The Federal Trade Commission (FTC) has voted to propose amendments to two rules governing the privacy and security of customer information held by financial institutions: specifically, the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act.
Typically, when we discuss Registered Investment Adviser (RIA) or Broker-Dealer compliance, we are referring to the rules of the SEC, FINRA, or the States. We'd like to note that the FTC is an independent agency of the US Government tasked with consumer protection, and therefore many of its rules and regulations apply to Investment Advisers and Broker-Dealers as well.
The commission is seeking public comment on the proposed amendments.
Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, made the following statement regarding the rationale behind the proposals:
“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business. While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”
Proposed Changes to the Safeguards Rule and Privacy Rule
In response to the feedback it solicited during a 2016 review of the Safeguards Rule, the FTC is proposing changes to both rules that would spell out the requirements of the mandatory comprehensive information security program needed to comply with the safeguards standards, including:
- Encryption of all customer data
- Implementation of access controls to prevent unauthorized access to sensitive customer information
- Establishment of multi-factor authentication protocols to limit access to customer data
- Appointment of a chief information security officer responsible for oversight, implementation, and enforcement of the information security program
- Submission of periodic compliance reports by the chief information security officer to respective boards of directors
The proposed amendments would align the rules with changes implemented by Congress through the 2010 Dodd-Frank Act and the 2015 FAST Act, which brought changes to the annual privacy notice requirement under the Gramm-Leach-Bliley Act.
Stern Warnings Signal Intense Scrutiny
Firms should consider themselves thoroughly cautioned regarding customer privacy and information security.
In a recent risk alert dated April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) reported that it had detected a significant number of problems when examining the privacy notices and safeguard policies of investment advisers and broker-dealers, including:
- Failure to provide adequate initial privacy and opt-out notices
- Failure to design, adopt, or implement effective policies and procedures protecting client privacy as required by the Safeguards Rule
Firms are strongly encouraged to read the latest FTC press release on the proposed changes to the Safeguards Rule and the Privacy Rule, as well as the above-mentioned OCIE Risk Alert on compliance issues related to the application of these rules.
Times of regulatory change signal the opportunity for a thorough review of your firm’s related policies and procedures.
A variety of regulatory bodies are sending repeated and specific signals that compliance with these requirements will be heavily scrutinized, which also means that very little leniency should be expected with regard to related compliance violations going forward.
A Review of Policies and Procedures: The Key to Maintaining Compliance
Core Compliance & Legal Services, Inc., utilizes decades of experience to help you stay current with the latest developments in regulatory requirements, including the creation or review of compliance policies and procedures, such as the development of comprehensive information security programs.
We help our clients stay on the right side of compliance.