GLBA Safeguards, operationalized

Comply with the GLBA Safeguards Rule

The FTC Safeguards Rule elements as living controls — risk assessment, access controls, encryption, MFA, and breach notification — for financial institutions of every size.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) is a US federal law requiring financial institutions to protect the security and confidentiality of customers' nonpublic personal information. Its information-security obligations are carried out through the FTC's Safeguards Rule (16 CFR Part 314), while the companion Privacy Rule governs how institutions disclose information-sharing practices and offer opt-outs.

Who is covered

The FTC interprets "financial institution" broadly. Beyond banks, the Safeguards Rule reaches mortgage lenders and brokers, payday lenders, auto dealers that arrange financing, tax preparers, collection agencies, investment advisers, and many fintechs — any business significantly engaged in providing financial products or services. A large number of organizations are in scope without realizing it.

What the Safeguards Rule requires

The amended Safeguards Rule (with most requirements effective June 9, 2023) requires a written information security program led by a designated Qualified Individual, supported by a documented risk assessment and a defined set of safeguards: access controls and multi-factor authentication, encryption of customer information at rest and in transit, secure disposal, change management, logging and monitoring, secure development practices, service-provider oversight, an incident response plan, and periodic reporting to the board or governing body.

A subsequent amendment, effective May 13, 2024, added a breach-notification requirement: covered institutions must notify the FTC as soon as possible, and within 30 days, of discovering a breach involving the unencrypted information of 500 or more consumers.

How episki helps

episki implements the Safeguards Rule elements as living controls with a designated owner, a maintained risk assessment, and a breach-notification workflow tuned to the FTC's 30-day window. The same controls cross-map to FFIEC, NY DFS Part 500, and SOC 2, so a single program satisfies overlapping financial obligations.

GLBA outcomes with episki

Quantify the impact security and compliance bring to your business.
Safeguards Rule
The FTC's information-security requirements implemented as controls.
30-day notice
FTC breach-notification timer for events affecting 500+ consumers.
Qualified Individual
A designated owner accountable for the information security program.

Why teams choose episki for GLBA

Framework-specific automation, collaboration, and reporting in one workspace.
A written security program
The Safeguards Rule's required program, designed and evidenced.
  • Designated Qualified Individual
  • Written risk assessment kept current
  • Board / governing-body reporting
The required safeguards
The technical and administrative controls the Rule mandates.
  • Access controls and MFA
  • Encryption of customer information
  • Logging, monitoring, and secure disposal
Breach notification ready
Detect, assess, and report qualifying events to the FTC on time.
  • Incident response plan
  • 30-day FTC notification workflow
  • Service-provider oversight

GLBA readiness inside episki

What a covered financial institution needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Designated Qualified Individual
  • Written risk assessment
  • Access controls and multi-factor authentication
  • Encryption of customer information at rest and in transit
  • Service-provider security oversight
  • Incident response and 30-day FTC breach notification

GLBA Safeguards accelerators

Stand up a defensible Safeguards program and keep it current.
Safeguards control set
The Rule's required elements as living controls with owners.
Breach notification workflow
Assess qualifying events and track the FTC reporting window.
Financial-framework crosswalk
Reuse evidence across FFIEC, NY DFS, and SOC 2.

Build a GLBA Safeguards program in episki

Implement the Safeguards Rule once and reuse the evidence across FFIEC, NY DFS, and SOC 2.