FTC Expands Reporting Regulations for Non-Bank Financial Institutions

By Todd Ehret

New regulations from the US Federal Trade Commission (FTC) will change the regulatory landscape for non-banking financial institutions. An amendment to the Gramm-Leach Bliley Act Safeguards Rule will require non-bank financial firms to notify the FTC as soon as possible (but no later than 30 days) after discovering a security breach involving the information of at least 500 consumers.

The data breach notification requirement will become effective May 13, 2024.

The three Democratic-appointed FTC commissioners unanimously approved the amendment, as there are presently two Republican vacancies.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, director of the FTC Bureau of Consumer Protection.

“The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”

Background.

The Gramm-Leach Bliley Act (GLBA) set forth standards for financial institutions in developing, implementing and maintaining reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.

It requires federal financial regulators, including the FTC, Office of the Comptroller of the Currency (OCC), Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) to implement security standards for all financial institutions within each regulator’s jurisdiction.

The FTC, for example, regulates financial institutions that are not otherwise subject to enforcement by other regulators, including non-bank firms.

Such entities include fintechs, mortgage lenders, mortgage brokers, payday lenders, account servicers, check cashers, wire transmitters, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors exempt from registration with the Securities and Exchange Commission, and entities acting as finders.

The Safeguards Rule took effect in 2003 and was updated in December 2021. The 2021 changes were mainly based on the New York Department of Financial Services (NYDFS) 23 NYCRR 500 (Part 500), which requires financial institutions to provide regulatory and consumer notice where appropriate.

Previously, the FTC and other federal agencies that enforce the GLBA have long required financial institutions to provide notice in accordance with the law, citing the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.

The interagency guidance required notification of unauthorized access to “sensitive customer information,” whereas the newly revised Safeguards Rule refers more broadly to “customer information.”

The 2021 updates to the Safeguards Rule excluded a reporting requirement.

The new Safeguards Rule.

The new amendment requires firms to notify the regulator through an online form, which will be available on the FTC website.

Reportable information includes:

• Firm name and contact information.
• Description of the information categories involved in the breach.
• Date or date range of the breach.
• Number of consumers affected or potentially affected by the event.
• General description of the breach.
• Disclosure of whether any law enforcement official determined that notifying the public of the breach would impede a criminal investigation or damage national security and a means for the FTC to contact that official.

The changes will significantly alter the regulatory landscape for non-bank financial firms, which previously had no obligation to report incidents to the FTC. They also cover an extensive range of information, including data breaches, unless firms can reasonably show there was no unauthorized access to data.

The new rules’ notification trigger is significantly tighter, due to its broader definition of customer information, which will effectively result in the reporting of all data security incidents. Covered information will include, for example, whether an individual is or has been a customer, any information provided by the consumer and information collected from website tracking cookies.

The FTC has indicated that it “intends to enter notification event reports into a publicly available database,” which could also negatively impact firms.

It is unclear how the FTC will align the new Safeguards Rule and public disclosure of “notification events” with the GLBA’s Privacy Rule requirements, which generally do not require consumer authorization for sharing data with third parties.

Compliance considerations.

Covered firms should review policies and procedures related to incident response and notification obligations to ensure they account for the revised Safeguards Rule. Firms should also review their overall compliance with the Safeguards Rule and consider areas for enhancement.

The Safeguards Rule is another instance of the complex and ever-changing regulatory landscape surrounding cybersecurity and data protection.

Firms should expect to see an increase in FTC engagement related to cybersecurity and data protection, as well as an increase in investigations and enforcement activity from all regulators.

Additionally, firms should prepare for a potential increase in media attention and private litigation risk if the FTC follows through with its stated intention of making incident reports publicly available.

This article also appeared in Thomson Reuter’s Regulatory Intelligence.