On October 27, 2021, the Federal Trade Commission (“FTC”) announced amendments to its Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” which it issues under the Gramm-Leach-Bliley Act (“GLBA”), and released a final rule (the “Final Rule”). The Safeguards Rule is designed to protect the security and integrity of consumer personal information collected by financial institutions by requiring them to put in place administrative, technical, and physical safeguards for that information. It requires financial institutions under the FTC’s jurisdiction to implement measures to keep customer information secure and to ensure that their affiliates and service providers also safeguard customer information in their care.
The Final Rule is a significant development because of the breadth of non-bank financial institutions under the FTC’s jurisdiction that it reaches, such as mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the Securities and Exchange Commission, and because it expands that scope to entities acting as “finders.”
The Final Rule does not apply to certain types of entities:
- any entity, with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act;
- any entity chartered and operating under the Farm Credit Act of 1971;
- institutions chartered by Congress specifically to engage in securitizations, secondary market sales or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party other than as permitted by sections 313.14 and 313.15; and
- entities that engage in financial activities, or in activities incidental to financial activities, but that are not significantly engaged in those activities.
The Final Rule also does not apply to national banks, savings and loan institutions, and federal credit unions, because these institutions are regulated by other federal agencies and are not subject to the FTC’s jurisdiction.
Other federal agencies have issued statements and rules that address the increased cybersecurity risk facing the financial services industry. For example, on January 21, 2020, the Office of the Comptroller of the Currency (“OCC”) and the Federal Deposit Insurance Corporation (“FDIC”) issued a joint statement focused on risk management principles that can reduce the risk of a cyber-attack and minimize business disruption. Additionally, on November 17, 2021, the OCC, the FDIC and the Board of Governors of the Federal Reserve System issued a rule that requires covered banking organizations to notify their primary federal regulator of any “significant” cybersecurity incident within 36 hours of determining that one has occurred.
Modifications to the Safeguards Rule
The FTC has adopted five main modifications to the existing Safeguards Rule:
1. It provides covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. The Final Rule requires covered financial institutions to comply with specific new requirements, including the following:
  - Encrypt all customer information, both in transit over external networks and at rest;
  - Implement multi-factor authentication for any individual accessing any information system, unless the use of reasonably equivalent or more secure access controls has been approved in writing by the financial institution’s Qualified Individual;
  - Develop, implement and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless the information is necessary for business operations or other legitimate business purposes, or retention is otherwise required by law;
  - Implement policies, procedures and controls designed to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information by such users;
  - Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the control of the financial institution; and
  - Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those that detect actual and attempted attacks on, or intrusions into, information systems. Absent continuous monitoring, covered financial institutions must conduct penetration testing annually and vulnerability assessments at least every six months.
2. It is designed to improve the accountability of financial institutions’ information security programs, for example by requiring each covered financial institution to designate a Qualified Individual who is responsible for overseeing, implementing and enforcing the institution’s information security program and for providing periodic reports to the board of directors or equivalent governing body. The Qualified Individual may be employed by the financial institution, an affiliate, or a service provider.
3. It exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from the requirements for a written risk assessment, annual penetration testing and semiannual vulnerability assessments, a written incident response plan, and annual reporting to the board of directors.
4. It expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders” (i.e. companies that bring together buyers and sellers of a product or service) within the scope of the Safeguards Rule.
5. It includes several definitions and related examples, including the definition of “financial institution,” in the amended Safeguards Rule itself rather than incorporating them from another related FTC Rule, the Privacy of Consumer Financial Information Rule. This is done in an effort to make the rule more self-contained and to enable readers to understand its requirements without referencing the FTC’s Privacy of Consumer Financial Information Rule.
FTC’s Expanded Definition of “Financial Institutions”
Although the expanded definition of “financial institution” reaches any activity the Federal Reserve Board determines to be incidental to financial activities, the Board has identified only one such activity that was not previously covered: the act of “finding,” as defined in 12 CFR 225.86(d)(1).
The Federal Reserve Board describes the activities of a finder as “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” Under the Safeguards Rule, only finder services that involve consumer transactions are covered. Furthermore, the Safeguards Rule applies only to the information of customers, meaning consumers with which a financial institution has a continuing relationship. This excludes finders that have only isolated interactions with consumers and that do not receive information from other financial institutions about those institutions’ customers.
The FTC provides several examples of continuing customer relationships, including: (i) a consumer having a credit or investment account with a financial institution; (ii) a consumer obtaining a loan from a financial institution; or (iii) a consumer entering into an agreement or understanding with a financial institution under which the institution undertakes to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer. The FTC also gives examples of relationships that are not continuing, such as a consumer obtaining a one-time personal or real property appraisal, or a financial institution selling a consumer’s loan without retaining the right to service that loan.
Given the expanded definition of “financial institution” to include finders that bring together buyers and sellers of products or services and collect very sensitive financial information, the Safeguards Rule would likely cover lead generation websites where a consumer signs up for an account to receive mortgage quotes from lenders. Such a website brings together potential borrowers and lenders of (to give just one example) a mortgage that the borrower and lender negotiate and consummate between themselves, which is a financial activity within the scope of the Safeguards Rule. By signing up for an account on a mortgage lead generation website to collect quotes from various lenders, a consumer enters into an understanding with the website under which it undertakes to facilitate a home mortgage loan for the consumer, which is the kind of continuing relationship that makes the consumer a customer.
The article gives October 27, 2022 as the compliance deadline, on the basis that the principal new requirements take effect one year after the Final Rule’s publication; the one-year period actually runs from publication in the Federal Register, and the FTC subsequently extended the deadline for these provisions to June 9, 2023. Covered financial institutions have that period to come into compliance with the following requirements:
- Designation of a Qualified Individual;
- Written risk assessments;
- Implement safeguards to control the risks that are identified through risk assessments;
- Annual penetration testing and semiannual (at least every six months) vulnerability assessments, unless continuous monitoring is in place;
- Provide employees with training sufficient to address security updates and risks;
- Periodic assessment of service providers;
- Establishment of a written incident response plan; and
- Annual reports to the board of directors or equivalent governing body by the Qualified Individual.