Who Needs GLBA Compliance

Espresso Labs Team

GLBA’s definition of “financial institution” is much broader than most people expect. The FTC’s Safeguards Rule (16 CFR Part 314) borrows its definition from section 4(k) of the Bank Holding Company Act of 1956: any business engaged in activities that are “financial in nature” or incidental to such activities. That reaches far beyond banks. The FTC then limits its rule to institutions that are significantly engaged in those activities.

Who Is a “Financial Institution” Under GLBA?

Under GLBA, financial institutions include the following. Note that institutions with a federal prudential or securities regulator (banks, credit unions, SEC-registered broker-dealers and investment advisers) meet their GLBA obligations under that regulator’s rules; the FTC Safeguards Rule governs everyone else on this list:

Traditional financial services:

  • Banks and credit unions
  • Savings associations and thrifts
  • Securities broker-dealers and investment advisers
  • Insurance companies and agencies
  • Mutual fund companies

Lending and credit:

  • Mortgage brokers and lenders
  • Payday lenders and consumer finance companies
  • Auto dealers that finance vehicle purchases
  • Student loan servicers
  • Credit card issuers

Other financial services:

  • Tax preparation services (e.g., H&R Block, Jackson Hewitt, and similar firms)
  • Accountants who provide financial products or services
  • Real estate settlement services
  • Check cashing businesses
  • Wire transfer services
  • Financial advisors and wealth managers
  • Financial data aggregators and account information service providers

Fintech companies:

  • Payment processors
  • Digital wallet providers
  • Buy-now-pay-later (BNPL) companies
  • Personal finance apps that collect and process consumer financial data
  • Peer-to-peer lending platforms

The Critical Distinction: “Significantly Engaged”

The phrase “significantly engaged in financial activities” is key. A company doesn’t need to be a licensed bank to be covered by GLBA. The Safeguards Rule covers any company whose financial activities are a significant part of its business rather than merely incidental to it. The FTC has not set a fixed revenue or volume threshold; whether an activity is “significant” is judged on the facts of the business.

For example:

  • An accounting firm that also sells insurance or investment products is covered
  • A retail company that offers store credit cards is covered
  • A software company that primarily provides financial data services may be covered even without holding deposits

Who Is NOT Covered?

The Safeguards Rule does not cover:

  • Companies whose financial activities are incidental rather than significant (a grocery store that accepts credit cards issued by others is not covered; a retailer that extends its own credit is)
  • Nonprofit organizations not significantly engaged in financial activities
  • Entities whose financial activity falls under the jurisdiction of the Commodity Futures Trading Commission, which are excluded from the Rule’s definition

Exemptions Under the Safeguards Rule

The 2021 amendments to the Safeguards Rule added a small business exemption for institutions that maintain customer information on fewer than 5,000 consumers. These smaller entities still must maintain an information security program, designate a qualified individual, perform a risk assessment and implement safeguards based on it, train staff, and oversee service providers, but they are exempt from:

  • The written risk assessment requirement
  • Continuous monitoring or, in its place, annual penetration testing and vulnerability assessments at least every six months
  • The written incident response plan requirement
  • The annual written report to the board of directors (or equivalent governing body)

Note: This is an exemption from specific documentation and testing requirements, not from the obligation to protect customer information with appropriate technical controls. The Rule’s required safeguards, including encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, access controls, and activity logging, still apply to exempt institutions.

What About State-Regulated Insurance Companies?

GLBA applies to insurance companies, but Congress assigned enforcement of its privacy and safeguards provisions for insurers to state insurance regulators rather than federal banking regulators. Many states have adopted cybersecurity regulations based on the NAIC Insurance Data Security Model Law (which mirrors Safeguards Rule concepts closely). Some states, such as New York through the NY DFS cybersecurity regulation (23 NYCRR Part 500), have gone further with more prescriptive requirements.

How Espresso Labs Helps

Whether your organization is a traditional financial institution or a fintech company that recently realized it falls under GLBA, Espresso Labs can assess your current compliance posture and build a managed program to close the gaps. Contact us to get a rapid assessment of your GLBA obligations and how to meet them cost-effectively.
