GLBA Compliance: 2026 Complete Guide

GLBA compliance is the set of privacy, safeguards, and customer notice obligations imposed by the Gramm-Leach-Bliley Act of 1999 on any company that is a "financial institution" under federal law. It governs how your business collects, protects, and shares nonpublic personal information about consumers, and the Federal Trade Commission enforces it for most non-bank financial institutions.

This guide is written for fintech founders, mortgage and lending operators, tax preparers, investment advisers, and the IT and compliance leads who report to them. It covers what GLBA requires in 2026 after the FTC's 2023 Safeguards Rule amendments, who counts as a "financial institution", the two operative rules (Safeguards and Privacy), how GLBA maps to other privacy laws, and what enforcement looks like.

Most teams underestimate the scope. GLBA predates every state privacy law on the books and is one of the few federal privacy regimes with a concrete security mandate in the statute. If you handle financial information about U.S. consumers, GLBA almost certainly applies, even if you do not think of yourself as a "bank".

💡 Pro Tip
Quick orientation: GLBA has two operative rules. The Privacy Rule (15 U.S.C. 6801-6809) governs notice and consumer opt-out for information sharing. The Safeguards Rule (16 CFR Part 314) governs information security. The 2023 FTC amendments to the Safeguards Rule added concrete requirements like designating a Qualified Individual, encryption, MFA, and a written incident response plan. Most of the operational work people now call "GLBA compliance" lives inside the Safeguards Rule.

For the security deep dive, see the cybersecurity compliance guide and the NIST Cybersecurity Framework guide. For a wider fintech regulatory map, see fintech compliance requirements. For breach funding, see cyber insurance requirements. For program design that holds GLBA, SOX, and SOC 2 together, see how to build a compliance program.

What is GLBA compliance?

GLBA is short for the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999. Congress passed it primarily to repeal the 1933 Glass-Steagall separation of commercial banking from investment banking and insurance. Title V was added to address the privacy concerns of letting banks, brokers, and insurers merge.

Title V of GLBA produced three operative obligations for financial institutions:

  • The Financial Privacy Rule (15 U.S.C. 6801-6803). Customers receive a clear notice of what information you collect, who you share it with, and an opportunity to opt out of certain sharing with nonaffiliated third parties.
  • The Safeguards Rule (15 U.S.C. 6801(b), implemented at 16 CFR Part 314). Every covered financial institution must develop, implement, and maintain a written information security program containing administrative, technical, and physical safeguards appropriate to its size, complexity, and the sensitivity of customer information.
  • The Pretexting Provisions (15 U.S.C. 6821-6827). Prohibit the use of false or fraudulent statements to obtain customer financial information from a financial institution.

Enforcement is split by institution type. The FTC covers non-bank financial institutions (most fintechs, mortgage brokers, payday lenders, tax preparers, debt collectors). The Consumer Financial Protection Bureau enforces certain GLBA-related rules within its jurisdiction. The federal banking regulators (the Federal Reserve, OCC, FDIC, and NCUA) cover the depository institutions they supervise. The SEC enforces it for registered broker-dealers, investment companies, and investment advisers under Regulation S-P.

GLBA is not a certification. There is no "GLBA certified" stamp. What exists is your written information security program, privacy notice, opt-out records, and the audit trail your regulator examines if it comes calling.

Who this matters for in 2026

GLBA matters because the federal definition of "financial institution" is broader than common usage suggests. The statute covers any institution "the business of which is engaging in financial activities" as defined in section 4(k) of the Bank Holding Company Act of 1956. The FTC's Safeguards Rule, at 16 CFR 314.2(h), explicitly names:

  • Mortgage brokers, lenders, and servicers
  • Payday lenders, check cashers, and currency exchanges
  • Finance companies and account servicers
  • Personal property and real estate appraisers
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisers not required to register with the SEC
  • Real estate settlement services companies
  • Wire transfer providers
  • Some debt collection businesses (collecting on debts they extend)
  • Higher-education institutions in Title IV federal student aid (via Department of Education rules)

Three forces have changed the GLBA landscape since 2020:

The 2023 FTC Safeguards Rule amendments. The FTC adopted significant amendments in October 2021, and most provisions took effect on June 9, 2023. The amendments added nine specific elements to the previously high-level security program requirement: a designated Qualified Individual, written risk assessments, access controls, encryption in transit and at rest, MFA, secure disposal, change management, monitoring, and an incident response plan. See the FTC's press release on the final rule and the updated compliance resource.

The 2023 breach notification amendment. A further FTC amendment now requires non-bank financial institutions to notify the FTC of any "notification event" involving the unencrypted customer information of 500 or more consumers, no later than 30 days after discovery. The rule took effect May 13, 2024.

State privacy law overlap. California, Virginia, Colorado, Texas, and a growing list of other states now have comprehensive privacy laws. Most exempt data subject to GLBA, but the exemptions are entity-level in some states and information-level in others. Which data sits under GLBA versus CCPA is now part of every fintech privacy program. See our CCPA compliance guide and GDPR compliance for US companies.

The two rules: Privacy Rule vs Safeguards Rule

People conflate these constantly. They are different rules, with different mechanics, different deadlines, and (for non-banks) different parts of the FTC's regulatory book.

  • What it governs. Privacy Rule: notice, choice, and information sharing with third parties. Safeguards Rule: the security program protecting customer information.
  • FTC regulatory location. Privacy Rule: 16 CFR Part 313 (and CFPB Regulation P at 12 CFR Part 1016 for many institutions). Safeguards Rule: 16 CFR Part 314.
  • Key customer-facing artifact. Privacy Rule: the annual privacy notice and opt-out mechanism. Safeguards Rule: the written information security program (WISP).
  • Triggers updates when. Privacy Rule: you change information sharing practices or add a new category of nonaffiliated recipient. Safeguards Rule: you materially change operations or business arrangements, or have a security event.
  • Major 2020s changes. Privacy Rule: the FAST Act exemption from the annual notice for institutions meeting specific conditions (still in effect). Safeguards Rule: the 2023 amendments adding nine prescriptive elements, plus the 2024 breach notification rule.

The Privacy Rule is the older, lower-volume workstream. You write a notice, give customers an opt-out for sharing with nonaffiliated third parties (with some exceptions), keep records, and reissue the notice when sharing practices change. The CFPB version, Regulation P at 12 CFR Part 1016, is the operative rule for most CFPB-supervised institutions and tracks the FTC's Part 313.

The Safeguards Rule is where the volume of work lives in 2026.

The 2023 FTC Safeguards Rule: nine required elements

The current Safeguards Rule, in 16 CFR 314.4, requires every covered financial institution (except those with information on fewer than 5,000 consumers, which receive a partial exemption) to develop, implement, and maintain a written information security program with the following elements. These are the nine elements every GLBA program now has to deliver.

1. Designate a Qualified Individual. One accountable person responsible for overseeing the program. The role can be staffed in-house or by an affiliate or service provider, but accountability stays with the institution.

2. Conduct a written risk assessment. Periodic written identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, with criteria for evaluating those risks and the sufficiency of safeguards.

3. Design safeguards to control identified risks. Implement the controls the risk assessment indicates are appropriate. The rule names the safeguard families:

  • Access controls, including periodic review of user privileges
  • Identification and inventory of data, personnel, devices, systems, and facilities
  • Encryption of customer information in transit over external networks and at rest (substitute controls allowed where encryption is infeasible)
  • Secure development practices for in-house applications
  • Multi-factor authentication for any individual accessing any information system
  • Secure disposal of customer information no later than two years after last use, with documented exceptions
  • Change management procedures
  • Monitoring and logging of authorized user activity and detection of unauthorized access

4. Regularly test or monitor the effectiveness of safeguards. Either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months. The FTC accepts continuous monitoring in lieu of the pen test plus scans, but if you do not run continuous monitoring you must run both.

5. Train staff and contractors. Security awareness training, plus verification that staff with significant security responsibilities are maintaining current knowledge of changing threats and countermeasures.

6. Oversee service providers. Select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically reassess them based on the risk they present.

7. Evaluate and adjust the program. In light of testing and monitoring results, material changes to operations or business arrangements, and any other circumstances with a material impact on the program.

8. Establish a written incident response plan. Covering goals, internal response processes, roles and decision-making authority, internal and external communications, remediation of weaknesses, documentation, and post-incident evaluation and revision.

9. Annual written report to the board. The Qualified Individual reports at least annually on the overall status of the program and the institution's compliance with the rule, including risk assessment results, service provider arrangements, testing outcomes, security events, and recommended changes.

The 5,000-consumer threshold matters. Institutions below that line are exempt from the written risk assessment, the monitoring/pen-test requirement, the written IR plan, and the annual board report. Everything else still applies.

For mapping these controls into a broader program, see the NIST Cybersecurity Framework guide. NIST CSF's Identify, Protect, Detect, Respond, and Recover functions map cleanly to the nine Safeguards Rule elements, and most mid-market institutions design against NIST CSF with the GLBA-specific elements riding on top.

What counts as "customer information" and "nonpublic personal information"

GLBA protects "nonpublic personal information" (NPI) about a "consumer" or "customer". The definitions decide what falls inside the WISP and the notice obligations.

Nonpublic personal information is personally identifiable financial information provided by a consumer, resulting from a transaction, or otherwise obtained by the institution. It also includes any list or grouping of consumers derived using NPI that is not publicly available.

Consumer is an individual who obtains a financial product or service for personal, family, or household purposes. Customer is a consumer with a continuing relationship. Privacy notices are triggered by customer relationships, not every consumer interaction.

The practical result: data about a small-business borrower is generally not GLBA-protected, but data about an individual who applies for a personal loan, files a tax return, or opens a brokerage account is.

GLBA penalties and enforcement

GLBA does not contain a single statutory civil penalty amount. Enforcement happens through the existing authorities of the supervising agency. For non-bank institutions enforced by the FTC, violations are typically charged as unfair or deceptive acts or practices under Section 5 of the FTC Act. Civil penalties can reach $51,744 per violation under inflation-adjusted amounts, with each affected consumer or each day of violation often counted separately.

Recent FTC actions show what real penalties look like. The FTC's data security enforcement page catalogues cases where mortgage analytics firms, tax preparers, and online lenders faced multi-million dollar settlements and 20-year compliance monitoring requirements after Safeguards Rule failures. The pattern is consistent: monetary penalty, injunction, and mandatory third-party security assessments every two years for 20 years.

For SEC-registered institutions, GLBA violations are charged under Regulation S-P. The 2024 Reg S-P amendments (30-day breach notification, expanded coverage to transfer agents) signal a more aggressive posture.

Criminal penalties exist but are rare. The pretexting provisions at 15 U.S.C. 6823 make it a federal crime to obtain customer financial information through false pretenses, with penalties up to five years' imprisonment, or ten years if part of a pattern involving more than $100,000 in any 12-month period.

State AGs have concurrent enforcement authority in some states and tend to be more active than the FTC on small to mid-sized institutions. New York's DFS has its own cybersecurity regulation (23 NYCRR 500) that overlaps heavily with the Safeguards Rule.

GLBA vs other privacy laws

The overlap with other U.S. privacy laws is one of the most underappreciated dimensions of running a financial institution in 2026.

  • GLBA vs CCPA / CPRA. GLBA: federal statute covering financial institutions; preempts in part. CCPA / CPRA: California state law covering most for-profit businesses with California residents. How they coexist: CCPA exempts personal information collected, processed, sold, or disclosed pursuant to GLBA; non-GLBA data about the same consumer (marketing data, employment data) is still covered by CCPA.
  • GLBA vs GDPR. GLBA: U.S. sector-specific privacy regime. GDPR: EU-wide horizontal privacy regime. How they coexist: no formal overlap; a U.S. financial institution serving EU residents must comply with GDPR independently, and GDPR's customer consent and rights mechanisms are more extensive than GLBA's opt-out.
  • GLBA vs HIPAA. GLBA: financial information about consumers. HIPAA: protected health information about patients. How they coexist: no overlap on the same data; an entity that is both a financial institution and a HIPAA business associate (rare but possible) maintains both programs in parallel.
  • GLBA vs FCRA. GLBA: privacy and security of NPI generally. FCRA: accuracy, use, and dispute resolution for consumer reports. How they coexist: both apply to credit information; furnishers and users of consumer reports comply with both.
  • GLBA vs PCI DSS. GLBA: federal statute on customer information generally. PCI DSS: private contractual standard for cardholder data. How they coexist: both apply if you store, process, or transmit cardholder data; PCI DSS provides specific controls and GLBA provides the broader program obligation.

The CCPA interaction is the most operationally important. California treats the GLBA exemption as information-level, not entity-level. A fintech holding NPI under GLBA still has to honor CCPA rights for the marketing and behavioral data it collects on the same consumer outside GLBA scope. The cleanest fix is two parallel data inventories with field-level classification at ingestion.

GLBA compliance for different organization types

Fintech startups. Year one of a fintech almost always misses GLBA. The team focuses on the product, regulatory advisors focus on lending licensing or money transmission, and Title V gets noticed when an enterprise partner asks for a Safeguards Rule attestation. Write the WISP early, designate the Qualified Individual at hiring time, and treat GLBA as the security floor that SOC 2, ISO 27001, and partner attestations sit on. See fintech compliance requirements for the full picture.

Mortgage and lending operators. The FTC has been most active here. Brokers, servicers, and online lenders have been the subject of repeated Safeguards Rule enforcement, often after a third-party breach exposes loan applications. The 2024 breach notification amendment specifically targets this segment.

Tax preparation firms. Explicitly named in the rule. Even a 5-person CPA practice with under 5,000 clients still has to comply with access controls, encryption, MFA, training, service-provider oversight, and program adjustment. The IRS publishes its own WISP guidance for tax professionals (Publication 5708) aligned to the FTC rule.

Higher education institutions. Universities in Title IV federal student aid programs are treated as financial institutions for Safeguards Rule purposes under the Department of Education's Federal Student Aid cybersecurity compliance program. The annual single audit now tests Safeguards Rule controls.

SEC-registered advisers and broker-dealers. Regulation S-P (17 CFR 248.30) is the SEC's GLBA implementation. The 2024 amendments added a 30-day customer notification requirement, phasing in through 2025-2026.

Common pitfalls (and how to avoid them)

Treating the Privacy Rule as the whole job. Plenty of fintechs write a clean privacy notice and never get to the Safeguards Rule. The Safeguards Rule is where regulators look after a breach.

Skipping the Qualified Individual designation. One named, accountable person. Splitting the role across a CTO, COO, and external counsel does not satisfy the rule.

Substitute controls without written sign-off. The rule allows substitutes where encryption or MFA is infeasible, but only if the Qualified Individual approves them in writing. Skipping encryption on legacy databases without that approval is exposure.

Relying on a SOC 2 report in lieu of a GLBA risk assessment. A SOC 2 covers a service organization's controls. It does not stand in for the institution's own written risk assessment of how customer information moves through its environment.

Service provider oversight on paper only. Vendors handling high volumes of NPI need actual due diligence, not just a signed DPA. The FTC has cited this in recent enforcement. An untested incident response plan is the same trap.

Frequently Asked Questions

What is GLBA compliance?

The set of obligations the Gramm-Leach-Bliley Act of 1999 imposes on financial institutions to protect customer information, provide privacy notices, and offer opt-out rights for certain information sharing. The two operative rules are the Privacy Rule and the Safeguards Rule, the latter substantially expanded by FTC amendments effective June 9, 2023.

What are the three key rules of GLBA?

The Financial Privacy Rule (notice and opt-out for information sharing), the Safeguards Rule (the written information security program), and the Pretexting Provisions (prohibiting acquisition of customer information through false pretenses). The Safeguards Rule consumes most of the program effort in practice.

What is the difference between GDPR and GLBA?

GDPR is the EU's comprehensive horizontal privacy regulation covering all personal data of EU residents. GLBA is a U.S. sector-specific statute covering only financial information held by financial institutions. GDPR grants affirmative rights (access, deletion, portability) and requires a lawful basis for processing. GLBA primarily requires notice, opt-out for nonaffiliated sharing, and security.

Who has to comply with the GLBA Safeguards Rule?

Any "financial institution" engaged in financial activities under the Bank Holding Company Act, plus the categories named in 16 CFR 314.2(h): mortgage brokers, payday lenders, tax preparers, finance companies, investment advisers, real estate settlement firms, wire transfer services, and others. Bank-supervised institutions follow the parallel federal banking agency safeguards guidelines instead.

What is the 5,000 consumer threshold?

Institutions with customer information on fewer than 5,000 consumers are exempt from four of the nine Safeguards Rule elements: the written risk assessment, the continuous monitoring or pen test plus vulnerability scan requirement, the written IR plan, and the annual board report. The other five elements still apply.

How long do I have to notify the FTC of a breach?

For non-bank institutions covered by the Safeguards Rule, no later than 30 days after discovery of a "notification event" involving the unencrypted customer information of 500 or more consumers. Notification is made through the FTC's online notification form. The rule took effect May 13, 2024.

Does GLBA apply to business customers?

Generally no. GLBA protects individuals who obtain a financial product or service primarily for personal, family, or household purposes. Information about a business borrower or corporate brokerage account is not GLBA-protected, though it may still be covered by other obligations.

Bottom line

GLBA is the federal floor for any company handling consumer financial information in the United States, and the floor got higher in 2023. The companies that struggle treat the Privacy Rule notice as the deliverable and meet the Safeguards Rule after an enforcement action. The companies that operate well treat the nine elements of the 2023 rule as the spine of their security program and let SOC 2, NIST CSF, and partner attestations layer on top.

For a newly funded fintech, the year-one move is to designate the Qualified Individual when you hire your first compliance lead, write the WISP before the first partnership goes live, and run the first risk assessment within six months of launch. For institutions already at scale, the 2026 action is to confirm the 2023 amendments are fully reflected: encryption at rest, MFA across the board, a tested incident response plan, and a Qualified Individual whose annual board report is actually written.

The cost of doing GLBA well is a fraction of the cost of a Safeguards Rule enforcement action with 20 years of mandatory third-party assessments attached.

Author: Security Compliance Guide Editorial Team
Security Compliance Guide Editorial Team covers topics in this category and related fields. Views expressed are editorial and based on research and experience.