Gramm-Leach-Bliley Act: Difference between revisions
Revision as of 19:55, 11 November 2009
Before the passage of the U.S. Gramm-Leach-Bliley Act of 1999 (GLBA), banks, insurers, securities brokers, and other financial institutions had to maintain separation, and certainly could not commingle assets. Banks were regulated by the Glass-Steagall Act of 1933, which GLBA effectively repealed.
It is inaccurate to say, however, that GLBA suddenly let financial institutions go wild; there had been mergers and other changes between 1933 and 1999.
Scope of GLBA
With GLBA, banks can have stockbrokers, insurers can offer savings accounts, and all the other fertile permutations that an aggressive financial manager can conceive become possible. Most GLBA compliance will involve making sure that the corporate security policy refers to the threats described by the law, and being able to document that the organization has exercised due diligence in complying with its requirements.
Financial privacy
While some consider GLBA a hunting license for financial sharks, it also has strong provisions about maintaining the privacy and security of financial data. An organization under its coverage must have compliant policies for financial privacy, safeguards, and pretexting protection ("social engineering"), and must be able to document that these policies are actively enforced.
Not only must staff be trained, but you must make an annual disclosure to your customers describing what information is collected about them, how it is shared and used, and how you protect it. This is the Financial Privacy Rule. There are, however, interacting laws, such as the Bank Secrecy Act and the Right to Financial Privacy Act, which require that certain information collected and provided to law enforcement not be disclosed to customers.
Written notices are good, but enforcement is better, and GLBA requires that financial institutions have a written information security plan, which covers the personal financial data not only of current customers but also of former customers. At least one employee must have formal responsibility for managing the safeguards on these data. Managing the safeguards involves a formal risk assessment, an active monitoring and testing program, and procedures for updating the protection to reflect changes in risk and in the ways you use the data.
The "Fraudulent Access to Financial Information" section makes it illegal to use "social engineering" or "pretexting" to gain access to financial information. This law requires the financial institution to take positive steps to prevent such collection, which would include both staff training and active pursuit of miscreants who set up "phishing" sites.
Be sure the security policy has a clear section cautioning against being "socially engineered", and be able to document that precautions are taken. Many policies cover actions by employees, but not necessarily their interaction with the public, a public which contains miscreants out to do no good.