What the FTC’s Updated Safeguards Rule Means for All Non-Bank Financial Institutions

July 31, 2025 7:07 pm

Last month, the Federal Trade Commission issued guidance on the updated Safeguards Rule in the form of a set of Frequently Asked Questions for Automobile Dealers.

Although directed to auto dealers, the FAQs are a useful reminder for all non-bank financial institutions that the Safeguards Rule broadly regulates all non-bank financial institutions subject to FTC jurisdiction. These businesses include mortgage brokers, finance companies, payday lenders, collection agencies, tax preparation firms, accounting services, investment advisors not regulated by the SEC, and companies that act as “finders” to bring together buyers and sellers of financial products.

The Rule, because it applies only to those financial institutions that are subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another federal regulator under the Gramm-Leach-Bliley Act, often gets short shrift compared to other FTC-enforced privacy laws such as Section 5 of the FTC Act and COPPA. But as the FAQs demonstrate, the Rule still deserves attention because of its broad coverage and demanding requirements.

This post covers highlights from the FTC’s FAQs and offers key compliance considerations for businesses subject to the FTC’s jurisdiction and the Safeguards Rule.

Who Must Comply with the Safeguards Rule?

Under the Safeguards Rule, “financial institution” is defined broadly to include any business that significantly engages in financial activities or activities incidental to such activities as outlined in the Bank Holding Company Act. These activities include offering or arranging credit, leasing vehicles on a non-operating basis for more than 90 days, providing financial advisory services, facilitating wire transfers, or offering check-cashing services.

Importantly, the Safeguards Rule applies regardless of an institution’s size. Entities that maintain information on fewer than 5,000 consumers may be exempt from certain specific requirements but are still subject to the Safeguards Rule.

What does the Safeguards Rule protect?

The Safeguards Rule protects nonpublic personal information (“NPI”) collected about individuals in connection with a financial product or service for personal, family, or household use. NPI includes names, addresses, phone numbers, social security numbers, credit applications, account numbers, and transaction histories. Financial institutions must safeguard NPI regardless of whether it’s collected in person, over the phone, via a website, or through a third-party partner.

The Safeguards Rule Requirements

To comply with the Safeguards Rule, financial institutions must develop and implement a written information security program that is appropriate for the size, complexity, nature of their operations, and sensitivity of NPI at issue. The program must incorporate safeguards across three areas:

  • Administrative (e.g., employee training, vendor oversight, and internal policies);
  • Technical (e.g., access controls, encryption, and secure disposal of NPI); and
  • Physical safeguards (e.g., secured facilities and workstations).

The written information security program must be designed to ensure the security, confidentiality, and integrity of customer information. The Safeguards Rule outlines ten elements of a compliant information security program:

  • Appoint a qualified individual to oversee the program;
  • Conduct a written risk assessment to identify internal and external threats;
  • Implement safeguards to control identified risks;
  • Regularly monitor and test the effectiveness of those safeguards;
  • Adopt internal policies and procedures to support the program;
  • Oversee service providers, including due diligence, contracts, and monitoring;
  • Update the program based on testing, monitoring, and operational changes;
  • Implement a written incident response plan;
  • Report (at least) annually to the board of directors on the overall status of the written information security program; and
  • Notify the FTC about breaches.

Note that compliance with the Safeguards Rule does not satisfy compliance with the GLBA Privacy Rule and vice versa. Instead, the Safeguards Rule operates in tandem with the GLBA Privacy Rule, which governs the disclosure of NPI to third parties and requires notices to consumers. Both rules must be addressed separately within a financial institution’s risk management framework.

Key Compliance Considerations

The FTC has been considerably quieter, in terms of its enforcement efforts in the privacy and data security space, since the turnover in presidential administrations. The agency’s issuance of the FAQs for auto dealers suggests, however, that protection of consumer financial information will continue to be a priority.

The FTC has previously emphasized that while the Rule allows for flexibility based on a financial institution’s size and complexity, all covered entities must take reasonable steps to protect customer information. Smaller businesses may not be subject to all program elements but are still required to establish an appropriate and effective security program. Financial institutions should begin by conducting a gap analysis, documenting all procedures and safeguards, training staff, reviewing service provider contracts, and preparing for the possibility of a breach.

Covered entities will also need to focus on their service providers who handle consumer information, as a critical component of the Rule is the oversight of service providers. Any third-party vendor or partner that accesses customer information must be subject to due diligence, bound by contractual obligations to safeguard data, and routinely monitored for compliance. Those requirements apply to vendors such as cloud services, software vendors, payment processors, and any other partner handling sensitive customer data.

A 2023 amendment to the Safeguards Rule also introduced a new breach notification requirement. If a financial institution experiences a “notification event,” defined as unauthorized acquisition of unencrypted customer information involving at least 500 consumers, it must report the incident to the FTC within 30 days. Notably, the Rule assumes that unauthorized access to unencrypted information constitutes a notification event, unless the institution has “reliable evidence showing there has not been, or could not reasonably have been, unauthorized acquisition.”

Conclusion

Although the FAQs focus on auto dealers, the Safeguards Rule applies to all financial institutions under FTC jurisdiction. The always perilous cyber threat landscape, combined with increased regulatory scrutiny, makes it essential for every covered financial institution, from tax preparers to fintech startups, to implement strong administrative, technical, and physical safeguards. By doing so, financial institutions not only achieve compliance but also enhance customer trust and reduce the risk of data breaches.

© Copyright 2025 Credit and Collection News