- Fintech companies and other financial institutions (FIs) that are not otherwise subject to a federal functional regulator should be aware that significant updates to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (the Rule) that were initially scheduled to go into effect on Dec. 9, 2022, will now be effective June 9, 2023.
- In relevant part, the updated Rule seeks to improve individual accountability by: (a) mandating the designation of a single individual, with appropriate background and experience, who is responsible for overseeing and implementing the Program (the Qualified Individual); (b) delegating certain oversight responsibilities to the Qualified Individual, who directly reports to the board of directors or similar governing body or senior official; and (c) setting knowledge and qualification requirements for information security personnel.
- The definition of FI was expanded to include "finders" that connect buyers and sellers. However, applicability was also narrowed because companies that process nonpublic personal information of fewer than 5,000 consumers are exempt from certain obligations.
Under the updated Rule,1 FIs are obligated to implement data security measures that will protect against data breaches and cyberattacks in order to prevent financial harm to consumers, including identity theft and loss of funds. These safeguards are meant to codify industry standards and implement "common-sense steps" to protect consumer data. Now that fintech companies and other FIs subject to the Federal Trade Commission's (FTC) oversight are subject to the new Rule, they should carefully consider the following new obligations that will be in effect by June 2023.
- Appoint One Qualified Individual to Be Responsible for the Program. FIs must designate a single Qualified Individual who is accountable for the information security program (Program) and has practical knowledge appropriate to the FI's business circumstances. This Qualified Individual has responsibility for overseeing and implementing the Program, including personnel training and oversight. The Qualified Individual can be employed by the FI directly or employed by an affiliate or a service provider. However, if the Qualified Individual is employed by an affiliate or service provider, the FI must: (a) still comply with the Safeguards Rule; (b) designate an employee to direct and oversee the Qualified Individual; and (c) require the organization that directly employs the Qualified Individual to maintain a compliant Program.
- Institute a Process for the Qualified Individual to Provide Written Reports to the Board of Directors. The Qualified Individual must provide written reports to the board of directors or, if there is no board, to an equivalent governing body or senior officer. These reports must be provided at least annually and include information about compliance with the Rule, the status of the Program and material matters related to the Program. The Rule specifies that material matters include: (a) risk assessment, management and control decisions; (b) service provider relationships; (c) cybersecurity testing results; (d) security incidents and management's response to such incidents; and (e) Program update recommendations.
- Maintain and Update the Program Based on Risk Assessment Findings. While the Rule previously obligated FIs to maintain a written Program based on an assessment of internal and external risks to customer information, the updated Rule requires FIs to conduct periodic written risk assessments and use those assessments to ensure the Program includes appropriate safeguards. The risk assessments should include: (a) criteria for evaluating and categorizing security risks and threats; (b) criteria for assessing the confidentiality, integrity and availability of the FIs' information systems and customer information; and (c) requirements for mitigating or accepting identified risks. The Rule specifically mandates periodic risk assessments that reevaluate risks and determine whether the existing safeguards are sufficient to control those risks. The assessments should be used to design and implement appropriate safeguards then update the Program.
- Implement Security Controls. FIs must implement and periodically review access and authentication controls to prevent unauthorized access to customer information, as well as to limit access to those individuals who need access for legitimate business purposes. These controls should take into account the risk assessment findings and include: (a) encryption of customer information at rest and in transit or, if encryption is not feasible, effective compensating controls approved by the Qualified Individual; (b) implementation of multifactor authentication for systems that contain customer information unless the Qualified Individual has approved an equivalent or stronger control; (c) secure development practices for any in-house developed applications that process customer information; and (d) penetration testing (annually) and vulnerability scanning (every six months) that address the risks and vulnerabilities identified in the risk assessment. Security controls have also been highlighted in recent FTC enforcement actions, which emphasized the importance of strict security practices and required that specific controls be put in place.
- Securely Dispose of Customer Information According to a Regular Schedule. Only data that is being processed can be breached or mishandled, so the updated Rule obligates FIs to develop procedures that require customer information to be disposed of securely. FIs must destroy customer information no later than two years after the last date the customer information was used to provide products or services. These procedures must be implemented so information is consistently disposed of in a timely manner. Exceptions are permitted if the information must be retained for business operations, legitimate business purposes, under applicable laws or regulations, or in situations where disposal is not reasonably feasible because of technicalities of information storage. The procedures and data retention policy should be reviewed periodically to ensure data is not unnecessarily retained.
- Ensure Personnel Can Implement the Program. The FTC has historically emphasized the need for FIs to train their employees on their written Programs. The updated Rule mandates FIs to implement policies and procedures that provide personnel with sufficient information to effectuate the Program. FIs must ensure their information security team has the qualifications to understand information security risks and implement the Program. The information security team should be provided with security updates and stay informed about shifting information security threats and countermeasures. The Rule also requires training, including security awareness training for all personnel and specialized training for information security teams. These trainings should be updated as needed based on the risk assessments.
- Assess, and Reassess, Service Provider Risks and Safeguards. FIs must develop and implement information security controls for their service providers. The FTC routinely brings enforcement actions for violations of the Rule where service provider policies are not enforced. The Rule previously required FIs to conduct due diligence on service providers and ensure that service providers maintain appropriate safeguards. Under the updated Rule, FIs must also periodically reassess their service providers to ensure safeguards remain adequate based on the level of risk they present. FIs should maintain appropriate oversight of service providers by: (a) taking reasonable steps to select and retain service providers that are capable of safeguarding customer information; (b) mandating service providers' safeguards by contract; (c) periodically assessing service providers based on the risks they present and the adequacy of their safeguards, and (d) describing service provider arrangements in board reports. As noted above, service provider arrangements are one of the material matters that must be included in reports to boards of directors related to the Program.
- Establish a Written Incident Response Plan. The updated Rule requires FIs to establish a written incident response plan that covers the following areas: (a) plan goals; (b) internal processes for responding to a security event; (c) roles, responsibilities and decision-making authority; (d) external and internal communications and information sharing; (e) remediation of weaknesses in information systems and associated controls; (f) documentation and reporting security events and related incident response activities; and (g) plan evaluation and revision following a security event. The FTC also expects FIs to commit sufficient resources to respond to reports of unauthorized access promptly and adequately and has brought enforcement actions where companies fail to maintain acceptable customer support capabilities.
- Understand Broad Applicability to Organizations Providing Financial Services. FIs are organizations that significantly engage in financial activities or activities incidental to financial activities as specified in the Bank Holding Company Act, 12 U.S.C. 1843(k). The FTC has jurisdiction over many fintech companies and other FIs that are not otherwise subject to a federal functional regulator. To further clarify the FTC's reach, the updated Rule incorporates examples from the Bank Holding Act, including mortgage lenders and brokers; property appraisers; real estate settlement servicers; payday lenders; finance companies; account servicers; check cashers, printers and sellers; wire transferors; collection agencies; credit counselors; financial advisors; accountants and tax preparation firms; non-federally insured credit unions; and investment advisers that are not required to register with the Securities and Exchange Commission. These examples include FIs that engage in activities incidental to financial activities, such as retailers that issue their own credit cards, dealerships that lease automobiles for longer than 90 days, career counselors that specialize in advice for financial professionals, and travel agencies that provide travel in connection with financial services. In addition, the updated Rule includes a new category of FI – namely, companies acting as finders that bring together buyers and sellers for transactions that the parties themselves negotiate and consummate.
- Know Exemptions for Small FIs. FIs that maintain information for fewer than 5,000 consumers (Small FIs) do not have to comply with certain sections of the updated Rule. While all FIs must base their Programs on risk assessments, Small FIs do not need to document their risk assessments in writing and their assessments do not have to include the specific criteria and requirements in the updated Rule. Small FIs also have reduced security control mandates and do not need to incorporate continuous monitoring or periodic penetration testing and vulnerability assessments into their information system safeguards. In addition, Small FIs do not need to establish written incident response plans. Qualified Individuals of Small FIs are not obligated to provide written reports to the board of directors or equivalent governing body or senior officer.
1. 16 C.F.R. § 314, available at https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.