In this guide, we’ll explain who the FTC Safeguard Rule applies to, why it’s so important to comply, and the steps your financial institution needs to take.
In 2023, finance suffered more data breaches than any other sector. For cybercriminals, financial institutions are a treasure trove of funds and sensitive data. For the organisations and individuals affected, the impact can be devastating.
Not content to sit back while these disastrous breaches unfold, financial authorities like the Federal Trade Commission (FTC) are tightening cybersecurity regulations. The updated FTC Safeguards Rule sets out more stringent requirements, applying to a wider range of organisations.
The FTC Safeguards Rule compels financial institutions to keep their customer information safe by taking the necessary cybersecurity measures. It requires affected organisations to have a documented data security program that fits the organisation’s size, complexity, business activities, and the sensitivity of the information they handle. Key requirements include regular risk assessments and appointing dedicated individuals to safeguard customer data.
The Rule was first rolled out in 2003, but it was amended in 2021 after public consultation. The new version aims to provide clearer guidance and keep pace with a cybersecurity landscape that has changed drastically in recent years. Escalating cyberwarfare between states, more sophisticated AI-powered cybercrime tactics, and new security risks caused by remote work mean that organisations need to implement comprehensive, up-to-date cybersecurity measures to keep their data secure. Authorities like the FTC are updating regulations to reflect this.
A further amendment in October 2023 means that non-bank financial institutions must also report any breach of unencrypted data affecting 500 or more customers within 30 days of discovering it.
The deadline to comply with the new requirements of the revised FTC Safeguards Rule was June 9, 2023.
The Rule applies to financial entities under the Federal Trade Commission's (FTC) watch. However, it’s crucial to understand that their definition of a "financial institution" extends quite far beyond your typical bank with tellers and deposit forms.
Instead, the FTC's Safeguards Rule applies to a variety of businesses. This includes mortgage lenders and brokers, car dealers, payday loan providers, finance firms, account managers, check cashers, money transfer services, debt collectors, credit counsellors, financial consultants, tax preparers, certain credit unions, and investment advisors not registered with the SEC.
To understand whether your organisation is affected, consult Section 314.2(h), which sets out exactly who the FTC considers to be a financial institution and gives examples of organisations that don’t fall under this definition.
A significant number of affected organisations may not have realised that they fall under the FTC Safeguards Rule. This likely explains a poll showing that most car dealers were not compliant yet even after the deadline had already passed.
Failing to comply with the Safeguards Rule can lead to an investigation by the FTC and potential fines. For violations arising from a consent order, the FTC can impose additional penalties of up to $43,000 per day.
Aside from the fines themselves, being investigated and penalised by the FTC is never a good look. Reputational damage is hard to quantify, but very real nonetheless.
Not adopting rigorous cybersecurity measures that comply with the FTC Safeguards Rule also, of course, means risking a data breach. The consequences of cyberattacks often include severe operational disruptions, direct financial losses from dealing with the fallout, loss of consumer trust, and lawsuits from victims.
The fallout can be particularly bad for financial institutions because they handle so much sensitive data. Researchers found that out of all sectors, finance suffered the second highest cost of breaches.
The FTC Safeguards Rule sets out nine specific requirements for a “reasonable information security program”:
In short, the FTC is asking financial institutions to do more or less everything within their power to prevent data breaches. The intensity of modern cybercrime is such that anything less means putting customer data at risk.
For individuals whose sensitive data is stolen, consequences like identity fraud can be very damaging. Authorities like the FTC are therefore no longer willing to tolerate any cybersecurity negligence from financial institutions.
Metomic’s data security solution allows your financial institution to secure sensitive customer information stored in SaaS applications, helping with FTC Safeguards Rule compliance.
Metomic allows you to:
Request a personalised demo with one of our SaaS security specialists to discover how Metomic can boost your financial institution's security posture and regulatory compliance.