The formal title of this law is the Financial Services Modernization Act. The act is more commonly known as the Gramm-Leach-Bliley Act or as the acronym GLBA. The act was directed primarily at allowing expanded functions and relationships among financial institutions. The law covers how and under what circumstances bank holding companies can undertake new affiliations and engage in previously restricted activities.
From the perspective of its impact on internal controls, Title V of GLBA provides a series of specific regulations governing how and under what circumstances the personal information of financial institution customers may be shared. GLBA requires that financial firms disclose to customers the institution's privacy policies and practices. The law gives customers some limited control over how the information a financial institution retains may be shared, via an "opt-out" option. On an annual basis, the financial institution is required to re-notify its customers of its privacy policies.
Enforcement of the act's provisions is assigned to the Federal Trade Commission, the federal banking agencies, the National Credit Union Administration, and the SEC.
GLBA requires financial institutions to review and, in many cases, overhaul how they deal with maintaining the privacy of customer information. Further, the act requires an ongoing review of who has access to what information, under what circumstances the information could be shared, and with whom. The most pervasive impact of the act is an ongoing requirement to control access to and use of client information on an individual-by-individual basis. The legislated "opt-out" requirement made operational and marketing activities much more complicated.
Section 501(b) of GLBA essentially mandates three high-level control objectives:
Ensuring the security and confidentiality of customer records and information
Protecting against anticipated threats or hazards to the security or integrity of those records
Protecting against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to the customer
Section 501(b) also gives the governing agencies the authority to establish appropriate standards for the institutions within their jurisdiction. The governing agencies include
Federal Trade Commission (FTC)
Federal Deposit Insurance Corporation (FDIC)
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)
Securities and Exchange Commission (SEC)
Federal Reserve Board (FRB)
National Credit Union Administration (NCUA)
Commodity Futures Trading Commission (CFTC)
There are two prevalent standards that outline internal control requirements: the "FTC Safeguards Rule" and the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information," which was released jointly by the OCC, OTS, FDIC, and FRB. Generally, the interagency guidelines document, which applies to banks, requires the following:
A written information security program/strategy
Risk assessment and management
Access controls for customer information systems
Physical access control for areas containing customer information
Encryption of electronic customer information, whether stored or in transit
Dual control procedures, segregation of duties, employee background checks
Security monitoring systems to detect unauthorized access to customer information
Incident-response program to effectively address security incidents
Protection from physical destruction of customer information
It is important to note, however, that different agencies govern different types of entities, and the other agencies' rules and guidelines differ from the interagency guidelines to some extent.
The Federal Financial Institutions Examination Council (FFIEC) is made up of the FRB, FDIC, OCC, OTS, and NCUA. The FFIEC publishes IT examination handbooks that auditors can use to identify the required controls in specific areas such as business continuity, e-banking, and information security. These FFIEC handbooks can be found at http://www.ffiec.gov.