The Gramm-Leach-Bliley Act is one of those regulations that fintech founders either overestimate or underestimate. Some assume it only applies to banks. Others assume it is only about privacy notices. Neither assumption is correct, and both can leave a fintech exposed.
If your fintech collects, stores, or processes nonpublic personal information about consumers - and most fintechs do - GLBA and its Safeguards Rule apply to you. The FTC enforces the Safeguards Rule against non-banking financial institutions and has been actively doing so with meaningful enforcement actions in recent years. This guide covers what GLBA requires, what the updated Safeguards Rule demands of your security program, and the breach notification obligation that took effect in 2024.
Who GLBA Actually Applies To
GLBA applies to financial institutions, which under the FTC's jurisdiction means any company that is significantly engaged in financial activities. This includes mortgage lenders, payday lenders, auto dealers that arrange financing, credit counselors, tax preparers, real estate appraisers, collection agencies, and companies that provide financial advisory or investment services. It also applies to fintechs that provide payment processing, lending, budgeting, personal finance management, or related financial services to consumers.
If your product collects a consumer's name alongside any financial account number, Social Security number, income information, credit history, or transaction data, you are likely handling nonpublic personal information subject to GLBA. The application is broader than many fintech founders realize.
There is a small entity exemption. Financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from certain specific technical requirements of the Safeguards Rule, including the penetration testing and vulnerability assessment requirements. However, these entities are not exempt from the core program requirements, the qualified individual designation, or the breach notification obligation.
Two Updates You Need to Know About
The FTC updated the Safeguards Rule in December 2021. Most of those enhanced provisions - covering the qualified individual requirement, risk assessment, MFA, encryption, access controls, incident response planning, and service provider oversight - became enforceable on June 9, 2023. This was the most significant overhaul of the Safeguards Rule since its original enactment in 2002, moving from a principles-based framework to specific, technical requirements.
A separate and additional amendment took effect on May 13, 2024. This amendment added a breach notification obligation requiring covered financial institutions to notify the FTC of qualifying notification events. This is a distinct obligation from the security program requirements and operates on its own timeline and threshold. Both updates are now in effect, and both require compliance.
The Safeguards Rule: What Your Security Program Must Include
The updated Safeguards Rule specifies the minimum elements of an information security program for covered financial institutions. The rule is significantly more prescriptive than the original 2002 version, requiring specific controls rather than general principles.
Designated Qualified Individual
The Safeguards Rule requires you to designate a qualified individual to oversee and implement your information security program. This person must report in writing to your board or governing body at least annually on the overall status of the program, material matters related to the program, risk assessment results, risk management and control decisions, service provider arrangements, test results, security events or violations, and recommendations for changes. The qualified individual can be an employee, an affiliate employee, or a service provider - which means a fractional vCISO arrangement satisfies this requirement.
Risk Assessment
You must conduct a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. The risk assessment must evaluate the sufficiency of existing safeguards and inform the design of your security program. This is not a checkbox exercise. The FTC expects the risk assessment to be a genuine, documented analysis that drives actual program decisions.
Safeguards Based on Your Risk Assessment
Based on your risk assessment, you must implement safeguards to control the identified risks. The Safeguards Rule specifies required safeguard categories including access controls limiting access to customer information to only those who need it, data inventory and classification, encryption of customer information at rest and in transit, secure development practices, authentication controls including MFA, penetration testing at minimum annually and vulnerability assessments at a minimum every six months, audit log systems, and continuous monitoring or periodic testing of key controls.
The updated Safeguards Rule requires MFA for any individual accessing any information system that contains customer information, unless the qualified individual has approved, in writing, a reasonably equivalent or more secure alternative. This is a specific requirement, not a recommendation.
Vendor Oversight
You must oversee your service providers by selecting providers that maintain appropriate safeguards, requiring them to maintain those safeguards by contract, and periodically assessing whether your providers are meeting their contractual security obligations. Pointing to a vendor's SOC 2 report satisfies part of this requirement. Having a contractual provision that requires security safeguards and that is periodically verified for compliance is the fuller standard.
Incident Response Plan
You must establish a written incident response plan that covers the plan's goals, internal processes for responding to a cybersecurity event, clear roles and responsibilities, external and internal communications, remediation activities, documentation and reporting, post-incident review processes, and the plan's evaluation and revision based on lessons learned. The plan must specifically address notification requirements, including notifying customers when their information has been or may have been accessed without authorization.
The FTC Breach Notification Obligation - Effective May 2024
Effective May 13, 2024, covered financial institutions must notify the FTC of any notification event involving the unencrypted customer information of 500 or more consumers. The notice must be submitted as soon as possible and no later than 30 days after discovery of the event, electronically through a form on the FTC website at ftc.gov.
A notification event is defined as the acquisition of unencrypted customer information without the authorization of the individual to whom the information pertains. Unauthorized access to unencrypted customer information is presumed to constitute unauthorized acquisition unless the institution has reliable evidence showing that acquisition did not occur. If customer information was encrypted but the encryption key was also accessed without authorization, the information is considered unencrypted for purposes of this rule.
The notice must include the name and contact information of the reporting institution, a description of the types of customer information involved, the date or date range of the event if determinable, the number of consumers affected or potentially affected, and a general description of the event. The FTC makes these notifications publicly available.
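The decision rule above (unencrypted or key-compromised data, the presumption that access equals acquisition, the 500-consumer threshold, and the 30-day outside deadline) is easy to get wrong during an incident, so it helps to encode it in the incident response playbook. The following is an added example written for this guide; it is not FTC tooling and not code from the original article. The event record fields, the sample event and the notice field names are constructed; the responder still supplies the facts (consumer count, whether evidence that acquisition did not occur is reliable), and the code only applies the rule as stated above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Thresholds as stated in the rule summary above.
CONSUMER_THRESHOLD = 500      # notice required at 500 or more consumers
NOTICE_WINDOW_DAYS = 30       # no later than 30 days after discovery

# Content the FTC notice must carry, per the rule summary above (field names constructed).
REQUIRED_NOTICE_FIELDS = (
    "institution_name",
    "institution_contact",
    "information_types",
    "event_date_or_range",   # "undetermined" if the date cannot be established
    "consumers_affected",
    "event_description",
)


@dataclass
class SecurityEvent:
    """Facts recorded by the incident responder (field names constructed for this example)."""
    discovered_on: date
    consumers_affected: int
    data_encrypted: bool
    # Relevant only when data_encrypted is True.
    encryption_key_compromised: bool = False
    # True only when the institution holds reliable evidence that acquisition did not occur.
    reliable_evidence_no_acquisition: bool = False


@dataclass
class Assessment:
    ftc_notice_required: bool
    notice_deadline: Optional[date]
    reasons: list = field(default_factory=list)


def event_from_record(record: dict) -> SecurityEvent:
    """Build an event from a plain record (e.g. a ticket export) carrying an ISO date string."""
    return SecurityEvent(
        discovered_on=date.fromisoformat(record["discovered_on"]),
        consumers_affected=int(record["consumers_affected"]),
        data_encrypted=bool(record["data_encrypted"]),
        encryption_key_compromised=bool(record.get("encryption_key_compromised", False)),
        reliable_evidence_no_acquisition=bool(record.get("reliable_evidence_no_acquisition", False)),
    )


def information_is_unencrypted(event: SecurityEvent) -> bool:
    """Encrypted data counts as unencrypted when the key was also accessed without authorization."""
    return (not event.data_encrypted) or event.encryption_key_compromised


def is_notification_event(event: SecurityEvent) -> bool:
    """Unauthorized acquisition of unencrypted customer information.

    Unauthorized access is presumed to be acquisition unless reliable evidence rebuts it.
    """
    return information_is_unencrypted(event) and not event.reliable_evidence_no_acquisition


def assess(event: SecurityEvent) -> Assessment:
    """Decide whether the event triggers the FTC notice and compute the outside deadline."""
    reasons = []
    if not information_is_unencrypted(event):
        reasons.append("customer information was encrypted and the key was not compromised")
    elif event.reliable_evidence_no_acquisition:
        reasons.append("reliable evidence shows acquisition did not occur")
    if event.consumers_affected < CONSUMER_THRESHOLD:
        reasons.append(f"fewer than {CONSUMER_THRESHOLD} consumers involved")
    if reasons:
        return Assessment(False, None, reasons)
    deadline = event.discovered_on + timedelta(days=NOTICE_WINDOW_DAYS)
    reasons.append("unauthorized acquisition of unencrypted information presumed; threshold met")
    return Assessment(True, deadline, reasons)


def build_ftc_notice(event: SecurityEvent, **details) -> dict:
    """Assemble the notice content and refuse to emit it while a required item is missing."""
    notice = {"consumers_affected": event.consumers_affected, **details}
    missing = [f for f in REQUIRED_NOTICE_FIELDS if not notice.get(f)]
    if missing:
        raise ValueError(f"notice incomplete, missing: {', '.join(missing)}")
    return notice


if __name__ == "__main__":
    # Constructed sample event, not a real incident.
    sample = event_from_record({"discovered_on": "2024-06-01", "consumers_affected": 1200,
                                "data_encrypted": True, "encryption_key_compromised": True})
    print(assess(sample))
    print(build_ftc_notice(
        sample,
        institution_name="Example Fintech LLC",
        institution_contact="security@example.test",
        information_types="names, account numbers",
        event_date_or_range="2024-05-20 to 2024-05-28",
        event_description="unauthorized access to a customer records database",
    ))
```

The deadline computed here is the outside limit; the rule says "as soon as possible", so the playbook should treat the 30-day date as a ceiling rather than a target. Note also that this helper only evaluates the FTC obligation, not state consumer or regulator notification duties.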
This notification obligation is separate from any state breach notification requirements. State laws require notification to consumers and, in some cases, state regulators. The FTC notification requirement is in addition to those obligations, not a substitute for them. A single breach event may trigger the FTC notification, multiple state breach notification obligations, and customer notification requirements simultaneously.
Enforcement and What It Looks Like
The FTC has been actively enforcing the Safeguards Rule, focusing on mortgage companies, auto dealers, and non-banking financial institutions. Enforcement actions have resulted in consent orders requiring comprehensive program overhauls, ongoing third-party assessments, and, in some cases, significant monetary penalties. Civil penalties for violations currently exceed $50,000 per violation per day.
Importantly, GLBA enforcement does not require a breach as a trigger. The FTC can bring an action against a covered entity for failure to maintain a required security program regardless of whether a breach has occurred.
What GLBA Compliance Looks Like in Practice
A fintech that is genuinely GLBA-compliant has a designated qualified individual overseeing its security program, who reports to the board or governing body annually in writing. They have a current written risk assessment. Their customer information is encrypted at rest and in transit. MFA is implemented for all access to systems containing customer information, or the qualified individual has approved equivalent controls in writing. They have a vendor risk management program with contractual security requirements. They have a written incident response plan that has been tested. And they have a process in place to identify and report qualifying notification events to the FTC within 30 days of discovery.
Building this program is not optional for covered fintechs. It is a legal requirement that is actively enforced. The question is whether you build it proactively or scramble to build it after a regulator's inquiry or a breach.