May 12, 2026

    GLBA Safeguards Rule and File Transfer: What Financial Institutions Must Know in 2026

    The Gramm-Leach-Bliley Act has governed how financial institutions protect customer data since 1999. But the version of the GLBA Safeguards Rule that exists today looks substantially different from what was on the books even three years ago. The FTC's 2023 amendments introduced specific, technical requirements around encryption, access controls, and monitoring — requirements that bear directly on how your organization moves files.

    If your institution is still relying on legacy FTP servers, consumer-grade cloud storage, or email attachments to transfer customer financial data, you are almost certainly out of compliance. This post covers what the Safeguards Rule requires, how it maps to file transfer infrastructure specifically, where financial institutions most commonly fall short, and what a genuinely compliant managed file transfer platform needs to deliver.

    What the GLBA Safeguards Rule Is and Who It Applies To

    The GLBA Safeguards Rule (16 C.F.R. Part 314) requires financial institutions to develop, implement, and maintain a comprehensive information security program designed to protect customer information. The rule is enforced by the Federal Trade Commission for most non-bank financial institutions and by federal banking regulators — the OCC, FDIC, and Federal Reserve — for banks and credit unions under the Interagency Guidelines.

    The scope is broader than many compliance officers assume. "Financial institutions" under GLBA includes:

    • Banks and credit unions of all sizes
    • Mortgage companies and brokers — both originators and servicers
    • Investment advisors and broker-dealers registered or required to register with federal or state authorities
    • Insurance companies subject to FTC jurisdiction
    • Auto dealers that arrange financing
    • Tax preparers, accountants, and financial planners who collect nonpublic personal information (NPI)
    • Payday lenders and check cashing services

    If your business collects, processes, or transmits nonpublic personal information in connection with a financial product or service, the Safeguards Rule applies.

    The 2023 FTC Updates: What Changed and Why It Matters

    The FTC finalized substantive amendments to the Safeguards Rule in 2021, with the core technical requirements taking effect in June 2023. These changes moved the rule from a relatively principles-based framework to a set of specific technical and organizational controls that are much harder to satisfy with vague, informal security practices.

    Key changes introduced or clarified in the 2023 amendments include:

    • Mandatory encryption of customer information in transit and at rest
    • Multi-factor authentication required for any individual accessing customer information systems
    • Access controls tied to the principle of least privilege
    • Continuous monitoring or periodic penetration testing and vulnerability assessments
    • Audit and access logging with retention requirements
    • Qualified individual (CISO or equivalent) designated to oversee the security program
    • Annual written reports to the board or governing body
    • Incident response plan required in writing
    • Service provider oversight — covered institutions must contractually require their service providers to implement appropriate safeguards

    Each of these has a direct analog in how your file transfer infrastructure operates.

    How the Safeguards Rule Applies to File Transfer Specifically

    File transfer is not a peripheral activity for financial institutions. It is how payroll data moves to processors, how loan files travel between underwriters and servicers, how account statements get distributed, how ACH batch files are submitted, and how audit packages are delivered to regulators. File transfer infrastructure sits at the center of NPI flows — which means it sits at the center of Safeguards Rule compliance.

    Encryption Requirements — §314.4(e)

    Section 314.4(e) requires covered institutions to encrypt customer information "in transit over external networks and at rest." In practice this means:

    • SFTP (SSH File Transfer Protocol) or FTPS (implicit or explicit, the latter also written FTPES) for file transmission — plain FTP is categorically non-compliant
    • TLS 1.2 or higher for any web-based file sharing portals
    • AES-256 encryption at rest for stored files pending delivery or archival
    • Encryption that cannot be disabled by individual users or administrators without deliberate policy override

    Access Controls

    The Safeguards Rule requires access controls that limit employees' access to customer information to what is necessary to perform their job functions. In the context of file transfer this means:

    • Role-based access controls (RBAC) at the folder, directory, and user level
    • Separate credentials for each user — no shared accounts
    • Ability to restrict access by IP range, time of day, or device
    • Automated deprovisioning when employees are terminated or change roles
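    The four access-control points above are easiest to evidence with a periodic reconciliation between the HR system of record and the MFT platform's account export. The script below is an added example, not code from the original post or from any vendor's product; the roster, account export, role names and logins are all constructed, and the idea that each platform login maps to a list of accountable employee ids is an assumption about the export format. It flags shared accounts, accounts with no accountable owner, accounts belonging to staff who are no longer active, and accounts whose platform role no longer matches the person's current HR role (the "change roles" case).

```python
"""
Added example (not from the original post or any MFT vendor): reconcile an
MFT account export against an HR roster to surface least-privilege and
deprovisioning gaps. All data below is constructed for illustration.
"""
from datetime import date

# Constructed HR roster: employee id -> current role and employment status.
HR_ROSTER = {
    "E100": {"name": "A. Smith", "role": "loan_processor", "status": "active"},
    "E101": {"name": "B. Jones", "role": "auditor", "status": "active"},  # moved off loan processing
    "E102": {"name": "C. Lee", "role": "loan_processor", "status": "terminated",
             "end": date(2026, 4, 30)},
    "E103": {"name": "D. Patel", "role": "ops", "status": "active"},
}

# Constructed MFT account export. The "owners" list (employee ids accountable
# for the login) is an assumed field; a real export may name it differently.
MFT_ACCOUNTS = {
    "asmith":      {"owners": ["E100"],         "role": "loan_processor", "enabled": True},
    "bjones":      {"owners": ["E101"],         "role": "loan_processor", "enabled": True},
    "clee":        {"owners": ["E102"],         "role": "loan_processor", "enabled": True},
    "vendor-xfer": {"owners": ["E100", "E103"], "role": "ops",            "enabled": True},
    "svc-ach":     {"owners": [],               "role": "ops",            "enabled": True},
    "old-intern":  {"owners": ["E999"],         "role": "ops",            "enabled": False},
}


def reconcile(hr, accounts):
    """Return a list of (finding, login, detail) for every enabled account
    that violates the individual-credential or least-privilege expectations."""
    findings = []
    for login, acct in accounts.items():
        if not acct["enabled"]:
            continue  # already disabled; nothing to attribute or revoke
        owners = acct["owners"]
        if len(owners) > 1:
            # One login used by several people: no individual attribution in the audit log.
            findings.append(("shared_account", login,
                             f"{len(owners)} people mapped to one login"))
        if not owners:
            # Service or legacy account with nobody accountable for it.
            findings.append(("no_owner", login, "no accountable individual assigned"))
        for emp in owners:
            person = hr.get(emp)
            if person is None or person["status"] != "active":
                # Terminated or unknown employee still holds an enabled login.
                findings.append(("deprovision", login, f"{emp} is not an active employee"))
            elif person["role"] != acct["role"]:
                # Role changed in HR but platform permissions were never adjusted.
                findings.append(("role_mismatch", login,
                                 f"platform role {acct['role']} but HR role {person['role']}"))
    return findings


def summarize(findings):
    """Count findings per category, which is the figure a compliance report wants."""
    counts = {}
    for kind, _login, _detail in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, login, detail in reconcile(HR_ROSTER, MFT_ACCOUNTS):
        print(f"{kind:15} {login:12} {detail}")
    print(summarize(reconcile(HR_ROSTER, MFT_ACCOUNTS)))
```

    Run on a schedule and fed from real exports, the "deprovision" findings become the input to the automated deprovisioning step, and the "shared_account" and "no_owner" findings are the items an auditor will ask about first, because each one is a login whose activity cannot be tied to a named person.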

    Audit and Monitoring

    §314.4(d) requires covered institutions to "monitor and test the effectiveness of key controls, systems, and procedures." For a file transfer platform this translates to:

    • Immutable, timestamped logs of every file upload, download, login attempt, and configuration change
    • Anomaly detection or alerting for unusual transfer volumes, off-hours activity, or repeated failed authentication
    • Log retention sufficient for forensic investigation — typically 90 days of immediately accessible logs with longer-term archival
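    The second bullet above names three alert conditions: repeated failed authentication, off-hours activity, and unusual transfer volumes. The script below is an added example, not code from the original post or from any vendor's product, showing the minimum detection logic for all three run over a handful of constructed audit-log lines. The log format ("timestamp event user= ip= size="), the thresholds, the business-hours window and the usernames are all assumptions chosen for illustration; a real deployment would read the MFT platform's own log format and tune the thresholds to its baseline.

```python
"""
Added example (not from the original post or any MFT vendor): alerting logic
for the three monitoring conditions a Safeguards Rule program is expected to
cover, applied to constructed audit-log lines. Stdlib only.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log. The line format is an assumption for this example.
SAMPLE_LOG = """\
2026-05-11T09:02:10Z LOGIN_FAIL user=jdoe ip=203.0.113.7
2026-05-11T09:02:14Z LOGIN_FAIL user=jdoe ip=203.0.113.7
2026-05-11T09:02:19Z LOGIN_FAIL user=jdoe ip=203.0.113.7
2026-05-11T09:02:25Z LOGIN_FAIL user=jdoe ip=203.0.113.7
2026-05-11T09:02:31Z LOGIN_FAIL user=jdoe ip=203.0.113.7
2026-05-11T10:15:00Z LOGIN_OK user=asmith ip=198.51.100.20
2026-05-11T10:16:02Z DOWNLOAD user=asmith ip=198.51.100.20 size=1048576
2026-05-11T10:17:40Z DOWNLOAD user=asmith ip=198.51.100.20 size=2097152
2026-05-12T02:40:11Z LOGIN_OK user=bjones ip=198.51.100.44
2026-05-12T02:41:00Z DOWNLOAD user=bjones ip=198.51.100.44 size=734003200
2026-05-12T02:43:30Z DOWNLOAD user=bjones ip=198.51.100.44 size=838860800
"""

# Thresholds are assumptions; tune them to the institution's observed baseline.
FAILED_LOGIN_THRESHOLD = 5            # failures from one user within the window
FAILED_LOGIN_WINDOW_SEC = 300
VOLUME_THRESHOLD_BYTES = 1024 ** 3    # 1 GiB moved by one user in one calendar day
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window, same zone as the log


def parse_line(line):
    """Parse one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    rec["size"] = int(rec.get("size", 0))
    return rec


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the three conditions."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    alerts = []

    # 1. Repeated failed authentication: sliding window per user, one alert when the
    #    threshold is first reached (a 6th failure does not re-alert).
    fails = defaultdict(list)
    for r in records:
        if r["event"] != "LOGIN_FAIL":
            continue
        window = fails[r["user"]]
        window.append(r["ts"])
        window[:] = [t for t in window
                     if (r["ts"] - t).total_seconds() <= FAILED_LOGIN_WINDOW_SEC]
        if len(window) == FAILED_LOGIN_THRESHOLD:
            alerts.append(("repeated_auth_failure", r["user"],
                           f"{len(window)} failures in {FAILED_LOGIN_WINDOW_SEC}s from {r['ip']}"))

    # 2. Off-hours activity: successful logins or transfers outside business hours,
    #    collapsed to one alert per user per day so a burst does not flood the queue.
    off_hours = defaultdict(int)
    for r in records:
        if r["event"] in ("LOGIN_OK", "DOWNLOAD", "UPLOAD"):
            t = r["ts"].time()
            if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
                off_hours[(r["user"], r["ts"].date())] += 1
    for (user, day), n in off_hours.items():
        alerts.append(("off_hours_activity", user, f"{n} events outside business hours on {day}"))

    # 3. Unusual transfer volume: total bytes per user per day against a fixed threshold.
    daily = defaultdict(int)
    for r in records:
        if r["event"] in ("DOWNLOAD", "UPLOAD"):
            daily[(r["user"], r["ts"].date())] += r["size"]
    for (user, day), total in daily.items():
        if total >= VOLUME_THRESHOLD_BYTES:
            alerts.append(("unusual_volume", user, f"{total} bytes on {day}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:22} {user:8} {detail}")
```

    On the constructed log this yields exactly three alerts: the five-failure burst against jdoe, bjones's activity at 02:40 local, and bjones's 1.5 GB of downloads on one day. The volume rule uses a fixed threshold for clarity; a per-user rolling baseline would produce fewer false positives for users whose normal daily volume is large.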

    Vendor Management and Service Provider Oversight

    §314.4(f) requires covered institutions to oversee service providers by taking reasonable steps to select and retain service providers that maintain appropriate safeguards for customer information and to include contractual provisions requiring those safeguards. If your MFT platform is cloud-hosted, your vendor must be able to produce documentation of its security program — including SOC 2 Type II reports, penetration test results, and security certifications. FedRAMP Authorization is the gold standard for SaaS vendors serving regulated industries, because it represents continuous third-party validation of security controls, not a point-in-time audit.

    Why Financial Institutions Are a Primary Target for File-Transfer-Based Attacks

    Financial sector organizations are disproportionately targeted in file-transfer-related breaches. A single compromised SFTP server at a bank or mortgage servicer can expose hundreds of thousands of records containing Social Security numbers, account numbers, credit scores, tax returns, and wire transfer data.

    The MOVEit vulnerability exploited in 2023 compromised dozens of financial institutions. Accellion FTA breaches in 2020–2021 hit banks, insurance carriers, and investment firms. In both cases, the attack vector was the managed file transfer layer — the infrastructure used to move regulated data between parties.

    File transfer systems are attractive targets because they tend to be:

    • Exposed to external networks by design (they must accept inbound connections)
    • Often running older software that receives infrequent patching
    • Frequently operated with overly permissive access configurations
    • Connected to high-value systems downstream — core banking, loan origination, payment processing

    Common Compliance Gaps That Put Institutions at Risk

    Using Unencrypted FTP

    Legacy FTP transmits credentials and file contents in plaintext. Any network intermediary between sender and receiver can capture both. Despite this being documented for decades, FTP servers remain active in many financial institution environments — often because they were set up years ago by a vendor and never revisited.

    Consumer Cloud Storage

    Dropbox, Google Drive, and similar consumer or SMB cloud tools are not designed to meet GLBA's access control, audit logging, or vendor oversight requirements. They lack contractual guarantees appropriate for NPI, and they often store data in ways that conflict with the institution's data residency requirements.

    Email Attachments

    Emailing loan files, account statements, or tax documents — even to other businesses — is transmission of NPI over a channel with no guaranteed encryption in transit, no access controls on the recipient side, and no audit trail visible to the sending institution.

    Shared Credentials

    Using a single set of SFTP credentials shared among multiple employees or contractors eliminates the ability to attribute file access to a specific individual — making it impossible to satisfy audit requirements or respond meaningfully to a breach investigation.

    What a GLBA-Compliant MFT Platform Must Include

    A managed file transfer platform that genuinely supports GLBA Safeguards Rule compliance needs to deliver:

    • AES-256 encryption at rest and TLS 1.2+ / SFTP encryption in transit with no ability to downgrade without administrative policy change
    • Role-based access controls with per-user, per-folder granularity
    • Multi-factor authentication for web-based and administrative access
    • Comprehensive, immutable audit logs with timestamps, user attribution, and IP logging
    • Automated alerting on anomalous activity
    • FedRAMP Authorization or SOC 2 Type II attestation for cloud-hosted deployments
    • Business Associate Agreement (BAA) or equivalent contractual data protection addendum
    • Data residency controls — the ability to ensure data stays within U.S. jurisdiction
    • Automated file workflows that eliminate manual and error-prone file handling steps

    GLBA and SOX Overlap for Public Financial Companies

    For publicly traded financial institutions, the Sarbanes-Oxley Act (SOX) adds a second layer of requirements that intersects with file transfer compliance. SOX Section 302 and Section 404 require management to assess and certify the effectiveness of internal controls over financial reporting. File transfer systems that move financial data used in reporting fall within the scope of SOX IT general controls (ITGCs).

    A platform that satisfies GLBA's technical requirements will, in most cases, also satisfy the SOX ITGC requirements applicable to file transfer systems — making a single, well-configured MFT deployment serve both compliance obligations.

    GLBA File Transfer Compliance Checklist

    Use this checklist to assess your current file transfer posture against Safeguards Rule requirements:

    • All file transfers of NPI use SFTP, FTPS, or HTTPS — no plain FTP in use anywhere
    • Files are encrypted at rest using AES-256 or equivalent
    • TLS version is 1.2 or higher; TLS 1.0 and 1.1 are disabled
    • Every user has individual credentials — no shared accounts
    • Role-based access controls are configured and enforce least-privilege
    • Multi-factor authentication is enabled for all users with access to NPI
    • Audit logs capture login attempts, file transfers, and configuration changes with timestamps and user attribution
    • Logs are retained for a minimum of 90 days (immediately accessible) and archived per your retention policy
    • Alerting is configured for failed logins, unusual transfer volumes, and off-hours activity
    • Your MFT vendor has provided a SOC 2 Type II report or equivalent third-party attestation
    • Your contract with your MFT vendor includes data protection obligations and security requirements
    • Consumer cloud storage and email attachments are prohibited for NPI transmission by written policy

    The Bottom Line

    For organizations subject to GLBA, Sharetru provides a controlled file transfer environment that supports the security requirements compliance and audit teams are expected to document. Because Sharetru enforces secure transmission protocols, encryption, individual user access, MFA, role-based permissions, logging, retention, monitoring, and vendor security oversight, your organization can account for each of the GLBA-aligned controls listed above within one purpose-built platform. That means NPI is not being moved through unmanaged email attachments, shared accounts, consumer cloud tools, or informal workflows. It is transferred through a system designed to protect sensitive information, limit access, preserve evidence, and give your team a clear answer when auditors ask how customer data is secured.

    In Plain English

    Sharetru helps your organization meet GLBA requirements by giving you one secure place to send, receive, protect, and track sensitive customer information. Files are encrypted, users have their own logins, access can be limited to the right people, and activity is recorded so your team can prove what happened. Instead of relying on email attachments or consumer file-sharing tools, Sharetru gives your organization a safer and more accountable way to handle NPI.

    Ready to close your GLBA file transfer compliance gaps? Book a Demo with Sharetru and see how a purpose-built MFT platform makes compliance demonstrable, not aspirational.

    Chris Merriman

    Chris, Sharetru's VP of Engineering, is a lifelong learner and meticulous researcher who has crafted and shipped every Sharetru release since 2008.
