Handle customer PII? An FTC-mandated info security program may be in your firm’s future. Here’s a breakdown of which firms must comply and who is exempt.
Your customers’ personally identifiable information (PII) and personally identifiable financial information (PIFI) is enormously valuable, which is why it is under constant threat. According to the website Privacy Affairs, credit card account details sell for an average of $120 on the Dark Web, while a scanned U.S. driver’s license is worth $150.
Stealing customer PII is hugely profitable for hackers, and comprises a big percentage of the $6 trillion lost to cybercrime annually.
The Federal Trade Commission (FTC) is taking a huge step to curb the trade in identity theft with the rollout of its revamped Safeguards Rule.
Beginning June 9, 2023 (updated by the FTC on 15 November, 2022 - the previous deadline was December 9, 2023) companies that handle significant amounts of customer personal data — which the FTC calls “financial institutions” — will be tasked to build and maintain a modern information security program that must include the following FTC-mandated elements:
The upgraded Rule also shines a skeptical spotlight on widespread but insecure workflows such as sharing sensitive customer documents via email. This will put pressure on companies to also abandon impossible-to-secure legacy technologies for more secure alternatives.
Surprisingly, large financial institutions may have the least to worry about the FTC Safeguards Rule. That’s because most of them are already under the purview of other federal agencies and their data security requirements.
These include:
Many small to medium financial service providers will need to comply with this rule, as well as a wide variety of firms not traditionally thought of as financial institutions.
Here’s a rundown by type of firm to help you easily discover if your company must comply to the Safeguards Rule:
1. Community Banks. All community banks fall under the Gramm-Leach-Bliley (GLB) Act mentioned above, making them exempt from the FTC Safeguards Rule.
2. Credit unions. All federal credit unions and many state-chartered ones are NCUA insured, making them exempt from the Safeguards Rule. However, some state-chartered credit unions lack NCUA insurance, meaning they must comply with the FTC Safeguards Rule.
3. Mortgage lenders. Most lenders, including banks, federally-insured credit unions, and more, already fall under other federal regulations. If you are a mortgage lender that is not already complying with another consumer data privacy rule, then the FTC Safeguards Rule will apply to you.
4. Mortgage brokers. Many of the 23,000+ mortgage brokers in the U.S. are independent professionals or work for small firms. The FTC Safeguards Rule will apply to them unless they are already complying with another federal data privacy law.
5. Finance companies. Finance companies offer everything from car loans to furniture layaway plans and every other big-ticket consumer item in-between. If not already regulated under another federal statute, the Safeguards Rule will apply.
6. Payday lenders. For most of the 23,000 payday lenders in the U.S., the FTC Safeguards Rule will apply.
7. Check cashers. Closely related to payday lenders, check cashing stores will also need to comply with the FTC Safeguards Rule.
8. Account servicers. The FTC Safeguards Rule applies to them.
9. Wire transferors. From old-school companies like MoneyGram and Western Union to next-generation Internet payments firms, all fall under the FTC Safeguards Rule unless regulated elsewhere.
10. Collection agencies. With 7,000+ debt collection agencies in the U.S., nearly all of them will need to comply.
11. Credit, debt, and career counselors. Counselors offer valuable personal finance and career advice, often at free or low cost. Nevertheless, since they handle sensitive and valuable financial information on behalf of their clients, the FTC Safeguards Rule applies to them.
12. Tax preparers and accountants. By handling such important client financial information, tax preparers are also liable.
13. Investment advisors. If you are not registered to the SEC (and compliant with its rules), then you fall under the FTC Safeguards.
14. Real estate and property appraisers. Even independent professionals in this area may now be forced to comply with the FTC Safeguards.
15. Check printers. Yes.
16. Travel agencies. Yes.
17. Colleges and universities. Financial aid offices routinely handle the private info of their students, making them liable to the Safeguards Rule.
18. Finders. This includes online marketplaces and web sites, as well as the companies hosting these sites. If a company handles customer data while in the process of bringing together buyers and sellers, then they also fall under the FTC Safeguards.
Not all of the organizations listed above will have to comply with the Safeguards, due to two major exceptions:
1. Organizations with financial information on fewer than 5,000 customers are automatically exempted from some components of the Safeguards Rule. However, they will still need to meet the updated requirements regarding the encryption of data both in transit and at rest, utilizing multi-factor authentication and secure disposal of information.
2. Organizations that are “not significantly engaged” in financial activities are also exempted. Examples of insignificant financial activities include:
After June 9th, 2023, an FTC auditor can come to your business and start to ask uncomfortable questions about your data security practices that can lead to an FTC enforcement action.
So if your firm is not exempt for the reasons above, then it’s imperative to start your journey towards FTC Safeguards compliance as soon as possible.
Part of that is by reducing your data security risks. Start by ensuring the customer data you collect is encrypted in transit and at rest - something which is not achievable over email.
To learn more and request a demo, visit FileInvite today.
Learn practical tips from Tiger Brokers, including regulations, key takeaways, and technology integration for seamless Customer Due Diligence.
Changes to the FTC's Safeguards Rule will go into effect on June 9, 2023, and will mandate several major changes for US-based financial institutions.
Learn how AML and KYC bolster financial security and work together as a robust defense against the exploitation of financial systems.