FTC’s Safeguard Rule: A Must-Read Guide for Small Financial Institutions

Last year the Federal Trade Commission (FTC) extended the deadline for their financial industry "Safeguard Rule" to June 9, 2023. That means any business that handles consumer data is subject to multiple security requirements—and could incur significant fines and service issues if not compliant. With this deadline approaching, read on to get the skinny on what it requires and how you can achieve compliance with this new rule.

Somewhere deep in the cyber realm of D.C.'s National Archives is a little document called Title 16. While this "little" document includes multitudes of federal rules and regulations (we're talking all the way up to 1,750), scroll to the right and you can narrow it down to one of the most talked about new cyber rules in the past 6 months. The appearance is more Morse code than anything but 16 C.F.R. Part 314 has risen to top of mind with a looming compliance deadline rapidly approaching. 

But the real ghost story? Whether fortunately or unfortunately, this monikered "Safeguard Rule" for financial institutions is a catch all—large and small businesses alike will have to follow these rules and some businesses aren't ready. We can help guide you through that. 

What is the Safeguard Rule? 

Originally set for a deadline of Dec. 9, 2022, the Safeguard Rule's main purpose is require financial institutions to protect consumer data, especially the sensitive kind. This includes institutions like higher education that have federal student aid programs and private loan debt collectors. The problem is, for smaller financial institutions, the hefty requirements from the FTC made it almost impossible to meet the deadline from their initial roll out date in Oct. of 2021. To accommodate small financial institutions' needs, the FTC extended their deadline to June 9, 2023. 

What information does the Safeguard Rule apply to? 

Basically, the Safeguard (or Privacy) Rule applies to a consumer's nonpublic personal information (NPI) that they have given to a financial institution. Title 16 identifies this as any "personally identifiable financial information" a financial institution gets from a consumer when providing a financial product or service. These are things like name, address, income, Social Security number, payment history, or court records (check out this outline from the FTC explaining more examples). "Publicly available" information like phone number (but only if it's listed) and anything the public has access to are not covered under the Safeguard Rule.  

Who does the Safeguard Rule apply to? 

The Federal Trade Commission (FTC) applies this rule in two parts. Financial institutions that "collect 'nonpublic personal information' from your 'customers' or 'consumers'" (Part I) or "if you receive 'nonpublic personal information' from a financial institution with which you are not affiliated, you may be limited in your use of that information" (Part II). 

• What is the definition of a "financial institution"? 
  Section 4(k) of the Bank Holding Company Act defines a financial institution as businesses that are "significantly engaged" in "financial activities" such as: lending, exchanging, transferring, investing for others, or safeguarding money or securities. It also includes things like brokering loans, debt collecting, providing real estate settlement services, or career counseling of people seeking employment in the financial services industry.
• What does it mean to be "significantly engaged"? 
  According to the FTC "A storeowner or bartender who 'runs a tab' for customers" would not be significantly engaged, "but a retailer that offers credit directly to consumers by issuing its own credit card" would be significantly engaged. Consider how often you are engaging in financial transactions. Do you find yourself sending out invoices weekly? That's significantly engaged. "A retailer that lets some consumers make payments through an occasional lay-away plan" would not be engaged often enough to be considered significantly engaged but "a business that regularly wires money to and from consumers" would be.

What are the basic requirements of the Safeguard Rule? 

This rule has quite a few requirements to keep nonpublic personal information (NPI) safe which we will be digging into over the coming weeks on the blog. But the basic requirements of the Safeguard Rule are: 

1. Designate a qualified individual to oversee their information security program;
2. Develop and conduct a written risk assessment;
3. Design and implement safeguards to control the risks identified through your risk assessment (which includes 8 additional requirements to meet);
4. Encrypt customer information in transit and at rest (or use alternative methods where encryption is not possible);
5. Develop an incident response plan;
6. Adopt secure development practices for in-house developed software and processes for assessing the security of externally developed applications;
7. Periodically assess the security practices of service providers; and
8. Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Our recomendation to meet COMPLIANCE 

Whether big or small, as a financial institution, the Safeguard Rule is something you will have to comply with. There is no way around it. After reading all of these rules and regulations, your head may be spinning on where to start first. Luckily, we've got you covered. All (and I do mean all) of the requirements set by the FTC can be completed by partnering with Centre. Let me show you what I mean or refer to the table underneath my breakdown (regulations from the Safeguard Rule in bold): 

• Can't find a point person to designate for overseeing your information security program? Centre's IT Consulting and IT Staffing Services act as an extension of your staff to do that for you. We can take over the information and begin building it out for you to approve. Additionally, we can serve as your IT team and in turn serve as the person that oversees their security program. Win win! 
• Unsure of how to develop and conduct a written risk assessment? We can do that for you. Check out our IT Assessment resources. Furthermore, not sure how to implement safeguards that we identify in your risk assessment (you know, that pesky 8 step regulation)? All included in our IT assessments. We help you set up a proactive plan that helps you prepare for future growth and innovation
• Cybersecurity questions on how to encrypt customer information or implement multi-factor authentication? When you choose any of our uniquely tailored packages (Express, Managed, or Co-Managed Services), we set your business up with layered security protection including multi-factor authentication. You can rest easy that everything is safe and sound (which you'll disclose in your privacy notice--more information on that in the next blog!) 
• Outdated Incident Response Plan or just understaffed and never had time to create one? Guess what? We do that, too. We work with you to get the 4 main criteria for a secure IRP: Clean copy of data, proactive threat hunting, visibility into security gaps, and cyber insurance. With these services we will also periodically provide you with an assessment of our security practices. 
• Finally, if you choose any of these partnerships, you can be assured that you will have adopted secure development practice for in-house and external processes/application. Why? Because we do. When partnering with Centre, you come by security naturally. 
  
  

All of this, by the way? At a fraction of the cost for rolling out internally.

Now that you've met these requirements, don't miss the next steps. If you're a financial institution, this is for you. Act now and prepare for the future.