AFSA submitted a letter on August 2 to the Federal Trade Commission (FTC) seeking changes to its proposed rule amending the Standards for Safeguarding Customer Information before it is implemented.
AFSA laid out five key problematic areas in the proposed rule, known as the Safeguards Rule.
First, the proposed rule seems to discount that financial institutions of all sizes have a vested interest in ensuring that their customers’ information is protected. AFSA members have no desire to become the target of the next large data breach and have expended significant resources to mitigate such breaches. Reputational risks and financial costs from data breaches mean every financial institution has a strong incentive to ensure data is held and maintained in a secure manner.
Second, the rule does not include an adequate safe harbor. The FTC wants financial institutions to ensure that they “have information-security plans that protect customer information” in place while simultaneously ensuring that any rule is flexible. A safe harbor for those companies that are complying with established standards from any one of several regulatory bodies will ensure protections and credit access for consumers.
Third, AFSA strongly supports a single, federal, risk-based standard that preempts state law regarding cybersecurity. The current law does not give the FTC authority to preempt state laws. AFSA believes, however, that the FTC should seek congressional approval to do so. Inconsistent state laws on data security lead to uneven consumer protections and leave businesses unable to comply effectively, reducing credit broadly.
Next, smaller institutions should be exempt from the amended Safeguards Rule. Current security standards are and should be scaled to the size of the institution. The proposed rule would impose national bank-data-security requirements on both large and small financial institutions, those with thousands of branches and those with just a handful. This is unfair and unworkable for smaller financial institutions that do not have a broad, national exposure to cyber-threats. However, some regulation is needed. AFSA proposed that the FTC adopt the same standard as the California Consumer Privacy Act, which provides an exemption for any institution that has fewer than 50,000 consumer records in its database.
Finally, the proposed rule, as written, is highly prescriptive, which runs the risk of becoming a “check the box” exercise as opposed to producing a robust, enhanced security posture. AFSA encouraged the FTC to implement a risk-based approach that provides flexibility to financial institutions, while requiring compliance with the law.
AFSA will continue to work closely with the FTC as it considers this rulemaking.
AFSA Requests FTC Change Safeguards Rule
Aug 07, 2019