As of December 9, 2022, financial institutions and dealers must comply with all Standards for Safeguarding Customer Information requirements and amendments as outlined on the Code of Federal Regulations site.
The FTC Safeguards Rule actually took effect in 2003 to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. It was amended in 2021 to keep pace with evolving technology, providing more concrete guidance for businesses and the core data security principles they need to implement.
In this article, we will explain some key points of the rule, who it will affect, and what can happen if your organization is found to be non-compliant.
Is Your Business Subject to the FTC Safeguards Rule?
“Financial institution,” as defined by the FTC Safeguards Rule, probably doesn’t mean what you think it does. In fact, the 2021 amendments add a new example of financial institution – finders: companies that bring buyers and sellers together, negotiating and consummating transactions between included parties. “Financial institution” is applied much more broadly to include the specific types of activity a business undertakes in its day-to-day operations, rather than the way a business might categorize itself.
This could include businesses such as:
- automobile dealers
- mortgage lenders
- payday lenders
- finance companies
- mortgage brokers
- account servicers
- check cashers
- wire transferors
- collection agencies
- credit counselors
- other financial advisors
- tax preparation firms
- non-federally insured credit unions
- investment advisors that aren’t required to register with the SEC
What Requirements Must Your Business Meet, if Covered?
If your business is covered by the FTC Safeguards Rule, you must develop, implement, and maintain an information security program with administrative, technical, and physical safeguards in place to protect your customers’ information. This program must be written and appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at risk.
This program should aim to:
- Ensure the security and confidentiality of customer information
- Protect against anticipated threats or hazards to the security or integrity of that information
- Prevent unauthorized access to information that could result in substantial harm or inconvenience to any customer
When did the 2021 Amendments Go into Effect?
Within 30 days of the October 27, 2021, publication, financial institutions and dealers needed to comply with the following sections of the amended Rule (many of which were existing requirements):
- 314.4(b)(2)—Additional periodic risk assessments
- 314.4(d)(1)—Regularly test or monitor the effectiveness of the safeguards’ critical controls, systems, or procedures
- 314.4(f)(1) and (2)—Overseeing service providers by (1) taking reasonable steps to select and retain and (2) requiring specific contract terms
- 314.4(g)—Evaluate and adjust your information security program considering the testing and monitoring results required by paragraph (d)
As of December 9, 2022, financial institutions and dealers must comply with all remaining requirements as outlined on the Code of Federal Regulations site.
The Expansive Costs of Non-Compliance
Some businesses may assume that the cost of compliance is too great, since it may require audits, new technologies, training, expert employees, and new processes. But statistics show that non-compliance costs much more, with businesses losing an overall average of $14.8 million per event across business disruption, productivity losses, revenue losses, and fines and penalties.
But there are more serious risks of non-compliance, including security breaches, criminal acts against customers and other business contacts, reputational damage, and more.
The following is a list of the possible legal ramifications of non-compliance with the FTC Safeguards Rule:
- Fines and penalties: Varying depending on the severity of non-compliance and the regulatory body governing the issue.
- Lawsuits: Stakeholders including customers, employees, vendors, and other affected parties might decide to file a lawsuit to collect damages.
- Regulatory scrutiny: Offending businesses can be subjected to costly regulatory audits for years to come.
- Imprisonment: In the worst cases of non-compliance, business owners, directors, and executives could go to prison for criminal negligence.
How to Ensure Your Compliance with the FTC Safeguards Rule
Maintaining data security, privacy, and compliance is an ongoing process that starts with understanding your responsibilities and developing a written strategic plan. We recommend following the links to the FTC Guidelines regarding the Safeguards Rule in this article, but to summarize, you must:
- Ensure the security and confidentiality of customer information
- Protect against anticipated threats or hazards to the security or integrity of that information
- Prevent unauthorized access to information that could result in substantial harm or inconvenience to any customer
Depending on the scope of your business and the breadth of the data that needs protecting, this may require you to perform regular audits, purchase new security- and privacy-focused technology, change business processes for how information is handled in your company, hire expert employees or consultants, train and retrain current employees, and so on.
You can also reach out to us at CNP Technologies. Our team of experts has been helping businesses to manage and maintain their security and compliance for over 25 years. We understand the importance, and the nuances, of information security for modern business.
We work with best-in-class solutions to deliver a range of managed security services designed to help our clients meet their information security and compliance objectives. Check out this brochure to learn more.