GLBA (Gramm-Leach-Bliley Act of 1999) governs how financial institutions — banks, credit unions, accounting firms, investment advisors, mortgage brokers — protect their customers’ non-public personal information (NPI). For customer portals in the financial sector, GLBA imposes safeguards similar to (but distinct from) HIPAA and PCI DSS.
The GLBA Safeguards Rule, as amended by the FTC in 2021 (with most of the new requirements in force since June 2023), requires a covered financial institution to designate a qualified individual to oversee its information security program, perform and document written risk assessments, encrypt customer information in transit and at rest, require multi-factor authentication for anyone accessing customer information, and monitor and log the activity of authorized users. A secure client portal can supply the technical controls on that list (encryption, MFA, access logging), but the governance obligations, such as naming the qualified individual and performing the risk assessment, remain with the institution itself.