FORTNER, BAYENS, LEVKULICH & GARRISON, P.C.
Certified Public Accountants

Is My Bank Compliant with GLBA or is it a Journey That We Will Never Complete?

By: Tyler Tobin, GSEC/GIAC
Date: 10/8/09

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (“GLBA”), contains numerous provisions designed to protect the privacy of personal financial information.  Ten years after GLBA’s passage, banks still struggle with the question of whether their information security program is GLBA compliant.  Technology has changed dramatically over the last decade, and information volume is ever increasing, so banks continue to ask the same basic questions:  Is my bank GLBA compliant?  Even if we don’t have any outstanding issues with the Regulators, is there more that should be done?

The short and technical answer to the question of GLBA compliance is often “no.”  GLBA contains numerous standards, and our experience performing information systems examinations, vulnerability assessments and GLBA risk assessments reveals that even the most hardened and properly configured environments fail to meet all GLBA requirements.  However, the longer and more nuanced answer to the question of GLBA compliance is “maybe.”  As technologies develop and information needs grow, industry standards change and banks are required to respond to conditions not fully contemplated in GLBA.  By focusing on the intent of GLBA, rather than on mapping individual internal controls to specific GLBA requirements, banks can implement policies and procedures that respond promptly and appropriately to changes in industry standards.  I believe that if a bank adopts industry best practices in its information security program, GLBA compliance will result.

The answer to the question of whether the information security program should be enhanced, even if there are no outstanding issues with the Regulators, is often “yes.”  Technologies and information security risks can change daily, and banks must continually evaluate the adequacy of their information security policies and procedures so that risks are detected promptly and mitigated appropriately.  A control that operates satisfactorily today may become utterly ineffective as new threats emerge, and the 12- to 18-month cycle between regulatory examinations is an eternity in the realm of information risk management.
So what is GLBA compliance?  Ultimately, I believe that GLBA compliance is not just an objective, but also a process.  The measures necessary for full compliance change with technology and information needs, and banks must focus on identifying, evaluating and responding to changing information risks rather than on “checking off” the individual controls that exist at a point in time.  By constantly assessing information security policies, evaluating information security posture and implementing industry best practices, banks will maintain GLBA compliance and reduce the risks from emerging information security threats.