The Federal Trade Commission (FTC) has decided to grant an additional six months for financial institutions to comply with most of the provisions outlined in the new Safeguards Rule. The rule, which implements a section of the Gramm-Leach-Bliley Act (GLBA), now has a compliance deadline of June 9, 2023, for all covered institutions. This extension was announced in November 2022.
The GLBA, enacted in 1999, establishes various standards and requirements for financial institutions to protect consumer information. The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program. In October 2021, the Federal Trade Commission (FTC) made significant changes to the Safeguards Rule, which now mandates financial institutions to implement specific technical and administrative safeguards.
Some of the requirements went into effect on January 10, 2022, but the majority were set to take effect on December 9, 2022. The extension of the compliance deadline reflects the FTC’s understanding that financial institutions need more time to meet the rule’s requirements.
The FTC’s latest revisions to the Safeguards Rule mark a significant departure from previous regulations issued by federal financial regulators. The new rule establishes a new benchmark for how financial institutions safeguard consumer financial data and sensitive information by introducing specific standards for the safeguards they must implement. One of the critical provisions of the updated rule is the requirement that financial institutions implement multifactor authentication for those with access to networks holding customer information.
This updated regulation represents a progression in data security regulation at the federal level, as previous regulations offered financial institutions only general guidance. The new Safeguards Rule aims to provide more clarity and direction on the specific actions that financial institutions must take to safeguard consumer financial information, and it brings several new requirements for protecting consumer financial data and sensitive information. These include:
The FTC recognized that certain financial institutions, particularly smaller ones, may face difficulties in meeting the new requirements of the Safeguards Rule by the original deadline. In light of this, the FTC granted the extension to all institutions so they can implement the actions necessary to comply with the rule. Financial institutions should review the new Safeguards Rule and consult with legal and compliance professionals so that they understand the specific requirements that apply to them and are compliant with the rule by the new extended deadline.
The Safeguards Rule applies to a wide range of financial institutions that may not immediately be recognized as such. These include non-bank lenders, retail stores offering credit to customers, and colleges and universities administering certain federal student aid programs. Companies falling into these categories must comply with the regulations set out in the Safeguards Rule to protect consumer data and financial information.
The required measures include physical, electronic, and procedural safeguards such as regular staff training on security protocols, firewalls, and encryption. Companies must also have procedures in place to investigate and respond to any security breaches or suspected breaches. By ensuring that these measures are followed, financial institutions can protect customer information and maintain compliance with the Safeguards Rule.
The updated GLBA rule applies to any organization that falls within the rule’s definition of a financial institution. The FTC has indicated that financial institutions include any businesses engaged in transactions involving personal financial information, such as payment processing services, credit card issuing, and merchant banking. Examples of these types of organizations might include but are not limited to:
Not all organizations will have to comply with every part of the Safeguards Rule. Financial institutions that collect information on fewer than 5,000 consumers are exempt from the requirements for a written risk assessment, an incident response plan, and annual reporting to the board under the new Safeguards Rule.
The FTC expects the Safeguards Rule to be enforced in two distinct ways.
These two enforcement mechanisms ensure that financial institutions are held accountable and appropriately manage their information security programs. The FTC is committed to upholding the Safeguards Rule and providing a safe digital environment for consumers.
The newly expanded definition of a financial institution in the updated Gramm-Leach-Bliley Act brings new requirements for a larger subset of businesses. These entities must enhance their cybersecurity measures to be compliant by the extended deadline. The positive aspect of this update is that it aligns with current technological developments, the evolving threat landscape, and other cybersecurity regulations. The combined regulations now apply to more businesses, promoting information security maturity across a wider range of industries.
As the compliance deadline approaches, all covered organizations should actively explore their options for meeting the requirements. You can assess your readiness for GLBA compliance in several ways: using your internal staff, working with a trusted partner, or a combination of both, in which you hire a vendor while drawing on your internal staff’s expertise and knowledge. It is important to start the process as soon as possible to ensure compliance by the June 9, 2023, deadline.