6 November 2021

FTC Finalizes Safeguard Rules For Non-Bank Financial Institutions

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

On October 27, the FTC announced a final rule amending the Standards for Safeguarding Customer Information, known as "the Safeguards Rule," under the Gramm-Leach-Bliley Act. The Rule applies to a broad range of non-banking financial institutions, such as check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and credit reporting agencies, and requires them to develop, implement, and maintain a comprehensive security system to keep their customers' information secure.

Key amendments include the following:

  • Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.
  • Adds provisions designed to improve the accountability of financial institutions' information security programs, such as by designating a single qualified individual to oversee the information security program and by requiring periodic reports to boards of directors.
  • Requires a written risk assessment, incident response plan, and periodic assessments of service providers.
  • Expands the definition of "financial institution" to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds "finders" – companies that bring together buyers and sellers of a product or service – within the scope of the Rule.

Some provisions of the final rule are effective one year after the date of publication in the Federal Register. The remainder of the provisions are effective 30 days following publication.

Putting It Into Practice: This update comes in the wake of "widespread data breaches and cyberattacks" that, according to the FTC, have resulted in "monetary loss, identity theft, and other forms of financial distress." Financial institutions should carefully review the new Safeguards Rule to ensure compliance in light of the heightened scrutiny by the FTC. In particular, financial institutions may wish to refresh existing information security programs to ensure the confidentiality, integrity, and availability of sensitive customer information consistent with regulatory expectations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
