FTC Seeks Substantial Changes to the Privacy and Safeguards Rules
The Federal Trade Commission (FTC) has focused over the course of 2018-2019 on consumer protection, data security, privacy and FinTech issues as part of its review of "Competition and Consumer Protection Issues in the 21st Century" which we discussed in a prior blog.
During this time, the FTC Commissioners have made clear that they believe in strong enforcement of all of its existing authority and expressed concerns over consumer protection issues. On March 5, 2019, the FTC announced that it plans to reopen two key rules: the Standards for Safeguarding Customer Information (Safeguards Rule) and the Privacy of Consumer Financial Information Rule (Privacy Rule). The notice stated "We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business," said Andrew Smith, Director of the FTC's Bureau of Consumer Protection. "While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC's almost 20 years of enforcement experience. It also shows that where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments," said Director Smith.
Director Smith also testified before the Senate Homeland Security and Government Affairs Committee on March 7, 2019, about the FTC's work on data security issues including its call for the Congress to pass comprehensive data privacy legislation.
While the draft rules have not yet been released, the FTC did indicate in the release of the direction that it plans to go which has important ramifications for the financial services industry.
First, the Commission was split (3-2) on proposed changes to the Safeguards Rule. As noted by Commissioners Phillips and Wilson in dissent, the proposed changes are "based in substantial part on regulations promulgated two years ago by the New York State Department of Financial Services," and "[w]e do not have data about the impact and efficacy of those regulations." The proposed changes include a requirement for formal designation of a Chief Information Security Officer (CISO) and annual reporting to the Board of Directors, detailed risk-assessments; implementation of specific safeguards including encryption, access controls, secure development practices, multi-factor authentication, security awareness training, use of qualified information security personnel and a written incident response plan. While many of these prescriptions have been captured in existing guidance, the proposed changes would create many new formal requirements.
The proposed regulations would also add "entities acting as finders" to financial institutions under the FTC's Safeguards Rule jurisdiction, alongside "mortgage lenders, 'pay day' lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission." As noted by the dissent, the proposed changes may put those entities subject to FTC oversight on a different footing than those supervised by other federal financial regulators.
Second, the Commission unanimously (5-0) proposed modest changes to the Privacy Rule. The changes would clarify that, pursuant to the Dodd-Frank Act, the FTC's role in the privacy notice rulemaking is limited. While transferring most privacy notice rulemaking authority to the Bureau for Consumer Financial Protection (CFPB), Dodd-Frank reserved the FTC authority over any "motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles or both." The proposed changes would reflect this by narrowing the scope of the FTC's Privacy Rule, thus eliminating: definitions, subparts and illustrations not relevant to motor vehicle finance. The Commission will seek comment on whether or not the Privacy Rule should apply to "finders" that match potential borrowers and lenders in the motor vehicle finance space. Lastly, the press release indicated that the proposed rulemaking process could suggest clarifications that bring FTC's requirements for annual privacy notice disclosures in line with the exemptions which Congress imposed when these changes were included in P.L. 114-94. These exemptions to annual notice apply in some circumstances where financial institutions do not make any disclosures which may trigger a right to opt out of sharing and do not change their practices from those disclosed in the initial notice.
The FTC's actions are important components to systemic changes that are being seen across other Executive Branch agencies to focus on consumer protection and data security issues. It also mirrors the concerns seen in the U.S. Congress now about similar issues and the discussion around the need for a federal privacy law in the U.S.
Feel free to contact the authors of this blog and to check back for more information on the FTC's rulemaking process on these issues.