The Federal Trade Commission (FTC) recently issued a rule regarding the Standards for Safeguarding Customer Information (Safeguards Rule) which requires financial institutions to make changes to their information security programs. 

The FTC amendments to the Safeguards Rule incorporate five main compliance changes for financial institutions maintaining customer information on more than 5,000 consumers. These five main compliance changes involve 1) providing more detail about existing security program criteria, 2) increasing accountability for program reporting, 3) expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, 4) incorporating additional terminology definitions, and 5) offering exemptions for smaller institutions.

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure, including ensuring their affiliates and service providers safeguard customer information. The following elements of the information security program have been impacted by the Safeguards Rule amendment: 

  • Qualified Individual: A Qualified Individual must be appointed to oversee the program.
  • Risk Assessment: The Rule outlines key criteria that should be incorporated into the risk assessment, such as encryption of customer information.
  • Controls: Controls must be implemented to diminish the risks identified in the risk assessment process.
  • Training: Institution staff and third-party providers must be able to carry out the security standards.
  • Third Party Risk Management: The Rule imposes requirements for ongoing monitoring of service providers to make sure their safeguards are adequate.
  • Incident Response: Creating an incident response plan helps institutions focus on adequate responses to security events.
  • Annual Report: The Rule requires the Qualified Individual to develop a written report on the status of the program.

The final rule issued by the FTC was effective in January 2022, but there are some provisions that are not effective until December 9, 2022. It would be wise to analyze this new information to ensure your financial institution’s information security program is up to date. To see the FTC’s final rule, please visit this link.