The Gramm-Leach-Bliley Act
Risk Management, Privacy Control, Compliance Solutions
supplied by
Commercial Business Intelligence
Congress recently passed the Gramm-Leach-Bliley Act in response to the public's increased concern and demand for tighter restrictions on the use and distribution of personal information maintained by financial institutions. Title V of the Act specifically addresses the actions financial institutions must take with respect to privacy.
Commercial Business Intelligence recognizes this as another instance in which federal legislation requires a substantial amount of paperwork and internal policy change, and places additional strain on an already-stretched staff and budget.
We have developed key strategic partnerships to assist your institution in complying with Gramm-Leach-Bliley. Rather than burdening existing managers with this task, we are in the position to provide a temporary and cost-effective compliance team that can quickly cover the Act's requirements for you.
Key points of GLBA, and related services CBI provides, include:
Institutions will be required to establish policies and practices that protect the confidentiality and security of consumer information, to establish an adequate employee training program, and to review, monitor and where necessary revise this compliance program to reflect policy changes, information security issues and employee training needs. To achieve this, a risk analysis should be performed to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or of customer information systems.
A written information security program must be produced to control the risks identified, including the following:
* Access controls, such as controls that authenticate users and permit access to customer information systems only to authorized persons. Background checks are recommended for employees having access to customer information.
* Access restrictions at physical locations such as buildings or computer facilities to ensure that access is only available to authorized users.
* Encryption of electronic customer information, including while in transit or in storage on systems or networks to which unauthorized individuals may be able to gain access.
* Procedures to ensure that system modifications are consistent and compatible with the security program.
* Monitoring of systems and procedures to detect actual or attempted attacks on, or intrusions into, customer information systems.
* Response programs that specify the procedures to be followed when unauthorized access attempts occur, whether successful or not.
* Measures of protection against destruction, loss or damage to information from potential environmental hazards.
The board of directors must approve the written plan, staff must be trained to implement the program, and key controls, systems and procedures must be regularly tested.
A policy must be developed to protect the security and confidentiality of customer information when it is in the control of third parties (effective July 2002 for existing contracts). Specifically, the following are required:
* Contracts or agreements with nonaffiliated third parties must protect and ensure the security of customer information.
* Contracts should detail responsibilities for the use and protection of consumer information.
* Due diligence should be exercised, and seen to be exercised, in selecting third party service providers.
* A risk assessment of third-party service providers, and thereafter an ongoing monitoring program, must be established and maintained.
SOLUTIONS
EDUCATION
CBI's staff can assist you in protecting the confidentiality and security of consumer information by training and educating your employees. We offer onsite seminars or affordable internet-based online courses. These educational tools are based on G-L-B legislation and include a certificate of completion for each attendee, for your audit division. Education will protect your staff and customers.
PREVENTION
Onsite and remote risk analysis can be performed to identify foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or of customer information systems. Prevention will protect your integrity.
NETWORK INTRUSION DETECTION
G-L-B requires the testing of systems and procedures to detect actual or attempted attacks on information systems. Our partnership with Akaba Inc, a major intrusion detection firm, allows an affordable, remote risk assessment and/or penetration test of your computer systems. G-L-B strongly suggests the use of third-party vendors for this sensitive process. These steps protect your data.
SOCIAL ENGINEERING (PRETEXT) DETECTION
G-L-B also requires the review of policies and procedures to combat pretext callers seeking unauthorized access to bank account information. Our strategic partners, licensed and accredited, work in a 'white hat' environment with the full cooperation of the bank's management. The results of the pretext attempt are passed on to management, who then expose front-line employees to the methods used by today's information brokers. Again, G-L-B strongly suggests the use of third-party vendors for this sensitive process. These steps protect your data and educate your employees.
DOCUMENTATION
G-L-B requires a response program for unauthorized access attacks or privacy violation attempts, whether successful or not. CBI has developed an internet- and phone-based reporting system that documents access attacks and notifies the appropriate staff in real time.
BACKGROUND CHECKS
Background checks are recommended by G-L-B for employees having access to customer information. CBI's core products, due diligence and pre-employment services, are specifically designed for financial institutions and include online submissions and process monitoring via secure web pages. Background checks protect your reputation.
THIRD PARTY REVIEW
G-L-B requires a due diligence investigation and continued monitoring of all third parties and outside vendors who have access to customer information. CBI provides cost-effective and prompt reviews of any business entity in the US. Third-party review protects your relationships.

Board of Governors of the Federal Reserve System
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency
Office of Thrift Supervision
FOR IMMEDIATE RELEASE
January 17, 2001
Agencies Adopt Guidelines for Customer Information Security
The federal bank and thrift regulatory agencies have sent to the Federal Register joint guidelines for safeguarding confidential customer information. The guidelines implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), and will be effective on July 1, 2001.
The GLBA requires the agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer records and information. These safeguards are to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of these records, and protect against unauthorized access to or use of these records or information that would result in substantial harm or inconvenience to a customer.
The guidelines require financial institutions to establish an information security program to: (1) identify and assess the risks that may threaten customer information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security. Each institution may implement a security program appropriate to its size and complexity and the nature and scope of its operations.
The guidelines outline specific security measures that institutions should consider in implementing a security program. A financial institution must adopt those security measures determined to be appropriate.
The guidelines also outline responsibilities of directors of financial institutions in overseeing the protection of customer information. The board of directors should oversee an institution's efforts to develop, implement, and maintain an effective information security program and approve written information security policies and programs.
The guidelines require financial institutions to oversee their service provider arrangements in order to protect the security of customer information maintained or processed by service providers. Each institution must exercise due diligence in selecting its service providers, and require its service providers by contract to implement security measures that safeguard customer information. Where indicated by an institution's risk assessment, the institution must also monitor its service providers by reviewing audits, summaries of test results, or other equivalent evaluation of its service providers, to confirm that they have satisfied their contractual obligations.