<img src="https://ad.doubleclick.net/ddm/activity/src=11631230;type=pagevw0;cat=pw_allpg;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};ord=1;num=1?" width="1" height="1" alt=""> A Marathon, Not a Sprint: Consumer Finance and the FTC Safeguards Rule

A Marathon, Not a Sprint: Consumer Finance and the FTC Safeguards Rule


    See Virtru In Action

    { content.featured_image.alt }}

    There’s been a lot of chatter about changes to the Gramm-Leach-Bliley Act Safeguards Rule–especially for industries looped in through the inclusion of financial “finders.” For these businesses, the Safeguards Rule is new territory. 

    To financial institutions that have been complying with the FTC Safeguards Rule since 2002, particularly ones that fit the traditional idea of a consumer finance business, the 2021 amendment may be perceived as another minor rule change. But don’t kick up your feet yet: There are still regulatory changes that will affect the way that your infosec program is configured. 

    Data security is a marathon, not a sprint. While many organizations have their eye on the December 9 FTC Safeguards deadline, this is just the beginning: You'll want to put foundational data protection frameworks in place to serve you well for years to come.

    But, first, it's important to break down the basics of the Safeguards Rule and who it covers.

    The Safeguards Rule Expands the Definition of Financial Institutions

    When most people think of a financial institution, they typically think of banks. But for the FTC, a financial institution means something a little bit different, and it’s been broadened with the recent amendment. Per the text of the rule, a financial institution is defined as:

    “Any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”

    Here’s a list of who that applies to specifically: 

    • Check-cashing businesses
    • Auto dealerships that lease personal property on a nonoperating basis for at least 90 days
    • Mortgage brokers
    • Any business that sells or prints checks
    • Personal property or real estate appraisers
    • Credit counseling services
    • Financial career counselors
    • Any business that wires money to and from consumers
    • Retailers operating an in-house credit card program
    • Tax preparers or accountants
    • Investment advisors 
    • Travel agencies
    • Real estate settlers 
    • A new group of businesses wrapped in the GLBA compliance pool: finders, defined by the FTC as “those who charge a fee to connect consumers who are looking for a loan to a lender.” Fintech companies may fold into this new requirement and should aim to employ the same safeguards as recommended by the rule. 

    Why Aren’t Banks Considered “Financial Institutions” Under The Safeguards Rule? 

    Banks, federal credit unions, and savings and loan institutions aren’t under the FTC’s jurisdiction.

    Instead, the Federal Reserve, Office of the Comptroller of the Currency, The Federal Deposit Insurance Corporation, and more federal and state regulators have a litany of regulations for banks to adhere to. Credit unions are overseen by the National Credit Union Administrations and various other state regulators. 

    The FTC is primarily concerned with businesses that participate in consumer finance—and in some ways acts as a catch-all for institutions not overseen by other major finance regulators. 

    What Consumer Finance Businesses Need to Know

    Traditional consumer finance firms like mortgage brokers, accountants, or tax preparers may not need to do all that much when it comes to the Safeguards Rule amendment. 

    Not because they’re exempt, but because they have other reasons for keeping up with the market. The consumer base for financial services is already wary of sharing private information, and this alone compels businesses to tighten up on their security posture to grow credibility and increase market share. Many of these businesses keep each other accountable contractually in partnerships. I’ll protect your data if you protect mine.

    For the smaller finance firms or businesses that facilitate financial dealings, it may be a different story. In the first iteration of The Safeguards Rule, the directives were brief and broad, and left a lot up to the financial institutions themselves to determine. In the 2021 amendment, there are more numerous and detailed directives, and financial institutions must check off every box. Here’s the compare-and-contrast for financial firms. 

    The New Rule Requires Specific Methods of Data Protection, is Less Open-Ended

    This is where the “Safeguards” part of the rule comes into play.

    1. Constantly evaluate and update access controls
    2. Keep track of all customer data. Have the ability to track it down at any point. 
    3. Encrypt customer data at rest and in transit. This means when it’s sitting in your database, or being transmitted for business purposes.
    4. Oversee and rigidly enforce security over apps—whether they’re developed in house, or by a third party. 
    5. Enforce multi-factor authentication for anyone who has access to customer data.
    6. Securely dispose of customers’ information every two years, unless there’s a business need to keep it. 
    7. Have change management processes written and planned. Be proactive and prepared for the future of cyber threats or business transitions.
    8. Audit activity of users who have access to customer data.

    Small Operations Are Exempt from Some Requirements

    The Final Rule states that financial institutions collecting data from less than 5,000 consumers is exempt from completing the written risk assessment, the incident response plan, and the annual report to the Board of Directors.

    Someone Needs to Steer the Ship

    The FTC is requiring financial institutions to designate a “qualified individual,” a.k.a. someone who is responsible for building and leading the infosec program. Your organization likely already has one, in the form of your CISO or a CIO. This person will need to report to the highest level of your company, like the CEO or Board of Directors. 

    Plan Ahead, and Put It All in Writing

    The Safeguards Rule amendment pulls no punches in putting the responsibility on financial institutions to protect customer data. The stakes are higher than ever when it comes to security threats, and part of protecting customer data from attacks is preventing them.

    The FTC emphasizes the importance of risk assessment and planning. First, financial institutions are required to complete risk assessments, report their findings, and draft processes and procedures for responding to the discovered risk. This is to be done often, to keep up with the constant advancements in cyber threats. 

    Be the Tortoise, Not the Hare

    We all know the Tortoise and the Hare fable, and there’s a metaphor brewing in the Safeguards Rule when it comes to onus and consistency. Lawmakers worldwide are walking a tightrope in drafting balanced regulations—rules that both mandate industry standards and place the onus on businesses defend data proactively

    Especially for longstanding Safeguard Rule comply-ees, it’s vital to maintain a consistent pace when it comes to data protection and security strategies. While the December 9 deadline is fast approaching, it’s not the finish line. The work never ends, and with every grueling risk assessment comes insightful findings that will fortify your security posture. 

    Be the tortoise: Lay a foundation of consistency and proactiveness in your infosec program. When the hare discovers vulnerabilities to customer data, or suffers a data breach in the future, the tortoise will already be miles ahead. 

    Virtru Leverages End-to-End Encryption to Protect Sensitive Consumer Data for the Long Haul

    Cybersecurity is a marathon, not a sprint. Whether you're a tortoise or a hare, we're all running this race together, and we all have a lot at stake.

    Using AES 256-bit access control keys, non-banking financial institutions can protect data at rest and in motion to meet the requirements stated in the FTC Safeguards Rule. Using the Trusted Data Format, Virtru applies an encrypted wrapper around data at the object level to protect it wherever it lives, for the entirety of its lifespan.

    By protecting data on a granular level, financial organizations have the unique ability to keep detailed audits on encrypted data at rest or in motion via email, file sharing, or SaaS apps. Using the Virtru Control Center, you have the ability to evaluate data access controls, grant or revoke access at any time, and control what recipients can do with data shared to them. This comes in handy during times when organizations are obligated to destroy data after a certain period of time. 

    When it comes to the next step for your infosec program, play the long game by consolidating your data safeguards. Contact our team for a demo today.


    Shelby Imes

    Shelby Imes

    Shelby is the Manager of Content Strategy at Virtru with a specialty in SEO, social media, and digital campaigns. She has produced content for major players in healthcare, home services, broadcast media, and now data security.

    View more posts by Shelby Imes

    See Virtru In Action