Jun 2026

GLBA and AI Governance

Is Generative AI Compliant with GLBA?

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to protect certain customer information and implement safeguards to prevent unauthorized access or disclosure.

The use of generative AI systems introduces additional considerations when customer information or nonpublic personal information (NPI) is included in prompts.

Depending on how these systems are used and configured, such information may be processed by third-party providers, creating additional obligations around data protection and oversight.

This matters because:

  • customer information may be shared with external AI providers
  • prompt inputs may contain nonpublic personal information (NPI)
  • GLBA requires financial institutions to protect customer information and maintain appropriate safeguards

What the Gramm-Leach-Bliley Act (GLBA) Regulates

The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that requires financial institutions to protect certain customer information and explain how that information is collected, used, and shared.

GLBA applies to financial institutions, including many:

  • banks
  • credit unions
  • mortgage lenders
  • securities firms
  • insurance companies
  • other organizations engaged in financial activities

A central concept under GLBA is Nonpublic Personal Information (NPI), which generally refers to personally identifiable financial information collected, obtained, or derived in connection with providing a financial product or service.

GLBA is implemented through several requirements, including:

Financial Privacy Rule

Addresses how financial institutions provide privacy notices and disclose information-sharing practices.

Safeguards Rule

Requires financial institutions to implement administrative, technical, and physical safeguards designed to protect customer information.

Information-Sharing Restrictions

Places limitations on certain information-sharing practices involving customer information.

Key Terms (Simplified)

Nonpublic Personal Information (NPI)

Personally identifiable financial information that a financial institution collects, obtains, or derives in connection with providing a financial product or service.

Examples may include:

  • account information
  • loan applications
  • financial profiles
  • transaction history
  • information provided during account opening

Customer Information

Records containing nonpublic personal information about a customer that are handled or maintained by or on behalf of a financial institution.

Customer information may exist in electronic, paper, or other formats and remains subject to safeguards requirements when maintained by service providers acting on behalf of the institution.

Financial Institution

An organization engaged in financial activities or offering financial products or services to consumers.

Service Provider

A third party that performs services involving customer information on behalf of a financial institution.

In generative AI workflows:

  • the financial institution remains responsible for customer information
  • AI providers may act as service providers depending on how the system is deployed and governed

Responsibilities of Financial Institutions

Under GLBA, financial institutions are generally responsible for:

  • protecting customer information
  • implementing reasonable safeguards
  • overseeing service providers
  • maintaining information security programs appropriate to their risks
  • limiting unauthorized disclosure of customer information

These obligations continue to apply when third-party technologies are used.

Why Generative AI Changes Risk

Generative AI systems introduce additional considerations in how customer information is handled:

  • information may be transmitted to external providers
  • prompts may contain customer information or NPI
  • data may be processed through systems that introduce additional third-party dependencies, oversight requirements, or governance considerations
  • visibility into downstream handling may vary

These factors can make oversight and risk management more complex.

Where AI Interacts with GLBA Requirements

Protection of Customer Information

GLBA requires financial institutions to protect customer information from unauthorized access or disclosure.

Service Provider Oversight

Covered institutions are generally required to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information. Where appropriate, these safeguards may also be established through contractual arrangements governing how customer information is handled and protected.

Information Security Programs

Organizations must maintain security programs that are appropriate to the sensitivity of the information they handle.

Risk-Based Safeguards

The GLBA Safeguards Rule requires organizations to implement administrative, technical, and physical safeguards designed to protect customer information.

What Teams Actually Do (and Where Risk Starts)

In practice, customer information may be entered into AI systems as part of routine work:

  • support teams summarize customer interactions
  • loan teams analyze application information
  • operations teams review account-related data
  • compliance teams analyze customer communications

These workflows are often intended to improve efficiency. However, employees may not always recognize that a legitimate business use of AI can at the same time be a disclosure of nonpublic personal information to a third-party system.

As a result, organizations may encounter situations where:

  • customer information is shared with external providers without consistent review
  • information flows are not fully visible to governance teams
  • internal policies are applied inconsistently across departments
  • service provider oversight becomes more complex

These challenges are often governance issues rather than technology issues, making visibility and control important considerations when deploying AI systems.

Customer Information and Generative AI

Unlike GDPR or CCPA, GLBA does not primarily focus on broad consumer control rights.

Instead, GLBA focuses on:

  • protection of customer information
  • transparency regarding information-sharing practices
  • safeguards that reduce unauthorized access or disclosure

When generative AI is introduced into workflows, organizations must continue to apply these protections.

Risk Assessment and Generative AI

Organizations subject to GLBA generally maintain risk-based information security programs.

Generative AI may require additional evaluation where:

  • customer information is shared with third parties
  • new processing activities are introduced
  • service provider oversight is required
  • information security controls may need adjustment

Risk assessments help organizations determine whether existing safeguards remain appropriate.

Why AI Usage Becomes Difficult to Govern

Individually, these risks may appear manageable.

In combination, organizations may face situations where:

  • customer information moves across multiple systems
  • visibility into data handling is limited
  • service provider oversight becomes more complex
  • internal policies are applied inconsistently

This can make it more difficult to demonstrate that appropriate safeguards are being maintained.

The Core Problem: Prompts May Involve Customer Information

When customer information is included in prompts, it may involve:

  • transmission to external systems
  • processing by third-party providers
  • handling of customer information or NPI outside traditional workflows

Without appropriate controls, these interactions may increase governance and oversight challenges.

How AI Governance Supports GLBA Alignment

Organizations may implement controls that operate before and during AI usage.

Examples include:

  • detecting customer information before submission
  • restricting sensitive data from being shared
  • enforcing AI usage policies
  • maintaining visibility into AI interactions
  • supporting service provider oversight processes

These measures can help organizations manage AI-related risks more consistently.
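As an added illustration of the first two controls above (detect before submission, restrict sensitive data), and not code from this page or from Wald.ai: a minimal pre-submission gate that scans a prompt for NPI-like patterns, redacts or blocks it according to policy, and writes an audit record so governance teams keep visibility. The regexes, placeholder names and sample prompt are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed, illustrative NPI patterns. A production gate would use the
# institution's own data formats and a reviewed detector, not three regexes.
NPI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "account_number": re.compile(
        r"\b(?:account|acct)\s*(?:number|no\.?|#)?\s*[:#]?\s*\d{8,12}\b", re.I),
}

AUDIT_LOG: list[dict] = []  # in-memory stand-in for a governance/SIEM sink


@dataclass
class GateDecision:
    allowed: bool
    prompt: str                                  # what may be forwarded to the AI provider
    findings: dict = field(default_factory=dict)  # NPI type -> number of matches


def gate_prompt(prompt: str, policy: str = "redact") -> GateDecision:
    """Inspect a prompt before it leaves the institution.

    policy='redact' replaces detected NPI with placeholders and forwards the rest;
    policy='block' refuses any prompt in which NPI was detected.
    """
    redacted, findings = prompt, {}
    for kind, pattern in NPI_PATTERNS.items():
        redacted, count = pattern.subn(f"[{kind.upper()}]", redacted)
        if count:
            findings[kind] = count
    allowed = not (policy == "block" and findings)
    # Audit entry keeps a hash of the original prompt, never the NPI itself.
    AUDIT_LOG.append({
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "findings": findings,
        "policy": policy,
        "allowed": allowed,
    })
    return GateDecision(allowed, redacted if allowed else "", findings)


if __name__ == "__main__":
    sample = ("Summarize this call: customer Jane Doe (account number 123456789012, "
              "SSN 123-45-6789) asked about overdraft fees.")  # constructed input
    decision = gate_prompt(sample)
    print(decision.findings)  # {'ssn': 1, 'account_number': 1}
    print(decision.prompt)
```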

Where Wald.ai Fits

Wald provides controls that can be used to manage customer information in generative AI workflows.

This includes:

  • detection of sensitive financial and customer information
  • redaction before data is sent to AI systems
  • policy enforcement across users and teams
  • visibility into AI interactions through governance controls
  • support for enterprise DLP and AI governance programs

These capabilities can support organizations seeking greater control over AI usage involving customer information.

FAQs

Is generative AI compliant with GLBA?

Generative AI can be used in environments subject to GLBA, provided organizations continue to meet applicable obligations related to safeguarding customer information and overseeing service providers.

Does GLBA prohibit AI?

No. GLBA does not prohibit the use of AI technologies. The law focuses on how customer information is protected and managed.

What is nonpublic personal information (NPI)?

NPI generally refers to personally identifiable financial information that a financial institution collects, obtains, or derives in connection with providing a financial product or service.

What is customer information under GLBA?

Customer information generally refers to records containing nonpublic personal information that are maintained by or on behalf of a financial institution.

Can customer information be entered into AI systems?

Organizations should evaluate whether appropriate safeguards, oversight, and governance controls are in place before sharing customer information with AI systems.

Why is AI governance important for GLBA?

AI governance helps organizations manage how customer information is handled, enforce policies, and maintain visibility into AI usage.
