December 2, 2022

Volume XII, Number 336


FTC Delays Safeguards Rule Implementation for Certain Financial Institutions

The Federal Trade Commission (“FTC”) announced last week that it is delaying the date by which certain financial institutions must comply with certain provisions of its updated Safeguards Rule by six months, with the compliance date now being June 9, 2023. Applicable to non-banking institutions such as mortgage brokers, motor vehicle dealers, and licensed lenders, the FTC’s iteration of the Safeguards Rule (16 C.F.R. 34) — which implements data security requirements from the Gramm-Leach-Bliley Act (“GLBA”) — was updated in December 2021.

The FTC’s new requirements are not without controversy. The Safeguards Rule has been hailed as uniquely effective over the two decades it has been in place because it is technology-agnostic and instead requires all financial institutions to maintain data security programs that are commercially reasonable, compared to their cohorts. Indeed, in a dissenting opinion from Commissioners Noah Joshua Phillips and Christine S. Wilson, they note that “the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions.”

To that end, the following provisions have been delayed:

  • Designating a qualified individual to oversee the information security program;

  • Developing a written security risk assessment;

  • Limiting and monitoring who in their organization, and among their service providers and other third parties, can access sensitive customer information;

  • Encryption of all sensitive information;

  • Training of security personnel;

  • Development of an incident response plan;

  • Periodic assessment of the security practices of service providers; and

  • Implementation of multi-factor authentication, or another method of equivalent protection.

While most of these provisions are part of a robust information security program, the FTC cited the need for the delay as stemming from the multitude of small businesses affected by the Safeguards Rule that are still struggling with resuming business as usual after the pandemic.

© Copyright 2022 Cadwalader, Wickersham & Taft LLP. National Law Review, Volume XII, Number 327

About this Author

Mercedes Kelley Tunstall, Partner, Cadwalader, Wickersham & Taft LLP

Mercedes Kelley Tunstall is widely recognized as a legal leader in fintech, cryptocurrency and consumer financial services regulation and compliance.

Mercedes regularly counsels banks, lenders, payments companies, digital asset companies and fintechs regarding federal banking regulators and compliance with laws and industry standards. She also defends clients against enforcement actions taken by these regulators, including the Consumer Financial Protection Bureau (CFPB). As a former Federal Trade Commission (FTC) lawyer and bank in-house counsel...