Cadwalader Logo Cabinet News & Views - Informed analysis for the financial services industry
FTC Delays Safeguards Rule Implementation for Certain Financial Institutions 
Profile photo of contributor Mercedes Kelley Tunstall
Partner | Financial Regulation

The Federal Trade Commission (“FTC”) announced last week that it is delaying the date by which certain financial institutions must comply with certain provisions of its updated Safeguards Rule by six months, with the compliance date now being June 9, 2023. Applicable to non-banking institutions such as mortgage brokers, motor vehicle dealers, and licensed lenders, the FTC’s iteration of the Safeguards Rule (16 C.F.R. 34) — which implements data security requirements from the Gramm-Leach-Bliley Act (“GLBA”) — was updated in December 2021. 

The FTC’s new requirements are not without controversy. The Safeguards Rule has been hailed as uniquely effective over the two decades it has been in place because it is technology-agnostic and instead requires all financial institutions to maintain data security programs that are commercially reasonable, compared to their cohorts. Indeed, in a dissenting opinion from Commissioners Noah Joshua Phillips and Christine S. Wilson, they note that “the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions.”

To that end, the following provisions have been delayed:

  • Designating a qualified individual to oversee the information security program;
  • Developing a written security risk assessment;
  • Limiting and monitoring who in their organization, and among their service providers and other third parties, can access sensitive customer information;
  • Encryption of all sensitive information;
  • Training of security personnel;
  • Development of an incident response plan;
  • Periodic assessment of the security practices of service providers; and
  • Implementation of multi-factor authentication, or another method of equivalent protection.

While most of these provisions are part of a robust information security program, the FTC cited the need for the delay as stemming from the multitude of small businesses affected by the Safeguards Rule that are still struggling with resuming business as usual after the pandemic.

November 23, 2022
© 2024 | Notices | Manage Subscription | Contacts