ACA International responds to proposed enhanced information security requirements for financial institutions, including debt collection agencies.
8/6/2019 15:30
Revisions to the Federal Trade Commission’s proposed amendments to the Safeguards Rule on information security would reduce unnecessary burdens to financial institutions while continuing to protect consumers, ACA International outlined in recent comments to the FTC on behalf of the accounts receivable management industry.
“The current Safeguards Rule provides a sufficient data security framework to accomplish the commission’s data security goals. ACA International and its members understand the importance of reasonable data security practices, and members already devote significant resources to data security programs,” said Leah Dempsey, vice president and senior counsel of federal advocacy. “Amending the Safeguards Rule would unnecessarily raise costs on ACA members and other financial institutions without a material benefit to consumers or information security. To the extent that the commission nonetheless advances the proposed amendments, it should revise certain proposals to avoid unnecessarily burdening financial institutions while continuing to protect consumers.”
The Safeguards Rule, which went into effect in 2003, requires a financial institution to develop, implement, and maintain a comprehensive information security program. Most ACA members are considered “financial institutions” subject to the Safeguards Rule because they collect consumer debt.
As part of its periodic review of its rules and guides, the FTC sought comment in 2016 on the Safeguards Rule. In response to this review, and to keep the rule up to date, the FTC proposed changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the rule, with comments due Aug. 2, 2019.
While security threats are evolving, the current Safeguards Rule continues to provide the FTC with a robust, flexible tool to protect consumers and a sufficient framework to regulate covered financial institutions’ information security programs, ACA argues.
ACA expressed concern that financial institutions collecting consumer debt, and ACA members covered by the Safeguards Rule, will incur additional costs to adopt the proposed amendments as currently written, when revising certain proposals would instead accomplish the mission of continuing to protect consumers.
“The Safeguards Rule already accounts for evolving expectations of reasonable security, with appropriate consequences for non-compliance,” Dempsey said.
The FTC also has enforcement standards in place if it believes a financial institution in its jurisdiction has not employed reasonable security, as well as other tools outside of amending the Safeguards Rule to convey expectations on data security to financial institutions.
Existing state data security regulations, such as those from the New York Department of Financial Services (NYDFS), which the FTC used as a basis for its Safeguards Rule proposal, make the amendments premature.
The NYDFS rule took effect in February 2018; therefore, the impact and benefit for consumers from these new laws and regulations compared to the added costs to businesses are not yet known, Dempsey explained. At the same time, Congress is also considering various options for federal data security legislation that could affect or alter the Safeguards Rule, and the FTC is continuing to provide its perspective to Congress on approaches to data security regulation and enforcement.
“Given the weight, importance, and urgency of the concerns at issue, ACA urges the commission to abstain from rulemaking until more comprehensive approaches to privacy and data security can be fully explored by Congress,” Dempsey said.
If the FTC proceeds with the proposed amendments, ACA also offers a suggested minimum deadline of one year for compliance with the various requirements in the Safeguards Rule, an expanded exemption for smaller financial institutions, and a safe harbor for companies that comply with a third-party data security standard.
“Given the breadth of the administrative and technical requirements in the Proposed Amendments, ACA also strongly recommends the FTC consider adding an additional, temporary good-faith compliance period for covered financial institutions,” Dempsey said.
Read ACA International’s complete comments to the Federal Trade Commission.