Are you Prepared for the Upcoming FTC Compliance Deadline on June 9, 2023?

Written By: Kristopher Wyatt

In response to personnel shortages and supply chain issues, the FTC extended the original deadline in November by six months to accommodate organizations facing challenges in meeting the requirements. 

What is the Federal Trade Commission's Safeguards Rule?

The Federal Trade Commission's Safeguards Rule, also known as the Standards for Safeguarding Customer Information, aims to ensure that entities falling under its jurisdiction implement measures to safeguard customer information. Initially established in 2003, the Safeguards Rule underwent amendments in 2021 to align with current technological advancements. While maintaining the flexibility of the original rule, the revised version provides more specific guidance for businesses, incorporating fundamental data security principles that all covered companies must adopt.

Who’s covered by the Safeguards Rule?

Financial institutions subject to the FTC's jurisdiction and not under the authority of another regulator as per section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805, are covered by the Safeguards Rule. The definition of a "financial institution" outlined in Section 314.1(b) states that an entity engaged in financial activities described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k), or activities "financial in nature" incidental to such financial activities qualifies as a financial institution.

To determine if your business falls under the coverage of the Safeguards Rule, it's important to note that the definition of "financial institution" is broader than its colloquial usage. Rather than how you perceive your company, the key consideration is the nature of your business activities. Section 314.2(h) of the Rule provides 13 examples of financial institutions, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors exempt from SEC registration, and the newly added finders—companies that facilitate negotiations and transactions between buyers and sellers.

The Rule also identifies four examples of businesses that do not qualify as financial institutions. Additionally, the FTC has exempted financial institutions that handle customer information for fewer than five thousand consumers from certain provisions of the Rule. Even if your business was not initially covered by the Safeguards Rule, it is crucial to assess whether it has undergone significant transformations over the past two decades. As your operations evolve, periodically reviewing the definition of financial institution will help determine if your business falls under its coverage.

What happens if you don’t implement these measures?

Non-compliance with the Safeguards Rule can have serious consequences. The FTC has the authority to enforce penalties and take legal action against organizations that fail to implement and maintain adequate safeguards for customer information security. Businesses may face monetary fines, reputational damage, loss of customer trust, and potential legal repercussions for non-compliance.

Therefore, it is imperative for businesses falling under the Safeguards Rule to thoroughly understand its requirements, implement the necessary safeguards, and ensure ongoing compliance to mitigate the potential consequences of non-compliance. 

According to the FTC, what is a financial institution?

Examples of financial institutions include: 

1. Retailer

A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because doing so fulfills the requirements for extending credit under 12 CFR 225.28(b)(1) and section 4(k)(4)(F) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)(4)(F)) and shows that the retailer is actively engaged in extending credit.

2. Car Dealership

A car dealership that regularly engages in the non-operating leasing of automobiles for periods longer than 90 days is considered a financial institution for the purposes of the Bank Holding Company Act's section 4(k)(4)(F), which lists this type of leasing as a financial activity under 12 CFR 225.28(b)(3).

3. Real Estate

A real estate or personal property appraiser is a financial institution since real estate and personal property appraisal is a financial activity mentioned in 12 CFR 225.28(b)(2)(i) and cited in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

4. Career Counselor

A career counselor who specializes in offering career counseling services to individuals who are employed by or recently left a financial organization, individuals who are looking for work with a financial organization, or individuals who are employed by or looking for placement with the finance, accounting, or audit departments of any company is a financial institution because such career counseling activities are financial activities listed in 12 CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F). 

5. Selling/Printing Checks

A company that prints and sells consumer checks, either as its sole line of business or as one of its product lines, is a financial institution because this activity is listed in 12 CFR 225.28(b)(10)(ii) and is mentioned in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

6. Wiring Money

A company that frequently wires money to and from customers qualifies as a financial institution because doing so is a financial activity described in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(A).

7. Check-Cashing Operation

A check-cashing operation is a financial institution since cashing a check involves trading money, which is a financial activity as defined in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(A). 

8. Accountant/Tax Preparation

An accountant or other tax preparation service that specializes in filing income tax returns is considered a financial institution because it engages in the financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G).

9. Travel Agency

Because running a travel agency in connection with financial services is a financial activity listed in 12 CFR 225.86(b)(2) and referred to in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G), a company that does so is a financial institution. 

10. Real Estate Settlement Services

Because offering real estate settlement services is a financial activity described in 12 CFR 225.28(b)(2)(viii) and mentioned in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F), an entity that offers such services is a financial institution.

11. Mortgage Broker

A mortgage broker is a financial institution since doing business in mortgage loans falls under the definition of a financial activity under 12 CFR 225.28(b)(1) and is mentioned in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F).

12. Credit Counseling Services

Credit counseling services and investment advisory firms are both considered financial institutions under the Bank Holding Company Act's section 4(k)(4)(C), which is found in 12 U.S.C. 1843(k)(4)(C), because they offer financial and investment advisory services. 

13. Acting as a Finder

A company acting as a finder, bringing together buyers and sellers of any product or service for transactions that the parties themselves negotiate and complete, is considered to be a financial institution because acting as a finder is an activity that is financial in nature or related to a financial activity listed in 12 CFR 225.86(d)(1).

Conclusion

Customer security is important and should not be taken lightly. If this rule applies to you, please make sure you are compliant by the deadline, which is coming shortly. If you have any questions about what this means for you and the security of your customers, or if you want to know whether it affects your business, please contact Ozark Technology. We are here to help!


Ozark Technology is a Business Technology Provider that helps organizations across the country rethink the value technology brings to their business. Want to partner with us? Let’s chat.

Kristopher Wyatt

Kristopher Wyatt is an accomplished cybersecurity expert and leader in the industry. As the General Manager of Ozark Technology, he has helped the company be recognized as an MSP 501 List Winner every year since joining in 2019, demonstrating his expertise in the field. Kristopher is a sought-after speaker and was invited to speak to a new class of Dell sales team graduates in 2022, where he shared his insights into the complex relationship between end users and Dell. With two main partnership focuses, Advanced Security and Business Technology, Kristopher has extensive experience in providing secure toolsets, regulatory compliance, and IT support to SMBs and enterprise organizations. Prior to founding Ozark Technology, Kristopher spent several years in the United States Navy, where he worked as a Signal Intelligence Analyst, becoming a subject matter expert in his target area of responsibility. After leaving the Navy, he continued his career in the intelligence and counterterrorism sectors with the NSA, before moving on to work in the private security sector. With his diverse background and wealth of experience, Kristopher is a trusted authority in cybersecurity and is highly respected in the industry.

https://www.ozarktechnology.com/kristopher-wyatt