Skip to content

Compliance

Navigating the New FTC Safeguards Rule: Essential Compliance Tips

The Federal Trade Commission (FTC) Safeguards Rule, a mandate under the Gramm-Leach-Bliley Act, plays a crucial role in ensuring that financial services, including those beyond traditional banking sectors like debt collection, uphold stringent data security measures to protect customer information from data breaches. This regulation necessitates a comprehensive approach to safeguard consumer data, stretching its

← All articles
Filed under Compliance

The Federal Trade Commission (FTC) Safeguards Rule is a mandate under the Gramm-Leach-Bliley Act. It requires financial services to protect customer information from data breaches. That includes businesses beyond traditional banking, such as debt collection. The rule reflects the FTC's goal of reducing the risk of unauthorized access to sensitive information.

Recent amendments raise the requirements. Non-banking financial entities must adapt quickly to stay compliant and strengthen their defenses. Starting May 13, 2024, all non-banking institutions must report data breaches and other security events to the FTC. Institutions need to build, run, and regularly reassess their information security programs.

Overview of the FTC Safeguards Rule

The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions to secure sensitive customer information. The rule covers a wide range of entities defined as financial institutions. That includes banks, but also mortgage lenders, payday lenders, finance companies, and other non-banking financial services. These institutions must run information security programs with administrative, technical, and physical safeguards.

Key Requirements of the FTC Safeguards Rule

  1. Designate a qualified individual. Appoint someone to oversee the information security program and ensure it works.
  2. Assess risk. Run a thorough risk assessment to find threats to customer information and system vulnerabilities.
  3. Develop safeguards. Based on the assessment, design and put in place safeguards that address the identified risks.
  4. Monitor and test. Test and monitor the safeguards regularly so they keep pace with new threats.
  5. Oversee service providers. Make sure service providers use adequate safeguards to protect customer information.
  6. Train staff. Run regular training so employees know the security protocols and the threats.

Expanded Coverage and Compliance Requirements

The scope of the rule has grown over time. Recent amendments extended coverage to "finders," which are entities that connect buyers and sellers. That shows how financial services keep evolving.

Compliance is critical. Non-compliance can bring severe penalties. A well-built and well-maintained information security program protects customer data. It also strengthens the institution's reputation and trust in the market.

Implications of the Recent Amendments

The recent amendments add strict requirements for non-banking financial institutions. These changes call for a fast, thorough response to protect consumer data. Here are the key implications.

Enhanced Reporting Obligations

Non-banking financial institutions must now report any data security breach to the FTC within 30 days of discovery. This applies when the breach affects at least 500 consumers. It covers a wide group of entities, including financial technology companies, mortgage brokers, and tax preparers.

Broader Scope of Covered Information

The amendments expand the definition of "customer information." It now includes data gathered through online activity, such as tracking via cookies, not just data provided by consumers. As a result, more types of breaches fall under the reporting requirements.

Tightened Incident Reporting Triggers

Any unauthorized acquisition of unencrypted customer information triggers a reporting obligation. The rule presumes unauthorized access unless the institution can provide reliable evidence to the contrary.

Public Disclosure and Increased Transparency

Once reported, the FTC may make these incidents public. That increases transparency. It can also lead to more public scrutiny, media exposure, and litigation risk.

Preparation for Compliance

Institutions should review and update their policies and procedures now. The amendments take effect 180 days after publication in the Federal Register. That leaves a limited window for updates.

These amendments aim to strengthen protections around consumer data. They also push institutions to improve their security measures. Non-banking financial institutions must make significant changes to meet the new federal standards and protect consumer information against unauthorized access and breaches.

Impact on Non-Banking Financial Institutions

Non-banking financial institutions face heightened scrutiny and higher expectations under the rule. Below are the key measures they must take.

Increased FTC Engagement and Investigative Activity

Expect more engagement from the FTC, especially on cybersecurity risk. The agency is likely to step up its investigations to ensure compliance. The goal is to strengthen security frameworks, reduce breaches, and protect consumer information.

Prioritizing Updates to Incident Response Plans

  1. Review and update incident response plans. Revisit your response strategy so you can act quickly and effectively during a breach.
  2. Reassess security and privacy programs. Reevaluate and strengthen existing frameworks to match the new requirements.
  3. Add new disclosure considerations. Build new disclosure steps into daily practice. Prepare executives and legal leaders with tabletop exercises that simulate breach scenarios.

Comprehensive Security Program Development

The FTC requires every non-banking financial institution to build, run, and maintain a comprehensive security program. It should protect customer information with strong technology and clear administrative protocols. The aim is a secure environment that protects sensitive data and builds consumer trust.

These steps help institutions comply with the rule. They also strengthen defenses against the growing threat of cyberattacks in the financial sector.

Preparing for Compliance

Designation and Training of the Qualified Individual

Appointing a qualified individual is essential. This person can be an employee, an affiliate, or a service provider. They oversee the information security program and ensure compliance with the rule. Regular training keeps this individual and the security staff current on threats and mitigation strategies.

Development of a Strong Information Security Program

  1. Risk assessment. Start with a written risk assessment that includes criteria for evaluating risks and threats to customer information.
  2. Implementation of safeguards. Design and put in place administrative, technical, and physical safeguards based on the assessment.
  3. Regular monitoring and testing. Test and monitor the safeguards so they keep pace with new threats.

Comprehensive Incident Response and Reporting

Build a detailed incident response plan. Cover goals, internal processes, and roles and responsibilities. Include communication strategies, steps for documenting and reporting security events, and a process for post-event analysis. Use what you learn to revise your security measures. The qualified individual should report regularly to the Board of Directors on compliance, risk assessments, and any security events with management's response.

Enhancing Access Controls and Encryption Practices

Use strict access controls to limit and monitor who can reach sensitive customer information. Encrypt sensitive data in storage and in transit to protect its integrity and confidentiality. Require multi-factor authentication, or an equivalent protective measure, for anyone accessing customer information.

Service Provider Oversight and Security Practices Reassessment

Monitor and periodically reassess the security practices of every service provider. Confirm they meet the required standards. Contracts should spell out security expectations and include clauses for regular security audits.

Mitigate Risk with Cyber Insurance

Digital operations face growing regulation, and cyber insurance has become a necessity. The risks of cyberattacks and the potential losses from inadequate coverage are too large to ignore. Businesses should prioritize cybersecurity and invest in comprehensive cyber insurance that covers a wide range of risks.

Full protection calls for standalone, full-coverage cyber insurance. These policies cover a wide range of third-party and first-party cyber risks. They can cover data restoration, lost business income, system failures, reputational harm, and more. Cornerstone can help with your commercial insurance needs. Connect with us today to evaluate the right cyber coverage amount for your company and to build an effective cyber security plan.

The effective date is close, on May 13, 2024. Financial institutions should act quickly to prepare for compliance with the FTC Safeguards Rule. Compliance ensures legal adherence. It also creates a secure, trustworthy environment to operate in. By protecting sensitive consumer information, you also protect your business's reputation.

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

15 Licensing Application Process Facts That Delay Approvals

Compliance

15 Licensing Application Process Facts That Delay Approvals

Most licensing delays come from small misses. A payment method that does not work, a stale certificate, the wrong signature, a missing ownership detail. These are the things that slow down filings, trigger deficiencies, and force teams to redo work they thought was finished. We pulled these from the webinar because they came up naturally [...]

California Delete Act: DROP Deadline and Data Broker Rules

Compliance

California Delete Act: DROP Deadline and Data Broker Rules

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

The Changing Compliance Landscape for Consumer Lenders

Compliance

The Changing Compliance Landscape for Consumer Lenders

Explore evolving compliance rules for consumer lenders, CFPB updates, and strategies to stay compliant in 2025 and beyond.

Nevada Lifts Citizenship Requirement for Collection Agencies

Licensing

Nevada Lifts Citizenship Requirement for Collection Agencies

In Nevada, there is now no requirement to be a citizen of the United States or to be lawfully entitled to remain and work in the United States for collection agency applicants. The requirement was removed on June 14, 2019 when Nevada Governor, Steve Sisolak, signed into law bill AB275. This change which went into [...]

6 Key Changes To Nevada's New Collection Agency Licensing Act

Licensing

6 Key Changes To Nevada's New Collection Agency Licensing Act

Cornerstone unveils a new look and website as the company celebrates its 25-year anniversary

New Bond Amounts for North Dakota

Licensing

New Bond Amounts for North Dakota

North Dakota SB 2093 has been signed into law. This increases the bond requirement for collection agencies and money brokers to $50,000. Cornerstone has been in contact with the regulators within the North Dakota Department of Banking & Financial Institutions and they are currently deciding how they are going to implement this change. Please note [...]

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.