What you don’t know can hurt you.

What is the Safeguards Rule?

The Federal Trade Commission (“FTC”) issued a final rule, effective January 10, 2022, amending the Gramm-Leach-Bliley Act’s Standards for Safeguarding Customer Information (“Safeguards Rule”). The rule applies to non-bank providers of financial products and services that fall within the FTC’s expanded definition of ‘covered financial institutions’. The final rule is designed to provide more specific guidance on how to implement an information security program, and it requires the status of that program to be reported to the board of directors or equivalent governing body at least annually. Modifications to the information security program requirements include the following:

  • Small businesses are exempt from the written risk assessment, the written incident response plan, and the annual report to their board or senior management if they maintain customer information concerning fewer than 5,000 consumers.

Who is required to comply?

The FTC’s expanded definition of covered financial institutions covers non-bank entities that engage in financial activities, including activities that the Federal Reserve Board has determined to be incidental to financial activities.

Entities that fall under this category may include, but are not limited to: check cashers, payday lenders, wire transfer services, mortgage brokers, non-bank lenders, motor vehicle dealerships, personal property or real estate appraisers, tax preparers, courier services, credit reporting agencies, ATM operators, casinos and card clubs, brokers/dealers, investment advisers, mutual funds, private equity funds, hedge funds, commodity traders, underwriters, title companies, and insurance companies.

The expanded definition also brings in ‘finders’: entities whose activity is bringing together buyers and sellers of a financial product or service. These entities are considered covered financial institutions under the final rule.

When is the effective date?

The effective date of the rule was January 10, 2022. Some of the new requirements were given a one-year phase-in period, running to December 9, 2022 (one year from the final rule’s publication in the Federal Register). These include the appointment of a qualified individual, the written risk assessment, annual penetration testing and semiannual (at least every six months) vulnerability assessments, periodic assessment of service providers, and the written incident response plan. Financial institutions therefore were not expected to demonstrate compliance with these phased-in requirements until the end of that period. All other requirements, most of which carried over from the previous Safeguards Rule, had to be in place as of the January 10, 2022, effective date.

Are there penalties for non-compliance?

Should an incident or breach come to light and an investigation be conducted, failure to follow these GLBA requirements can result in fines of up to $100,000 per violation for the institution, up to $10,000 per violation for officers and directors, and penalties of up to one percent of the company’s assets. Employees who do not follow the policies and procedures in place may individually face seven-figure fines, up to five years in federal prison, and the revocation of professional licenses.

The FTC has emphasized that financial institutions retain the flexibility to design an information security program appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the customer information at issue.

Contact us to learn more about the Safeguards Rule, getting your organization compliant, or evaluating your organization’s compliance with the rule.


Withum’s Systems and Process Assurance group has established consulting services to specifically address these requirements. Our dedicated team has extensive experience in Information Technology consulting, virtual Chief Information Security Officer (vCISO) and virtual Chief Compliance Officer (vCCO) services, internal control assessments, and compliance assessment services.


Authors:
Matthew Ferrante | [email protected]
Scott Mahoney | [email protected]
Levon Brown | [email protected]

Contact Us

For more information on this topic, please contact a member of Withum’s Advisory team.