The deadline for complying with certain provisions of the Standards for Safeguarding Customer Information (Safeguards Rule) has been extended to June 9, 2023. As we previously posted, on January 10, the Federal Trade Commission’s (FTC) final rule amending the Safeguards Rule under the Gramm-Leach-Bliley Act became effective. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The updated Safeguards Rule will require more specific criteria for what safeguards financial institutions must implement as part of their information security programs. While many provisions of the rule went into effect 30 days after publication of the rule in the Federal Register, other provisions were set to go into effect on December 9. That deadline has now been extended by six months to June 9, 2023.

Financial institutions subject to the new requirements include mortgage lenders, mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashing companies, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the Securities and Exchange Commission.

The provisions of the updated Safeguards Rule specifically affected by the six-month extension include, among other things, requirements to:

  • Designate a qualified individual to oversee their information security program;
  • Develop a written risk assessment;
  • Limit and monitor who can access sensitive customer information;
  • Encrypt all sensitive information;
  • Train security personnel;
  • Develop an incident response plan;
  • Periodically assess the security practices of service providers; and
  • Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.

The FTC extended the deadline, in part, based on an August 5 letter from the Small Business Administration (SBA), requesting the extension and citing for support, among other things, the shortage of qualified personnel to implement information security programs and supply chain issues that may lead to delays in obtaining necessary equipment for upgrading security systems. In the letter, the SBA states:

“[S]mall financial institutions will need to modify their methods for evaluating these

risks and the manner that they document them. Small entities must also ensure that the service providers they work with meet many of the requirements of the rule as well as amend contracts to reflect the changes. Safeguarding customer information is extremely important. However, it is also important for the requirements of the rule to be implemented correctly.”

Troutman Pepper will continue to monitor important developments involving the FTC and the Safeguards Rule and will provide further updates as they become available.