Safeguards Rule Resource Center
The Gramm-Leach-Bliley Act (GLBA) requires that covered financial institutions, including debt collectors, protect the security of their customers’ financial information. In 2021, the Federal Trade Commission made the first major changes to these requirements in almost 20 years and gave companies one year to comply with the Standards for Safeguarding Customer Information—the Safeguards Rule.
The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program by June 9, 2023. (This is an extension from the previous deadline of Dec. 9, 2022, which was achieved thanks in part to ACA’s advocacy on the issue.)
Read the text of the amended rule as well as articles breaking down compliance with the rule, review the comprehensive ACA SearchPoint document on the Safeguards Rule, listen to related recordings of ACA’s members-only ACA Huddle® and more.
Safeguards Webinar Recordings
ACA How: Safeguards Rule What?
TPx and ACA will distill the Safeguards rule of GLBA to simple terms and answer what an organization needs to do and by when.
ACA How: Owning Your Security Program
At a high level, every ACA member needs an overarching security program that is documented and governed.
ISO: How TPx Can Help
There are strategic, tactical, and technical aspects of being defensible to the Safeguards rule of GLBA. During this session, TPx will go over how we can help so ACA members can focus on their business.
Blogs From TPx
What to Know
Under the Gramm-Leach-Bliley Act (GLBA), a debt collector must comply with the Safeguards Rule, which requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
The Safeguards Rule took effect Jan. 10, 2021, and its requirements will apply beginning June 9, 2023.
The final Safeguards Rule contains five main modifications to the existing rule:
- It adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication and encryption.
- It adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.
- It exempts financial institutions that collect less customer information from certain requirements.
- It expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the rule.
- It defines several terms and provides related examples in the rule itself, in one place, rather than incorporating them from the Privacy of Consumer Financial Information Rule.
Text of the Safeguards Rule
The Safeguards Rule as published in the Code of Federal Regulations.
FTC Safeguards Rule: What Your Business Needs to Know
Small entity compliance guide from the FTC.
CFPB Circular on the Safeguards Rule
The CFPB issued a circular stating that financial services companies with insufficient data protection or information security violate the prohibition on unfair acts or practices in the CFPA; the circular also provides examples.
NIST Cybersecurity Framework
Debt collection agencies can use the NIST Cybersecurity Framework’s standards and best practices to help them comply with the Safeguards Rule.
ACA Daily Articles About the Safeguards Rule
Read coverage of news and compliance information in these ACA Daily articles.
Members can read ACA SearchPoint document #2255, which was recently updated to reflect the CFPB’s compliance guidance on the Safeguards Rule.
ACA Huddle® Recording
Best Practices for FTC Safeguards Rule Compliance
Leslie Bender, CCCO, and Kim Phan lead this ACA Huddle on the Safeguards Rule. Learn more about what your company should be doing to develop and implement an information security program that complies with the rule. Members can view a PowerPoint presentation from the Huddle here.
ACA How: Safeguards Rule Implementation
Friday, December 09, 2022 - Friday, July 14, 2023
Central Standard Time
ACA has partnered with TPx Communications for a webinar series to help you comply with the Safeguards Rule. It will run throughout October and into December.
ACA filed extensive comments on the Safeguards Rule discussing potential compliance burdens for ACA members. Most recently, ACA International and other industry trade groups submitted a letter to the FTC requesting a deadline extension from Dec. 9, 2022, to Dec. 9, 2023.
On Nov. 15, 2022, the FTC announced it is extending the deadline for companies to comply with some of the changes in the Safeguards Rule by six months to June 9, 2023.
Read more in this ACA Daily article.
Access all of ACA’s letters and comments to regulators on our Policymakers website: