The Federal Trade Commission is seeking comment on proposed amendments to two rules that protect the privacy and security of customer information held by financial institutions.
In separate notices to be published in the Federal Register shortly, the FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule, which went into effect in 2003, requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule, which went into effect in 2000, requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”
As part of its periodic review of its rules and guides, the FTC sought comment in 2016 on the Safeguards Rule. In response to this review, and to keep the Rule up to date, the FTC is proposing changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the Rule. For example, the proposal generally would require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data. The FTC also has proposed improving compliance with these programs by requiring companies to submit periodic reports to their boards of directors.
The proposed changes would bring the rules into line with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act.
While the scope of the Privacy Rule was narrowed significantly by the enactment of the Dodd-Frank Act, the FTC’s current Safeguards Rule continues to apply to all financial institutions within the FTC’s jurisdiction. The FTC proposes to revise the Safeguards Rule so that the scope of that Rule is clear on its face.
The Dodd-Frank Act transferred the majority of the Commission’s rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau, leaving the FTC with rulemaking authority only over certain motor vehicle dealers. To address these statutory changes, the FTC has proposed, for example, to remove from the Privacy Rule examples of financial institutions that do not apply to motor vehicle dealers. In addition, the revised Rule would clarify when motor vehicle dealers must provide annual privacy notices to reflect provisions included in the FAST Act.
The FTC also is proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” those who charge a fee to connect consumers who are looking for a loan to a lender. This proposed change would bring the Commission’s Rule in line with other agencies’ interpretation of the Gramm-Leach-Bliley Act.
The notices seeking comment on the proposed changes to the Safeguards Rule and to the Privacy Rule will be published in the Federal Register soon. Instructions for filing comments appear in the published notices. Comments must be received 60 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.
The Commission vote to submit the Privacy Rule notice for publication in the Federal Register was 5-0. The Commission vote to submit the Safeguards Rule notice for publication in the Federal Register was 3-2. Commissioners Noah Joshua Phillips and Christine S. Wilson issued a dissenting statement.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).
Additional Contact Information
Juliana Gruenwald Henderson
Office of Public Affairs
Bureau of Consumer Protection