GLBA
The Gramm-Leach-Bliley Act requires US financial institutions to protect consumer financial information — with engineering requirements that govern how data is stored, transmitted, and accessed.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their data sharing practices to customers and to protect sensitive customer data. The Safeguards Rule, enforced by the FTC and updated in 2023, specifies technical, administrative, and physical safeguards for protecting customer financial information. Covered institutions include banks, insurance companies, mortgage lenders, securities firms, and, increasingly, fintech companies that fall under the FTC's jurisdiction.
The 2023 FTC Safeguards Rule update significantly strengthened the technical requirements. Financial institutions must now designate a qualified individual to oversee the security program, conduct annual penetration testing, monitor access logs continuously, encrypt customer information in transit and at rest, implement multi-factor authentication, and maintain a written incident response plan. These requirements mirror enterprise security standards and require genuine engineering implementation — not policy documentation.
GLBA's Privacy Rule requires financial institutions to provide annual privacy notices and honor opt-out requests for sharing non-public personal information (NPI) with non-affiliated third parties. This creates engineering requirements around data inventory (knowing what NPI exists and where), data flow mapping (understanding which third parties receive NPI), and opt-out enforcement (actually preventing sharing when customers opt out).
We architect GLBA Safeguards Rule compliance into fintech and financial services systems — implementing encryption, access controls, and audit logging at the infrastructure level, building penetration testing into the security program calendar, and designing data inventory systems that make privacy notice obligations tractable. Our teams understand the FTC enforcement posture and build systems that can demonstrate compliance operationally.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.