GLB Act Resource Page
Compliance with the FTC Safeguarding Rule Promulgated Under the Gramm-Leach-Bliley Act
The regulations under 16 CFR Part 314, published in May 2002 (May 23 Federal Register, p. 346484), stem from the Gramm-Leach-Bliley Act (the GLB Act or the Act), which mandates extensive new privacy protections for consumers. The GLB Act requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. The compliance deadline for the safeguard rule was May 23, 2003.
The GLB Act broadly defines “financial institution” as any institution engaging in the financial activities enumerated under the Bank Holding Company Act of 1956, including “making, acquiring, brokering, or servicing loans” and “collection agency services.” Because higher education institutions participate in financial activities, such as making Federal Perkins Loans, FTC regulations consider them financial institutions for GLB Act purposes.
The GLB Act spells out several specific requirements regarding the privacy of customer financial information. Following passage of the Act, NACUBO and other higher education associations worked to have colleges and universities exempted from the jurisdiction of the FTC because they did not fit the typical definition of a financial institution under the GLB Act. As a result, under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the Act related to the administrative, technical, and physical safeguarding of customer information.
NACUBO's Advisory Report 2003-01 provides a summary and explanation of the FTC final regulations related to the safeguarding of customer information. Compliance deadline: May 23, 2003.
- Model Policy #1: Sample A
- Model Policy #2: Catholic University
- Model Policy #3: University of Minnesota (Draft)
- Model Policy #4: Sample B
- Model Policy #5: Shenandoah University
- Notes from May 8 Meeting with FTC Officials
- Notes from COHEAO meeting with FTC Officials on April 23, 2003
- Catholic University of America, Office of the General Counsel
- Cornell Information Technology Policies
- Federal Trade Commission (FTC) pages on GLB:
- International Association of Privacy Professionals
- Internet2 Middleware Initiative
- Information Security Risk Evaluation at the CERT Coordination Center at Carnegie Mellon