What GLBA and the Safeguards Rule are
The Gramm-Leach-Bliley Act (GLBA) is the federal law that governs how financial institutions handle customer information. The piece most small firms have to deal with day to day is the Safeguards Rule — the Federal Trade Commission's regulation at 16 CFR Part 314. It implements sections 501 and 505(b)(2) of GLBA, and its job is simple to state: protect the security, confidentiality, and integrity of customer financial information.
The rule requires a covered firm to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards appropriate to its size, the nature of its activities, and the sensitivity of the information it holds. For years that was a fairly general obligation. That changed in December 2021, when the FTC amended the rule to add a list of specific, technical requirements — MFA, encryption, a named security lead, penetration testing, and more. Parts of the amended rule took effect in January 2022, but the major new requirements became effective June 9, 2023. That date is the one most firms now build their program around.
Who has to comply
The reach of GLBA surprises people. The FTC defines a “financial institution” broadly: any business significantly engaged in an activity that is financial in nature, or incidental to a financial activity. It is not limited to banks and credit unions.
The FTC's own examples include mortgage lenders and mortgage brokers, payday lenders, finance companies, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally-insured credit unions, and investment advisors that are not required to register with the SEC. Auto dealers are covered when they arrange financing or leasing. If you collect nonpublic personal information from customers in connection with a financial product or service, you are likely in scope — even if you have never thought of yourself as a “financial institution.”
There is one narrowing point. A firm that maintains customer information on fewer than 5,000 consumers gets a partial exemption. It is exempt from four specific obligations: the written risk assessment, the continuous-monitoring-or-penetration-testing requirement, the written incident response plan, and the annual written report to the governing body. Everything else in the rule still applies, including MFA, encryption, access controls, and service-provider oversight. The exemption is narrower than it sounds.
What the Safeguards Rule requires
Section 314.4 sets out the elements your written information security program must include. In practical terms, they are:
- Designate a Qualified Individual. One named person responsible for overseeing, implementing, and enforcing the program. They can be an employee, an affiliate, or a service provider. No specific degree or title is required — the test is real-world know-how.
- Conduct a written risk assessment. Identify reasonably foreseeable internal and external risks to customer information, and document them in writing.
- Build an inventory of data and systems. Know what customer information you have, where it lives, and which systems and people touch it. You cannot protect what you have not catalogued.
- Enforce access controls. Limit access to customer information to those who need it, on a least-privilege basis, and review that access periodically.
- Encrypt customer information at rest and in transit. The rule requires encryption of all customer information held or transmitted, both in transit over external networks and at rest.
- Adopt secure development practices. Apply secure development standards to apps you build or use to handle customer information, and assess externally developed apps.
- Require multi-factor authentication. MFA for any individual accessing any information system, unless the Qualified Individual approves equivalent or stronger controls in writing.
- Dispose of customer information securely. Securely dispose of customer information no later than two years after the last use, unless there is a legitimate reason to keep it.
- Implement change management. A documented process for evaluating and approving changes to systems that handle customer information.
- Log and monitor authorized user activity. Monitor and log the activity of authorized users and detect unauthorized access, use, or tampering.
- Test the program. Either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months.
- Maintain a written incident response plan. A plan to respond to and recover from any security event that materially affects customer information.
- Train staff. Security awareness training for personnel, kept current.
- Oversee service providers. Select providers capable of safeguarding customer information, require it by contract, and periodically assess them.
- Report to the board annually. The Qualified Individual reports in writing, at least annually, to the board of directors or an equivalent governing body.
A GLBA compliance checklist
Here is a scannable GLBA compliance checklist you can use to self-assess. Each line maps to a requirement in 16 CFR 314.4 or the related notification amendment.
- A Qualified Individual is named in writing and is accountable for the program.
- A written risk assessment exists, is dated, and is reviewed when things change.
- An inventory of customer data and the systems that hold it is current.
- Access to customer information follows least privilege and is reviewed.
- Customer information is encrypted at rest and in transit.
- MFA is enforced on every account that can reach an information system.
- Secure development standards apply to apps that touch customer information.
- A change-management process is documented and followed.
- Authorized user activity is logged and monitored, with logs retained.
- Customer information is disposed of securely on a defined schedule.
- Continuous monitoring is in place, or penetration testing runs annually with vulnerability assessments at least every six months.
- A written incident response plan exists and has been exercised.
- Staff complete security awareness training, with completion records.
- Service providers are vetted, bound by contract, and reassessed.
- The Qualified Individual reports to the board at least annually, in writing.
- A process is ready to notify the FTC of a qualifying notification event.
That last item deserves its own note. The FTC added a breach-notification amendment, effective May 13, 2024. If a notification event — the unauthorized acquisition of unencrypted customer information — involves 500 or more consumers, the firm must notify the FTC electronically as soon as possible, and no later than 30 days after discovery. Encryption matters here too: properly encrypted information whose encryption key was not also exposed is generally outside the trigger.
What an MSP owns, and what stays with you
An MSP serving a GLBA-scoped firm owns the technical work: the MFA deployment, the encryption configuration at rest and in transit, the access controls, the logging and monitoring infrastructure, the patching and change-management cadence, the EDR, the SOC, the backups, and the security awareness training platform. The MSP can also help run the penetration testing and vulnerability assessments and produce the evidence files an examiner will ask for.
The firm owns the parts the rule places on the institution. Designating the Qualified Individual is a leadership decision — it is usually the owner, CFO, or COO, and the role can be supported by the MSP but not fully outsourced away from accountability. The firm owns the written policies, the business decisions in the risk assessment, the annual report to the board, and the relationship with its regulator. The MSP supplies the controls and the proof; the firm owns the program.
How a Micro-IT engagement maps to the Safeguards Rule
A financial firm on the Micro-IT managed stack gets the technical controls of the Safeguards Rule deployed and documented. Managed Endpoint ($79/device) brings EDR, patching, change management, and 24/7 SOC monitoring and logging of endpoint activity. Managed Inbox ($20/mailbox) adds enforced MFA and anti-phishing on the accounts where customer information moves. Managed Site ($149+/site) covers the segmented, monitored network and encryption in transit. On top of that: encryption at rest, immutable backups that are restore-tested, security awareness training, vendor coordination, and an incident-response runbook that includes the FTC notification flow.
That maps to most of 314.4 directly — MFA, encryption, access controls, logging and monitoring, secure disposal, change management, testing, training, and service-provider oversight. The Qualified Individual designation and the annual board report stay with your leadership. We do not sell a fixed “compliance package” price, because the right scope depends on your size and systems. Start with the free risk assessment, see plans to build an estimate, or call 270.816.5726.
