Financial institutions

Federal Trade Commission Safeguard Rule for Financial Institutions

Under the Gramm-Leach-Bliley Act, organizations defined as “financial institutions” must maintain the security and confidentiality of information about their customers. The Safeguard Rule, one of three sections of the GLBA, was updated on December 9, 2021. With this update, the Federal Trade Commission notes that an organization “engaging in financial activity or incidental to such financial activities” is considered a “financial institution” and must comply with it.

That said, the major changes to the Safeguard Rule are set to go into effect on December 6, 2022.

Who must comply with the Safeguards Rule?

The following are examples of organizations considered “financial institutions” under the Safeguard Rule:

  • Retailers extending a credit card
  • Dealers renting a car long term – more than 90 days
  • Organizations appraising real estate or personal property
  • Advisors helping people associated with a financial institution
  • Businesses that print and sell checks on behalf of customers or transfer money
  • Companies offering cashier’s check services
  • Tax return preparers
  • Travel agencies
  • Real estate settlement services
  • Mortgage brokers
  • Colleges and universities accepting Title IV funds

Effective December 6, 2022, organizations classified as “financial institutions” must implement security practices and then periodically review and update formal policies and procedures, including:

  • Designate a qualified person to oversee the information security program
  • Develop, implement and maintain a written information security program
  • Complete a written information security risk assessment
  • Design and implement protective measures to control the risks you identify through the risk assessment
  • Set up permanent monitoring of information systems
  • Engage in penetration testing and third-party vulnerability assessments
  • Facilitate security awareness training
  • Periodically evaluate third-party service providers
  • Establish a written information incident response program
  • Have the qualified person provide the respective board or group with a written report periodically, and at least once a year

Specific control requirements regarding the implementation of safeguards include:

  • Implement and review access control
  • Inventory the systems that process customer information
  • Identify and manage data according to risk
  • Encrypt data in transit and at rest
  • Adopt secure software development practices
  • Require the use of multi-factor authentication for people accessing information systems
  • Establish secure procedures for data disposal
  • Develop change management procedures
  • Implement logging and monitoring procedures

While these elements should be implemented as part of an information security program, the revised rule is flexible enough to cover both large and small “financial institutions”. Specific safeguards should be appropriate for:

  1. The size and complexity of an organization and its operations
  2. The nature and scope of activities involving customer information
  3. The sensitivity of customer information handled by the organization

This means that organizations classified as financial institutions are allowed to implement different programs depending on their scope of operations and security risk assessment.

Non-compliance with the Safeguard Rule carries potential penalties, which could be financial or non-financial in nature. The maximum fine is $46,517 per breach of a consent order.

Complying with the new requirements could be a daunting task. Depending on the sophistication and maturity of an organization’s security personnel and infrastructure, a full diagnostic assessment of compliance may be necessary. Some requirements may need to be implemented once with ongoing maintenance, while others may require recurring work such as penetration testing, risk assessments, and training.

For more information on cybersecurity and data privacy, contact Kadian Douglas at [email protected] or 813-384-2735. For more information about CliftonLarsonAllen LLP, visit