These Businesses Must Follow the New FTC Safeguards Rule

If your business sits in the financial sector in any way, it likely must comply with the new FTC Safeguards Rule. Reaching compliance with this rule is necessary to reduce the risk of data breaches and other security issues that can compromise customers’ personal information. Finance industry organizations that collect and store vital data are enticing targets for criminals as this information can easily be used to commit identity theft and other types of fraud. 

The new deadline for compliance with the Safeguards Rule is June 9, 2023. This was recently extended by six months to give businesses more time to put every necessary step and action item in place to follow the rule. The deadline is looking firm, so take this post as an advance warning to get those ducks in a row to avoid hefty fines and other consequences for non-compliance. You still have plenty of time to establish proper protocols, information security programs, and risk assessments as required by the rule. The deadline is just over the horizon, so don’t delay, and know that expert assistance is available to help you get there.

A look at the types of businesses that fall under the FTC Safeguards Rule will help clarify which organizations need to act today. If your business falls into any of the categories mentioned below, you’ll need to get things in order in accordance with the rule as soon as possible. Don’t make the mistake of delaying action until right before the June deadline. That’s a surefire way to get fined while also risking the security of your business and its customers. 

The Safeguards Rule was created to help better secure consumer personal data, but achieving compliance leads to lasting benefits that stretch far beyond the letter of the law. Employing these safeguards will set up an organization with adequate defenses against the constant onslaught of cybercrime and related issues. 

What Businesses Need to Follow the FTC Safeguards Rule?

The Safeguards Rule technically pertains to all financial institutions that fall under the jurisdiction of the FTC and are not under the umbrella of authority from another regulator. The letter of the rule defines a financial institution as: 

Any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution. 

A few other definitions of the rule to know about are: 

  • Financial product or service means any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956.
  • Financial service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service. 

If those definitions apply to your business or organization, you need to work towards compliance with the rule. But let’s break things down another step to show precisely what types of businesses fall under the rule. 

The businesses that the FTC Safeguards Rule applies to include:

  • Mortgage lenders
  • Mortgage brokers
  • Account servicers
  • Dealerships
  • Finance companies
  • Check cashers
  • Payday lenders
  • Collection agencies
  • Credit counselors 
  • Financial advisors 
  • Accountants and tax preparation firms
  • Wire transferors
  • Non-federally insured credit unions
  • Investment advisors that aren’t required to register with the SEC

This list is a solid look at which businesses must comply with the Safeguards Rule, but it’s not exhaustive. Others that aren’t listed here might fall under the rule; it simply depends on whether the entity is a financial institution as defined by the rule.

The FTC states that, “The Rule defines ‘financial institution’ in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company.” 

That last line is worth highlighting because it shows that even if you don’t classify your business as any of the financial institutions mentioned above, it still might fall under the rule based on the type of activities it undertakes. 

A particular section of the Safeguards Rule can help determine if your company falls under it. Section 314.2(h) breaks down all of the examples bulleted here. It’s worth looking at that section of the Rule as it further expands on the type of businesses that fall under it and why. 

If the breakdown of examples within the Rule still doesn’t clarify things for your business, the Rule also highlights examples of entities not included as financial institutions, such as:

  • Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act
  • The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971
  • Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of service rights), or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party 
  • Entities that engage in financial activities but that are not significantly engaged in those financial activities, and entities that engage in activities incidental to financial activities but that are not significantly engaged in activities incidental to financial activities.

Regardless of whether you think your business is or is not a financial institution as defined by the FTC Safeguards Rule, it would be best if you were certain. You can get assistance with this clarification or start working towards all other necessary steps toward compliance today, as LibertyID is here to guide businesses through it. 

LibertyID provides full-service, fully-managed identity fraud restoration to its subscribers, with a 100% success rate in resolving all 31+ forms of identity fraud. LibertyID Business Solutions provides business fraud remediation, full pre-breach preparation with custom WISP protocols, post-breach regulatory response, customer and employee identity fraud restoration management, advanced employee training, and third-party vendor management tools.