When it was first established in 2003, the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information — the Safeguards Rule — set out to ensure that covered entities maintained the security of customer information. As part of the larger 1999 Gramm-Leach-Bliley Financial Modernization Act, the Safeguards Rule was part of the first wave of regulations that required financial institutions to document and use special care in their handling of sensitive customer information.
At the time, people were only beginning to understand the scope and scale of cybercrime. Throughout the ensuing two decades, the Safeguards Rule has provided incrementally updated data security guidelines for organizations in the financial sector but has struggled to keep pace with the changes and challenges of running a business as technology has evolved.
In a much-needed effort to modernize the original regulation, the rule has been updated as of 2021 to provide better guidance for businesses. Now, with a new definition in place for determining whether you are a covered financial institution and clearer guidelines to help companies navigate compliance, financial organizations will want to examine their Safeguards Rule procedures carefully.
If you have never heard of the Safeguards Rule but handle client money and sensitive client information, read on. You may be a “financial institution” and not even know it.
What Is The Safeguards Rule?
The Safeguards Rule became law in 2003. In 2021, the FTC sought comments on updates to the Safeguards Rule. In December 2021, the Safeguards Rule was updated to more closely apply to the modern cybersecurity landscape.
The updated Rule is expected to go into effect in December 2022, though a petition has been put forward to delay the Safeguards Rule enforcement until December 2023. That said, if you are subject to the FTC’s jurisdiction, no delays in enforcement have been formally announced, and you should start implementing compliance strategies immediately.
What Is a Financial Institution?
Under the Safeguards Rule, the term “financial institution” is a bit of a misnomer. Many types of companies can be called “Financial Institutions” under the Safeguards Rule and be expected to comply even when they may have absolutely nothing to do with the banking or finance world.
Under the Safeguards Rule, the term “finance” refers to your company having any relationship or touchpoint with customer financial data, either through lines of credit, loans, or general financial information. If your business handles any type of financial details, you may have to comply with the Safeguards Rule.
Some businesses classified as “Financial Institutions” by the FTC include:
- Car dealerships,
- Credit counselors,
- Appraisers,
- Collection agencies,
- Check cashing businesses,
- Retailers with store credit cards,
- Accountants and tax preparation services,
- Mortgage brokers,
- Credit unions, and
- A business that charges a fee or commission to connect buyers with consumers or loans with lenders and is involved in any financial transactions between these parties (also known as a “finder”).
This is only a representative list. The FTC considers each business’s facts and circumstances, so if you are concerned that your company may be considered a financial institution, reach out to your counsel to discuss your options. It is worth noting that the FTC may continue to expand the definition of financial institution.
How Can I Comply?
The FTC itself lays out a list of ways to comply with the Safeguards Rule. The key elements of an appropriate Safeguards Rule compliance program include:
- Designate a qualified individual to implement and supervise your company’s information security program. A “Qualified Individual” is an official title for a person overseeing the implementation of a customer information security program. This role can be outsourced, especially if you have a small organization. However, an employee must still oversee the vendor if you outsource this role.
- Conduct a risk assessment. This can be done internally or by a third party.
- Design and implement safeguards to control the risks identified through your risk assessment.
- Regularly monitor and test the effectiveness of your safeguards. Penetration testing is often the most effective way to achieve this.
- Train your staff.
- Monitor your vendors closely. The Safeguards Rule explicitly requires you to monitor your vendors to ensure that each vendor you choose to help you implement your Safeguards Rule compliance is in compliance themselves.
- Keep your information security program current.
- Create a written incident response plan. The Safeguards Rule also requires that your organization draft and maintain an incident response plan. The requirements that your plan must meet are spelled out by the FTC.
- Report to the board of directors. The FTC suggests an annual report delineating an overall assessment of your company’s compliance with its information security program. This includes a risk assessment as well as an overview of risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.
What Are The Consequences of Noncompliance?
Failure to comply with the Safeguards Rule could result in hefty fines, class action lawsuits, and even imprisonment in severe cases. The FTC was not shy about bringing enforcement cases even before the Rule was updated. Do not let your company become the subject of early enforcement under the revised Rule. Check with counsel if you have any questions regarding your status as a financial institution or how the Safeguards Rule may apply to you.