On October 27, the FTC announced a final rule amending the Standards for Safeguarding Customer Information, known as “the Safeguards Rule,” under the Gramm-Leach-Bliley Act, which is applicable to a broad range of non-banking financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit reporting agencies to develop, implement, and maintain a comprehensive security system to keep their customers’ information secure.

Key amendments include the following:

  • Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.
  • Adds provisions designed to improve the accountability of financial institutions’ information security programs, such as designating a single qualified individual to oversee their information security program and by requiring periodic reports to boards of directors.
  • Requires a written risk assessment, incident response plan, and periodic assessments of service providers.
  • Expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”– companies that bring together buyers and sellers of a product or service – within the scope of the Rule.

Provisions of the final rule are effective one year after the date of publication in the Federal Register. The remainder of the provisions are effective 30 days following publication.

Putting It Into Practice:  This update comes in the wake of “widespread data breaches and cyberattacks” that, according to the FTC, have resulted in “monetary loss, identity theft, and other forms of financial distress.”  Financial institutions should carefully review the new Safeguards Rule to ensure compliance in light of the heightened scrutiny by the FTC.  In particular, financial institutions may wish to refresh existing information security programs to ensure the confidentiality, integrity, and availability of sensitive customer information consistent with regulatory expectations.