Under which regulation must financial institutions implement a written Information Security Program?


The correct answer is that financial institutions must implement a written Information Security Program under the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to safeguard sensitive customer information and mandates the establishment of an Information Security Program designed to protect against unauthorized access to or use of such information. This regulation emphasizes the importance of protecting consumers' financial data and sets forth guidelines for institutions to develop comprehensive security measures, including risk assessment, security controls, and ongoing monitoring.

In contrast, the Fair Lending Act primarily focuses on preventing discrimination in lending and does not directly require an information security program. Regulation P pertains to the privacy of consumer financial information but does not stipulate the need for a written security program specifically. The Bank Secrecy Act is primarily concerned with anti-money laundering measures and does not require institutions to create an Information Security Program in the context described by the question. Understanding the distinct objectives of these regulations is crucial for compliance within the financial sector.
