We are pioneer in the domain of information and data privacy management services, we offer extensive training programs, we help our clients with their impact assessments (PIA), advisory on changing privacy law & policy making.

Financial services are changing, with technology being a key driver. It is affecting the nature of financial services, from credit and lending through to insurance, and even the future of money itself. The field of fintech is where the attention and investment is flowing. Within it, new sources of data are being used by existing institutions and new entrants. They are using new forms of data analysis. This has resulted into higher degree of Data Privacy Risk involving processing related to KYC and other sensitive PII. We work with large banks internationally to design a customised approach which meets their global and domestic privacy compliance.

A big challenge for fintechis the provision of “right to be forgotten” where an organisation is not ready or able to use customer data once the purpose for which it was provided is met unless it has an explicit consent from the customer.

Fintechs today are developing customer life-cycle management models, where consumers are offered customised financial solutions at different stages of their life, according to their changing lifestyle, credit profiles and life-stage needs. A large segment of consumers may not be fully evolved to understand the long-term benefits customised products may have and, hence, may not provide their consent proactively. In its absence, innovations that are genuinely good for the consumer’s financial health may be restricted. It will take time for BFSI and fintech companies to adopt data protection guidelines.

We help you with
What is GLBA Compliance? Understanding the Data Protection Requirements of the Gramm-Leach-Bliley Act US GAPP

The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.

The primary data protection implications of the GLBA are outlined its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Privacy of Consumer Financial Information Rule (Privacy Rule), created under the GLBA to drive implementation of GLBA requirements. The GLBA is enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.


Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data. There are also several privacy and security benefits required by the GLBA Safeguards Rule for customers, some of which include:

  • Private information must be secured against unauthorized access.
  • Customers must be notified of private information sharing between financial institutions and third parties and have the ability to opt out of private information sharing.
  • User activity must be tracked, including any attempts to access protected records.

Compliance with the GLBA protects consumer and customer records and will therefore help to build and strengthen consumer reliability and trust. Customers gain assurance that their information will be kept secure by the institution; safety and security cultivate customer loyalty, resulting in a boost in reputation, repeat business, and other benefits for financial institutions.


The GLBA requires that financial institutions act to ensure the confidentiality and security of customers’ “nonpublic personal information,” or NPI. Nonpublic personal information includes Social Security numbers, credit and income histories, credit and bank card account numbers, phone numbers, addresses, names, and any other personal customer information received by a financial institution that is not public. The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers’ information. The information security plan must be tailored specifically to the institution’s size, operations, and complexity, as well as the sensitivity of the customers’ information. According to the Safeguards Rule, covered financial institutions must:

  • designate one or more employees to coordinate its information security program
  • identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks
  • design and implement a safeguards program, and regularly monitor and test it
  • select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information
  • evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

In order to achieve GLBA compliance, the Safeguards Rule requires that financial institutions pay special attention to employee management and training, information systems, and security management in their information security plans and implementation.


The main focus of the GLBA is to expand and tighten consumer data privacy safeguards and restrictions. The primary concern, related to the GLBA, of IT professionals and financial institutions is to secure and ensure the confidentiality of customers’ private and financial information. Maintaining GLBA compliance is critical for any financial institution, as violations can be both costly and detrimental to continued operations. However, by taking steps to safeguard NPI and comply with the GLBA, organizations will not only benefit from improved security and the avoidance of penalties, but also from increased customer trust and loyalty.