Member login
American Financial Services Association

FTC Issues New Safeguards Rule

Blog Posts

FTC Issues New Safeguards Rule

The Federal Trade Commission (FTC) has issued its final Safeguards Rule, as AFSA mentioned was likely at our Annual Meeting this past week.

The Safeguards Rule was mandated by Congress under the 1999 Gramm-Leach-Bliley Act.

  • The first rule was issued in 2002 and became effective in 2003.
  • In 2019 the FTC issued a Notice of Proposed Rulemaking setting forth proposed amendments to the Safeguards Rule.
  • The FTC believed that amendments were needed to the previous rule to strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.
  • AFSA commented and many of its comments are reflected in the statement by the two Commissioners who are dissenting from the final rule.

The new rule:

  • Includes more detailed requirements for the development and establishment of information security programs;
  • Adds requirements to improve accountability of financial institutions’ information security programs; and
  • Exempts financial institutions that collect on fewer than 5,000 consumers from certain requirements.

In addition to the updates, the FTC is seeking comment on whether to make an additional change to the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the Commission. AFSA intends on commenting.

AFSA has concerns regarding the financial impact this rule will have on financial institutions, without commensurate benefit to the security of sensitive information. As the Small Business Administration’s Office of Advocacy noted, the FTC does not appear to fully understand the economic impact of the proposed changes. Moreover, without the flexibility to prioritize, finite resources may be diverted to areas of lower risk but higher regulatory scrutiny. Lastly, prescriptive standards limit the ability to adapt quickly to future changes in both technology and the capabilities of threat actors.

October 29th, 2021 by