If you’re working in financial services, you should know that file transfer and file storage are not a handwavy matter. Sensitive financial data like customer information and nonpublic personal information (NPI) moves between teams, vendors, systems, and environments.
Each handoff is a chance for the wrong access, the wrong destination, or the wrong retention outcome, which is exactly how file workflows turn into potentially costly GLBA data compliance issues.
This GLBA compliance checklist is meant to keep you out of that mess. It walks you through a sensible order of work, then tells you what evidence to keep so you can answer audit and incident questions without improvising.
What is GLBA?
GLBA is the Gramm-Leach-Bliley Act, a U.S. federal law focused on how financial institutions protect and disclose customer information. It applies broadly to many organizations in financial services, not only banks and credit unions.
If your business is significantly engaged in providing financial products or services, or you handle customer information on behalf of those businesses, GLBA becomes relevant.
GLBA is commonly described in three parts:
- Financial Privacy Rule: Requires clear privacy notices and sets expectations around how customer information is shared, including opt-out rights in certain cases.
- Safeguards Rule: Requires a written information security program with administrative, technical, and physical safeguards to protect customer information. Read our comprehensive guide to the Safeguards Rule for financial services.
- Pretexting provisions: Targets the misuse of false pretenses to obtain customer information, which is why training and access verification show up in real-world programs.
Enforcement depends on the type of financial institution. For many non-bank financial institutions, the Federal Trade Commission enforces the Safeguards Rule. Banks, credit unions, broker-dealers, and insurers are typically overseen by their primary regulators.
Penalties are commonly cited as fines of up to $100,000 per violation for the institution and up to $10,000 per violation for responsible officers and directors, plus cease and desist orders, loss of FDIC insurance for banks, and imprisonment for serious offenses.
1) First, get your GLBA scope straight
In practice, file transfer and file storage controls tie most directly to the Safeguards Rule, because that is where the GLBA requirements around access control, encryption, monitoring, testing, service provider oversight, and incident response are spelled out. The Financial Privacy Rule and the pretexting provisions show up elsewhere: in how you disclose sharing, and in how you prevent social engineering.
File transfer workflow inventory
For each file transfer workflow, write down:
- Where the file starts (source) and who owns and administrates that system
- Where the file ends (destination) and who owns and administrates that system
- The transfer method and endpoint (for example, SFTP, FTPS, HTTPS, API-based transfer)
- How access works (user login, SSH keys, service account, automation token)
- Which partner or internal team the workflow serves
- What the file contains (customer information types, sensitivity)
- What “normal” means for this workflow (naming, schedule, expected file count, typical size)
File storage inventory
For each file storage location where those files can land or persist, write down:
- Purpose (landing, staging, archive, analytics, backups, replicas)
- Who can read, write, delete, and administer
- Whether encryption at rest is enabled and who governs keys or settings
- Retention rules and how disposal is enforced
- Copy paths (replication, backups, exports, partner pulls)
2) The quick GLBA compliance checklist for file workflows
This short GLBA checklist covers the basic components of your GLBA control framework; a more granular version follows. If you say yes to an item on this list, you should also be able to prove it.
- You have a written information security program and a designated owner (often called a Qualified Individual).
- You have a current inventory of file transfer workflows that at any point involve customer information.
- You have a current inventory of file storage locations where that information can land, including backups and replicas.
- Your risk assessment explicitly covers file workflow risks (misdelivery, credential compromise, permission drift, staging sprawl).
- You enforce least privilege for file transfer endpoints and for file storage permissions.
- You protect customer information in transit and at rest, or you have written, approved compensating controls.
- You use strong authentication for people accessing sensitive systems, especially administrative access paths.
- You log file activity and administrative changes, and you can retrieve logs quickly when needed.
- You test safeguards on a schedule and you close and remedy findings, not just record them.
- You oversee service providers with due diligence, contracts, and periodic reassessment.
- You have an incident response plan that covers file transfer and file storage breach and leak scenarios.
- You report on the information security program to leadership on the required cadence.
Evidence to keep:
- Written information security program, with the named Qualified Individual.
- Current file transfer workflow inventory and owners.
- Current file storage inventory, including backups and replicas.
- Risk assessment covering file workflow risks and a tracked risk register.
- Access review evidence for endpoints and storage (least privilege).
- Encryption and authentication settings evidence, plus approved exceptions.
- Audit log samples showing file activity and admin changes, plus retention.
- Testing results with closed remediation items.
- Service provider due diligence and contract safeguards.
- Incident response plan for file workflow breaches and leaks.
- Leadership reporting record on the required cadence.
2.1 Financial Privacy Rule checklist items for file transfer and file storage workflows
In terms of the GLBA Privacy Rule, do you have these bases covered, and can you prove it?
- You maintain current privacy notices that accurately describe how customer information and NPI are collected, used, and shared, including sharing through file transfer and file storage workflows with partners, vendors, customers, and internally.
- You have an operational process to handle opt-out rights where applicable, and your file sharing and file transfer processes respect those choices where required.
- You document what customer information is shared, with whom, and for what purpose, especially when sharing with nonaffiliated third parties or service providers.
- You ensure customer information is only used for the approved task by writing those limits into contracts and by locking the workflow down to the right people, systems, and destinations.
- You have guardrails that prevent accidental sharing of sensitive account identifiers or customer information in contexts that are not allowed or not disclosed.
Evidence to keep:
- Current privacy notice versions and distribution records
- Opt-out handling records where applicable
- Data sharing register for customer information and NPI
- Service provider contracts or addenda that cover customer information protections
2.2 Pretexting checklist items for file transfer and file storage workflows
The GLBA pretexting provisions (15 U.S.C. § 6821) make it illegal to obtain, or attempt to obtain, customer information from a financial institution under false pretenses, by deception, or by fraudulent impersonation, which in practice includes phishing. The failure mode is simple: “it seemed legitimate, so we handed over access.”
File workflows are especially vulnerable because attackers love requesting destination changes, credential resets, or “urgent exceptions.”
- You have a clear identity verification process for requests involving customer information, credentials, new destinations, access changes, or file releases.
- You require out-of-band verification for high-risk requests, especially bank detail changes, destination changes, and urgent “send it now” exceptions.
- You train staff to recognize phishing and social engineering attempts that target file transfer credentials, file storage access, and partner workflow changes.
- You enforce strong authentication for administrative and support access paths that can change file transfer or file storage controls.
- You monitor for suspicious patterns tied to pretexting, such as unusual access requests, unfamiliar senders, repeated failures, and sudden changes in file destinations.
Evidence to keep:
- Identity verification procedures and escalation rules
- Ticket or request records showing verification steps for high-risk changes
- Training records and phishing test results
- Authentication and access logs that support investigations
3) File transfer controls that satisfy GLBA requirements
Think of file transfer as two problems at once. One is who can connect. The other is what they can do after they connect. Managed file transfer and cloud SFTP services can help by enforcing secure transfer and storage protocols, centralizing identities, permissions, workflow boundaries, and detailed audit logs, so controls stay consistent across partners and workflows.
3.1 Access control and least privilege
What to implement:
- Use separate identities per partner and per workflow when customer information is involved. Centralized user and credential management makes per-partner separation easier to enforce and easier to unwind.
- Separate human access from automation access, then manage each tightly.
- Restrict administrative access to a small, named set of roles.
- Run regular access reviews and remove stale access promptly.
Evidence to keep:
- User and permission map
- Access review records and removals
- Administrative access logs
3.2 Encryption in transit and endpoint trust
Encryption is expected in financial services file transfer. The detail that often gets missed is endpoint trust. You want to be sure you are encrypting to the right destination, not just encrypting.
What to implement:
- Encrypt customer information in transit for file transfer workflows.
- Standardize secure protocol configurations and prevent configuration drift across partners and environments.
- Validate endpoint identity (for example, SSH host key validation or certificate validation) before transferring customer information, and treat host keys and certificates as controlled trust assets.
- Consider consolidating partner workflows onto a managed cloud SFTP endpoint and centralized storage. With SFTP To Go, files land in S3-backed storage (built-in storage or bring-your-own-bucket), a centralized secure destination with defined access boundaries for each user and auditable oversight of all events and permissions.
- Document exceptions and compensating controls if you genuinely cannot meet a control as written, and tie each exception to a specific workflow, owner, and expiry date.
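The endpoint-trust point above is easier to see in code. The following is an added example, not code from the original page or from SFTP To Go: a small Python host-key pinning check for a transfer job. It assumes a local allowlist (`PINNED_HOST_KEYS`) of host, port, key type and SHA256 fingerprint per partner endpoint, and uses constructed key blobs (arbitrary bytes in OpenSSH's wire layout, not real key pairs) so it runs offline. The fingerprint computation matches what `ssh-keygen -lf` prints for a public key, so a pin can be taken from the partner's published fingerprint over a verified channel rather than from the first live connection.

```python
import base64
import hashlib
import hmac
import struct


class HostKeyRejected(Exception):
    """Raised when the endpoint is not pinned or presents a key that does not match."""


def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_public_key(key_type: str, key_material: bytes) -> str:
    """Build a base64 public-key blob in the layout OpenSSH uses in known_hosts.

    CONSTRUCTED for this example: key_material is arbitrary bytes, not a real
    key pair. Only the blob layout matters for fingerprinting and matching.
    """
    blob = _wire_string(key_type.encode()) + _wire_string(key_material)
    return base64.b64encode(blob).decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob).

    Same value `ssh-keygen -lf` prints, so a pin can come from the partner's
    published fingerprint instead of from a live connection.
    """
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_key_type(key_b64: str) -> str:
    """Key type declared inside the blob itself (its first wire string)."""
    blob = base64.b64decode(key_b64)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def verify_host_key(pinned: dict, host: str, port: int, key_type: str, presented_key_b64: str) -> bool:
    """Allow a transfer only to a pinned endpoint presenting the pinned key.

    An endpoint that is not in the allowlist is rejected, never learned:
    trust-on-first-use would silently accept a redirected destination.
    """
    entry = pinned.get((host, port))
    if entry is None:
        raise HostKeyRejected(f"{host}:{port} is not a pinned endpoint")
    pinned_type, pinned_fp = entry
    # Both the textual type and the type inside the blob must match the pin,
    # so a key of another algorithm cannot be passed off under the same label.
    if key_type != pinned_type or embedded_key_type(presented_key_b64) != pinned_type:
        raise HostKeyRejected(f"{host}:{port} presented {key_type}, pinned {pinned_type}")
    if not hmac.compare_digest(fingerprint(presented_key_b64), pinned_fp):
        raise HostKeyRejected(f"{host}:{port} host key fingerprint mismatch")
    return True


def host_key_ok(pinned: dict, host: str, port: int, key_type: str, presented_key_b64: str) -> bool:
    """Boolean wrapper for callers that log and skip the transfer rather than abort."""
    try:
        return verify_host_key(pinned, host, port, key_type, presented_key_b64)
    except HostKeyRejected:
        return False


# Constructed allowlist with one pinned partner endpoint (hypothetical hostname).
# In production this lives in a controlled file or your MFT's endpoint config,
# changed only by a named role, with change history kept as evidence.
PARTNER_A_KEY = constructed_public_key("ssh-ed25519", b"\x01" * 32)
PINNED_HOST_KEYS = {
    ("sftp.partner-a.example", 22): ("ssh-ed25519", fingerprint(PARTNER_A_KEY)),
}

if __name__ == "__main__":
    rogue_key = constructed_public_key("ssh-ed25519", b"\x02" * 32)
    print(fingerprint(PARTNER_A_KEY))
    print(host_key_ok(PINNED_HOST_KEYS, "sftp.partner-a.example", 22, "ssh-ed25519", PARTNER_A_KEY))  # True
    print(host_key_ok(PINNED_HOST_KEYS, "sftp.partner-a.example", 22, "ssh-ed25519", rogue_key))      # False
    print(host_key_ok(PINNED_HOST_KEYS, "lookalike.example", 22, "ssh-ed25519", PARTNER_A_KEY))       # False
```

SSH libraries expose the same decision through their missing-host-key policy (paramiko's `RejectPolicy`, for instance); the point is that the policy is reject, not auto-add, and that the pin list is treated as a controlled trust asset with an owner and a change history.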
Evidence to keep:
- Endpoint configuration baseline
- Change history for security settings
- Exception approvals and compensating control records
3.3 Partner isolation and misdelivery prevention
Misdelivery usually comes from shared landing areas, weak validation, or manual steps that are too forgiving.
What to implement:
- Separate landing paths per partner and per workflow. Per-partner boundaries are easier to keep consistent when permissions and paths are centrally managed through an MFT that supports GLBA compliance.
- Enforce separation with permissions, not folder names.
- Validate inbound files against expectations (sender, naming pattern, timing, count, size).
- Quarantine unexpected files until reviewed.
- Control overwrites where replacement can break reconciliation or reporting. Centralized auditing through a managed solution helps you prove who delivered what, where it landed, and what happened next.
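To make the validation and quarantine steps concrete, here is an added example in Python, not code from the page or from SFTP To Go: it encodes one partner's expectations from the workflow inventory as a profile, checks each inbound file against sender, landing path, name, delivery window and size, quarantines anything that misses, and flags the whole batch when the accepted count is wrong. The profile values, credential name, paths and file list are constructed for the example; the delivery window is assumed not to cross midnight.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class WorkflowProfile:
    """What 'normal' looks like for one partner workflow, taken from the inventory."""
    partner: str
    credential: str                  # the only identity allowed to deliver this feed
    landing_prefix: str              # per-partner landing path (also enforced by permissions)
    name_pattern: "re.Pattern[str]"  # expected naming convention
    window_start: time               # expected delivery window, UTC, same calendar day
    window_end: time
    max_bytes: int
    expected_count: int              # files expected per delivery


@dataclass(frozen=True)
class InboundFile:
    path: str
    size: int
    received_at: datetime            # UTC, naive
    uploaded_by: str                 # credential that wrote the file, from the audit log


def check_file(profile: WorkflowProfile, f: InboundFile) -> list:
    """Return every expectation the file violates; an empty list means accept."""
    reasons = []
    if not f.path.startswith(profile.landing_prefix.rstrip("/") + "/"):
        reasons.append("outside partner landing path")
    if f.uploaded_by != profile.credential:
        reasons.append(f"unexpected sender {f.uploaded_by}")
    if not profile.name_pattern.fullmatch(f.path.rsplit("/", 1)[-1]):
        reasons.append("name does not match expected pattern")
    if not profile.window_start <= f.received_at.time() <= profile.window_end:
        reasons.append("received outside delivery window")
    if f.size > profile.max_bytes:
        reasons.append(f"size {f.size} exceeds limit {profile.max_bytes}")
    if f.size == 0:
        reasons.append("empty file")
    return reasons


def triage(profile: WorkflowProfile, files: list) -> dict:
    """Split a delivery into accepted and quarantined files, then check the batch.

    Quarantined files are held (not processed, not forwarded) until reviewed.
    A count mismatch flags the whole batch so downstream jobs do not reconcile
    against a partial delivery.
    """
    result = {"accept": [], "quarantine": [], "batch_alerts": []}
    for f in files:
        reasons = check_file(profile, f)
        if reasons:
            result["quarantine"].append((f.path, reasons))
        else:
            result["accept"].append(f.path)
    if len(result["accept"]) != profile.expected_count:
        result["batch_alerts"].append(
            f"expected {profile.expected_count} files, accepted {len(result['accept'])}")
    return result


# Constructed profile and delivery for this example (hypothetical partner, no real data).
PARTNER_A = WorkflowProfile(
    partner="partner-a",
    credential="partner-a-batch",
    landing_prefix="partners/partner-a/inbound",
    name_pattern=re.compile(r"PARTNERA_ACH_\d{8}\.csv"),
    window_start=time(1, 0),
    window_end=time(4, 0),
    max_bytes=50 * 1024 * 1024,
    expected_count=2,
)

SAMPLE_DELIVERY = [
    InboundFile("partners/partner-a/inbound/PARTNERA_ACH_20240105.csv", 1_200_000,
                datetime(2024, 1, 5, 2, 15), "partner-a-batch"),
    InboundFile("partners/partner-a/inbound/ACH_20240105.csv", 900_000,
                datetime(2024, 1, 5, 2, 16), "partner-a-batch"),          # wrong name
    InboundFile("partners/partner-a/inbound/PARTNERA_ACH_20240105.csv.bak", 80 * 1024 * 1024,
                datetime(2024, 1, 5, 13, 40), "ops-admin"),               # wrong sender, name, time, size
]

if __name__ == "__main__":
    outcome = triage(PARTNER_A, SAMPLE_DELIVERY)
    print("accept:", outcome["accept"])
    for path, reasons in outcome["quarantine"]:
        print("quarantine:", path, "->", "; ".join(reasons))
    print("batch:", outcome["batch_alerts"])
```

The quarantine reasons double as the exception log the evidence list asks for: every held file carries the rule it tripped, and the batch alert is what an operator sees instead of a silent partial load.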
Evidence to keep:
- Partner boundary permission map
- Validation rules and exception logs
- Quarantine events and resolutions
3.4 Automation controls
File transfer automation accounts tend to involve broad access. That is a design problem that will need to be solved for GLBA.
What to implement:
- Keep automation permissions narrow and workflow-specific. With a cloud SFTP service like SFTP To Go, centralized workflows, configurable access rules and folder/file level boundaries make this easy to achieve.
- Rotate secrets and avoid long-lived shared credentials.
- Restrict who can create or modify automations that move, rename, publish, or delete files.
- Log automation actions with a clear identity and workflow context. Platform-level logging through a secure MFT makes it easier to prove what automation ran and what files and users were involved.
Evidence to keep:
- Automation inventory with owners and purpose
- Secrets rotation records
- Change approvals and deployment history
3.5 Logging and monitoring
Logs are not just for “security.” They let you answer basic GLBA audit questions without guessing.
What to implement:
- Log authentication successes and failures.
- Log file actions (upload, download, delete, rename, permission changes).
- Log administrative changes to users, permissions, and endpoint settings. With SFTP To Go, centralized audit logs are easier to retain, search, filter, and export than logs spread across multiple servers, and consistent event records reduce time lost reconstructing timelines during audits and incidents.
- Alert on patterns that often indicate abuse (repeated failures, off-hours access, bulk downloads, mass deletes, new source locations). SFTP To Go includes configurable webhook notifications that alert you to file events as they happen.
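The alert patterns above can be expressed directly as detection rules. The following added example (not from the page or from SFTP To Go) runs them in Python over a constructed audit log whose line format (an ISO timestamp, then key=value fields for user, action, path, outcome and source IP) is assumed for the example; a real platform export will need its own parser but the same rules. The thresholds, the human-versus-automation split and the baseline source IPs are assumptions to tune per workflow from the inventory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds; tune to each workflow's "normal" from the inventory.
FAILURE_THRESHOLD, FAILURE_WINDOW = 5, timedelta(minutes=10)
DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW = 10, timedelta(minutes=15)
DELETE_THRESHOLD, DELETE_WINDOW = 20, timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)                         # UTC; applies to human users only
HUMAN_USERS = {"analyst-j", "ops-admin"}              # automation runs off-hours by design
KNOWN_SOURCES = {"partner-a-batch": {"203.0.113.9"}}  # baseline source IPs per credential


def parse(line: str) -> dict:
    """Parse one constructed line: '<ISO ts> user=.. action=.. path=.. outcome=.. src=..'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _burst(times: list, threshold: int, window: timedelta) -> bool:
    """True if any `threshold` events fall within `window` of each other."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def _times_by(events: list, key, action: str, outcome: str) -> dict:
    """Timestamps of matching events grouped by `key(event)`."""
    groups = defaultdict(list)
    for ev in events:
        if ev["action"] == action and ev["outcome"] == outcome:
            groups[key(ev)].append(ev["ts"])
    return groups


def detect(lines: list) -> set:
    """Run the abuse-pattern rules over log lines; returns (rule, subject) pairs, deduplicated."""
    events = [parse(ln) for ln in lines]
    alerts = set()
    for (user, src), ts in _times_by(events, lambda e: (e["user"], e["src"]), "auth", "failure").items():
        if _burst(ts, FAILURE_THRESHOLD, FAILURE_WINDOW):
            alerts.add(("repeated_auth_failures", f"{user}@{src}"))
    for user, ts in _times_by(events, lambda e: e["user"], "download", "success").items():
        if _burst(ts, DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW):
            alerts.add(("bulk_download", user))
    for user, ts in _times_by(events, lambda e: e["user"], "delete", "success").items():
        if _burst(ts, DELETE_THRESHOLD, DELETE_WINDOW):
            alerts.add(("mass_delete", user))
    for ev in events:
        if ev["outcome"] != "success":
            continue
        if ev["user"] in HUMAN_USERS and ev["ts"].hour not in BUSINESS_HOURS:
            alerts.add(("off_hours_access", ev["user"]))
        if ev["user"] in KNOWN_SOURCES and ev["src"] not in KNOWN_SOURCES[ev["user"]]:
            alerts.add(("new_source_ip", f"{ev['user']}@{ev['src']}"))
    return alerts


def _line(ts, user, action, path, outcome, src):
    return f"{ts} user={user} action={action} path={path} outcome={outcome} src={src}"


# Constructed sample log (not real traffic): one burst of each pattern plus benign noise.
SAMPLE_LOG = (
    [_line(f"2024-01-05T03:0{i}:12Z", "partner-b", "auth", "-", "failure", "198.51.100.7") for i in range(6)]
    + [_line(f"2024-01-05T23:1{i}:00Z", "analyst-j", "download", f"/partners/partner-a/archive/ACH_2024010{i}.csv", "success", "192.0.2.10") for i in range(10)]
    + [_line(f"2024-01-05T14:00:{i:02d}Z", "ops-admin", "delete", f"/staging/tmp/part{i}.csv", "success", "192.0.2.20") for i in range(25)]
    + [_line("2024-01-05T02:00:00Z", "partner-a-batch", "upload", "/partners/partner-a/inbound/PARTNERA_ACH_20240105.csv", "success", "203.0.113.9"),
       _line("2024-01-05T02:30:00Z", "partner-a-batch", "upload", "/partners/partner-a/inbound/PARTNERA_ACH_20240105b.csv", "success", "198.51.100.200"),
       _line("2024-01-05T09:15:00Z", "analyst-j", "auth", "-", "failure", "192.0.2.10")]  # single failure: benign
)

if __name__ == "__main__":
    for rule, subject in sorted(detect(SAMPLE_LOG)):
        print(f"{rule:24} {subject}")
```

Two design points worth keeping when you port this to real logs: the off-hours rule is scoped to human identities so nightly automation does not drown the alert queue, and the new-source rule needs a baseline per credential, which is exactly the "what normal means" column from the workflow inventory.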
Evidence to keep:
- Sample logs showing user, time, action, path, outcome
- Alert rules and alert history
- Incident tickets linked to log evidence
4) File storage controls that satisfy GLBA requirements
Even when transfers are secure, lack of encryption at rest, broad storage permissions or undefined retention can undo the work.
Managed cloud SFTP plus storage can help by giving you one controlled secure landing and storage layer, instead of files silently propagating into personal shares, unmanaged buckets, and “temporary” folders that never disappear.
4.1 Storage access boundaries and segregation
What to implement:
- Enforce least privilege at the storage layer, not only at the transfer layer.
- Separate partner datasets from each other and from internal datasets. With SFTP To Go, clear folder boundaries and configurable permissions make segregation easier to keep correct over time.
- Separate production and non-production storage, including separate credentials and policies.
- Restrict delete permissions and add recovery guardrails appropriate to risk.
- Consolidate storage to reduce the number of uncontrolled copy paths you have to audit and review.
Evidence to keep:
- Storage access policies and change history
- Access reviews and remediation tickets
- Evidence of partner and environment separation
4.2 Encryption at rest and governance
Encryption at rest is stronger when you can explain who can change it, who can decrypt, and how exceptions are handled.
SFTP To Go’s built-in S3 storage keeps data encrypted at rest at all times, so there are no per-location encryption inconsistencies to track, and requires MFA for admin logins; its audit logs record administrative activity and file events with user IDs, timestamps, and file/folder details.
What to implement:
- Encrypt customer information at rest, or document approved compensating controls where encryption is infeasible.
- Define who can change encryption settings and who can approve exceptions.
- Record security changes and key governance actions where applicable.
Evidence to keep:
- Encryption-at-rest configuration evidence
- Key governance documentation and rotation records
- Administrative change logs for storage security
4.3 Retention, lifecycle, and secure disposal
Retention failures are usually not dramatic but gradual. A staging folder becomes an archive, which then becomes permanent.
What to implement:
- Define retention by data type and workflow purpose. With a managed solution, centralized paths make it easier to apply retention rules consistently and prove they are applied.
- Enforce retention with lifecycle rules, not only policy documents.
- Apply the same discipline to log retention, since logs are the evidence you will need later. SFTP To Go’s Enterprise plan offers customizable log retention rules.
- Apply retention and disposal intent across every copy, including backups and replicas (also a feature of SFTP To Go’s Enterprise plan). A single managed landing and archive pattern reduces accidental long-term storage in random locations.
- Track and approve retention exceptions when business requirements justify them.
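For the lifecycle-rule point, here is an added Python example (not the page's or SFTP To Go's code) that turns a storage inventory's retention decisions into an S3 lifecycle configuration in the layout boto3's `put_bucket_lifecycle_configuration` accepts, and reports inventory prefixes that no rule covers. The inventory, prefixes and retention periods are constructed assumptions; the 7-year archive figure is illustrative, not a GLBA requirement. It builds and checks the configuration offline; applying it needs credentials and is left as a comment.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StorageLocation:
    """One row of the file storage inventory: purpose, path, and retention intent."""
    purpose: str
    prefix: str
    retention_days: Optional[int]   # None = no retention decision recorded yet


def build_lifecycle(locations: list) -> dict:
    """Turn retention intent into an S3 lifecycle configuration (boto3 layout).

    One rule per prefix. Keep prefixes non-overlapping so exactly one expiration
    applies to any object. NoncurrentVersionExpiration stops versioned copies
    from outliving the policy on versioned buckets, and the multipart abort
    clears half-uploaded debris that otherwise lingers invisibly.
    """
    rules = []
    for loc in locations:
        if loc.retention_days is None:
            continue
        rules.append({
            "ID": f"{loc.purpose}-{loc.retention_days}d",
            "Filter": {"Prefix": loc.prefix},
            "Status": "Enabled",
            "Expiration": {"Days": loc.retention_days},
            "NoncurrentVersionExpiration": {"NoncurrentDays": loc.retention_days},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        })
    return {"Rules": rules}


def uncovered_prefixes(locations: list, lifecycle: dict) -> list:
    """Inventory prefixes with no enabled expiration rule: the 'temporary'
    folders and export paths that become permanent if nobody notices."""
    covered = [r["Filter"]["Prefix"] for r in lifecycle["Rules"]
               if r["Status"] == "Enabled" and "Expiration" in r]
    return [loc.prefix for loc in locations
            if not any(loc.prefix.startswith(p) for p in covered)]


def overlapping_prefixes(lifecycle: dict) -> list:
    """Pairs of rule prefixes where one contains the other (ambiguous retention)."""
    prefixes = [r["Filter"]["Prefix"] for r in lifecycle["Rules"]]
    return [(a, b) for a in prefixes for b in prefixes if a != b and b.startswith(a)]


# Constructed inventory for one bucket (hypothetical paths); exports has no decision yet.
INVENTORY = [
    StorageLocation("landing", "partners/partner-a/inbound/", 30),
    StorageLocation("staging", "staging/", 7),
    StorageLocation("archive", "partners/partner-a/archive/", 7 * 365),
    StorageLocation("exports", "exports/", None),
]

if __name__ == "__main__":
    cfg = build_lifecycle(INVENTORY)
    print("rules:", [r["ID"] for r in cfg["Rules"]])
    print("uncovered:", uncovered_prefixes(INVENTORY, cfg))    # ['exports/']
    print("overlapping:", overlapping_prefixes(cfg))           # []
    # To apply (requires AWS credentials and network; not run here):
    # import boto3
    # boto3.client("s3").put_bucket_lifecycle_configuration(
    #     Bucket="your-bucket", LifecycleConfiguration=cfg)
```

The `uncovered_prefixes` output is the useful artifact for an audit: an empty list, together with an export of the applied configuration, is evidence that retention is enforced by the platform rather than by a policy document alone.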
Evidence to keep:
- Retention schedule with approvals
- Lifecycle configuration exports
- Deletion evidence and exception approvals
4.4 Backup and recovery
Backups protect availability for your business, your client, and your partners in the event of data loss, data corruption, natural disaster, power outage, and more, but they also create more places where customer information exists. Treat backups as part of your file storage control process.
What to implement:
- Back up storage and critical workflow configurations. SFTP To Go’s S3-backed storage is rated at 99.99% uptime and 99.999999999% data durability, and as a cloud-native service it takes server and infrastructure management off your plate. Durability protects against loss of the stored object, not against deletion or corruption by an authorized account, so you still need backups and a tested restore path.
- Run recovery tests on a schedule by restoring sample files and recording results. Backups are only useful if they can be restored quickly and correctly, and consolidating workflows on a managed platform can reduce the number of separate systems you must back up and recover.
- Apply access controls to backups that match production intent. These controls should be as strict and well maintained as your primary data store.
- Keep a recovery procedure current and practical, including who can trigger recovery, what gets restored first, and how you verify the restored data and workflow settings.
Evidence to keep:
- Backup inventory and policy
- Restore test records
- Recovery runbooks and update history
5) Service provider oversight for file transfer and file storage
Many financial services file workflows depend on third parties, including data processors, integration providers, contractors, and managed services.
What to implement:
- List every service provider involved in file transfer or file storage workflows that touch customer information, including who they are, what they can access, and why.
- Do due diligence before onboarding, then reassess on a schedule that matches the access they have and the sensitivity of the files involved.
- Put safeguards into contracts, including access limits, minimum security controls, and clear incident notification expectations that align with your incident response process.
- Track vendor findings until they’re closed, including deadlines, owners, and proof of remediation.
- If you’re trying to reduce the number of third parties directly handling customer information, consolidate file transfer and file storage into fewer managed systems; SFTP To Go can act as a single managed SFTP endpoint with centralized S3-backed storage, so fewer separate vendors and servers sit in the middle of partner file workflows.
- Keep vendor-facing evidence easy to pull by standardizing how you export access lists, permissions, and audit records from the systems you use for file transfer and file storage, instead of stitching it together from multiple one-off setups.
Evidence to keep:
- Vendor assessments and reassessments
- Contract safeguards or security addenda
- Remediation tracking and closure evidence
6) Incident response for file workflow events
File workflow incidents often come down to credentials, destinations, and logs. Your plan should reflect that.
What to implement:
- Define the file workflow scenarios you treat as high priority, including credential compromise, misdelivery, public exposure, ransomware on landing or staging areas, and integrity issues like tampering, missing files, or unexpected overwrites.
- Contain fast by disabling accounts, revoking keys, rotating secrets, isolating endpoints, and preserving logs. Centralized identity and access controls in an MFT make those containment steps more direct across many partners and workflows, instead of logging into multiple servers.
- Reconstruct events using a timeline of who accessed what, when, from where, and what changed. Centralized audit logs, such as the ones available in SFTP To Go, make timeline reconstruction faster and less speculative than piecing together logs from separate hosts.
- Close the loop by fixing the weak point, documenting what changed, and retesting the control so the same failure path is less likely to repeat.
Evidence to keep:
- Incident response procedure for file transfer and file storage events
- Incident tickets and post-incident writeups with timelines and affected file lists
- Log exports used for the investigation and the retention settings that preserved them
- Evidence of containment actions taken (disabled accounts, revoked keys, rotated secrets)
- Remediation records and retest results
Where SFTP fits in your GLBA compliance framework
GLBA compliance is about controls and evidence across the Financial Privacy Rule, the Safeguards Rule, and pretexting protections.
For file transfer and file storage workflows, a managed cloud SFTP and storage service is most useful as the control surface where files move and land under your oversight, because it helps you keep the day-to-day basics consistent across internal teams, automated jobs, systems, customers, vendors, and partners.
SFTP To Go fits here as a centralized place to run file transfers and land files into built-in or BYOB S3 storage, while making it easier to pull the proof you’ll need later.
- Controls it helps you keep consistent:
  - Centralized identities and permissions
  - MFA-protected admin and web access (optionally via SAML SSO)
  - Secure transfer endpoints over SFTP and FTPS (SSH and TLS), plus HTTPS where needed
  - IP allowlists
  - Clear folder boundaries between workflows
  - Standardized endpoint configuration (including controlled cipher suites and key exchange)
  - A single secure landing destination in S3-backed storage
  - Webhook notifications for file events
  - Audit logging across file activity and admin changes
- Evidence it helps you produce and export:
  - Audit logs covering file activity and admin activity, plus CSV exports
  - Credential setup records: home directory isolation (chroot), permission level, activation or deactivation, and access expiry settings
  - SSH key inventory per credential (which keys are on which credential, and when keys were added or removed)
  - IP allowlist records via inbound network rules, both org-wide and per credential
  - Webhook configuration and delivery logs for event notifications and automations (what was sent, when, and whether delivery succeeded)
  - MFA-related evidence where relevant: admin dashboard MFA support, and enforced MFA for web portal credentials if you enable that policy
Use SFTP To Go to support and streamline your GLBA controls: it centralizes secure file transfer and S3-backed file storage, with MFA, clear access boundaries, and exportable audit logs for GLBA evidence.
Frequently asked questions
What are the GLBA requirements that matter most for file transfer?
For file transfer in financial services, the GLBA requirements you feel most are: least privilege access, strong authentication, encryption in transit, partner separation, reliable logging, regular testing, service provider oversight, and incident response readiness.
What are the GLBA requirements that matter most for file storage?
For file storage, focus on: least privilege at the storage layer, encryption at rest with clear governance, enforced retention and disposal, controlled backups and replicas, restore testing, logging, and service provider oversight.
Do GLBA requirements include breach reporting in some cases?
Yes. Under the FTC Safeguards Rule, covered non-bank financial institutions must notify the FTC of a notification event involving the unencrypted customer information of at least 500 consumers, as soon as possible and no later than 30 days after discovery. Treat this as a checklist item for your incident response plan and your legal review, and if your institution answers to a different primary regulator, check that regulator’s own notification rules as well.
