The revised FTC Safeguards Rule is an update to the original Safeguards Rule, enacted in 2003 as part of the Gramm-Leach-Bliley Act (GLBA). This rule requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the confidentiality and integrity of customer information. The revised law, adopted in 2021, introduces several changes to enhance customer data protection and align it with modern cybersecurity practices.
The most important consideration with the new FTC Safeguards Rule is scope expansion. The new rule also covers non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, as well as other "finders" (businesses that bring together consumers and financial institutions), and requires them to develop, implement, and maintain a comprehensive security program to keep their customers' information safe.
"Finders" is a term used to describe businesses that act as intermediaries between consumers and financial institutions. They play a role in connecting potential customers with financial products or services but do not directly provide these services themselves.
Some examples of finders include:
Car dealerships (financing or leasing): Car dealerships that directly extend credit to customers, arrange or facilitate financing or leasing through third-party financial institutions, or handle sensitive financial customer information during their financing or leasing operations.
Property managers: Property managers who collect, process, or store sensitive financial customer information as part of their property management services, such as tenant screening, rent collection, or financial reporting.
Real estate brokers: Real estate brokers who handle sensitive financial customer information during the buying, selling, or leasing of properties, such as obtaining mortgage pre-approvals, processing rental applications, or facilitating financing.
Loan brokers: These businesses help connect borrowers with lenders by gathering customer information and submitting it to multiple financial institutions to find the best loan terms and rates for the customer.
Mortgage brokers: Similar to loan brokers, mortgage brokers assist individuals in finding suitable mortgage loans by collecting customer information and presenting it to various lenders for evaluation.
Insurance brokers or agents: These intermediaries help customers find appropriate insurance products by collecting their information and submitting it to multiple insurance companies for the best coverage options and rates.
Financial advisors or planners: These professionals often recommend specific financial products or services to their clients based on their financial goals and risk tolerance. In doing so, they may gather sensitive customer information and submit it to various financial institutions to find the best options for their clients.
Non-bank lenders and finance companies, including payday loan providers: Businesses that offer loans or financing directly to customers without being traditional banks or credit unions.
Debt collectors and credit counseling services: Companies involved in collecting debts or providing financial advice and counseling to consumers often handle sensitive financial information.
Check-cashing businesses: Companies that provide check-cashing services to customers, which may involve handling sensitive financial information.
Virtual currency exchanges and other fintech companies that offer financial services: Businesses involved in trading virtual currencies or providing innovative financial services through technology, often processing and storing sensitive customer financial data.
Comparison websites or platforms: These online platforms allow customers to compare different financial products or services, such as loans, credit cards, or insurance policies. They may collect customer information and share it with relevant financial institutions to provide accurate comparisons and personalized offers.
Please note that this list is not all-inclusive, and other businesses that handle sensitive financial customer information may also be subject to the revised FTC Safeguards Rule.
What does this mean for my business?
Here's a brief overview of the main points that business owners, executives, and managers should be aware of:
Risk Assessment: The revised rule emphasizes the importance of thorough risk assessments. Organizations must identify and assess risks to customer information in each functional area and design safeguards to control these risks.
Access Controls: Companies must now implement access controls on information systems, including authentication, authorization, and regular user access monitoring. This helps prevent unauthorized access to customer data.
Encryption: The rule requires financial institutions to encrypt all customer data using strong encryption methodologies, both in transit and at rest. This helps ensure the confidentiality and integrity of the data.
Multi-Factor Authentication: The revised rule mandates multi-factor authentication for anyone accessing customer data. This adds an extra layer of security to prevent unauthorized access.
Incident Response Plan: Companies must develop and maintain a written incident response plan outlining the steps to take in a cybersecurity event. This plan should include procedures for notification, containment, and recovery.
Secure Development Practices: Financial institutions must implement secure development practices for their applications, including regular security testing, patch management, and vulnerability management.
Third-Party Service Providers: Organizations must ensure that their third-party service providers also comply with the Safeguards Rule and exercise oversight and due diligence in selecting and monitoring these providers.
Periodic Evaluation and Adjustment: Companies must regularly evaluate and adjust their information security program to account for technological changes, business operations, or other factors that may impact the program's effectiveness.
Accountability: The revised rule emphasizes the accountability of senior management and the board of directors. They oversee the information security program and receive regular reports on its effectiveness.
By understanding and complying with the revised FTC Safeguards Rule, businesses can better protect customer data and maintain a strong reputation for data security, which is critical in today's digital world.
It is important to note that the applicability of the revised Safeguards Rule to "finders" may vary depending on the specific services they provide and the extent to which they handle sensitive financial customer information. If you are unsure whether your business falls under the rule's scope, it is advisable to consult with a legal expert familiar with the Gramm-Leach-Bliley Act and the FTC Safeguards Rule.
When does this go into effect?
The FTC Safeguards Rule is already in effect. It was originally adopted in 2003 and amended in 2021. The compliance period for the updated FTC Safeguards Rule was originally set to start on January 1, 2023. However, the FTC extended the deadline by six months in response to reports of personnel shortages and supply chain issues.
The revised deadline for compliance is now June 9, 2023.
Are you a business needing help with a plan to implement a program to comply with the new FTC Safeguards Rule and unsure where to start?
We have a quick 4-question quiz to see where you stand with the process, and our new report: "The 5 Biggest Mistakes Hawaii Companies Are Making with the FTC Safeguards Rule and What You Can Do to Avoid Them."