How do Accountants, Bookkeepers, Mortgage Brokers, Tax Preparation Firms and other Non-Banking Financial Institutions comply with the new FTC Safeguards Rule?

Federal Trade Commission Safeguards Rule:

The FTC Safeguards Rule is designed to protect the confidentiality and security of consumers' personal information.

The Safeguards Rule was enacted in response to the increasing use of electronic transactions and the growing risk of identity theft and other forms of fraud. The rule provides a framework for covered entities to protect their clients' personal information and maintain their trust.

Who's covered by the Safeguards Rule?

Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions and investment advisors. These and other covered financial institutions must develop, implement and maintain a comprehensive information security program to protect client data.

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

The information security program must be written and include, among other things, the following elements:

DESIGNATION OF A QUALIFIED INDIVIDUAL: In its comprehensive written information security program, a covered financial institution must designate a qualified individual (the "Qualified Individual") responsible for overseeing and implementing the information security program. The Qualified Individual may be an employee, an affiliate, or a service provider. If the Qualified Individual is a service provider or an affiliate, they are subject to additional requirements.

RISK ASSESSMENTS: A covered financial institution must conduct risk assessments. Risk assessments must be written and include, among other things, criteria for evaluating identified security risks and for assessing the confidentiality and integrity of information systems. A covered financial institution must design and implement safeguards to control the risks identified through such risk assessments.

ENCRYPTION AND MULTI-FACTOR AUTHENTICATION: Institutions must encrypt all customer information they hold or transmit, both in transit over external networks and at rest. Where such encryption is infeasible, the covered financial institution may instead secure the customer information through an effective alternative control reviewed and approved by the Qualified Individual. In addition, a covered financial institution must implement multi-factor authentication (or a reasonably equivalent or more secure method of access control approved in writing by the Qualified Individual) for any individual accessing any information system.

PERIODIC PENETRATION TESTING AND VULNERABILITY ASSESSMENTS: Organizations must conduct annual penetration testing based on relevant identified risks (in accordance with the risk assessment). In addition, they must conduct vulnerability assessments at least every six months, which must include systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities.

OVERSIGHT OF SERVICE PROVIDERS: A covered financial institution must oversee its service providers, including requiring them by contract to implement appropriate safeguards for customer information and periodically assessing them.

ANNUAL REPORT TO THE BOARD OF DIRECTORS: At least annually, the Qualified Individual is required to report in writing to the covered financial institution's board of directors, senior director or equivalent governing body on the overall status of the information security program and on material matters related to the program.

The FTC has extended the compliance deadline to June 9, 2023.

You can read more at the following link on the FTC website:

https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know#Financial_institution

As experts in the field of information security, the ITGLOBAL team has studied the FTC regulation and is here to help your company understand the Safeguards Rule and implement the security needed to protect your customers.

Please use the following calendar to schedule a free review meeting with our experts: