FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The proposed changes would align the rules with those implemented by Congress in the Dodd-Frank Act in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act.

3/8/2019 10:00 AM


The Federal Trade Commission is seeking comment on proposed amendments to two rules that protect the privacy and security of customer information held by financial institutions.

The proposed changes apply to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act, according to a news release from the FTC.

The Safeguards Rule, which went into effect in 2003, requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule, which went into effect in 2000, requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties, the FTC reports.

“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”

As part of its periodic review of its rules and guides, the FTC sought comment in 2016 on the Safeguards Rule. In response to this review, and to keep the rule up to date, the FTC is proposing changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the rule.

For example, the proposal generally would require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data. The FTC also has proposed improving compliance with these programs by requiring companies to submit periodic reports to their boards of directors.

The proposed changes would bring the rules into line with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act.

While the scope of the Privacy Rule was narrowed significantly by the enactment of the Dodd-Frank Act, the FTC’s current Safeguards Rule continues to apply to all financial institutions within the FTC’s jurisdiction. The FTC proposes to revise the Safeguards Rule so that the scope of that rule is clear on its face.

The Dodd-Frank Act transferred most of the commission’s rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau, leaving the FTC with rulemaking authority only over certain motor vehicle dealers. To address these statutory changes, the FTC has proposed, for example, to remove from the Privacy Rule examples of financial institutions that do not apply to motor vehicle dealers. In addition, the revised rule would clarify when motor vehicle dealers must provide annual privacy notices to reflect provisions included in the FAST Act.    

The FTC also is proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” those who charge a fee to connect consumers who are looking for a loan to a lender. This proposed change would bring the Commission’s Rule in line with other agencies’ interpretation of the Gramm-Leach-Bliley Act.

The notices seeking comment on the proposed changes to the Safeguards Rule and to the Privacy Rule will be published in the Federal Register. Comments must be received 60 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.
