Regulatory Compliance

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, is a comprehensive law requiring financial institutions to protect the security, integrity, and confidentiality of consumer information.

Banking Final Rule – 12 C.F.R. Part 30 – Appendix B, Section III – “Development and implementation of customer information security program” – Paragraphs B, C.3, D.2-.3 and F

A     Assess Risk. Each bank shall:

  1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
  2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
  3. Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

B     Manage and Control Risk. Each bank shall:

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

C     Oversee Service Provider Arrangements. Each bank shall:

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and

3. Where indicated by the bank's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by section D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

D     Report to the Board.

Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The reports should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.

Securities and Exchange Commission Regulation S-P 17 CFR, part 248.30: Procedures to safeguard customer information and records.

Commenters on this section supported the proposal, and we are adopting this section as proposed. Section 501 of the G-L-B Act directs the Commission (and the Agencies) to establish appropriate standards for financial institutions relating to administrative, technical, and physical safeguards to protect customer records and information. The rules implement this section by requiring every broker-dealer, fund, and registered adviser to adopt policies and procedures to address the safeguards described above. Consistent with the Act, the proposed rule further requires that the policies and procedures be reasonably designed to: (i) insure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

FusionVM's unique approach enables financial organizations to prioritize the process based on their unique risk requirements. This facilitates ongoing risk assessment together with the appropriate reporting these requirements call for.