Modification of the safeguard rule for non-banking financial institutions


The Federal Trade Commission (FTC) issued a final rule on October 27, 2021, amending the standards for protecting customer information, known as the “safeguard rule,” under the Gramm-Leach-Bliley Act, which applies to a wide range of non-bank financial institutions. The FTC approved the amendment by a vote of 3 to 2. The FTC’s press release states that “the updated safeguard rule requires non-bank financial institutions, such as mortgage brokers, motor vehicle dealers and payday lenders, to develop, implement and maintain a comprehensive security system to protect their customers’ information.”

The amendment includes “five main changes to the existing rule”, as listed below:

“First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication and encryption.

Secondly, it adds provisions to improve the accountability of financial institutions’ information security programs, for example by requiring periodic reporting to boards of directors or governing bodies.

Thirdly, it exempts financial institutions that collect less customer information from certain requirements.

Fourth, it expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines are incidental to financial activities. This change adds “finders” – businesses that bring together buyers and sellers of a product or service – within the scope of the rule.

Finally, the final rule defines several terms and provides related examples in the rule itself rather than incorporating them by reference to the Consumer Financial Information Privacy Rule, 16 CFR Part 313.”

The final rule is 145 pages long and details the security measures that must be taken by financial institutions to protect consumer financial information “against cyberattacks and other threats.” Most of the requirements codify the basic elements of an information security program that are generally accepted in the cybersecurity industry. Nonetheless, the final rule gives the FTC the ability to initiate enforcement actions and impose fines and penalties in the event that the provisions are not followed by regulated entities, so they deserve attention and consideration.

Copyright © 2022 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XI, Number 301

