Your customers’ personally identifiable information (PII) and personally identifiable financial information (PIFI) is enormously valuable, which is why it is under constant threat. According to the website Privacy Affairs, credit card account details sell for an average of $120 on the Dark Web, while a scanned U.S. driver’s license is worth $150.
Stealing customer PII is hugely profitable for hackers, and comprises a big percentage of the $6 trillion lost to cybercrime annually.
Better Safeguard than Sorry
The Federal Trade Commission (FTC) is taking a huge step to curb the trade in identity theft with the rollout of its revamped Safeguards Rule.
Beginning June 9, 2023 (updated by the FTC on 15 November, 2022 - the previous deadline was December 9, 2023) companies that handle significant amounts of customer personal data — which the FTC calls “financial institutions” — will be tasked to build and maintain a modern information security program that must include the following FTC-mandated elements:
- Routine written risk assessments
- Continuous monitoring of information systems or periodic penetration testing and vulnerability assessments
- Maintaining up-to-date lists of customer data and their location
- Encrypting data and only granting access to authorized users via multi-factor authentication
- Deleting customer data within two years of its use
- And many more requirements
The upgraded Rule also shines a skeptical spotlight on widespread but insecure workflows such as sharing sensitive customer documents via email. This will put pressure on companies to also abandon impossible-to-secure legacy technologies for more secure alternatives.
Some Financial Institutions Exempt
Surprisingly, large financial institutions may have the least to worry about the FTC Safeguards Rule. That’s because most of them are already under the purview of other federal agencies and their data security requirements.
- Banks and savings and loans associations, which are subject to the data security and privacy standards set out by the Gramm-Leach-Bliley Act
- Stock brokers, dealers and investment advisors registered with the SEC
- Insurance companies, which must follow the relevant state insurance laws
- Federal credit unions, which are regulated by the National Credit Union Administration
- Organizations regulated by the Farm Credit Administration or Commodity Futures Trading Commission
So, Who Must Comply?
Many small to medium financial service providers will need to comply with this rule, as well as a wide variety of firms not traditionally thought of as financial institutions.
Here’s a rundown by type of firm to help you easily discover if your company must comply to the Safeguards Rule:
1. Community Banks. All community banks fall under the Gramm-Leach-Bliley (GLB) Act mentioned above, making them exempt from the FTC Safeguards Rule.
2. Credit unions. All federal credit unions and many state-chartered ones are NCUA insured, making them exempt from the Safeguards Rule. However, some state-chartered credit unions lack NCUA insurance, meaning they must comply with the FTC Safeguards Rule.
3. Mortgage lenders. Most lenders, including banks, federally-insured credit unions, and more, already fall under other federal regulations. If you are a mortgage lender that is not already complying with another consumer data privacy rule, then the FTC Safeguards Rule will apply to you.
4. Mortgage brokers. Many of the 23,000+ mortgage brokers in the U.S. are independent professionals or work for small firms. The FTC Safeguards Rule will apply to them unless they are already complying with another federal data privacy law.
5. Finance companies. Finance companies offer everything from car loans to furniture layaway plans and every other big-ticket consumer item in-between. If not already regulated under another federal statute, the Safeguards Rule will apply.
6. Payday lenders. For most of the 23,000 payday lenders in the U.S., the FTC Safeguards Rule will apply.
7. Check cashers. Closely related to payday lenders, check cashing stores will also need to comply with the FTC Safeguards Rule.
8. Account servicers. The FTC Safeguards Rule applies to them.
9. Wire transferors. From old-school companies like MoneyGram and Western Union to next-generation Internet payments firms, all fall under the FTC Safeguards Rule unless regulated elsewhere.
10. Collection agencies. With 7,000+ debt collection agencies in the U.S., nearly all of them will need to comply.
11. Credit, debt, and career counselors. Counselors offer valuable personal finance and career advice, often at free or low cost. Nevertheless, since they handle sensitive and valuable financial information on behalf of their clients, the FTC Safeguards Rule applies to them.
12. Tax preparers and accountants. By handling such important client financial information, tax preparers are also liable.
13. Investment advisors. If you are not registered to the SEC (and compliant with its rules), then you fall under the FTC Safeguards.
14. Real estate and property appraisers. Even independent professionals in this area may now be forced to comply with the FTC Safeguards.
15. Check printers. Yes.
16. Travel agencies. Yes.
17. Colleges and universities. Financial aid offices routinely handle the private info of their students, making them liable to the Safeguards Rule.
18. Finders. This includes online marketplaces and web sites, as well as the companies hosting these sites. If a company handles customer data while in the process of bringing together buyers and sellers, then they also fall under the FTC Safeguards.
Exceptions to the Rule
Not all of the organizations listed above will have to comply with the Safeguards, due to two major exceptions:
1. Organizations with financial information on fewer than 5,000 customers are automatically exempted from some components of the Safeguards Rule. However, they will still need to meet the updated requirements regarding the encryption of data both in transit and at rest, utilizing multi-factor authentication and secure disposal of information.
2. Organizations that are “not significantly engaged” in financial activities are also exempted. Examples of insignificant financial activities include:
- A retailer which only offers occasional lay-away and deferred payment plans that comprise a tiny fraction of its business.
- Accepting cash, checks or credit cards — that is insufficient to make a retailer a ‘financial institution’.
- A grocery store that allows a customer to cash a check or write a check for a higher amount in order to get cash in return.
- Businesses that occasionally allow favored customers to “run a tab”.
How to Start Your Compliance Journey
After June 9th, 2023, an FTC auditor can come to your business and start to ask uncomfortable questions about your data security practices that can lead to an FTC enforcement action.
So if your firm is not exempt for the reasons above, then it’s imperative to start your journey towards FTC Safeguards compliance as soon as possible.
Part of that is by reducing your data security risks. Start by ensuring the customer data you collect is encrypted in transit and at rest - something which is not achievable over email.