Wednesday, April 4, 2007

Enabling Gramm-Leach-Bliley Act Provisions

The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (see extract below) established a benchmark for consumer privacy, and standards for financial data security, that have not yet been met.

Back in 1999, when fewer than 4% of consumers banked or traded stocks online, lack of compliance was less of a problem than it is today. However, in 2007, with the number of online banking subscribers rising to include tens of millions of households, and the number of web sites and data entry forms requesting that consumers submit personal information (such as their social security number) also rising, we are reaching a tipping point.

We need no further confirmation than the recent "pump and dump" scams involving six leading banks, and almost $30m in lost funds, and the daily rise in identity fraud attacks on consumers and businesses.

Our prediction is, unless some significantly better technologies are enabled to protect consumer credentials and sign-up information, during the next twelve months, things may get significantly worse with respect to fraud levels, both in terms of number of "hits", and the amount involved.

Here's the extract and GLB, and our proposed solution:


§ 6801. Protection of nonpublic personal information

(a) Privacy obligation policy

It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

(b) Financial institutions safeguards

In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805 (a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—

(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Clearly, the sponsors of the Act knew what they were talking about, and what they wanted to enable. The good news is, with the release of VirtualATM, we have technology available than can finally enable compliance with GLB. The less good news is that the technology may not qualify as an objective standard until it achieves a tipping point of its own.

There are ways to create a certified approach. We have already spent quite a bit of money on third party penetration testing of this technology and will continue to do so. Also, in the coming months we shall be focusing on ensuring that the standards that VirtualATM enables are understood by the standards bodies, and by the sponsors of the GLB Act, with the objective of enabling true end-to-end transaction security and consumer privacy.

The most important focus point here is the protection of consumer privacy and personal information. If we all stay focused on that, we will create a better environment for online financial transactions than the situation that currently exists.

No comments: