ADM 320 – Gramm-Leach-Bliley Act Policy
Title: McPherson College -Gramm-Leach-Bliley Act Policy
Effective Date: June 30, 2016
Issuing Authority: Office of the Vice President for Finance
Program Coordinator: Rick Tuxhorn, CPA
Last Updated: August 4, 2016
Purpose of Policy
This Policy is intended to comply with the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), enacted by United States Congress in 1999. Financial institutions, including anyone who offers financial products that are considered to be covered accounts, such as loans, are required to comply with the Gramm-Leach-Bliley Act. The Gramm-Leach-Bliley Act requires that Financial Institutions have a policy in place to protect consumer information from foreseeable threats in security and data integrity.
McPherson College will provide safeguards to protect information and data in compliance with the Gramm-Leach-Bliley Act, related to the privacy and protection of personal information.
There are three major components of the Gramm-Leach-Bliley Act including a Financial Privacy Rule, Safeguards Rule, and Pretexting Protection.
Financial Privacy Rule
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. This privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties. It is not the practice of McPherson College to share information with unaffiliated parties.
The FTC has ruled in 16 C.F.R. Section 313.1(b) that any institution of higher education that complies with the Family Educational Rights and Privacy Act (FERPA) satisfies the privacy requirement of the GLBA. In instances such as deferred gift agreements, where McPherson College acts as a financial institution outside of the student financial records subject to FERPA, McPherson College privacy notices will be sent out annually.
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the Company is prepared for and protects consumers’ nonpublic personal information. The College has an Information Security Policy that accomplishes the requirements of this rule and designates program coordinators to oversee the compliance of various types of protected personal information.
The Gramm-Leach-Bliley Act requires the financial institution take adequate measures to protect from pretexting, which occurs when someone tries to gain access to personal nonpublic information without the proper authority to do so. The College has a Fair & Accurate Credit Transaction Act Policy, also known as Red Flag Rules, which accomplishes the requirements of this rule. It includes an annual risk assessment of the security and privacy risks of the covered accounts, at which time any adjustments to security processes are made. The annual assessment also includes the review of procedures for employees who have access to covered data and information. This assessment is done in July and appears to be in compliance.