GLBA compliance is difficult and complex

The Gramm-Leach-Bliley Act of 1999 puts a tremendous technical burden on all financial institutions, but especially on community banks. Appendix B of the implementing regulations (1) requires that:
"Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities ... A bank's information security program shall be designed to:
  1. Ensure the security and confidentiality of customer information;
  2. Protect against any anticipated threats or hazards to the security or integrity...
  3. Protect against unauthorized access to or use..."
(emphasis added)

At no place in the regulations are the terms "comprehensive", "appropriate" or "any anticipated threat" defined or explained. This leaves banks with an open-ended obligation to protect customer data. In an era when cybercrime exceeds illegal drugs as the major source of criminal revenue (2), most small banks are simply not technically equipped to deal in-house with the demands of banking and banking security in a computer era (3).

The FFIEC and NIST provide guidance

While the OCC and other regulatory agencies governing community banks have not given clear guidance as to "reasonable" precautions, the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook (4) does provide guidance in this area. The FFIEC noted that:
"While no formal industry accepted security standards exist, these various standards provide benchmarks that both financial institutions and their regulators can draw upon for the development of industry expectations and security practices. Some standard-setting groups include the following organizations...The National Institute of Standards and Technology (NIST) at"

Under the Clinger-Cohen Act of 1996 (5) and its successor, the Federal Information Security Management Act (FISMA) (6), all federal agencies, including the FDIC, OCC, etc., must meet information security standards set by NIST. The agencies are also audited annually on their compliance with NIST standards by the Office of the Inspector General (7).

The following paragraphs show a partial cross listing of NIST standards to the appropriate sections of the GLBA.

12 CFR Part 30 et al, Appendix B to Part 30 - Interagency Guidelines Establishing Standards For Safeguarding Customer Information

Information Security Program. Each bank shall implement a comprehensive written information security program (NIST 800-12, NIST 800-65).

A. Involve the Board of Directors.

B. Assess Risk. (NIST 800-30, NIST 800-53)

C. Manage and Control Risk. (NIST 800-53, NIST 800-63, NIST 800-73, NIST 800-78, NIST 800-21, NIST 800-61, NIST 800-31, NIST 800-50, NIST 800-42)

D. Oversee Service Provider Arrangements. (NIST 800-42, NIST 800-61)

E. Adjust the Program.

F. Report to the Board. (NIST 800-42)

While the NIST standards are freely available to community banks, their scope (over 1600 pages as of mid-2006) and technical complexity are difficult for a small institution to manage. However, a complete NIST-based GLBA compliance program for community banks can be produced at reasonable cost using hardware, software and partner services.

There are three types of safeguards listed in the GLBA regulations:

"Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards ... all elements of the information security program must be coordinated."

Every year, community banks are required to update their information security programs and risk assessments, including a formal approval by their Board of Directors.

Copyright © 2006-2020 ACR 2 Solutions. All rights reserved.