Does the FTC Consider Your Business a Financial Institution? —An Updated Safeguards Rule Reminder

Does the FTC Consider Your Business a Financial Institution? —An Updated Safeguards Rule Reminder

October 3, 2023

Staffing shortages and supply chain issues in 2022 prompted the Federal Trade Commission (FTC) to issue a six-month extension for businesses to implement many of the provisions required by their update of the Standards for Safeguarding Consumer Information—also known as the Safeguards Rule.

While the clock ran out on the extension in June 2023, the data security experts at REDW remain concerned that many businesses are unaware of their need to comply with the Safeguards Rule and may be out of compliance with the regulation.

What is the Safeguards Rule?

The Safeguards Rule is a set of standards that were mandated by the Gramm-Leach-Bliley Act in 1999 that were recently updated by the FTC after receiving public input. They’re a detailed set of requirements that covered businesses must follow to protect the public from incidents that can lead to identity theft and financial losses.

Who is required to follow it?

The Safeguards Rule applies to financial institutions that aren’t covered by another agency. The FTC uses a very broad definition of financial institutions defined in the Code of Federal Regulations.

The FTC shared several examples of organizations they deem to be operating as financial institutions. These include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.

What is required in the Safeguards Rule?

The updated Safeguards rule addresses protecting consumer data to shield it from breaches, cyberattacks, and other threats. The rule defines nine elements that must be included in each organization’s information security program.

  • Designate a Qualified Individual to implement and supervise your company’s information security program
  • Conduct a risk assessment
  • Design and implement safeguards to control the risks identified through your risk assessment
  • Regularly monitor and test the effectiveness of your safeguards
  • Train your staff with security awareness training
  • Monitor your service providers, including spelling out security expectations in contracts
  • Keep your information security program current
  • Create a written incident response plan
  • Require your Qualified Individual to report to your Board of Directors

REDW’s trusted advisors are here to help.

Whether you’ve just realized that your company needs to follow the FTC’s Safeguards rule and you’re at ground zero or you’ve been working on it for months—or years!—the data security specialists at REDW can help get you to the finish line. Contact us today to get started, using the How can we help? form on this page.

Recent Posts