December 05, 2023 by Marko Dinic

GLBA Compliance Checklist for Financial Services

If you’re a financial services firm, you’re affected by various legislation, including federal laws such as The Gramm-Leach-Bliley Act (GLBA).

In this article, we cover:

  • Our comprehensive GLBA compliance checklist.
  • What GLBA is and how it affects you.
  • How to comply with GLBA with email archiving.

Let’s get started.

GLBA Compliance Checklist

Complying with GLBA isn’t an easy job for any organization because of its intricacies, but following the GLBA best case practices is one of the best ways to set yourself up for full compliance.

Use this GLBA compliance checklist and take the key steps for your organization to comply with GLBA:

  • Assess Your Organization — Conduct an initial audit of your organization’s structure, functions, and financial activities to determine its scope under GLBA.
    • Is your organization considered a financial institution under GLBA?
    • Does your organization provide financial services to customers?
    • Does your organization provide privacy notices on customer relationship establishment?
    • Does your organization have a written information security program?
  • Administrative Safeguarding — Evaluate the structure of your compliance department and its effects on GLBA compliance.
    • Appoint a designated compliance officer responsible for overseeing GLBA compliance.
    • Ensure the knowledge and experience of the newly designated GLBA compliance officer.
    • Implement a written GLBA compliance program tailored to your organization.
    • Restructure your compliance department according to the new officer and compliance program.
    • Conduct regular risk assessments and update the GLBA compliance program accordingly.
  • Physical Safeguarding — Evaluate the security and disposal practices of your physical record storage and ensure all GLBA practices are followed.
    • Implement policies and procedures for secure storage of physical records containing nonpublic personal information (NPPI).
    • Establish secure methods for both storing and disposing of public records.
    • Implement surveillance and strict access requirements to physical record storage rooms and devices.
  • Technical Safeguarding — Utilize the latest encryption technologies and transmission protocols for public data to prevent unauthorized access.
    • Assess your current third-party vendor’s solution and verify the current implementation complies with GLBA.
    • Choose an archiving solution with strong encryption protocols and regularly update it with the newest algorithms.
    • Implement access control protocols to restrict unauthorized access to your archive.
    • Implement intruder detection and prevention systems to identify and respond to security breaches
    • Utilize cloud technologies and firewall protection to prevent potential hacking attempts.
  • Staff Training — Evaluate the effectiveness of your staff compliance training program and their understanding of GLBA compliance laws.
    • Develop a comprehensive training program for your staff about GLBA requirements, how they affect them, and their responsibilities.
    • Ensure that employees understand their roles in safeguarding customer information.
    • Document the employee training program and its effectiveness.
    • Regularly keep employees informed about GLBA laws and threats with refresher training.
  • Incident Response Planning — Review your past incident response actions and develop a new GLBA-compliant plan.
    • Establish and maintain a comprehensive incident response plan for responding to security incidents involving NPPI.
    • Develop procedures for notifying affected individuals and authorities.
    • Conduct regular testing and simulations of your response systems. Update it with the new findings.
  • Compliance Audits — Conduct internal GLBA compliance audits to ensure the effectiveness of your compliance systems and strategy.
    • Analyze any deficiencies in your security, responses, and staff.
    • Engage with external auditors to conduct periodic GLBA compliance audits.
    • Improve your GLBA systems with the new findings.

Following this GLBA compliance checklist will ensure your organization is set up with the best means to protect the confidentiality of your customers.

As new laws are introduced and old ones are updated, it’s in your best interest to regularly refer to this GLBA compliance checklist and act according to the new regulations.

What Is GLBA?

Gramm-Leach-Bliley (GLBA), also known as The Financial Services Modernization Act of 1999, is a federal US law enacted to monitor and control the ways financial institutions handle sensitive private information of individuals.

GLBA consists of three parts:

  • The Financial Privacy Rule — Regulates the collection and disclosure of confidential financial information. It requires financial institutions to provide customers with privacy notices explaining their information-sharing practices, giving them the right to opt out of having their information shared.
  • The Safeguards Rule — Obligates financial institutions to provide security measures to protect customers’ confidential information. It includes the development and maintenance of comprehensive information security systems.
  • The Pretexting Provisions — Prohibits access to customer private information under false pretenses or fraudulent means.

Who does GLBA apply to?

Gramm-Leach-Bliley applies to every company that offers its customers any sort of financial product or service such as loans, insurance, or investment advice.

It specifically applies to banks, credit reporting agencies, debt collectors, security companies, tax preparation companies, real estate companies, insurance companies, and any correspondent companies doing business with them.

It’s important to note that GLBA doesn’t apply solely based on an organization’s legal structure. Instead, it focuses on whether the entity is involved in financial activities and has access to nonpublic personal information (NPPI) about individuals in the course of providing financial products or services.

This means that the GLBA can apply to organizations you might not think about like school districts as they offer their students financial advisory services.

How does GLBA work in practice?

In practice, The Gramm-Leach-Bliley Act focuses on the security and confidentiality of private information stored and shared through email correspondence.

It requires companies to have secure access controls for protecting stored information and for their emails to be retained for six years.

GLBA compliance is handled through email archiving solutions that capture and protect all incoming and outgoing data for extended periods of time.

Related: Email Retention Policies Best Practices

How to Comply with the Gramm-Leach-Bliley Act with Email Archiving

Complying with the Gramm-Leach-Bliley Act (GLBA) is essential for any financial institution, especially when it comes to exchanging sensitive information through email.

This requires many security measures, but most organizations are using older technologies.

Server breakdowns, lack of storage space, and Big Data piled up in email communication impose great challenges for maintaining a transparent and safe business. To comply with all three segments of the Gramm-Leach-Bliley Act, companies need to optimize and secure their data storage in email communication.

As mentioned in our GLBA compliance checklist, archiving is one of the most important parts of complying with strict laws and regulations.

By opting for an email archiving solution, companies can guarantee their clients that their sensitive data is carefully stored and manipulated, and available in cases of any legal dispute that might occur.

5 Benefits of GLBA email archiving

Safe information backup

Email archiving protects you from accidental deletion or damage of sensitive information as it backs up all documents sent and received in a stable format on a separate cloud server.

Even in cases of system breakdowns, you can be sure that your data is safe and can be recovered if you have an efficient Recovery strategy.

Storage space optimization: Instead of storing all information in your inbox and email server, email archiving helps you retain more space by deleting and deduplicating emails and documents.

This helps you reduce the space and power needed by your email server to keep the exchanged data.

In a simple and automated way, it helps you create additional storage space needed for the stability of data and the retention period required by the law.

Transparent communication

According to the GLBA, organizations are obliged to safely handle clients’ confidential information which can be hard to prove to the governing bodies.

With email archiving, you can easily monitor all internal and external communication. Thus, you can have a higher level of control over sensitive data handling and protection.

Information and property protection

Email archiving tools meet all regulatory and legal requirements and minimize the risk of intellectual property theft and false pretenses in email communication. They provide simple communication tracking without employing additional resources for handling legal issues.

Efficient legal ediscovery

One of the greatest benefits of email archiving is the automation of ediscovery by custom-made data indexing and archiving. In any case of legal disputes, email archiving can help you track down and present the data needed promptly, in accordance with the GLBA compliance standards.


Gramm-Leach-Bliley is one of the most important laws financial firms need to think about while developing their compliance strategy.

It has many intricacies in it, but with our GLBA compliance checklist, your organization can be on its way to full compliance.

One of the best ways to comply with GLBA is through the use of email archiving solutions, helping you automatically retain email and protect your customers’ sensitive information.

Solve all of your email archiving needs with Jatheon’s cloud email archiving solution built for businesses of all sizes. Stay compliant, speed up your ediscovery, and retain all of your business data in one easy-to-use solution.



What are GLBA email retention requirements?

Under GLBA email retention guidelines, companies need strict access control to the information exchanged over email and to retain said emails for a six-year retention period. This includes aligning your email retention policy with information security programs lied down by GLBA and staying up to date.

What are the three key rules of GLBA?

GLBA’s three key rules are the Financial Privacy Rule governing data collection and disclosure, Safeguard Rules mandating robust information security, and Pretexting Provisions prohibiting deceptive practices to protect customer data.

What is the difference between GDPR and GLBA?

GDPR and GLBA primarily differ in their focus and scope. GDPR applies to the European Union and addresses data protection for individuals, emphasizing their rights to data disclosure. GLBA is a U.S. law specifically targeting financial institutions and safeguarding nonpublic personal information.

What are the penalties for Gramm Leach Bliley?

GLBA violations can include regulatory action and fines of up to $100,000 per violation while compliance officers can receive up to $10,000 fines for each violation.

About the Author
Marko Dinic
As Jatheon’s CEO, Marko Dinic oversees new business development and has a leadership role in shaping the company’s vision, strategy, and product development. Outside work, he loves visiting places off the beaten path, investing, and space travel.

See how data archiving can simplify compliance and ediscovery for your organization

Book a short demo to see all the key features in action and get more information.

Get a Demo

Jatheon is a “Trail Blazer” in The Radicati Group’s 2024 Information Archiving MQ

Share via
Copy link
Powered by Social Snap