Financial institutions

From hammer to hammer: non-banking financial institutions face new security rules

Anthony J. Hendricks

On December 9, 2021, the Federal Trade Commission issued final rules that amended its standards for protecting customer information (“Safeguard Rules”). These updated rules place additional requirements on how non-bank financial institutions must protect customer information. However, there has been some confusion about who these rules apply to and when companies must comply. While the safeguard rules came into effect on January 10, 2022, companies have until December 9, 2022 to meet some of these requirements.

These new rules apply to non-banking financial institutions. They include expected businesses such as mortgage lenders and brokers, payday lenders, finance companies, check cashers, financial advisers, and tax preparation companies. But the rule also includes businesses you might not immediately consider financial institutions like car dealerships, real estate appraisers, and colleges and universities that participate in federal student financial programs.

There are several changes to the rules, but three additions should be highlighted. First, while the previous version of the Safeguard Rules required companies to have a written information security program in place, the FTC has now included more guidance on what must be included in companies’ programs. . This includes requiring financial institutions to perform a risk assessment and create policies and controls to address identified risks.

Risk assessments are not a one-time requirement. Instead, companies should perform additional assessments periodically. Additionally, companies must appoint a “qualified person” to be responsible for the company’s information security program and to provide written reports to the board of directors. Finally, the FTC added several technical requirements, including multi-factor authentication and encryption of customer information at rest and in transit.

The FTC is giving financial institutions until December 9, 2022 to fully implement these new requirements. However, since many of the requirements will take weeks – and in some cases months – for companies to put into practice, it is essential that companies start meeting the December deadline now.

Anthony Hendricks is an attorney at Crowe & Dunlevy,, a member of the Banking and Financial Institutions Practice Group, and Chair of the Cybersecurity and Data Privacy Practice Group.