
The Safeguards Rule: Financial Institutions Must Protect Client Data!

Do you know if your company classifies as a “financial institution” under the Federal Trade Commission’s Safeguards Rule? If it does, you will need to comply with information security guidelines to protect clients’ personal financial data. Failure to satisfy the Safeguards Rule could cause the FTC to take enforcement actions against your business. Not sure where to start or if this even applies to you? Read on to learn about these data protection rules and how we can help you roll out the necessary solutions to keep your customers’ information safeguarded.

Consumer Financial Information Rule as part of the Gramm-Leach-Bliley Act (GLBA)

The Safeguards Rule is part of the Gramm-Leach-Bliley Act, which originally went into effect on November 12, 1999. On top of making improvements to the financial services industry, the Act deals with customer financial privacy matters. It requires the Federal Trade Commission (FTC), and other government entities that oversee financial organizations, to enforce rules to fulfill the GLBA’s financial privacy provisions. In short, these institutions must spell out their information-sharing practices to their consumers and protect sensitive data. Originally, all businesses designated as “financial institutions” were to be fully compliant with the Act by July 1, 2001.

In 2003, the Privacy of Consumer Financial Information Rule of the GLBA took effect – or simply, the Safeguards Rule. Several provisions of the Rule were amended in 2022, set to take effect on December 9 the same year. Then in November, the FTC announced a delay of six months, changing the effective date to June 9, 2023. According to Reuters, this is because companies struggled to fulfill the requirements for choosing a “qualified” individual for implementation. Supply chain issues also played a role in the delay.

Although there is still time to meet the FTC’s requirements, spring is already here. The guidelines are also incredibly specific and call for a comprehensive information security program. Companies covered under the rule should rally now to review what they need to be fully compliant.

So who does the FTC Safeguards Rule apply to?

The Safeguards Rule summary provided by the FTC defines a “financial institution” broadly. Luckily, Section 314.2(h) of the Rule lists examples of the types of companies that are covered. It includes tax prep firms, mortgage brokers, and investment advisors that don’t need to register with the SEC, to name a few. But the best way to determine if the rules apply to your company? Review the activities your business is involved in. These may include brokering or servicing loans, debt collecting, check cashing, or wire transfer services. Providing real estate settlement services counts as well, as does providing financial, investment, or economic advisory services.

The same section of the Rule cited above also lists examples of businesses that aren’t financial institutions. For example, a business is not a “financial institution” just because it accepts different forms of payment that it did not grant itself. In addition, the FTC has made exceptions for certain provisions of the rules. These are specifically for financial institutions that “maintain customer information concerning fewer than five thousand consumers.”

What does the rule require companies to do?

The FTC Safeguards Rule requires financial organizations to create, roll out, and manage an information security program with administrative, technical, and physical safeguards designed to protect customer information. This includes records that have private personal information about a customer, whether in paper or electronic form. In addition to data handled by the company itself, information provided by other financial affiliates also counts.

Your information security plan must be on paper and tailored to the size and complexity of your business, the nature and scope of your conduct, and the sensitivity of the data at hand. The goals of your company’s plan are:

  • to make sure that customer data is secure and kept confidential;
  • to protect against the potential threats or risks to the security or integrity of that data; and
  • to protect against unapproved access to that data that could end in serious harm or inconvenience to any client.

So what does a practical information security program look like under the Safeguards Rule?

The Safeguards Rule lists nine items that your business’ information security strategy needs to include. Section 314.4 describes each element in detail – we will briefly list them below:

  1. Choose a Qualified Individual to roll out and oversee your business’ information security plan*
  2. Conduct a risk assessment*
  3. Design and implement safeguards to control the risks detected through your risk assessment
  4. Regularly monitor and test the effectiveness of your safeguards
  5. Train your team*
  6. Monitor your service providers and / or affiliates*
  7. Keep your information security program up-to-date
  8. Create a written incident response plan*
  9. Require your Qualified Individual to report to your Board of Directors

*These items are included in the six-month extension. Companies must also limit and monitor who can access sensitive customer information and encrypt that information by the deadline. MFA or another equivalent method of protection needs to be in place by then as well.

We’re happy to help your business meet the FTC’s guidelines

Businesses generally go above and beyond for their customers. They want to create longstanding relationships, provide the best products and services, and maintain a good reputation. Nowadays, it is nearly impossible to manage a company without some technology in place. But some businesses have yet to upgrade their systems and equipment – and are particularly not in compliance with industry standards. Technology and cybersecurity are constantly moving targets. The FTC amending the Safeguards Rule in 2021 reflects that completely. The revised rule keeps the flexibility of the original Safeguards Rule, but also gives companies more solid guidance on how to comply with the requirements.

Still not sure how to proceed? We’re happy to help you evaluate your current IT environment so that you can better protect your clients’ financial information. As a private Cloud and Managed Services Provider, we have a variety of solutions available to you and your business. With our Managed Services offering, we can help your company become more secure. This would provide you with full IT support, including: Cloud and Virtual Desktop Services, Network Administration and Management, Data Center Solutions, Firewall and Security Solutions, Disaster Prevention Solutions, and much more. We can also assist you with upgrading your hardware and software. Your company can then focus on goals and projects rather than worry about protecting customer financial data. Let’s help get you compliant – contact us today!

Tags: compliance,  cybersecurity,  financial data,  safeguards rule

Written by Nicole

Nicole is an Office Administrator at Orange County Computer and has been with the company since 2021.
