GLBA Compliance: What It Is and How to Achieve It
GLBA compliance means meeting all requirements under the Gramm-Leach-Bliley Act, a federal law requiring financial institutions to protect consumer financial data. To comply with the GLBA, all covered organizations must satisfy its three rules: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions.
In 2026, GLBA compliance is mandatory for any organization classified as a financial institution, where operations involve the collection, storage or transmission of consumer financial data. Its requirements apply to traditional and non-traditional entities including credit unions, insurance companies, auto dealers, mortgage brokers, and colleges and universities.
This article explains what GLBA compliance requires and how to achieve it in practice, outlining the specific requirements across all three rules and a step-by-step process to comply. For a comprehensive overview of the Gramm-Leach-Bliley Act, start with our complete guide to GLBA.
What is GLBA Compliance?
GLBA compliance means meeting the requirements of the Gramm-Leach-Bliley Act, a federal law that requires financial institutions to protect consumer financial data through its three rules: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions.
GLBA requirements apply to banks, credit unions, insurance companies, securities firms, mortgage brokers, auto dealers, colleges and universities processing Title IV student financial aid, and any other entities “significantly engaged” in financial activities.
GLBA compliance involves implementing privacy notices, security safeguards, and anti-pretexting measures in accordance with the Gramm-Leach-Bliley Act. The FTC enforces GLBA compliance for non-bank financial institutions, with penalties up to $100,000 per violation.
GLBA compliance is not a one-time event. It requires ongoing governance and must operate as part of an organization’s overall information security risk management program.
GLBA Compliance Requirements
GLBA compliance requirements are organized into three rules that address interconnected areas: privacy notice delivery, information security safeguards, and pretexting prevention. More specifically, the three GLBA rules are:
- Financial Privacy Rule: Requires delivery of privacy notices to consumers explaining what nonpublic personal information (NPI) is collected, how it is shared, and what opt-out rights are available.
- Safeguards Rule: Requires the development, implementation, and ongoing maintenance of a comprehensive, written Information Security Program (ISP), supported by specific technical and physical controls.
- Pretexting Provisions: Prohibit unauthorized access to consumer information obtained through false pretenses, such as social engineering or impersonation.
Together, these three rules define the scope of an organization’s responsibilities under the GLBA. A closer look at a few key GLBA requirements can help organizations understand where they already comply, and where any gaps remain.
Information Security Program
The GLBA Safeguards Rule requires a written Information Security Program (ISP) with ten specific elements that govern how security risk is identified, managed, and reported over time. For many organizations, this is the most resource-intensive part of GLBA compliance. At a minimum, the ISP must:
- Designate a “qualified individual” responsible for overseeing and implementing the ISP
- Conduct written risk assessments identifying reasonably foreseeable internal and external threats
- Design and implement safeguards to control identified risks
- Regularly test and monitor the effectiveness of safeguards
- Implement policies, procedures, and training to ensure personnel can effectively enact the information security program
- Oversee service providers that access or maintain customer information
- Update the ISP to reflect changes in the business, system architecture, or threat landscape
- Develop a written incident response plan to address security events
- Require the qualified individual to report annually to the board of directors or equivalent governing body
- Establish a process for reporting qualifying breach events to the FTC in accordance with Safeguards Rule notification requirements
While the qualified individual does not need a specific certification, they do need to possess sufficient knowledge and authority to manage the program effectively. Ultimately, the institution itself retains responsibility for compliance, even if this role is outsourced to a third party.
Risk Assessment Requirements
Risk assessments are mandatory for GLBA compliance because they inform strategic decisions about how to implement the Safeguards Rule requirements. Under GLBA, risk assessments must:
- Identify reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of customer information
- Assess the sufficiency of existing safeguards to control those threats
- Be documented in writing with results used to inform remediation decisions
- Be conducted periodically and updated as risk conditions change
Although the Safeguards Rule does not prescribe a specific risk assessment methodology, assessments must be able to sufficiently identify material risks to customer information. For this reason, many organizations align their GLBA risk assessments with established frameworks such as NIST SP 800-30 or ISO 27005.
Employee Training
For GLBA compliance, employees with access to customer information must receive security awareness training. These training programs must:
- Cover the recognition and prevention of social engineering attacks, including phishing and pretexting
- Address the organization’s specific ISP policies and procedures
- Be updated to reflect emerging threats and changes to the security program
- Be delivered to all personnel who handle customer information, not limited to IT staff
Training also plays a key role in supporting compliance with the Pretexting Provisions. Here, employees must be able to verify the identity of individuals requesting access to consumer information and report suspicious or unauthorized requests.
Vendor Management
To comply with GLBA, financial institutions must take reasonable steps to select and retain service providers that maintain appropriate safeguards. Under this requirement:
- Contracts with service providers must require the implementation and maintenance of safeguards for customer information
- Institutions must periodically assess service providers’ ability to protect customer information
- Monitoring activities must be ongoing, rather than limited to the point of contract execution
FTC enforcement actions have emphasized the importance of vendor oversight, noting that compliance obligations cannot be transferred to third parties.
GLBA Compliance Updates
GLBA compliance requirements are regularly updated by the FTC to keep pace with current technology. The most recent GLBA updates include:
- In 2021, the Safeguards Rule update (effective June 2023) made compliance significantly more demanding by adding specific cybersecurity requirements.
- In 2023, additional changes to the rule (effective May 2024) required non-bank financial institutions to report certain data breaches and security incidents involving customer information to the FTC.
- In 2025, the FTC released Frequently Asked Questions discussing the requirements of the Safeguards Rule and how it applies to motor vehicle dealers specifically.
In addition to GLBA updates, organizations must navigate changes in coverage as business operations evolve over time.
How to Comply with the GLBA
Complying with the GLBA involves a structured process: determine applicability, implement required safeguards, document the program, and establish ongoing monitoring. The following steps outline how to build and maintain a GLBA compliance program.
Step 1: Determine Applicability
Confirm whether your organization qualifies as a “financial institution” under GLBA’s broad definition, which includes non-traditional entities like colleges processing Title IV funds, auto dealers arranging consumer financing, and tax preparation firms. The FTC defines a financial institution as any entity “significantly engaged” in financial activities—a determination based on the nature of the activity, not the organization’s primary business purpose.
Applicability can change as business operations evolve. An organization that begins offering consumer financing, processing student financial aid, or arranging insurance may become subject to GLBA even if financial activity is not its core business.
Step 2: Designate a Qualified Individual
Appoint an individual with appropriate expertise to oversee the information security program. This individual is responsible for implementing and enforcing the program, conducting risk assessments, and reporting to organizational leadership. The role can be fulfilled internally or outsourced to a third-party CISO or managed security provider, but the institution retains compliance responsibility regardless of how the role is staffed.
The qualified individual must report to the board of directors or governing body at least annually on the status of the ISP, including risk assessment results, safeguard testing outcomes, security events, and recommended program changes. Organizations without a formal board must identify a senior officer or equivalent body to receive these reports.
Step 3: Conduct a Risk Assessment
Identify and evaluate internal and external threats to customer information, document findings in writing, and prioritize remediation based on risk severity. Risk assessments must identify reasonably foreseeable threats to the security, confidentiality, and integrity of customer information and assess whether existing safeguards are sufficient to control those threats.
Risk assessments must be updated periodically and whenever changes to business operations, system architecture, or the threat landscape could affect the security of customer information. The Safeguards Rule does not prescribe a specific methodology, but assessments must be thorough enough to identify material risks. Many organizations align their GLBA risk assessments with established frameworks such as NIST SP 800-30 or ISO 27005.
Step 4: Implement Safeguards
Based on risk assessment findings, deploy controls to address identified risks. The Safeguards Rule requires specific categories of safeguards:
- Technical controls: Encryption of customer data in transit and at rest, MFA for systems accessing customer information, and least-privilege access controls
- Operational controls: Incident response plan, vendor security requirements, and change management procedures
- Administrative controls: Written ISP policies, security awareness training, and board-level reporting
- Physical controls: Facility access restrictions, CCTV monitoring, on-site security personnel, and fire protection systems
Each risk identified in Step 3 should map to one or more controls that reduce it to an acceptable level. Institutions maintaining information on fewer than 5,000 consumers are exempt from some prescriptive Safeguards Rule requirements but must still implement safeguards appropriate to their risk profile.
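The mapping from Step 3 risks to Step 4 controls can be kept as a small risk register and checked mechanically. The following is an added example, not code from the article or from Isora GRC: it scores each threat on a qualitative 1–5 likelihood and impact scale (the approach NIST SP 800-30 describes), subtracts the reduction each mapped safeguard provides, and flags risks that have no control at all or whose residual score still exceeds an assumed tolerance of 6. It also checks that all four safeguard categories named above are represented. The risks, controls and reduction values are constructed sample data, not figures from the page.

```python
"""Risk register evaluator for GLBA Safeguards Rule Steps 3 and 4 (added example)."""
from dataclasses import dataclass, field

# The four safeguard categories the Safeguards Rule expects to see.
SAFEGUARD_CATEGORIES = {"technical", "operational", "administrative", "physical"}


@dataclass
class Control:
    """A safeguard that treats one or more risks (Step 4)."""
    name: str
    category: str                  # one of SAFEGUARD_CATEGORIES
    likelihood_reduction: int = 0  # points taken off the 1-5 likelihood scale
    impact_reduction: int = 0      # points taken off the 1-5 impact scale


@dataclass
class Risk:
    """One reasonably foreseeable threat from the written risk assessment (Step 3)."""
    risk_id: str
    threat: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Each mapped control lowers likelihood and/or impact; neither drops below 1.
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, lik) * max(1, imp)


def evaluate(register, tolerance=6):
    """Return {risk_id: status} where status is unmapped, above_tolerance or acceptable."""
    result = {}
    for risk in register:
        if not risk.controls:
            result[risk.risk_id] = "unmapped"
        elif risk.residual_score() > tolerance:
            result[risk.risk_id] = "above_tolerance"
        else:
            result[risk.risk_id] = "acceptable"
    return result


def prioritize(register):
    """Risk ids ordered for remediation: highest residual first, then highest inherent."""
    ordered = sorted(register,
                     key=lambda r: (-r.residual_score(), -r.inherent_score(), r.risk_id))
    return [r.risk_id for r in ordered]


def missing_categories(register):
    """Safeguard categories with no control anywhere in the register."""
    present = {c.category for r in register for c in r.controls}
    return SAFEGUARD_CATEGORIES - present


def sample_register():
    """Constructed sample data (assumed values, not from any real assessment)."""
    mfa = Control("MFA on systems holding customer information", "technical", likelihood_reduction=2)
    training = Control("Security awareness training", "administrative", likelihood_reduction=1)
    fde = Control("Full-disk encryption on laptops", "technical", impact_reduction=3)
    badge = Control("Badge-controlled records room", "physical", likelihood_reduction=1)
    backups = Control("Tested offline backups", "operational", impact_reduction=1)
    return [
        Risk("R1", "Phishing leads to credential theft", 4, 4, [mfa, training]),
        Risk("R2", "Lost laptop holding customer files", 3, 5, [fde]),
        Risk("R3", "Service provider mishandles customer data", 3, 4),
        Risk("R4", "Unauthorized access to paper records", 2, 4, [badge]),
        Risk("R5", "Ransomware on file server with customer data", 4, 5, [backups]),
    ]


if __name__ == "__main__":
    register = sample_register()
    statuses = evaluate(register)
    for risk_id in prioritize(register):
        risk = next(r for r in register if r.risk_id == risk_id)
        print(f"{risk_id} residual={risk.residual_score():2d} "
              f"inherent={risk.inherent_score():2d} {statuses[risk_id]}: {risk.threat}")
    print("categories with no control:", missing_categories(register) or "none")
```

Running the block prints the register ordered for remediation: the ransomware risk is still above tolerance despite backups, and the service-provider risk has no control mapped at all, which is exactly the kind of gap the vendor-oversight requirement is meant to close. Because the register is plain data, the same evaluation can be re-run whenever the assessment is updated under Step 3.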
Step 5: Deliver Privacy Notices
Provide initial and annual privacy notices to customers explaining data collection and sharing practices. Privacy notices must describe the categories of nonpublic personal information collected, the categories of third parties with whom information is shared, and the consumer’s right to opt out of certain information sharing.
Initial notices must be delivered when a customer relationship is established. Annual notices must be delivered for the duration of the relationship, though institutions that meet certain conditions—such as only sharing information in ways that do not trigger opt-out rights—may qualify for an exception to the annual notice requirement. Opt-out mechanisms must be accessible, functional, and clearly explained.
Step 6: Test and Monitor
Conduct annual penetration testing and semi-annual vulnerability assessments, or implement continuous monitoring that achieves equivalent results. Testing should also be performed whenever material changes occur to operations, business arrangements, system architecture, or where circumstances could reasonably be expected to affect the ISP.
Monitoring activities should evaluate safeguard effectiveness over time and inform program updates. Results from penetration tests, vulnerability assessments, and monitoring activities should be documented and reviewed by the qualified individual.
Step 7: Document Everything
Retain written records of the ISP, risk assessments, safeguard testing results, training logs, vendor assessments, and incident response activities. The Safeguards Rule requires written documentation for the information security program, risk assessments, and the incident response plan.
Documentation beyond these minimums supports compliance during regulatory review or audit. Written records serve as the primary evidence of compliance in the event of an inquiry or enforcement action and should be organized for timely retrieval.
GLBA Compliance Checklist
Use this GLBA compliance checklist to track your organization’s progress across all three GLBA rules. Here, each item corresponds to a specific regulatory requirement.
| Rule Area | Requirement | Reference |
|---|---|---|
| Safeguards Rule | Designate qualified individual | 16 CFR 314.4(a) |
| Safeguards Rule | Conduct written risk assessment | 16 CFR 314.4(b) |
| Safeguards Rule | Implement access controls | 16 CFR 314.4(c)(1) |
| Safeguards Rule | Encrypt customer data in transit and at rest | 16 CFR 314.4(c)(3) |
| Safeguards Rule | Implement multi-factor authentication | 16 CFR 314.4(c)(5) |
| Safeguards Rule | Conduct penetration testing (annual) | 16 CFR 314.4(d)(2)(i) |
| Safeguards Rule | Conduct vulnerability assessments (semi-annual) | 16 CFR 314.4(d)(2)(ii) |
| Safeguards Rule | Provide employee training | 16 CFR 314.4(e) |
| Safeguards Rule | Oversee service provider security | 16 CFR 314.4(f) |
| Safeguards Rule | Implement ISP program updates | 16 CFR 314.4(g) |
| Safeguards Rule | Develop incident response plan | 16 CFR 314.4(h) |
| Safeguards Rule | Report to board annually | 16 CFR 314.4(i) |
| Safeguards Rule | Notify FTC of qualifying breach events within 30 days (500+ consumers) | 16 CFR 314.4(j) |
| Privacy Rule | Deliver initial privacy notice | 12 CFR 1016.4 |
| Privacy Rule | Deliver annual privacy notice | 12 CFR 1016.5 |
| Privacy Rule | Provide opt-out mechanism | 12 CFR 1016.10 |
| Pretexting | Train employees on social engineering prevention | 15 U.S.C. § 6821 |
GLBA Compliance by Industry
GLBA compliance requirements apply equally across all covered institutions, but how organizations implement them often varies by industry.
Financial Services
Banks, credit unions, and other depository institutions comply with GLBA through regulations issued by federal banking regulators like the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, the National Credit Union Administration (NCUA), or the Securities and Exchange Commission (SEC). Under Regulation P (12 CFR 1016), the Consumer Financial Protection Bureau (CFPB) holds rulemaking authority over GLBA’s Privacy Rule for these institutions.
Instead of the GLBA Safeguards Rule, however, these regulatory bodies enforce the Interagency Guidelines Establishing Information Security Standards. Obligations are the same, but the implementing regulations, examination procedures, and enforcement mechanisms differ. Organizations subject to multiple regulators must satisfy each regulator’s requirements independently.
SEC-regulated broker-dealers, investment advisers, and investment companies must comply with Regulation S-P, adopted under GLBA authority. The SEC’s 2024 amendments to Regulation S-P — effective December 2025 for larger entities and June 2026 for smaller ones — require incident response programs, 30-day customer breach notification, and contractual 72-hour breach notification clauses with service providers. While these requirements might parallel GLBA obligations, they do not replace them.
Higher Education
Colleges and universities qualify as financial institutions under GLBA because they administer Title IV federal student financial aid. These institutions are subject to the FTC’s Safeguards Rule and to enforcement by the Department of Education and Federal Student Aid (FSA).
The Department of Education enforces GLBA compliance for Title IV institutions through the Student Aid Internet Gateway (SAIG) Agreement and the Federal Single Audit, which includes a Safeguards Rule compliance check. Non-compliance findings are documented in audit reports and may be referred to both the FTC and the FSA Cybersecurity Team. Institutions without a breach are required to submit a Corrective Action Plan (CAP) with implementation timelines. Repeated non-compliance may result in actions that impact Title IV participation.
Colleges and universities maintaining information on fewer than 5,000 consumers are exempt from several Safeguards Rule requirements, including written risk assessments, incident response plans, annual board reporting, penetration testing, and vulnerability assessments. These institutions must still maintain an information security program, designate a qualified individual, and oversee service providers.
The Department of Education has designated Federal Tax Information (FTI) used in financial aid processes as Controlled Unclassified Information (CUI) and has indicated that institutions should align with NIST SP 800-171 controls. However, this is not yet a formal GLBA requirement.
Student financial data in higher education is often distributed across financial aid, bursar, housing, and other systems managed by different departments. For university-specific implementation guidance, see our GLBA compliance for higher education guide.
Insurance
GLBA compliance for insurers is a state-by-state obligation with rulemaking authority delegated to state insurance departments rather than the FTC.
Today, all 50 states have adopted the NAIC’s Privacy of Consumer Financial and Health Information Regulation (Model #672), which establishes requirements for privacy notices and information-sharing limitations under GLBA’s Privacy Rule. However, the timing, scope, and specificity of each state’s adoption varies. Some states have updated their regulations to reflect subsequent GLBA amendments, while others have not.
The NAIC adopted the Insurance Data Security Model Law in 2017 to address GLBA’s security requirements. This model law introduced requirements for information security programs, risk assessments, incident investigation, and regulatory notification. As of 2026, more than 20 states have adopted it. Still, insurers may face different security program requirements depending on where they are licensed.
Meanwhile, health insurers must comply with both GLBA and HIPAA. Multi-state health insurers may need to satisfy GLBA-based state insurance regulations, HIPAA security and privacy requirements, the NAIC Data Security Model Law where adopted, and state privacy laws.
But some states are refining their GLBA exemptions. Connecticut, for example, narrows its entity-level GLBA exemption under the Connecticut Data Privacy Act (effective July 2026), removing it for non-bank financial institutions and keeping it for banks, credit unions, and insurers.
Non-Traditional Entities (Auto Dealers, Mortgage Brokers, Tax Preparers)
Non-traditional financial institutions including auto dealers, mortgage brokers, and tax preparers comply with GLBA through the FTC’s Safeguards Rule and Privacy Rule. Unfortunately, these organizations were disproportionately affected by the Safeguards Rule updates that took effect in 2023, which introduced specific mandates for encryption, multi-factor authentication, penetration testing, and written information security programs.
Before 2023, non-traditional financial institutions had no obligation to maintain a formal information security program under the FTC’s regulations. Now, the Safeguards Rule requires these organizations to designate a qualified individual, conduct documented risk assessments, implement technical safeguards, and oversee service providers.
Institutions maintaining information on fewer than 5,000 consumers are exempt from requirements for written risk assessments, incident response plans, penetration testing, vulnerability assessments, and annual board reporting. But the primary obligations—an information security program, a qualified individual, and service provider oversight—apply regardless of size.
Yet many non-traditional entities still do not recognize that GLBA applies to them, particularly where financial activity is incidental to their business.
How to Simplify GLBA Compliance
GLBA compliance requires coordination across teams and departments, particularly for organizations with distributed operations. Isora GRC gives security teams a centralized workspace to manage compliance across all three GLBA rules.
Assessment Management. Distribute GLBA compliance questionnaires to department heads and unit owners across the organization. Organize assessments by compliance objective — Safeguards Rule, Privacy Rule, or vendor management — and manage multiple compliance activities within a single workflow. Track completion status in real time instead of relying on email or spreadsheets.
Compliance Tracking. Monitor progress against Safeguards Rule requirements across departments. Generate compliance scorecards to identify control gaps and track remediation through resolution. Maintain audit-ready documentation to support annual reporting by the qualified individual to the board of directors or governing body.
Book a demo to see how Isora GRC simplifies GLBA compliance.
GLBA Compliance FAQs
What is GLBA compliance?
GLBA compliance means meeting the requirements of the Gramm-Leach-Bliley Act’s three rules: delivering privacy notices under the Financial Privacy Rule, implementing a written information security program under the Safeguards Rule, and preventing unauthorized access to consumer data under the Pretexting Provisions.
Different regulators enforce these requirements depending on institution type — the FTC for non-bank financial institutions, federal banking agencies for banks and credit unions, and state insurance departments for insurers. Penalties for non-compliance can reach $100,000 per violation.
What are the main GLBA compliance requirements?
GLBA compliance requirements include designating a qualified individual to oversee the information security program, conducting written risk assessments, implementing technical safeguards (encryption, MFA, access controls), delivering privacy notices to consumers, training personnel, overseeing service providers, and maintaining an incident response plan.
The FTC’s 2021 Safeguards Rule update (effective June 2023) formalized many of these as prescriptive requirements for non-bank financial institutions. A subsequent 2023 amendment (effective May 2024) added breach notification requirements.
Who needs to be GLBA compliant?
GLBA applies to any organization classified as a financial institution under the Act. This includes banks, credit unions, insurance companies, securities firms, mortgage brokers, auto dealers, and colleges or universities that process student financial aid.
The definition extends to any entity “significantly engaged” in financial activities. Different regulators enforce GLBA depending on institution type—the FTC does not regulate banks, credit unions, insurers, or SEC-registered firms, which fall under their respective federal or state regulators.
What is the GLBA Safeguards Rule?
The GLBA Safeguards Rule (16 CFR Part 314) requires non-bank financial institutions to develop, implement, and maintain a written information security program. The FTC’s 2021 update, effective June 2023, established ten required program elements, including risk assessments, encryption, multi-factor authentication, penetration testing, and incident response planning.
What are the penalties for GLBA non-compliance?
GLBA non-compliance may result in fines of up to $100,000 per violation for institutions. Individual officers and directors may face fines of up to $10,000 per violation and up to five years of imprisonment for willful violations. The FTC has increased enforcement activity since 2023, including at least five pretexting-related cases since April 2024.
Does GLBA compliance require penetration testing?
The FTC’s Safeguards Rule, effective June 2023, requires covered non-bank financial institutions to conduct annual penetration testing and semi-annual vulnerability assessments, or to implement continuous monitoring that achieves comparable outcomes. Banks and credit unions may face equivalent requirements through their banking regulators’ guidelines.
Conclusion
GLBA compliance is not a one-time project. The Safeguards Rule requires ongoing risk assessments, safeguard testing, vendor oversight, board reporting, and program updates—all of which must be coordinated across teams, departments, and in many cases, multiple regulatory frameworks.
For organizations managing these requirements across distributed operations, Isora GRC offers a centralized workspace to run assessments, track compliance, and maintain audit-ready documentation.
Simplify GLBA compliance with Isora GRC.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.