GLBA — privacy, Safeguards Rule, and what fintechs must do
The Gramm-Leach-Bliley Act in plain English: Privacy Rule, Safeguards Rule (with 2023 updates), Pretexting Rule, what fintechs actually need to implement, and how it intersects SOC 2, PCI DSS, and state privacy law.
The Gramm-Leach-Bliley Act of 1999 (GLBA) is the foundational U.S. financial privacy law. It governs how financial institutions collect, share, and protect non-public personal information (NPI) about consumers. The 2023 update to the GLBA Safeguards Rule materially raised the bar — adding explicit requirements for multi-factor authentication, encryption at rest, written incident-response plans, and oversight by a designated qualified individual that many fintechs first encounter during sponsor-bank diligence.
This page covers GLBA's structure (the three rules), what the 2023 Safeguards Rule update changed, what fintechs (versus traditional banks) actually have to do, where GLBA intersects with SOC 2 and PCI DSS, and how state privacy laws layer on top.
GLBA's structure
GLBA created three distinct compliance regimes:
- Privacy Rule (Title V). Requires financial institutions to disclose privacy practices and give consumers an opt-out before sharing NPI with non-affiliated third parties. Implemented by the CFPB's Regulation P (12 CFR Part 1016) for many institutions.
- Safeguards Rule. Requires financial institutions to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards proportionate to size, scope, and complexity. Enforced primarily by the FTC for non-bank financial institutions; the federal banking regulators have parallel safeguards expectations for banks.
- Pretexting Rule. Prohibits obtaining customer information from a financial institution under false pretenses (social engineering attacks against the institution).
What the 2023 Safeguards Rule update changed
The FTC's amended Safeguards Rule, finalized in 2021 and effective in stages through June 2023, replaced the previously flexible "reasonable" standard with specific, prescriptive requirements. The most consequential changes:
- Designated qualified individual. A named individual responsible for overseeing, implementing, and enforcing the information security program. The role can be in-house or outsourced; if outsourced, the institution remains responsible.
- Written risk assessment. Periodic, documented risk assessment that identifies foreseeable risks to NPI confidentiality, integrity, and availability.
- Encryption of customer information at rest and in transit. No longer optional. Compensating controls allowed only with written justification approved by the qualified individual.
- Multi-factor authentication. Required for any individual accessing customer information. Limited exceptions allowed only with written approval.
- Access controls. Authentication, role-based access, periodic access reviews.
- Inventory of data and systems. Maintained inventory of where NPI is stored, processed, and transmitted.
- Secure disposal. Procedures for secure disposal of customer information when no longer needed.
- Change management. Procedures evaluating the security impact of changes to information systems.
- Logging and monitoring. Implemented to detect and respond to attacks and intrusions.
- Penetration testing and vulnerability assessments. Annual penetration testing plus continuous vulnerability assessment.
- Written incident response plan. Documented IR plan tested periodically and updated based on lessons learned.
- Annual report to the board. The qualified individual reports annually on the program's status, risk assessment results, security events, and recommended changes.
- Vendor management. Service providers handling NPI must be selected based on their ability to maintain appropriate safeguards, with contracts requiring those safeguards and periodic reassessment.
Most well-run fintechs were doing many of these things already. The 2023 update made them mandatory and explicit, and brought enforcement teeth. The FTC's 2023 enforcement against multiple non-bank financial institutions for Safeguards-Rule deficiencies signaled the practical end of the "reasonable" era.
Who GLBA applies to
GLBA applies to "financial institutions" — a term defined broadly to include not just banks but also:
- Mortgage lenders, brokers, and servicers
- Payday lenders
- Check cashers, money transmitters, and other money services businesses
- Tax preparation firms
- Credit counseling and debt-management firms
- Investment advisors
- Insurance providers
- Auto dealers that arrange financing
Most fintechs offering deposits, lending, payments, money transmission, or financial advisory services fall within GLBA's scope, even if their business model is novel. The FTC has consistently applied GLBA to neobanks, robo-advisors, BNPL providers, crypto on-ramps, and fintech-adjacent service providers.
How GLBA applies differently to fintechs vs banks
The substantive obligations are the same; the supervisory body differs. Federally chartered banks are supervised by the OCC; state-chartered banks are supervised by the FDIC and their state regulator. Non-bank financial institutions — including most fintechs — answer to the FTC for GLBA compliance.
Practical differences:
- Banks face GLBA expectations as part of their broader prudential examination — typically continuous and intensive.
- FTC enforcement of GLBA against fintechs is event-driven (incidents, complaints, market sweeps). When FTC enforcement happens, it tends to be substantial — multi-million-dollar penalties plus corrective action plans.
- A fintech operating behind a sponsor bank effectively faces both regimes — the bank's third-party risk function tests the fintech's GLBA compliance as part of diligence and continuous monitoring.
How GLBA intersects SOC 2 and PCI DSS
GLBA, SOC 2, and PCI DSS overlap meaningfully but are distinct:
- GLBA Safeguards Rule is law. Specific to NPI in U.S. financial services. Enforced by the FTC (non-banks) or banking regulators (banks).
- SOC 2 is a voluntary attestation framework administered by the AICPA. Covers security, availability, processing integrity, confidentiality, and privacy. Used as evidence of GLBA Safeguards Rule compliance and for sponsor-bank diligence.
- PCI DSS is a contractual standard imposed by the card networks. Specific to cardholder data. Operationally overlaps with both GLBA and SOC 2 in encryption, access control, and incident response.
A fintech with SOC 2 Type II and PCI DSS attestation typically satisfies most of the technical Safeguards Rule requirements. The Safeguards-specific obligations that don't map cleanly are: the qualified-individual designation, the annual board report, and the explicit GLBA-anchored privacy disclosures and opt-out.
State privacy laws on top
Several state privacy laws layer additional requirements on top of GLBA:
- California (CCPA / CPRA). Excludes most GLBA-regulated data from CCPA but still imposes additional notice and consumer-rights obligations on data outside the GLBA carve-out.
- New York DFS Cybersecurity Regulation (23 NYCRR 500). Applies to NY DFS-regulated financial institutions; substantively similar to but more prescriptive than the 2023 Safeguards Rule update.
- Other state regimes. Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and a growing list of others. Most include partial GLBA exclusions but add notice or consumer-rights obligations on edge-case data.
Multi-state fintechs typically build GLBA Safeguards Rule compliance as the floor and layer state-specific obligations on top via a unified privacy program.
What examiners and banks test
Common GLBA testing focus areas during examination or sponsor-bank diligence:
- Documented qualified-individual designation with appropriate authority and resources.
- Current written risk assessment with identified risks and mitigations.
- Encryption configuration evidence — at-rest and in-transit, with documented exceptions.
- MFA enforcement evidence across all systems handling NPI.
- Inventory of NPI data flows and storage locations.
- Logging and monitoring evidence — what is logged, where it is stored, and how long it is retained.
- Annual penetration test report and remediation evidence.
- Tested incident response plan with last-tested date.
- Vendor management documentation for any third party handling NPI.
- Annual board report (or equivalent for non-bank entities).
Each of these is satisfied by a combination of policy documentation, technical control evidence, and ongoing operational records. The same evidence-infrastructure properties that drive AML and sponsor-bank compliance — completeness, tamper-evidence, framework-tagging, exportability — apply to GLBA evidence as well.
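The inventory, encryption, and MFA items from the Safeguards list above, together with the examiner focus on documented exceptions, can be turned into a repeatable evidence check. The following is an added illustration, not code from the page or any regulator; the control names, the `qi_approved` flag, and the sample inventory are this example's own assumptions.

```python
import json
from dataclasses import dataclass, field
# Controls the 2023 Safeguards Rule makes mandatory for systems holding NPI
# (the control names are this example's own labels, not regulatory terms).
REQUIRED_CONTROLS = ("encryption_at_rest", "encryption_in_transit", "mfa")

@dataclass
class WrittenException:
    """Compensating control: valid only with a QI-approved written justification."""
    control: str
    justification: str
    qi_approved: bool

@dataclass
class System:
    name: str
    stores_npi: bool
    controls: dict  # control name -> currently enforced (True/False)
    exceptions: list = field(default_factory=list)

def assess(inventory: list) -> dict:
    """Classify each in-scope (system, control) pair as compliant, accepted exception, or gap."""
    result = {"compliant": [], "accepted_exceptions": [], "gaps": []}
    for s in inventory:
        if not s.stores_npi:
            continue  # outside Safeguards scope, but it still belongs in the inventory
        for control in REQUIRED_CONTROLS:
            if s.controls.get(control, False):
                result["compliant"].append((s.name, control))
                continue
            exc = next((e for e in s.exceptions if e.control == control), None)
            if exc and exc.qi_approved and exc.justification.strip():
                result["accepted_exceptions"].append((s.name, control))
            else:  # no exception, QI never signed it, or the justification is empty
                result["gaps"].append((s.name, control))
    return result

def export_evidence(result: dict) -> str:
    """Framework-tagged JSON for a diligence package (the 'exportability' property)."""
    return json.dumps({"framework": "GLBA Safeguards Rule", **result}, indent=2)
# Constructed sample inventory; none of these are real systems.
ALL_ON = {c: True for c in REQUIRED_CONTROLS}
INVENTORY = [
    System("core-ledger-db", True, dict(ALL_ON)),
    System("legacy-batch-host", True, {**ALL_ON, "encryption_at_rest": False},
           [WrittenException("encryption_at_rest", "Appliance lacks volume encryption; "
                             "compensating: network isolation plus encrypted exports", True)]),
    System("support-ticketing", True, {**ALL_ON, "mfa": False}),
    System("marketing-site", False, {}),
]
```

Running `export_evidence(assess(INVENTORY))` lists the ticketing system's missing MFA as a gap while the batch host's QI-approved exception is reported separately, which is the distinction an examiner will ask for.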