The Federal Trade Commission rolled out a new Safeguards Rule in October of 2021, but the deadline to be compliant with this rule is June 9, 2023. These regulations work to protect consumers financially and are impacting more businesses that regularly deal with customer money. For example, these regulations will likely affect companies that wire money or extend their lines of credit.
These rules might feel like a big transition for businesses that have not previously dealt with FTC regulations. However, we want to help you understand what these regulations require of you and your business and how you can start preparing yourself now so that you do not feel rushed or stressed. Here is what you need to know.
Who Is Affected by the New FTC Guidelines?
The guidelines set forth by the FTC apply to financial institutions. However, the FTC considers more businesses to fall under the “financial institution” umbrella than people might realize. Specifically, the FTC lists￼ the following categories as financial institutions:
- Mortgage lenders or mortgage brokers
- Payday lenders
- Finance companies
- Account services
- Check cashers or wire transferors
- Collection agencies
- Credit counselors and other types of financial advisors
- Tax preparation firms
- Credit unions that are not federally insured
- Investment advisors that are not required to register with the SEC
- Finders, classified as companies that bring buyers and sellers together
Importantly, note that the FTC exempts businesses that keep information on fewer than 5,000 consumers.
What Do the New Guidelines Entail?
The new guidelines call for businesses that fall within these categories to develop a written security plan and documented testing to show how they will protect their customers’ data and financial information.
In the words of the FTC, these businesses need to “develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”
You will need to write out your plan so that you have documented procedures for how you will protect the sensitive information entrusted to you. The program you create will need to be customized to your business and take into account factors such as:
- The size of your business
- The complexity of your business
- The area and specialty of your business
- The level of sensitivity of the information you collect
As you create this plan, focus on demonstrating how you will keep the information confidential in the face of anticipated threats. Consider the different types of cyberattacks that criminals might try and the actions you can take to safeguard your customers.
To guide you, the Safeguards Rule outlines 9 main factors you need to include in your plan.
- You must have a qualified person at your company designated to put your security plan into action and supervise its use.
- You must go through a risk assessment.
- You must determine what strategies you will use to control your identified risks.
- You must continue to monitor and test how well these strategies work.
- Your employees must be trained according to your safeguards.
- You need to show how you will monitor your service providers.
- You need to update your information security program regularly so it’s current.
- You need a written incident response plan.
- Your designated individual from step one must submit a written report to your company’s governing body at least annually.
What is the penalty for noncompliance?
The FTC takes consumer protection very seriously and has thus enacted steep penalties for businesses that fail to comply with these regulations. The current stated penalty is a fine of up to $44,792 per violation per day.
However, businesses should note that these regulations have been enacted to protect companies and customers from cyberattacks. Therefore, failing to comply with the rules also places companies at risk for a security breach. A security breach can result in other costs, including a loss of productivity and reputation damage.
Overall, the estimated cost of noncompliance is more than 3X the cost of compliance.
Preparing for the New FTC Guidelines
If the FTC classifies your business as a financial institution, these regulations will go into effect this coming June. Starting to prepare now will help you feel more comfortable and confident before the deadline arrives, rather than stressed and rushed. A written security plan is also a cybersecurity best practice, so taking this step now can also help you better protect your own data and that of your customers.
At Deerwood Technologies, we can walk you through this process and answer any questions you might have about setting up your protection plan. You don’t have to go at this alone, Deerwood Technologies can help you confidently comply with regulatory requirements. Reach out to us today to discuss your approach to compliance.