FTC Amends Safeguards Rule for Covered Financial Institutions – JD Supra

On October 27, the Federal Trade Commission (FTC) announced a final rule (Final Rule) amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) as it applies to covered financial institutions. The Final Rule provides guidance on developing and implementing information security programs, including access controls, authentication, and encryption. Notably, the Final Rule expands the definition of financial institution to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities; those entities are now subject to the FTC's enforcement authority under the Safeguards Rule.

Expanded Definition of Financial Institution

The Final Rule expands the definition of financial institution to include entities engaged in activities that the Federal Reserve Board determines as incidental to financial activities. For example, an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days would qualify as a financial institution for its leasing business. The Final Rule explains, for this example, that leasing personal property on a nonoperating basis with an initial lease term of at least 90 days is a financial activity enumerated in the list of permissible nonbanking activities under 12 CFR 225.28 and referenced in the Bank Holding Company Act.

Additional examples of financial institutions that significantly engage in business incidental to financial activities include businesses that regularly wire money to and from consumers; retailers that extend credit by issuing their own credit cards directly to consumers; and check cashing businesses. A business only falls within the expanded definition of financial institution if it is significantly engaged in activities incidental to financial activities. For example, a retailer that accepts cash, check, or credit as a form of payment; a merchant that allows an individual to run a tab; and a grocery store that allows individuals to cash a check would not be considered to significantly engage in activities incidental to financial activities and therefore would not fall within the expanded definition.

By defining financial institution and enumerating examples, rather than incorporating by reference to the Privacy of Consumer Financial Information Rule (Privacy Rule) promulgated under the GLBA, the Final Rule allows readers to understand the requirements of the Safeguards Rule without having to refer separately to the Privacy Rule.

Requirements Under the Final Rule

Under the Final Rule, covered financial institutions, which now include nonbank lenders, mortgage brokers, consumer reporting agencies, and similar entities, will be required to develop, implement, and maintain a more comprehensive information security program. The information security program must be written and must include, among other things, the following elements:

The Final Rule exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from the above requirements to implement a written risk assessment, to conduct annual penetration testing and biannual vulnerability assessments, and to have the Qualified Individual report annually to the board of directors or an equivalent governing body.

Effective Date

The new Safeguards Rule will become effective 30 days after the date of publication in the Federal Register, with certain exceptions. Notwithstanding the foregoing, certain requirements will become effective one year after the date of publication in the Federal Register, including:

The rest is here:
FTC Amends Safeguards Rule for Covered Financial Institutions - JD Supra
