As per the FTC, starting June 9, 2023, all collection agencies will be treated as financial institutions. This means every collection agency must secure consumer data in nearly the same way a bank does.
Failure to comply with GLBA can have severe consequences for the collection agency, and especially for its owners and senior management. Each violation can result in fines of up to $100,000 and may extend to criminal penalties, including jail time. We will try to cover only the important parts of GLBA, per our understanding.
GLBA covers your employees and even the vendors that have access to your customer and debtor data. This includes your collection letter printing vendor, the software providers that access your data, and even your sales representatives. Any access to this data from outside your company network must go through a VPN, and the laptops used for that access should be encrypted.
If your associates can read email on their cell phones, you must evaluate whether those emails could contain sensitive data, and then either take appropriate steps to secure the mailbox or disable mobile access to it entirely. The GLBA Privacy Rule applies only to nonpublic personal information (NPI). This includes a debtor's name, address, income, and Social Security number; transaction information such as account numbers, payment history, and loan balances; and information drawn from court records or consumer reports.
The recent changes made by the CFPB, together with these upcoming GLBA requirements, will result in significant operational challenges and added costs for all collection agencies in America.
When consumers turn to a financial institution for services, they want to know that their private information is being kept safe and sound. None of us want our information shared with companies we do not approve of. The Gramm-Leach-Bliley Act (GLBA) is a law that was enacted with this desire for security and privacy in mind. The act was passed in 1999 to protect consumers’ private information within financial institutions and give them the power to choose what happens with that personal information.
What Types of Businesses Are Impacted by the Gramm-Leach-Bliley Act?
The GLBA covers any institutions that provide financial services, including:
- Handling loans
- Handling savings
- Exchanging or transferring funds
- Providing financial advising
- Investing for others
- Career counseling (of those who are seeking employment with financial services)
- Collecting debt
- Banking
- Insurance
- Credit union
The law covers a wide variety of institutions that handle finances and can include institutions one may not expect, such as car dealerships that collect and distribute the personal information of their consumers or retailers that grant credit cards to their customers.
Protecting Your Customer’s Nonpublic Personal Information (NPI)
When a consumer decides to work with a specific financial institution, they must be able to trust that institution with their private information. Often, the information given to these institutions by their customers can be highly confidential and leave the customer vulnerable to a number of personal and legal issues should their information be shared or leaked to the wrong party.
Under the Gramm-Leach-Bliley Act, financial institutions are legally obligated to protect all of their consumers' nonpublic personal information (NPI). NPI is defined as individually identifiable financial information collected by a financial institution that cannot be found in the public domain. This can include information like:
- Address
- Income
- Social security numbers
- Payment history
- Account information
- Loan balances
- Purchase history
- Credit history
- Consumer reports
Under the GLBA, a financial institution must uphold and ensure the safety, security, and confidentiality of any information their customers have trusted them with. A financial institution must always have security measures in place to prevent security breaches and data leaks. In order to ensure this, the Federal Trade Commission (FTC) has the power to audit any financial institution at any time. Should the financial institution have a need to share the customer’s information with an outside party, the customer must be made aware of the ways in which their information will be shared and given a choice in whether they would like to “opt-in” or “opt-out.”
The Gramm-Leach-Bliley Act and Privacy Notices
Whether or not you intend to share your customers' NPI, the GLBA requires every financial institution to provide its customers with a privacy notice before a customer-business relationship has been established. Should this interfere with completing the customer's transactions with your business in a timely manner, there is an exception to this rule: as long as the customer agrees, you may provide the notice within a reasonable time frame after the relationship has already been established.
Along with a privacy notice, customers must have an option to opt-out of sharing their NPI with outside parties. This opt-out notice must emphasize that the customer has a right to opt out, give a sensible method of opting out, and grant the customer a reasonable time frame to opt-out. The customer must also be given a copy of the privacy notice annually for the duration of the business-customer relationship.
The FTC’s Recent Amendments to the Gramm-Leach-Bliley Act
The FTC has recently made several amendments to the GLBA. As a result, multiple changes will become effective on June 9, 2023, including:
- Risk assessments: financial institutions will now be required to maintain a formal risk management program that includes a written risk assessment.
- Designation of a single responsible and qualified individual: while financial institutions were already required to have designated employees overseeing the security program, they must now appoint one qualified individual who holds ultimate responsibility for the program.
- Employee training: under this new requirement, financial institutions must ensure that staff who have access to private information such as customer names, addresses, Social Security numbers, and dates of birth receive proper security training from qualified personnel. This training must be repeated regularly.
- Monitoring of service providers to whom data is outsourced or serviced: financial institutions must monitor, and complete risk assessments of, the third-party service providers they decide to work with and share information with. It is the financial institution's responsibility to ensure that the third-party vendors it shares information with have the proper security measures in place to continue protecting its customers' NPI.
- Information systems monitoring and penetration testing: financial institutions must now regularly test and monitor their safeguards, systems, and procedures for weaknesses and for any attempted security breach.
- Incident plan: a new requirement of the GLBA is that financial institutions must have a written incident response plan that addresses seven particular topics: the goal of the plan, internal processes for a response, external and internal communication, requirements for identified weaknesses, how the security event will be documented and reported, and the changes and evaluations needed to the incident plan after a security event has occurred.
- Specified security controls: specific security controls have been added as requirements for maintaining GLBA compliance, including access controls, system inventory, encryption, secure software development, multi-factor authentication, data retention, change management, and system monitoring.
- Accountability of the responsible and qualified individual: the individual designated as the responsible party must now report annually on the status of the security program to the financial institution's executive leadership, in order to maintain accountability and the motivation to uphold the highest security measures for customers.
In Conclusion
The GLBA was put in place to protect consumers' personal information from falling into the wrong hands. It is the responsibility of financial institutions to have security measures in place that protect both their consumers and themselves. Staying up to date on the newest GLBA requirements is crucial to ensuring your financial institution is doing everything it can to maintain compliance.