What Is the FTC Safeguards Rule

Expanded definition of "financial institution."

The final rule extends the definition of "financial institution" to entities engaged in activities that the Federal Reserve Board considers incidental to financial activities, and harmonizes the FTC's Safeguards Rule with the safeguards rules of other federal agencies. In particular, this change brings "finders" (i.e., companies that bring together buyers and sellers of a product or service) within the scope of the final rule.

Unlike previous rules and guidelines issued by federal financial regulators, the FTC's new Safeguards Rule includes specific criteria for the safeguards that financial institutions must implement as part of their information security program. For example, the new rule requires financial institutions to implement multi-factor authentication for anyone accessing networks containing customer information. This is an important step in the development of data security regulation at the federal level: in the past, similar rules only gave regulated companies general guidance, with no specific technical requirements. In this respect, the new Safeguards Rule should make the obligations of covered financial institutions to protect consumers' financial information clearer.

Certain provisions of the final Safeguards Rule, including those relating to the implementation of safeguards, the conduct of a written risk assessment, the appointment of a qualified individual, and the conduct of continuous monitoring or annual penetration testing, come into force one year after the date of publication of the final rule in the Federal Register; the other provisions enter into force 30 days after publication. In other words, the new Safeguards Rule takes effect 30 days after its publication in the Federal Register, but its most significant requirements are delayed by one year.
Requirements delayed by one year include designation of a qualified individual; written risk assessments; annual penetration tests and semi-annual vulnerability assessments; regular assessment of service providers; and a written incident response plan. The other requirements, which come into effect 30 days after publication, largely mirror the requirements of the existing Safeguards Rule.

Therefore, financial institutions are unlikely to face new obligations until the delayed requirements come into effect in a year.

On October 27, 2021, the Federal Trade Commission (the "FTC") announced significant updates to its Standards for Safeguarding Customer Information (the "Safeguards Rule" or the "Amended Rule"). This rule, promulgated under the Gramm-Leach-Bliley Act, is designed to protect consumer data collected by non-bank financial institutions such as mortgage lenders and brokers, payday lenders, and car dealers, among others ("covered financial institutions"). The Amended Rule is likely to have a far-reaching ripple effect and to set the benchmark for appropriate data security requirements across the industry. In this blog post, we highlight what's new in the Amended Rule and give an overview of its potential impact.

Key takeaway. Financial institutions subject to the Amended Rule should begin complying with it without delay. Certain provisions, such as the testing of safeguards (without the strict new "continuous monitoring" requirement mentioned above) and periodic risk assessments, come into force thirty days after publication of the Amended Rule in the Federal Register. Other changes, such as written risk assessments, the information security program requirements, continuous monitoring or penetration and vulnerability testing, the appointment of a qualified individual, written reports, and an incident response plan, do not come into effect until one year after publication of the Amended Rule.

Expansion of the Safeguards Rule's scope (and carve-out for small businesses).

The FTC expanded the scope of the rule by changing the definition of "financial institution" to cover institutions that engage in activities incidental to financial activities, as determined by the Federal Reserve Board. This new definition means that the Amended Rule covers "finders", i.e. companies that "bring together the buyers and sellers of a product or service", such as a company that operates an online marketplace and thus acts as an intermediary between the parties […].