BOL Conferences
#1986422 - 01/05/15 10:57 PM FDIC Exam request
dg Offline
Platinum Poster
Joined: Jan 2005
Posts: 811
Pacific NW
Upcoming exam request includes a list of reports management/BOD use to monitor compliance with GLBA and reports given to the BOD. Not sure what they are asking for; we do not have a formal monitoring system for GLBA. We have an information privacy policy that is reviewed and approved annually. Would this suffice?

#1986431 - 01/06/15 01:36 AM Re: FDIC Exam request dg
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,370
Galveston, TX
IT audits, penetration testing, vendor due diligence - there is a lot more to GLBA compliance than writing and approving a policy.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1986457 - 01/06/15 02:26 PM Re: FDIC Exam request dg
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
I believe that request is coming from 12 CFR Part 364 Appendix B III F:

"Report to the Board. Each bank shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank's compliance with these Guidelines. The report, which will vary depending upon the complexity of each bank's program should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results from testing; security breaches or violations, and management's response; and recommendations for changes in the information security program."

Last edited by Russ Horn; 01/06/15 02:27 PM.
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com
