The FTC has proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, applicable to financial institutions under the Gramm Leach Bliley Act (GLBA).  The proposed changes are informed by the FTC’s enforcement experience and are intended to keep pace with technological developments.

The Safeguards Rule requires financial institutions to have a comprehensive information security program.  The proposed rule amendment will more clearly define the requirements for such information security programs.  Some of the proposed changes to the Safeguards Rule include:

  • Encryption of all consumer data,
  • Implementing access controls to prevent unauthorized users from accessing consumer information;
  • Implementing multifactor authentication to access consumer data, and
  • Requiring periodic reports submitted to the boards of directors to ensure compliance.

The proposed amendments to the Safeguards Rule will better align the rule with prevailing cyber security standards, such as the NY DFS cybersecurity regulations and the NIST framework.  The amendments are also designed to ensure that non-bank financial technology entities, fintechs, are subject to cybersecurity standards similar to those that banks are subject to under the FFIEC interagency guidelines.

Further, the Commission proposes to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to include companies engaged in activities “incidental to financial activities.”  The expansion includes “finders” or those who charge a fee to connect consumers looking for a loan to a lender.

While the proposed changes to the Safeguards Rule and Privacy Rule will provide more clarity for certain GLBA covered entities regarding the contours of their information security programs, the proposed expansion of the definition of financial institution may not be greeted with open arms by the companies not currently covered by the Safeguards Rule and the Privacy Rule.