FTC Redefines a Financial Institution. Could your customers and members be impacted?


Way back in 2002, the FTC proposed new standards that would require all “financial institutions” to develop, implement, and maintain “…reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” Officially known as the Standards for Safeguarding Customer Information (the Safeguards Rule), this should sound very familiar to all “traditional” financial institutions, as we adopted the very same safeguards back in 2000 under GLBA. After a lengthy (10-year) phase-in period and several extensions, all businesses that fall under the FTC’s definition of a “financial institution” must comply with most of the provisions by June 9, 2023. Because the FTC defines a financial institution much more broadly than it is traditionally defined, it is highly likely that some of your customers or members fall under these rules and could be subject to legal action, including civil money penalties, for non-compliance.

The FTC defines a financial institution as:

“…any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”

So far this sounds pretty standard. However, here are the examples the FTC provides of “financial institutions”:

  • A retailer that extends credit by issuing its own credit card directly to consumers.
  • An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days.
  • A personal property or real estate appraiser.
  • A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization.
  • A business that prints and sells checks for consumers.
  • A business that regularly wires money to and from consumers.
  • A check cashing business.
  • An accountant or other tax preparation service that is in the business of completing income tax returns.
  • A business that operates a travel agency in connection with financial services.
  • An entity that provides real estate settlement services.
  • A mortgage broker.
  • An investment advisory company and a credit counseling service.
  • A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

Some of these are more obvious (mortgage brokers, check printers, real estate settlement services), while others are not (car dealers, travel agents, tax preparation services, career counselors). This interpretation exempts more traditional FIs[1], but it is much broader than what most of us have historically considered a financial institution, and it may require a new mindset as you evaluate your new and existing customers and members. Could non-compliance trigger a monetary penalty that in turn impairs the business’s ability to repay a loan? Given the pending third-party risk management guidance, should you require proof of Safeguards Rule compliance from your third parties going forward? And if so, is a management declaration or assertion sufficient, or should you also require third-party attestation?

To be clear, we haven’t heard from the federal regulators on how (or if) they will factor this into their Safety & Soundness exams going forward, but it seems reasonable to assume that auditors and examiners may ask whether you, at a minimum, track your customer/member base’s exposure to these rules. We believe this is one example of a regulation that may actually prove beneficial: having a clearer understanding of exactly how your business customers and significant third-party providers are managing their information security risks is good for all of us.


[1] The “financial institutions” subject to the Commission’s enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act.
