FTC has modified the Safeguards Rule 2022

FTC has modified the Safeguards Rule to Inflict Significant Provisions on Covered Entities

The Federal Trade Commission (FTC) has recently issued its final rule regarding the amendments in the “Safeguards Rule”. These updates have now brought some changes to the Gramm-Leach-Bliley Act (“GLBA”). The rule covers and sets all the standards to safeguard customers’ information. Fair enough as everybody has a right to protect their data from unwanted threats. But how does all this work? Let’s dive into it deeply to get the details of this rule and which organizations enact it into practice.

Safeguards Rule: Purpose and recent amendments

Though your personal information is confidential you can’t hide it from the government or financial institutions by any means. However, it is the responsibility of these organizations to insulate the security and integrity of a person. As these financial institutions are the guardians of our data, they must protect it at any cost by making use of all possible means that they can, be it physical or technical. That’s why they use the “Safeguards Rule” that strengthens their security system. The “Safeguards Rule” needs financial institutions to strictly follow the FTC’s procedure and draw regulations. This will keep the information of a customer safe and sound. Not only that but it also controls how its affiliates and service providers take care of the personal data of a customer.

Modifications in the rule

The proposal for changes in rulemaking was issued by FTC in 2019. The allocation of the ‘final rule’ is a splendid decision for the institutions that provide security as it gives them more freedom in their work.

Financial Institutions that follow the Safeguards Rule

The financial institutions that are subject to the Safeguards Rule are mortgage lending organizations, “payday” lending services, finance corporations, mortgage dealers, account services providers, check cash providers, wire transferring servers, travel agencies operated in connection with financial services providers, collection agents, credit consultants, and other financial advice servers, tax preparation companies, credit unions that not federally insured, investment advisors who can easily do their work without having to register with the Securities and Exchange Commission, and entities functioning as “finders.”

Modifications brought into the “Safeguards Rule”

Though the amendments are made in just five of the “Safeguards Rule” still they are quite significant and have brought a positive impact. Let’s have a look at all of those modifications

1)   Accountability process up-gradation of financial institutions

This new amendment states that the accountability process should be scrutinized properly to keep the working of financial institutions smooth and reliable. For instance, putting the most competent individual who executes, imposes, and keeps a check on the information security program of financial institutions. Moreover, the qualified individual will also be held accountable to the board of directors and regulating bodies. Furthermore, his systematic reports to the board officials will be crucial. The rule defines that a financial institution, an affiliate, or a service provider can hire this qualified person for the institution.

2)   Exemption of some financial organizations

This modification spares some financial institutions from things like written risk appraisal, incident response proposals, and per annum reporting to the board of directors. Now the question is which organizations are exempted in this scenario. The rule clearly states that all those institutions that compile data on less than 5,000 consumers are free from all these tasks.

3)   Financial institution role elaboration

Another amendment in the  “Safeguards Rule” is made to slightly enhance the role of the “financial institution”. It also includes those entities that are considered to be involved in activities that are declared ‘financial’ by the Federal Reserve Board. This change is crucial as it incorporates “finders”. These “finders” make a deal between consumers and dealers of any product keeping in mind the “Safeguards Rule”.

4)   Various definitions and their examples

This modification is made for the convenience of the readers. Various definitions have been elaborated along with their examples, also containing the term “financial institution”. All of these amendments are made in the “Safeguards Rule” to avoid going back to the related FTC Rule. That is also called the Privacy of Consumer Financial Information Rule. The purpose behind the change is clear and that is to make it simple for the readers to find everything in the rule except jumping to the FTC’s Privacy of Consumer Financial Information Rule for a few things.

5)   Directions on information security program

A revision in the rule that empowers ‘covered entities’ by guiding them about formulating and executing various aspects of a perfect information security program. These factors that the entities learn include access control, authentication, and encryption details. Do you know what new provisions the ‘Final Rule’ intends these covered financial institutions to follow? Let’s see what are the requirements of this rule:

  • The customer information should all be protected by encryption. This information includes the one that is delivered in transit over external networks and at rest.
  • The Enforcement of multi-factor authentication for those who try to reach a person’s information system is a must. This process can only be ignored if a competent person from the financial institution devises an alternative much secure way.
  • Developing and implementing secure ways for the removal of consumer information not later than two years.
  • Making of certain policies to prevent any unauthorized permit or keeping a check on the access of even authorized persons.
  • Establishment of a written incident response plan which is devised to provide a swift response in case of any security or confidentiality threats.
  • Regular testing or survey of the security system or service providers to avoid any malfunctioning.
  • It is a must for all the covered entities to perform a per annum penetration test and also the vulnerability assessments after every six months.
  • Proper training of employees to cope with security risks.


The modifications introduced by the FTC in the “Safeguards Rule” are a must for the smooth functioning of the covered entities. The deadline to acknowledge these requirements is October 27, 2022. These financial institutions will be given a time duration of one year to fulfill these provisions.

Flashcards added to our CIPP/E and CIPP/US training courses!