The Federal Trade Commission on Tuesday said it is seeking comment on proposed amendments to two rules that protect the privacy and security of customer information held by financial institutions.
In separate notices to be published in the Federal Register shortly, the FTC announced that it is looking for comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule, which went into effect in 2003, requires a financial institution to develop, implement and maintain a comprehensive information security program. The Privacy Rule, which went into effect in 2000, requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”
As part of its periodic review of its rules and guides, the FTC sought comment in 2016 on the Safeguards Rule. In response to this review, and to keep the rule up to date, the FTC is proposing changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the rule.
For example, the FTC explained the proposal generally would require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data. The FTC also has proposed improving compliance with these programs by requiring companies to submit periodic reports to their boards of directors.
The agency indicated the proposed changes would bring the rules into line with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act.
While the scope of the Privacy Rule was narrowed significantly by the enactment of the Dodd-Frank Act, the FTC’s current Safeguards Rule continues to apply to all financial institutions within the FTC’s jurisdiction. The FTC proposes to revise the Safeguards Rule so that the scope of that Rule is clear on its face.
Officials recapped that the Dodd-Frank Act transferred the majority of the commission’s rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau, leaving the FTC with rulemaking authority only over certain motor vehicle dealers. To address these statutory changes, the FTC has proposed, for example, to remove from the Privacy Rule examples of financial institutions that do not apply to motor vehicle dealers. In addition, the revised Rule would clarify when motor vehicle dealers must provide annual privacy notices to reflect provisions included in the FAST Act.
The FTC also is proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” those who charge a fee to connect consumers who are looking for a loan to a lender. Officials indicated this proposed change would bring the commission’s rule in line with other agencies’ interpretation of the Gramm-Leach-Bliley Act.
The FTC reiterated that the notices seeking comment on the proposed changes to the Safeguards Rule and to the Privacy Rule will be published in the Federal Register soon. Instructions for filing comments appear in the published notices. Comments must be received 60 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.
The commission vote to submit the Privacy Rule notice for publication in the Federal Register was 5-0. The commission vote to submit the Safeguards Rule notice for publication in the Federal Register was 3-2. Commissioners Noah Joshua Phillips and Christine Wilson issued a dissenting statement.
Along with explaining three reasons for their objections, Phillips and Wilson closed their statement by saying, “This is a notice of proposed rulemaking (NPRM), and the commission is merely proposing new regulation and soliciting views on its impact. But we are also aware that the momentum behind an NPRM regularly results in the promulgation of new or revised rules.
“While the commission is not making a final determination today, we are concerned that the specific suggestions herein will frame the debate so as to take the commission in a direction that may be unwarranted (particularly given the prospect of legislation), and which may have negative repercussions,” they continued.
“A review of the Safeguards Rule, especially in light of new legal developments, is warranted. But we should go where the evidence today leads us. We would strongly encourage those in industry, academia, and civil society with expertise in these areas to comment and provide evidence on this proposal,” they went on to say.