A practical guide to GLBA Safeguards Rule compliance for teams deploying AI voice and SMS agents in financial services. Covers the nine required elements, breach notification rules, and how to operationalize compliance.
If your team deploys AI voice agents to handle inbound loan inquiries, account opening calls, or wealth-management leads, the Gramm-Leach-Bliley Act (GLBA) probably applies to you. GLBA governs how financial institutions collect, use, share, and protect customer information — and the FTC's Safeguards Rule was significantly amended in 2021 to add concrete, enforceable security requirements.
For revenue teams deploying AI voice and SMS agents in financial services, GLBA compliance is not optional. The good news is that most of what GLBA requires — access controls, encryption, audit trails, consent handling, and data minimization — maps directly to capabilities you can configure in a well-built AI voice platform. This guide breaks down what GLBA requires, what changed in the recent amendments, and how to operationalize compliance when deploying AI agents for financial services lead conversion.
The Gramm-Leach-Bliley Act (Public Law 106-102), enacted in 1999, requires financial institutions to protect the privacy and security of consumer financial information. Two sets of rules implement GLBA's privacy and security provisions:
The FTC amended the Safeguards Rule in 2021 to add more specific requirements, including multi-factor authentication, encryption, designated Qualified Individuals, risk assessments, and incident response plans. In 2023, the FTC further amended the Rule to require breach notification for certain security incidents, with those requirements taking effect in May 2024.
GLBA's definition of "financial institution" is broader than everyday usage suggests. Under Section 314.2(h) of the Safeguards Rule, covered entities include:
If your AI voice agents handle inbound calls for any of these business types — qualifying borrowers, opening accounts, capturing KYC-relevant intake data, or routing leads to licensed advisors — GLBA likely applies to how you handle the customer information those calls generate.
Section 314.4 of the Safeguards Rule identifies nine elements that a covered financial institution's information security program must include. Here is what each means for teams deploying AI voice agents:
You must designate a Qualified Individual to implement and supervise your information security program. This person can be internal or a service provider, but a senior employee must retain oversight responsibility. For AI voice deployments, this person should understand how call recordings, transcripts, and CRM write-backs flow through your systems.
You must inventory what customer information you collect and where it is stored, then assess foreseeable internal and external threats. For AI voice agents, this means mapping every data point your agent captures — name, address, Social Security number, income, account numbers — and tracing where it goes: call transcripts, CRM fields, webhook payloads, integration logs.
The Rule requires specific safeguards, including:
You must regularly test your safeguards, either through continuous monitoring or through annual penetration testing plus vulnerability assessments every six months.
Provide security awareness training for all staff, with specialized training for employees responsible for the information security program.
Select service providers capable of maintaining appropriate safeguards, and require them by contract to implement and maintain safeguards.
Evaluate and adjust your information security program based on risk assessments, testing results, material changes to operations, or any security incidents.
Maintain a written incident response plan that describes how your organization will respond to a security event. The plan must include specific procedures for responding to data breaches.
Under the 2023 amendments (effective May 2024), covered institutions must notify the FTC within 30 days of discovering a security event involving unauthorized access to customer information affecting 500 or more consumers. The notification must include key facts about the event and the institution's response.
Use this checklist to map GLBA Safeguards Rule requirements to your AI voice agent deployment:
| GLBA Requirement | What to do for AI voice agents |
|---|---|
| Designate Qualified Individual | Name a security officer who understands your AI voice platform's data flows, call recording storage, and CRM integrations |
| Risk assessment | Inventory every data field your AI agent captures (name, SSN, income, account numbers) and map where each is stored, transmitted, and written back |
| Access controls | Restrict who can access call recordings, transcripts, and CRM records. Use role-based permissions in your AI voice platform and CRM |
| Encryption | Verify call recordings and transcripts are encrypted at rest and in transit. Confirm TLS for all API connections and webhook payloads |
| Multi-factor authentication | Enable MFA for all admin accounts on your AI voice platform, CRM, and any system that stores or processes customer information |
| Secure data disposal | Configure retention policies so call recordings and transcripts are purged after a defined period (e.g., 90 days) unless longer retention is justified |
| Activity logging | Ensure audit logs capture who accessed call recordings and when. Monitor for unauthorized access patterns |
| Service provider oversight | Confirm your AI voice platform provides a written security program, SOC 2 certification, and contractual safeguards commitments |
| Incident response plan | Document what happens if a data breach occurs — who is notified, how affected customers are informed, and how the AI voice platform is secured |
| Breach notification | Establish a process to assess and report qualifying breaches to the FTC within 30 days of discovery |
| Staff training | Train revenue ops and contact center staff on GLBA data handling rules, including what can and cannot be stored in CRM notes from AI agent calls |
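The "Activity logging" row above asks for audit logs that record who accessed call recordings and when, plus monitoring for unauthorized access patterns. The following is an added example, not Thoughtly's code and not tied to any real platform's log format: it parses a few constructed audit-log lines and flags three patterns a compliance reviewer would want surfaced. The log format, the role-to-action policy, the bulk-download threshold and the business-hours window are all assumptions.

```python
"""Audit-log review for call-recording access (added example, assumptions noted inline)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
#   <ISO timestamp> user=<id> role=<role> action=<verb> recording=<id>
SAMPLE_LOG = """\
2024-06-03T09:12:04Z user=alice role=compliance action=view recording=rec-1001
2024-06-03T09:13:40Z user=alice role=compliance action=view recording=rec-1002
2024-06-03T11:02:11Z user=bob role=sales action=download recording=rec-1003
2024-06-03T02:45:00Z user=carol role=ops action=view recording=rec-1004
2024-06-03T14:00:00Z user=dave role=ops action=download recording=rec-2001
2024-06-03T14:00:05Z user=dave role=ops action=download recording=rec-2002
2024-06-03T14:00:09Z user=dave role=ops action=download recording=rec-2003
2024-06-03T14:00:12Z user=dave role=ops action=download recording=rec-2004
2024-06-03T14:00:15Z user=dave role=ops action=download recording=rec-2005
2024-06-03T14:00:20Z user=dave role=ops action=download recording=rec-2006
"""

# Assumed role-based policy: which actions each role may perform on recordings.
ALLOWED = {
    "compliance": {"view", "download"},
    "ops": {"view", "download"},
    "sales": {"view"},
}
BULK_THRESHOLD = 5                 # assumed: more than 5 downloads per window is suspicious
BULK_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)      # assumed: 07:00 to 19:59 UTC


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(log_text):
    """Return (finding_type, user, detail) tuples for policy violations,
    off-hours access, and bulk downloads inside BULK_WINDOW."""
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    findings = []
    downloads = defaultdict(list)
    for e in events:
        if e["action"] not in ALLOWED.get(e["role"], set()):
            findings.append(("role_violation", e["user"], e["recording"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["user"], e["recording"]))
        if e["action"] == "download":
            downloads[e["user"]].append(e["ts"])
    for user, times in downloads.items():
        times.sort()
        for i, start in enumerate(times):
            # Count downloads by this user that fall within the window opened by event i.
            n = sum(1 for t in times[i:] if t - start <= BULK_WINDOW)
            if n > BULK_THRESHOLD:
                findings.append(("bulk_download", user, n))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed lines this reports a sales user downloading (outside the assumed role policy), a 02:45 access by an ops user, and six downloads by one user inside twenty seconds. In practice you would feed the real platform's export into `parse_line` and tune the thresholds to your call volume.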
Thoughtly provides several features that help financial services teams operationalize GLBA Safeguards Rule requirements when deploying AI voice and SMS agents:
All call recordings, transcripts, and data passed through Thoughtly integrations are encrypted in transit (TLS) and at rest. OAuth tokens are used for all integration connections and are revocable at any time from your admin panels.
Call recordings and transcripts are stored per your organization's retention policy, which is configurable. The default retention period is 90 days, and you can adjust this to align with your GLBA secure disposal obligations. Structured outputs written back to your CRM live in your CRM under your own retention rules.
Thoughtly is SOC 2 Type II certified, which means an independent auditor has verified that Thoughtly's controls for security, availability, confidentiality, and privacy meet the AICPA's Trust Services Criteria. This directly supports your service provider oversight obligations under Section 314.4(f) of the Safeguards Rule.
Thoughtly enforces consent capture on every call, with verbatim compliance lines configured via Start nodes or Speak nodes. Suppression lists are enforced internally before sending agent replies, and opt-outs propagate across voice, SMS, and email channels. This supports GLBA Privacy Rule obligations around customer choice and information sharing.
Every call is recorded with a full transcript, creating an auditable record of what was said, what consent was captured, and what data the agent collected. Transcripts are retained on the call record and can be reviewed for compliance monitoring.
Thoughtly's docs recommend capturing only the personally identifiable information you actually need. Variables and extraction instructions can be configured to collect specific data points — and to avoid collecting data that is not necessary for the workflow. This aligns with the Safeguards Rule's data minimization expectations.
Every Thoughtly integration (Salesforce, HubSpot, Keap, Pipedrive, Zoho CRM, and others) uses scoped OAuth tokens rather than stored credentials. Thoughtly respects field-level security and sharing rules in connected systems, so CRM access controls flow through to AI agent workflows.
For financial services specifically, Thoughtly's solution page notes that agents pre-qualify inbound interest under SOC 2, GLBA, and FINRA-aligned controls before routing to a licensed advisor. This does not make Thoughtly a compliance certification body — it means the platform's controls are designed to align with GLBA requirements so your team can build compliant workflows.
When AI agents capture Social Security numbers, income details, or account numbers during calls, that data often ends up in free-text CRM notes. If those notes are not encrypted or access-controlled, you have a GLBA exposure. Configure your agent to write structured fields only, and ensure your CRM enforces field-level encryption for sensitive data.
The Safeguards Rule requires secure disposal of customer information no later than two years after your most recent use. If your AI voice platform retains call recordings indefinitely with no configured retention policy, you are out of compliance. Set and enforce a retention schedule.
Many teams deploy AI voice agents without a documented incident response plan. If a breach occurs — say, a webhook payload containing customer data is intercepted — you need a written plan that defines who is notified, how the breach is contained, and whether FTC notification is required.
Under Section 314.4(f), you must select service providers capable of maintaining appropriate safeguards and require them by contract to do so. If your AI voice platform cannot provide a SOC 2 report or does not offer contractual security commitments, you have a gap. Verify before you deploy.
AI voice agents are capable of capturing a wide range of data during a call. But the Safeguards Rule expects you to collect only what you need. Configure your agent's variables and extraction instructions to capture only fields that serve a legitimate business purpose.
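The two points above (write structured fields only rather than free-text notes, and capture only the fields the workflow needs) can be enforced in code at the CRM write-back boundary. The following is an added example, not Thoughtly's code and not a real integration API: it applies a per-workflow allow-list to what the agent extracted, redacts SSN-shaped and account-number-shaped strings from any free-text notes, and reports which allowed fields must land in encrypted structured columns. The workflow names, field names, and regular expressions are assumptions.

```python
"""Data minimization and note redaction before CRM write-back (added example)."""
import re

# Assumed: each workflow declares the structured fields it legitimately needs.
WORKFLOW_SCHEMAS = {
    "mortgage_prequal": {"first_name", "last_name", "phone", "loan_amount", "annual_income"},
    "appointment_booking": {"first_name", "last_name", "phone", "preferred_time"},
}

# Assumed: fields that may only be stored in encrypted, access-controlled columns.
SENSITIVE_FIELDS = {"ssn", "annual_income", "account_number"}

# Conservative patterns for values that should never sit in free-text notes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCT_RE = re.compile(r"\b\d{9,17}\b")


def redact_notes(text):
    """Replace SSN-shaped and long account-number-shaped digit runs in free text."""
    text = SSN_RE.sub("[SSN REDACTED]", text)
    return ACCT_RE.sub("[ACCOUNT REDACTED]", text)


def minimize_writeback(workflow, extracted, notes=""):
    """Keep only the fields the workflow is allowed to collect, redact the notes,
    and list the allowed fields that still require encrypted storage."""
    allowed = WORKFLOW_SCHEMAS[workflow]
    fields = {k: v for k, v in extracted.items() if k in allowed}
    return {
        "fields": fields,
        "notes": redact_notes(notes),
        "dropped": sorted(k for k in extracted if k not in allowed),
        "sensitive": sorted(k for k in fields if k in SENSITIVE_FIELDS),
    }


# Constructed sample output from an agent call (not real customer data).
SAMPLE_EXTRACTED = {
    "first_name": "Ana",
    "last_name": "Ruiz",
    "phone": "555-0100",
    "annual_income": 85000,
    "ssn": "123-45-6789",
    "employer": "Acme Widgets",
}
SAMPLE_NOTES = "Caller gave SSN 123-45-6789 and account 123456789012 for verification."


if __name__ == "__main__":
    print(minimize_writeback("mortgage_prequal", SAMPLE_EXTRACTED, SAMPLE_NOTES))
    print(minimize_writeback("appointment_booking", SAMPLE_EXTRACTED, SAMPLE_NOTES))
```

The `dropped` list is worth logging: it shows which fields the agent captured that the workflow never needed, which is exactly the signal to use when tightening extraction instructions. The `sensitive` list is the set of fields the CRM side must map to encrypted columns before the write is allowed.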
GLBA applies to financial institutions — not to specific technologies. If your organization is a covered financial institution under GLBA and you use AI voice agents to handle customer information (collecting, storing, or transmitting nonpublic personal information during calls), then GLBA's Safeguards Rule requirements apply to how those agents handle that data.
No platform can be "GLBA-certified" in the way that HIPAA has BAAs. GLBA does not have a certification program. Thoughtly is SOC 2 Type II certified and provides encryption, configurable retention, access controls, and audit-ready transcripts that help you build GLBA-aligned workflows. Your organization remains responsible for compliance with GLBA itself.
Under the Safeguards Rule, NPI includes any record containing personally identifiable financial information about a customer of a financial institution, whether in paper, electronic, or other form. This includes data collected during AI voice calls — names combined with account numbers, income information, loan details, or credit history. Publicly available information (like a name from a phone book) is generally not NPI on its own.
The Safeguards Rule requires secure disposal of customer information no later than two years after your most recent use of it to serve the customer, unless you have a legitimate business need or legal requirement to retain it longer. Most teams set retention periods between 90 days and 2 years, depending on their business needs and any state-specific record retention requirements.
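The retention rule stated above, and in the "Set and enforce a retention schedule" point earlier, has two parts a purge job must encode: records are disposed of once the configured period passes, and a configured period beyond two years from last use is only acceptable with a documented business or legal need. The following is an added example, not Thoughtly's retention implementation: it validates a retention setting against that two-year limit and produces a disposal plan for a constructed set of call records, keeping legal-hold records but flagging them for review once they pass the two-year mark. The record fields and the 730-day constant are assumptions.

```python
"""Retention validation and disposal planning for call records (added example)."""
from datetime import date, timedelta

# Assumed reading of the Safeguards Rule's outer limit: two years after last use,
# unless a documented business or legal need justifies longer retention.
TWO_YEARS = timedelta(days=730)


def validate_policy(retention_days, justification=None):
    """Return the retention period, rejecting settings the Rule would not allow."""
    if retention_days <= 0:
        raise ValueError("retention period must be positive")
    period = timedelta(days=retention_days)
    if period > TWO_YEARS and not justification:
        raise ValueError("retention beyond two years requires a documented business or legal need")
    return period


def disposal_plan(records, retention_days, today, justification=None):
    """Decide which records to purge now and which held records need review.

    Each record is a dict with 'id', 'last_used' (date) and optional 'legal_hold'.
    Held records are never purged automatically, but are flagged for review once
    they pass the two-year mark so the hold itself gets re-justified.
    """
    period = validate_policy(retention_days, justification)
    purge, review = [], []
    for rec in records:
        age = today - rec["last_used"]
        if rec.get("legal_hold"):
            if age > TWO_YEARS:
                review.append(rec["id"])
            continue
        if age >= period:
            purge.append(rec["id"])
    return {"purge": purge, "review": review}


# Constructed sample records (not real call data).
SAMPLE_RECORDS = [
    {"id": "rec-1", "last_used": date(2024, 1, 1)},
    {"id": "rec-2", "last_used": date(2024, 5, 1)},
    {"id": "rec-3", "last_used": date(2021, 1, 1), "legal_hold": True},
    {"id": "rec-4", "last_used": date(2024, 3, 1), "legal_hold": True},
]


if __name__ == "__main__":
    # With the 90-day default from the checklist, rec-1 is purged and the
    # long-held rec-3 is flagged for review; rec-2 and rec-4 are untouched.
    print(disposal_plan(SAMPLE_RECORDS, 90, date(2024, 6, 3)))
```

Run this on a schedule against the platform's call-record export, and treat the `review` list as a ticket queue for the Qualified Individual rather than something the job resolves on its own.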
The 2023 breach notification amendment (effective May 2024) requires covered financial institutions to notify the FTC within 30 days of discovering a security event involving unauthorized access to customer information affecting 500 or more consumers. If your AI voice platform experiences a breach that exposes your customer data, you — as the covered institution — are responsible for reporting. This is why service provider oversight and contractual breach notification clauses matter.
This article is informational and does not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization.
FTC Safeguards Rule: What Your Business Needs to Know
Standards for Safeguarding Customer Information (16 CFR Part 314)
Thoughtly — Financial Services Solution
PII Handling and Data Retention in AI Call Workflows
SOC 2 and Enterprise Security for AI Voice Platforms
AI Agents for Financial Services Account Opening and Onboarding