FTC Safeguards Rule

The FTC Safeguards Rule is a regulation implemented by the Federal Trade Commission (FTC) in the United States. It requires financial institutions, including lenders, mortgage brokers, and other entities that handle personal financial information, to develop and implement comprehensive information security programs to protect customer data. This rule went into effect June 7, 2023.

To simplify the mandatory rules, we have compiled a manageable list of requirements:

  • Designate a qualified individual to oversee the information security program
  • Develop a written risk assessment
  • Limit and monitor who can access sensitive customer information
  • Encrypt all sensitive information
  • Train security personnel
  • Develop an incident response plan
  • Periodically assess the security practices of service providers
  • Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Exemptions: The Safeguards Rule exempts financial institutions that have fewer than 5,000 customers. It’s important to note that this exemption is based on the total number of customers, not an annual count. If, at any point, your organization exceeds 5,000 customer records, you will no longer be exempt from the Safeguards Rule. Even while exempt, these five requirements remain applicable:

  • Appoint an organization or a qualified employee to oversee your cybersecurity program.
  • Implement safeguards and take necessary measures to mitigate risks.
  • Regularly assess the state of your infrastructure.
  • Provide security awareness training to your staff.
  • Keep your cybersecurity systems updated.

FTC site: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Penalties

  • Financial institutions found in violation: fines of $100,000 per violation
  • Individuals found in violation: fines of $100,000 per violation
  • Individuals found in violation: potentially up to 5 years imprisonment


Who is covered by this rule

  • Mortgage lenders and mortgage brokers
  • "Payday" lenders
  • Finance companies
  • Account services
  • Check cashers
  • Wire transferors
  • Travel agencies operated in connection with financial services
  • Collection agencies
  • Credit counselors and other financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors not required to register with the SEC
  • Finders, or companies that bring together buyers and sellers, such as auto dealers and real estate agencies

So what do these rules mean?

Here's a brief description of the key aspects of the FTC Safeguards Rule:

  • Information Security Program: Financial institutions covered by the rule are required to develop and maintain a written information security program. The program must be designed to ensure the security, confidentiality, and integrity of customer information. It should address the risks identified through a risk assessment process.

  • Risk Assessment: The rule mandates financial institutions to assess the risks to customer information in their possession. The risk assessment should consider internal and external threats to the security and integrity of customer data.

  • Safeguards: Financial institutions are expected to implement appropriate safeguards to control the identified risks. These safeguards may include physical, technical, and administrative measures to protect customer information. Examples of safeguards include secure storage, access controls, encryption, employee training, and monitoring systems.

  • Service Provider Oversight: The rule requires financial institutions to take reasonable steps to select and oversee service providers that have access to customer information. This includes conducting due diligence and ensuring that service providers maintain adequate security measures.

  • Employee Training: Financial institutions must provide employees with training and education programs to ensure they understand the requirements of the information security program and their role in safeguarding customer information.

  • Evaluation and Adjustment: Financial institutions are expected to monitor, evaluate, and adjust their information security programs in response to changing risks, technologies, and circumstances. Regular assessments and updates should be conducted to maintain the effectiveness of the program.

  • Incident Response: The FTC Safeguards Rule emphasizes the importance of having an incident response plan in place. Financial institutions should be prepared to respond to security incidents promptly, mitigate damages, and notify affected customers when necessary.

  • Multi-factor Authentication: The amended Safeguards Rule now requires the use of multi-factor authentication, though the language is very broad. The regulation requires “multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.”