What would you do if the FTC contacted you and told you they were investigating you for breaching the GLBA? Would you know what the GLBA was? How confident would you be that you’ve done everything necessary to protect your clients information? Because that is what the GLBA is all about.
What is the GLBA?
The Gramm–Leach–Bliley Act, or GLBA, also known as the Financial Services Modernization Act of 1999, is a law that applies to businesses providing financial services. The parts of the law most relevant to you as a mortgage broker are the ones pertaining to protecting your clients' private financial information.
Basically, if you don't do a good job of protecting your clients' financial information, you can be hit with some serious fines, you could lose your license to operate as a broker, and, maybe worst of all, you could go to jail.
How do you protect your clients, and yourself?
The GLBA has 3 important rules that you need to be aware of:
The Financial Privacy Rule
This rule basically says you need to provide your clients with a privacy notice, and it sets out the basics of what your privacy notice needs to say. This includes:
You need to give each of your clients a privacy notice when you first start working with them, and then again every year you continue to work with them.
You also need to let your clients know that they can opt out of having their information shared with unaffiliated parties. Unaffiliated parties include other businesses that don't have the same ownership as your company. This means that if a client opts out, you can't share their information with other companies that might be trying to market to them.
If you change your privacy notice at any time, you have to provide the client with the new privacy notice to get their consent. Every time you reissue the privacy notice, the client can again opt out of having their information shared with unaffiliated parties.
If you would like to download a sample form that you can use for your privacy notice, visit www.clientcollect.com/mortgagebrokers
The Safeguards Rule
This rule basically says that you need to take reasonable steps to protect your clients' private information.
Specifically, the GLBA says you need to have administrative, technical, and physical safeguards in place.
And these safeguards apply to how you:
…your clients' private information.
Here are some examples of safeguards you can put in place to protect your clients' private information:
Administrative Safeguards
An example of an administrative safeguard is having written policies for how you handle client information, and being able to demonstrate that you and your staff know what those policies say. Ideally, you should be able to show that you and your staff have taken training on how to protect your clients' private information.
Technical Safeguards
An example of a technical safeguard is the use of software designed to protect your clients' privacy. This software would need to include encryption, password-protected access to client information, and the ability to segment client information based on who needs to access it. For example, if your colleagues don't need access to your client's files, then they shouldn't have access.
Physical Safeguards
An example of a physical safeguard is a lockable office or a lockable filing cabinet. Leaving sensitive information out in your kitchen, or even in the lunch room at the office, would be poor form. Keeping sensitive documents in a safe, lockable place is preferable.
The Pretexting Provisions
Pretexting is basically a form of social engineering: someone pretends to be your client in order to trick you into giving them your client's personal information.
If you've ever called your bank to inquire about your account, you've encountered the pretexting provisions in action.
Before giving clients access to their information, you need to verify that you're speaking to the right person by asking them a series of questions. This could include asking for their date of birth, their account number, their address, or any number of other personal details.
On top of confirming your client's identity before giving them any information, the GLBA also says that you need to provide your staff with training so they know how to spot scammers trying to get your clients' information.
Best Efforts Are Important
Being able to demonstrate that you've taken steps to safeguard your clients' information is important when it comes to determining whether you're compliant with the GLBA, but it's also important in mitigating your potential liability in the case of a data breach.
Even the most sophisticated organizations get hacked, or an honest employee mistakenly exposes sensitive client information. When this happens, if you can show you've made best efforts to safeguard your clients' private information, your potential liability will be greatly reduced.
Part of your responsibility when trying to be compliant with the GLBA is working with vendors who commit to adhering to the GLBA.
If you’d like to learn more about how you can use Client Collect to comply with the GLBA, visit www.clientcollect.com/glba