Member login
American Financial Services Association

AFSA Seeks Delay on FTC Safeguards Rule

Blog Posts

AFSA Seeks Delay on FTC Safeguards Rule

This week, the American Financial Services Association, along with ACA International, the Consumer Data Industry Association, and the National Automobile Dealers Association, requested that the Federal Trade Commission (FTC) delay the effective date of the Standards for Safeguarding Customer Information rule (Final Rule) until December 2023.

AFSA members appreciate the FTC’s work to protect customers’ information. The association and its members have and will continue to work alongside the Commission to ensure the right safeguards are in place to protect customers, their institutions, and the financial marketplace.

The Final Rule, however, makes several modifications to the FTC’s current rule; one of the most troublesome is the establishment of specific criteria for each covered financial institution’s written risk assessment. As a result, many (if not most) covered entities will need to modify not only their methods for evaluating risks, but also the way they document those risks. All of this is required, even before they do any work to mitigate the issues found and bring their information security program more in line with the FTC’s updated requirements. This process is not straightforward and requires ongoing monitoring by qualified professionals who are already in short supply.

Finally, covered entities must ensure that their service providers meet many of the same complicated requirements and that contracts are amended to reflect these changes. This process is particularly cumbersome and, in many cases, is outside of the control of the covered entities themselves.  As a result, the difficulties many covered entities have in meeting internal compliance are only multiplied by the myriad differing service provider capabilities, technologies, receptiveness, and internal challenges of their own.

The residual effects of COVID-19 on the labor market and supply chain, conflicting regulatory demands and the technological changes required for proper compliance, make it difficult for covered entities to bring their information-security programs into compliance with the Final Rule by the effective date.

COVID-19-related disruptions continue to be felt in both the labor market and supply chain, making it difficult to find both qualified cybersecurity professionals as well as the equipment they need to comply with the Final Rule.

Covered entities simply need more time to ensure their service providers are taking the steps required under the Final Rule.

July 22nd, 2022 by