"Financial Service Technology America, today's latest financial news now..."

GLBA Five Years Later – Information Privacy and the Challenge of Compliance

Integrated Compliance Solutions | www.icscompliance.com


In July 2006, the banking industry observed the fifth anniversary of the “compliance date” of the Gramm-Leach-Bliley Act (GLBA). One might think that, by this milestone, all financial institutions would have sorted out what they need to do to comply with the customer information privacy requirements of the GLBA. Yet, for many institutions, understanding and meeting these requirements is still viewed as a daunting challenge. This need not be so. There are three principal areas that institutions need to be concerned about when taking steps to ensure that they comply with the information privacy requirements of the GLBA. In addressing these areas, institutions will see that complying with the privacy requirements of the GLBA can be as easy as 1-2-3.

1. Privacy Risk Assessment

With proper planning and preparation, financial institutions can satisfy the GLBA requirement for a privacy risk assessment in an efficient fashion. The first step is to identify the areas of the institution that access and maintain customer information. Areas where no customer information is handled (such as Human Resources) can be documented and set aside. For areas where customer information is handled, a review of existing procedures and documentation should be performed to identify and assess the risk of unauthorized disclosure. This review should involve the following: (i) conducting interviews and meetings with the management and staff responsible for developing and performing security-related procedures and controls; (ii) reviewing and analyzing relevant documentation (including recent examination and audit reports); and, (iii) observing pertinent operations. Management must make a judgment (that is, an assessment) of the effectiveness of the controls in place. If the institution’s controls are found wanting, a “mitigation strategy” should be developed, documented and executed.

Many financial institutions have concluded that it makes sense to perform the privacy risk assessment as part of an overall information security risk assessment, which is required by regulators and evaluates the safeguards for all information—whether related to the customer or to the institution itself. In addition to the risk of unauthorized disclosure, the focus is expanded to include misuse, alteration and destruction. This integrated approach often requires less effort than two separate work products would, and results in a document that paints a holistic picture of the institution’s security posture. For example, a combined risk assessment might assess high risk in all four categories due to a weakness in the institution’s network access controls, whereas a lower rating might result from considering each threat in isolation. The consolidated risk assessment can serve as the foundation for an institution’s approach to risk mitigation, allowing management to schedule and fund corrective action in proportion to overall risk.

2. Vendor Due Diligence

The GLBA requires institutions to do the following: (i) identify all vendors with whom they share non-public information; (ii) ensure there are contractual provisions in place with these vendors that require them to provide appropriate protection of the non-public data; and, (iii) document the steps the institution has taken to become confident in the vendors’ efforts in this endeavor. Many institutions have been meticulous in achieving compliance. From the institution’s master list of all vendors, they have identified both organizations and individuals with access to the institution’s customers’ information. While most financial institutions quickly identify core processors and providers of Internet banking services, what about appraisers, attorneys and collection agencies? Institutions that include these “vendors” take on little additional burden to complete the compliance effort; at the same time, they can take great comfort in the knowledge that the completeness of their efforts is beyond question.

Major suppliers of banking services have incorporated standard contractual language acknowledging their obligation to protect non-public customer information, often with explicit mention of the GLBA. With regard to individuals and partnerships, such as lawyers and law firms, some institutions have chosen to rely on “Professional Standards” or a “Code of Conduct” rather than seek a contractual provision. If this approach is questioned, the institution can work with the vendor to agree on the necessary amendments.

Assessment of vendors’ information protection efforts is not as daunting as it may appear to those who have not performed such an assessment. To assist institutions with this task, major processing companies and others have retained “service auditors” to prepare “SAS 70 Type II” reports that document key controls and whether they are functioning as intended. These reports are provided to institutions, sometimes for a fee. When provided, financial institutions need to review these reports and document their conclusions about the sufficiency of the vendor’s efforts. If a SAS 70 is not available, several other options can be pursued. The vendor may have regular internal audit reports that can be reviewed, or the institution could request a visit by its own internal auditor. With reports of the disclosure of veterans’ records, credit histories and other privacy breaches regularly appearing in the news media, financial institutions have a vested interest in ensuring that their vendors are not among those in the news. Once the initial vendor due diligence is completed, annual updates must be performed.

3. Employee Training

With banking hours on Saturdays and Sundays (and into the evening), it has become an increasing challenge to provide adequate staffing while keeping a lid on salary expense. This problem is made more difficult by the requirements to provide annual training on topics such as BSA and customer information privacy. How does management maintain adequate staffing in the branches and provide required training without incurring large overtime expenses or asking employees to train on their own time? There are a variety of cost-effective solutions. Providing training to managers, who in turn deliver this training to their employees (whether in branches or central offices), creates an opportunity for dialog through which supervisors can determine first-hand whether their staff “gets it.” Alternatively, institutions may implement computer-based training, which can be taken on the job or at home and which provides the added benefit of generating a record that can be reviewed and assessed by management, auditors and examiners.

Virtually all financial institutions have the capability and talent to conduct each of the three noted functions with existing management and staff. Some, however, elect to retain a qualified professional compliance firm to obtain assistance with the initial iteration (and some continue to draw on outside assistance for the subsequent annual efforts). However, at the end of the day, management is responsible for the overall customer information privacy program of the institution, including taking appropriate corrective actions, when required, and preparing and delivering the annual privacy report to the Board of Directors.

Jay Bowman serves as Director of Technology Compliance for Integrated Compliance Solutions, a leading provider of regulatory compliance services to financial institutions throughout the U.S. Mr. Bowman was previously the Director of Information Technology Services for an internal audit firm, where he led their banking IT practice in the Mid-Atlantic region. Mr. Bowman also served over 25 years with the Federal Reserve Banks of Philadelphia and Atlanta, where he co-authored the Fed’s Information Security Manual and held senior official positions over information technology, customer service and wholesale payments. He is a Certified Information Systems Manager (CISM) and Certified Information Systems Auditor (CISA).
