The Gramm-Leach-Bliley Act (GLBA) places financial institutions under strict obligations to protect the non-public personal information (NPI) of their customers — and that protection doesn’t end when the document stops being useful. GLBA shredding compliance requires that financial institutions properly dispose of records containing NPI when retention periods expire. For New York financial services firms — including banks, credit unions, mortgage companies, securities dealers, insurance agencies, and tax preparers — this means implementing a documented, verifiable program for secure document destruction.
The FTC’s Safeguards Rule, which implements the privacy and security requirements of GLBA, was significantly strengthened in 2023, extending its reach and increasing its requirements for smaller financial institutions. If your New York financial services business hasn’t reviewed its document destruction practices recently, now is the time. This guide covers everything you need to know about GLBA shredding compliance, from which documents are covered to how to build a program that satisfies regulators.
What Is GLBA and Who Does It Cover?
The Gramm-Leach-Bliley Act was enacted in 1999 to modernize financial regulation while establishing privacy protections for consumers. Its Financial Privacy Rule and Safeguards Rule together govern how financial institutions collect, use, share, and protect customer information. The law defines “financial institution” broadly, covering any company that is significantly engaged in financial activities, including:
- Banks and credit unions
- Mortgage brokers and lenders
- Investment advisors and securities dealers
- Insurance companies and agents
- Tax preparers and accountants who prepare financial statements
- Check cashing businesses
- Debt collectors and payday lenders
If your New York business falls into any of these categories, GLBA shredding compliance is not optional. Visit our compliance page to see how we help financial institutions meet their obligations.
What Records Require GLBA-Compliant Destruction?
GLBA’s Safeguards Rule covers any record containing “non-public personal information” — broadly defined as any personally identifiable financial information that a consumer provides, that results from transactions, or that is obtained in connection with financial services. This includes:
- Loan applications and credit reports
- Account statements and balance information
- Tax returns and W-2 forms used in financial service delivery
- Wire transfer records and transaction histories
- Insurance policy applications and claims
- Social Security numbers, dates of birth, and government ID copies
When these records are no longer needed, they must be destroyed in a way that makes them unreadable and unrecoverable. Learn about our GLBA-compliant shredding services designed specifically for financial services businesses.
The FTC Safeguards Rule: Updated Requirements for 2024-2025
In 2023, the FTC significantly updated the Safeguards Rule to include more specific technical requirements. Financial institutions subject to GLBA must now implement a written information security program that includes:
- Designating a qualified individual responsible for information security
- Conducting regular risk assessments
- Implementing specific technical safeguards including encryption and multi-factor authentication
- Establishing procedures for secure disposal of customer information
- Implementing an incident response plan
- Reporting significant security events to the board of directors
The disposal procedures requirement specifically addresses GLBA shredding compliance — your written security program must document how paper and electronic records containing NPI are destroyed. Our service process provides the documentation trail you need for your written program.
Building a GLBA Document Retention and Destruction Schedule
GLBA compliance starts with knowing what you have and how long you need to keep it. Financial institutions must balance GLBA’s disposal requirements against other federal and state retention requirements. Key retention guidelines for New York financial services firms include:
- Customer account records: Generally 5-7 years after account closure
- Loan origination records: Typically 3-7 years depending on loan type
- SEC records for registered firms: Varies by record type (3-6 years)
- Tax records: Generally 7 years
- Insurance records: Per New York DFS requirements (often 6 years)
Electronic Media Destruction Under GLBA
GLBA shredding compliance extends beyond paper. Hard drives, backup tapes, USB drives, and other media containing NPI must be physically destroyed — not just reformatted or overwritten. For financial institutions in New York, this means partnering with a vendor who can provide physical destruction services for electronic media with the same chain of custody documentation as paper shredding. Contact us via our contact page to learn about our comprehensive electronic media destruction services for financial services firms.
Why New York Businesses Choose New York Shredding
For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.
Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.
Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.

