In October 2021, the Federal Trade Commission (FTC) announced amendments to the Standards for Safeguarding Customer Information, or “Safeguards Rule,” for short. A part of the Gramm-Leach-Bliley Act, the Safeguards Rule went into effect in 2003, but with changes in technology, the FTC saw an opportunity to update it to protect the security and integrity of consumers’ personal information. The revisions provide clearer guidance for businesses and financial institutions, ensuring that both they and their affiliates and service providers protect personally identifiable information.
If your business does financing or requires customers to fill out a loan application—even if you don’t oversee the lending personally—you will be subject to the expanded requirements.
Who does the Safeguards Rule apply to?
The FTC defines a financial institution as “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities,” including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
With the most recent update, this definition has expanded to include anyone who acts as a “finder,” bringing together buyers and sellers while the parties themselves negotiate and complete the transaction. This includes businesses such as car dealerships, furniture companies, big box electronics retailers, home builders, and construction companies that put customers in touch with lenders in order to pay for their services.
What does the Safeguards Rule require companies to do?
The Safeguards Rule aims to set standards which will protect customers’ personally identifiable information. As stated in these amendments to sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act, “You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
The objectives of this security program are to:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Section 314.4 of the Safeguards Rule identifies nine elements your business’s information security program must include, effective December 9, 2022. In summary, these are:
- Designate a Qualified Individual (may be employed by you, an affiliate, or a service provider) to implement and supervise your company’s information security program.
- Conduct a risk assessment with a written report which includes: criteria for the evaluation and categorization of security risks; criteria for the assessment of the “confidentiality, integrity, and availability of your information systems and customer information”; and requirements describing how these risks will be mitigated. After an initial risk assessment, subsequent assessments should be periodically performed in order to reexamine potential threats to your customers’ information.
- Design and implement safeguards to control the risks identified through your risk assessment.
- Regularly monitor and test the effectiveness of your safeguards. For information systems, the monitoring and testing includes continuous monitoring or periodic penetration testing and vulnerability assessments.
- Train your staff through ongoing and developing security awareness training.
- Monitor and assess your service providers to ensure they are capable of providing appropriate safeguards to the customer information they may have access to.
- Keep your information security program current.
- Create a written incident response plan “designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control.”
- Require your Qualified Individual to report to your Board of Directors.
As part of our services, Xamin works regularly with organizations who need to create security plans in compliance with the Gramm-Leach-Bliley Act. If you have any questions about these new regulations, contact us today.