FTC Wants Comment On Proposed Changes To Safeguards, Privacy Rules

The Federal Trade Commission (FTC) has requested comment on the proposed amendments of two rules that protect the privacy and security of customer data held by financial institutions (FIs).

The proposed changes are related to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule, which went into effect in 2003, requires FIs to develop, implement and maintain a comprehensive information security program. The Privacy Rule, introduced in 2000, requires an FI to inform customers about its information-sharing practices, as well as enable customers to opt out of having their information shared.

“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business[es],” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, in a press release. “While our original, groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost-20 years of enforcement experience. It also shows that, where we have rule-making authority, we will exercise it as necessary to keep up with marketplace trends, and respond to technological developments.”

The FTC is proposing more detailed requirements related to the comprehensive information security program, requiring FIs to encrypt all customer data, implement controls to prevent unauthorized access to customer information and the use multi-factor authentication. The agency also wants FIs to submit periodic reports to their boards of directors to ensure they are staying on track.

The Dodd-Frank Act gave the majority of the FTC’s rule-making authority for the Privacy Rule to the Consumer Financial Protection Bureau (CFPB), leaving the FTC with power only over certain motor vehicle dealers. With that in mind, the agency wants to remove examples of FIs that do not apply to motor vehicle dealers, as well as clarify when they must provide annual privacy notices.

In addition, the FTC is proposing to expand the definition of “financial institution” in both rules to include “finders,” which charge a fee to connect consumers looking for a loan to a lender.