specifically, ensuring consumer financial information is collected, stored, and shared in a secure and transparent way. It requires implementing safeguards to protect non-public personal information (NPI) and mandates privacy disclosures that explain what data is shared and why.

The Safeguards Rule is a core provision of GLBA that requires financial institutions to develop and maintain a written information security program. This program must include administrative, technical, and physical safeguards to ensure the confidentiality and integrity of customer information. Recent updates by the FTC have emphasized the need for multi-factor authentication, encryption, and regular risk assessments as part of compliance.

A GLBA audit is a structured review of an institution’s compliance with the act. It typically examines data protection practices, incident response policies, third-party risk management, employee training, and security protocols. These audits are often conducted internally, by independent auditors, or by regulatory examiners. A failed audit can lead to penalties, reputational damage, or regulatory sanctions.