Gramm-Leach-Bliley Act

The formal title of this law is the Financial Services Modernization Act. The act is more commonly known as the Gramm-Leach-Bliley Act or as the acronym GLBA. The act was directed primarily at allowing expanded functions and relationships among financial institutions. The law covers how and under what circumstances bank holding companies can undertake new affiliations and engage in previously restricted activities.

GLBA Requirements

From the perspective of an impact on internal controls, Title V of GLBA provided a series of specific regulations governing how individual information about customers of financial institutions may be shared. GLBA requires that financial firms disclose to customers the institution's privacy policies and practices. The law gives customers some limited control, via an "opt-out" option, over how the information a financial institution retains may be shared. Annually, the financial institution is required to re-inform clients of the institution's privacy policies.

Enforcement of the act's provisions is assigned to the Federal Trade Commission, the federal banking agencies, the National Credit Union Administration, and the SEC.

Customer Privacy Provisions

GLBA requires financial institutions to review and, in many cases, overhaul how they deal with maintaining the privacy of customer information. Further, the act requires an ongoing review of who has access to what information, under what circumstances the information could be shared, and with whom. The most pervasive impact of the act is an ongoing requirement to control access to and use of client information on an individual-by-individual basis. The legislated "opt-out" requirement made operational and marketing activities much more complicated.

Internal Control Requirements

Section 501B of GLBA essentially mandates three high-level control objectives:

  • Ensuring the confidentiality of customer financial information

  • Protecting against anticipated threats to customer records

  • Protecting against unauthorized access to customer information that could result in substantial impact to the customer

Section 501B also gives governing agencies the authority to establish appropriate standards within their jurisdiction. The governing agencies include

  • Federal Trade Commission (FTC)

  • Federal Deposit Insurance Corporation (FDIC)

  • Office of the Comptroller of the Currency (OCC)

  • Office of Thrift Supervision (OTS)

  • Securities and Exchange Commission (SEC)

  • Federal Reserve Board (FRB)

  • National Credit Union Administration (NCUA)

  • Commodity Futures Trading Commission (CFTC)

There are two prevalent standards that outline internal control requirements: the FTC "Safeguards Rule" and the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information," which was released by the OCC, OTS, FDIC, and FRB. Generally, the interagency guidelines document, which affects banks, requires the following:

  • A written information security program/strategy

  • Risk assessment and management

  • Access controls for customer information systems

  • Physical access control for areas containing customer information

  • Encryption of customer information either stored or transmitted electronically

  • Change-control procedures

  • Dual control procedures, segregation of duties, employee background checks

  • Security monitoring systems to detect unauthorized access to customer information

  • Incident-response program to effectively address security incidents

  • Protection from physical destruction of customer information

It is important to note, however, that different agencies govern different types of entities, and their respective rules and guidelines differ to some extent.

Federal Financial Institutions Examination Council

The Federal Financial Institutions Examination Council (FFIEC) is made up of the FRB, FDIC, OCC, OTS, and NCUA. The FFIEC provides IT examination handbooks that auditors can use to identify required controls in specific areas such as business continuity, e-banking, and information security. These FFIEC handbooks can be found at

IT Auditing: Using Controls to Protect Information Assets
Year: 2004