The Federal Trade Commission (FTC)’s proposed changes to the 2003 Safeguards Rule, which seek to tighten the data security procedures of US banks, seems premature and may contain traps for unwary financial institutions attempting to meet both state and federal laws, according to the American Financial Services Association (AFSA) and dissenting FTC commissioners.
The FTC proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, which apply to financial institutions under the Gramm Leach Billey Act (GBLA), on March 5. “We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business,” wrote Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
The Safeguard Rule requires a financial institution to “develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards.”
“We agree with commissioners Noah Phillips and Christine Wilson, who issued a dissenting statement,” said Celia Winslow, vice president of legal and regulatory affairs at AFSA, in an email. “The proposal is based on the rules passed two years ago by the New York Department of Financial Services.” The New York law in question – Cybersecurity Requirements for Financial Services Companies – is emerging from its two-year transitional period. “Writing national rules on that state rule, before we see the true impact of the rule, seems premature. We support a Safeguards Rule that has a flexible approach and can be tailored to a company’s size and complexity.
“We would encourage the FTC to preempt state laws,” wrote Winslow. “Fifty different state data security laws would cause a host of compliance problems. In trying to meet the requirements of different state laws and, potentially, different federal laws, financial institutions could end up with policies that meet the different requirements, but not be ideal for safeguarding consumer information.”
In a dissenting note FTC commissioners Phillips and Wilson issued a warning about the proposals’ new scope: “Some of the specific proposals track shortcomings the Commission has identified in its data security enforcement cases and investigations. Not all of these shortcomings concern firms covered by the Safeguards Rule and, in any event, they may not represent a broader trend that warrants a regulatory response. Therefore, it may not be appropriate to mandate such prescriptive standards for all market participants.”
According to Phillips and Wilson, a move away from the “flexible approach” of the Safeguards Rule “could create traps for the unwary, especially small and innovative businesses [while] large incumbents can often absorb regulatory compliance costs more effectively than new entrants or smaller players, potentially decreasing competition.”
Common sense approach
“The regulators are enforcing common sense with these requirements,” says Chris Marinac, director of research at FIG Partners. “Banks’ data is among their most important and most sensitive assets. This is a healthy change that can actually benefit and protect US financial institutions. I do not see this as onerous, companies should already be doing these activities on their own.
“My sense is that the community financial institutions in the US - let alone larger banks regionally and nationally - all must step forward and make a sincere focus on these areas. Their success and independence depend on proper execution here.”
While the scope of the 2000 Privacy Rule was narrowed significantly by the enactment of 2010’s Dodd-Frank Act, the Safeguards Rule continues to apply to all financial institutions within the FTC’s jurisdiction. The regulator states that one of its main reasons for revising the Safeguards Rule is so that the scope of that rule is clear.
"The way I see it, regulation is simply catching up with the evolution of the threat environment and risks faced by financial institutions of all sizes,” said Elona Ruka-Wright, chief risk officer at Finastra, in an email. “Many of the proposed changes/controls were already being implemented and considered standard of due care at large financial institutions.
“The guidelines of course required that the financial institutions take a risk-based approach and implement controls commensurate with the risks to their environment. Those requirements are costly to implement, and obviously community banks and credit unions would likely feel the impact more heavily.”