Gavel to Gavel: Non-banking Financial Institutions Face New Security Rules

On Dec. 9, 2021, the Federal Trade Commission issued final rules that amended its Standards for Safeguarding Customer Information (“Safeguard Rules”). These updated rules place additional requirements on how non-banking financial institutions must protect customer information. However, there has been some confusion on who these rules apply to and when companies must comply. While the Safeguard Rules went into effect on Jan. 10, 2022, companies have until Dec. 9, 2022, to meet some of these requirements.

These new rules apply to non-banking financial institutions. They include expected businesses like mortgage lenders and brokers, payday lenders, finance companies, check cashers, financial advisers and tax preparation firms. But the rule also includes businesses that you might not immediately think of as financial institutions like car dealerships, real estate appraisers, and colleges and universities that participate in federal student financial programs.

There are multiple changes to the rules, but three additions should be highlighted. First, while the previous version of the Safeguard Rules required companies to have a written information security program in place, the FTC has now included more direction on what needs to be included in businesses’ programs. This includes mandating that financial institutions complete a risk assessment and create policies and controls to address the risks identified.

Risk assessments are not a one-time obligation. Instead, companies must periodically perform additional assessments. In addition, companies must appoint a “qualified individual” to be responsible for a company’s information security program and to provide written reports to the board of directors. Finally, the FTC added several technical requirements, including multifactor authentication and encryption of customer information both at rest and in transit.

The FTC is giving financial institutions until Dec. 9, 2022, to fully implement these new requirements. However, because several of the requirements will take weeks – and in some instances months – for companies to put in practice, it is vital that businesses start now to meet the December deadline.

This article first appeared in The Journal Record on May 11, 2022, and is reproduced with permission from the publisher.