GLBA
You don't think you're a financial institution. The FTC says you are.
If your business arranges financing, processes loan applications, or handles customers' financial data (auto dealers, mortgage and insurance platforms, fintech), GLBA's Safeguards Rule already applies to you. And it's in effect now.
What most in-scope businesses miss
It's not a privacy notice and a checkbox. It's a written security program.
The Safeguards Rule requires a real information security program: a named owner, a risk assessment, technical controls like MFA and encryption, vendor oversight, and a written incident response plan. Most businesses that are in scope don't have one, and don't know they need it.
What the Safeguards Rule requires
FTC Safeguards Rule (16 CFR Part 314)
9 required elements in your written information security program, every one mandatory.
Among them: a named owner, a risk assessment, technical safeguards, monitoring, vendor oversight, training, a written incident response plan, and a report to leadership. It's a program, not a policy.
Not a form. A program.
What GLBA actually is
Two rules, one program to run.
GLBA breaks into two rules that matter for in-scope businesses, plus a wider net than most expect.
The Safeguards Rule
The written information security program with technical controls. This is the heavy lift, the nine required elements above.
The Privacy Rule
Governs how you disclose customers' nonpublic personal information, and the privacy notices you owe them.
Who it covers
Far more than banks: dealers who finance, mortgage and insurance platforms, tax preparers, and the SaaS that serves them.
Already in effect
The updated rule is active now, with real enforcement. This isn't a future deadline you can plan around.
Who it's for
If your product touches customers' financial data, you're probably in scope.
GLBA likely applies if:
- You're an auto dealer that arranges financing or leasing.
- Your SaaS serves dealers, lenders, mortgage, or insurance and touches customer financial data.
- You process, store, or transmit loan applications or account information.
- You have direct access to consumers' financial accounts.
- A financial-institution customer has flowed the requirement down to you.
How it gets done
We build it into your SOC 2, so it's one program, not two.
We deliver GLBA woven into a SOC 2 program through Managed GRC, so the Safeguards Rule controls and SOC 2 satisfy each other and you don't run two tracks. Legal calls (whether you're in scope, QI status) go to your counsel; we build and run the program around their determination. Most teams add Managed Overwatch for the monitoring the Rule requires.
Questions we hear
Common questions
Who does GLBA apply to?
GLBA applies to financial institutions and the service providers that handle nonpublic personal information for them. Under GLBA, "financial institution" is broader than most expect: it includes auto dealers who arrange financing, mortgage brokers, insurance companies, and tax preparers, on top of banks and credit unions. If your SaaS processes, stores, or transmits that data on behalf of any of them, your platform is likely covered as a service provider.
What does the Safeguards Rule require?
A comprehensive written information security program with nine required elements, including a designated qualified individual, a risk assessment, technical controls (MFA, encryption, access controls, regular penetration testing), service-provider oversight, a written incident response plan, and an annual written report to your board or senior leadership.
What's the difference between the Safeguards Rule and the Privacy Rule?
The Safeguards Rule (16 CFR Part 314) requires a written information security program with specific technical controls; that's the security lift. The Privacy Rule (16 CFR Part 313) governs how nonpublic personal information is disclosed and requires privacy notices to consumers.
How does Simple Plan IT deliver GLBA?
As part of an integrated SOC 2 + GLBA program. GLBA controls are woven into the SOC 2 framework rather than run as a separate track. The discovery interview includes GLBA-specific sections covering your information security program governance and NPI data-flow risks, and the resulting program satisfies both the Safeguards Rule and SOC 2.
Does Simple Plan IT decide whether GLBA applies to me?
No. Whether GLBA applies depends on whether your company qualifies as a service provider under the Act, which is a legal determination your counsel makes, not us. We confirm QI status before policy writing begins and refer legal questions (QI designation, NPI data-flow flags, Privacy Rule obligations) to counsel, then build and run the program around their answer.
The rule doesn't wait for you to find out you're covered.
If you're in scope, the Safeguards Rule is active now. We build and run the program so your team doesn't have to decode it.