Comply with the
GLBA Safeguards Rule

The Safeguards Rule implements Section 501(b) of the Gramm-Leach-Bliley Act and requires financial institutions to develop and maintain a comprehensive written information security program with administrative, technical, and physical safeguards to protect customer information. The FTC's version (16 CFR Part 314) applies to non-bank financial institutions; banks follow the parallel Interagency Guidelines issued by federal banking regulators. Both share the same three objectives: ensure the security and confidentiality of customer information, protect against anticipated threats, and protect against unauthorized access or use that could harm customers.

Any "financial institution" — defined broadly as a business significantly engaged in financial activities. That includes banks, credit unions, mortgage lenders and brokers, auto dealers, finance companies, payday lenders, tax preparers, accountants, collection agencies, and investment advisors not registered with the SEC. Banks supervised by a federal banking agency are covered by the equivalent Interagency Guidelines rather than the FTC rule, but the security expectations are functionally the same.

A written information security program built on nine elements: a designated Qualified Individual; a written risk assessment; specific technical safeguards (access controls, a data inventory, encryption in transit and at rest, secure development, MFA, secure disposal, change management, and monitoring/logging of user activity); regular testing or continuous monitoring; staff training; service-provider oversight; ongoing program evaluation; a written incident response plan; and annual reporting to the board. Since May 2024 it also requires notifying the FTC within 30 days of a breach affecting 500 or more consumers.

NPI is personally identifiable financial information a financial institution collects about a customer that isn't publicly available — account numbers, balances, transaction history, Social Security numbers, income, and credit or loan data. "Customer information" under the rule is any record containing NPI, in any form, that the institution maintains or that's maintained on its behalf.

The 2021 amendments (full compliance June 9, 2023) moved the rule from flexible principles to concrete technical requirements: a named Qualified Individual, a written risk assessment, mandatory encryption, MFA, secure disposal, change management, continuous monitoring or periodic penetration testing plus vulnerability assessments, a written incident response plan, and annual board reporting. A later amendment added breach notification (effective May 13, 2024): notify the FTC within 30 days of discovering a breach involving 500 or more consumers.

Institutions can face civil penalties up to $100,000 per violation, and officers and directors can be personally liable up to $10,000 per violation, with each day of a continuing violation potentially counting separately. Willful violations can carry criminal fines and up to five years' imprisonment. Beyond fines, expect FTC consent decrees mandating multi-year security programs and third-party audits, plus reputational and litigation costs. In financial services, the average data breach now costs about $5.56 million (IBM, 2025).

It depends on your starting posture. A typical program build runs several months: gap assessment, risk assessment, remediation across the required elements, documentation, and ongoing monitoring. Tooling that automates the monitoring, logging, and evidence-collection requirements — like DataFence for the data-egress channel — can be deployed in hours and starts generating compliance evidence immediately, compressing the parts of the timeline that depend on continuous monitoring and audit-ready documentation.

No single tool makes an institution "GLBA compliant" — the rule requires a whole program, including MFA, a Qualified Individual, and board reporting that aren't software features. But DataFence directly addresses several of the most failure-prone, modern requirements: it monitors and logs authorized-user activity at the browser [314.4(c)(8)], enforces destination controls and blocks NPI from leaving via uploads or AI tools [(c)(1), objective #3], ensures secure (HTTPS) transmission [(c)(3) in transit], discovers shadow IT and unsanctioned vendors [(c)(2), (f)], and produces the continuous-monitoring and incident-response evidence [(d), (h)] auditors and the FTC expect.