GLBA

The Gramm-Leach-Bliley Act is the U.S. federal law governing the privacy and security of nonpublic personal information held by financial institutions. The FTC's implementing Safeguards Rule was substantially updated between 2021 and 2023.

GLBA structure

The Gramm-Leach-Bliley Act (1999) has three privacy-relevant components for financial institutions and their vendors: the Financial Privacy Rule (notice and opt-out rights before nonpublic personal information, NPI, is shared), the Safeguards Rule (administrative, technical, and physical safeguards for customer information), and the Pretexting Provisions (prohibiting the acquisition of customer information under false pretenses). Which regulator enforces GLBA depends on the entity: the federal banking regulators for banks, the SEC for broker-dealers and investment advisers, and the FTC for financial institutions not subject to another regulator.

The updated Safeguards Rule

The FTC's Safeguards Rule was substantially revised in October 2021 (effective December 2022, with extensions into 2023). The revised rule requires a designated qualified individual (QI) to oversee the program, a written information security program, risk assessments, multi-factor authentication (MFA), encryption of customer information at rest and in transit, secure software development practices, vendor oversight, an incident response plan, reporting to the board, and an annual review of program effectiveness. The 2023 amendment added a requirement to notify the FTC within 30 days of a breach affecting 500 or more consumers.

AI vendor diligence

Financial institutions that offer AI-driven services to consumers, or that process NPI, fall directly under GLBA. AI vendors that process NPI on behalf of financial institutions are service providers under the Safeguards Rule, so the institution must flow the safeguards down contractually and monitor the vendor periodically. Procurement teams at banks, broker-dealers, and other financial institutions will ask about MFA, encryption, breach notification SLAs (often tighter than 30 days), and whether the vendor runs a program equivalent to the Safeguards Rule itself.