While the Sarbanes-Oxley Act has been grabbing all the headlines of late, it's just one of many federal reporting...
regulations that demand the CIO's attention.
One, the Gramm-Leach-Bliley Act (GLB Act), has been in effect for two years and places different burdens on companies based on their size.
In the past, a bank's most valuable asset was the gold in the vault. That's given way to the newest asset -- information, said Campbell Tucker, privacy director for Wachovia Corp. of Charlotte, N.C., the nation's fourth-largest bank.
Protecting that information has always been a company priority, and the GLB Act's requirements fall in line with Wachovia's goals, he said.
The GLB Act applies to financial institutions and governs company disclosure of customers' personal and financial information. The act also requires financial institutions to design, implement and maintain safeguards to protect customer information. The GLB Act was passed in 1999, and companies were required to be in full compliance in 2001.
"We've always invested in privacy and security," Tucker said. "We always want to stay a step in front of the criminal. As a result, we would be investing in information security whether GLBA existed or not. GLBA might alter -- in some ways -- the order in which you address certain things."
Wachovia has taken the step of creating a privacy office, which helps it comply with the GLB Act. Additionally, the company has information security personnel who have mapped Wachovia's own standards against the requirements of GLB. Wachovia also has made significant technology investments, but it is difficult to separate what the GLB Act costs the company specifically, Tucker said. For example, several weeks ago, amendments to the Fair Credit Reporting Act were passed and, while those changes focus more on business processes, it also requires technology changes, Tucker said.
Yet the burdens of the GLB Act weigh far more heavily on smaller institutions than they do on a giant like Wachovia. Glenwood State Bank in Glenwood, Iowa, is a community bank with a staff of about 30.
"A lot of the supporting information and documentation for a community bank this size is the same as if you're national bank," said Vaughn Wasenius, vice president and cashier for Glenwood. "If you have a staff of 1,000, you can handle it more easily."
Reluctant to sound too critical of the GLB Act lest a regulator be listening, Wasenius said that one of his chief issues with compliance is the changing interpretation of what the law requires. That elastic interpretation of the act has made it more demanding than other recent regulations, like Sarbanes-Oxley, Wasenius said.
Similar to Wachovia, Wasenius said, community banks such as Glenwood traditionally have not disclosed customer information. Therefore, the GLB requirement that companies provide a method for people to opt out of information sharing with other institutions does not apply because it's not an option. Yet Glenwood still needs to pay for the technology and processes to provide that opt-out method. For example, Glenwood spends $10,000 on mailings to comply with the GLB Act, Wasenius said.
"Certainly with identity theft and all the things going on out there, customers want their info preserved, and we always strived for that," Wasenius said. "Some of the documentation and the cost is what we've become uncomfortable with."
Glenwood has invested in technology from Oculan Corp., of Raleigh, N.C., namely the Oculan 250, which is resold to Glenwood as the iSource from First National Technology Solutions. It complies with the GLB Act though risk assessment, a risk management program, oversight of service-provider agreements and reporting to the board.
For an institution the size of Glenwood, the manpower and the time requirements of compliance become a major issue, and Oculan's technology has helped to reduce that, Wasenius said.
"When you're forced to wear a multitude of hats, the time to delve through the technical information and make sure you will spend an hour each day looking at reports disappears," Wasenius said. "You need a system that forces you to look at it on [a] periodic basis."
FOR MORE INFORMATION: