Key Takeaways:

  • Expanded Financial Institution Definition: Businesses handling customer financial data may now be classified as financial institutions under new FTC rules, requiring compliance by June 9, 2023.

  • Evolving Privacy Laws: Ongoing state and federal legislation, like the CCPA, demands that businesses stay updated on new requirements for managing customer data.

  • Compliance Steps: Businesses must implement key security measures, including risk assessment and data encryption, to comply with the FTC’s Safeguards Rule.

On December 9, 2021, your business might have become a financial institution without you even realizing it. That’s a result of new Federal Trade Commission (FTC) regulations that went into effect on that day.

While these regulations went into effect well over a year ago, non-banking financial institutions have until June 9, 2023 to be in compliance. When you read the term “non-banking financial institutions”, you might not think it applies to your business. But the reality is much more complex, and it’s important that businesses work to understand their obligations.

In addition to these new FTC regulations, new legislation is actively being discussed around the nation. Depending on where your business is located, many of these pieces of legislation may actively impact the way your business operates.

Ensuring your business remains compliant with all relevant laws and industry regulations begins with understanding these requirements. Once you understand these, you’re well-positioned to qualify your business’s obligations in how you handle customer financial data and take the relevant steps to ensure you remain compliant.

Read on to learn more about these changing definitions and discover what’s potentially on the horizon as lawmakers craft new regulations.

Is Your Business Now a Financial Institution?

Business owners should be asking themselves one question:

“Do we store or utilize our customers’ financial information to conduct business?”

Did you answer yes? If that’s the case, it’s likely your business is bound by the FTC’s amendment to its Safeguards Rule.

The updated rule applies a much broader definition to the term “financial institution”. Instead of you, or others, categorizing your business, what now drives this definition is the nature of the activities your business undertakes.

In Section 314.2(h) of the updated rule, the FTC provides a series of examples of businesses that are now considered to be financial institutions. These include:

  • Mortgage lenders
  • Payday lenders
  • Finance companies
  • Mortgage brokers
  • Account servicers
  • Check cashing businesses
  • Wire transferors
  • Collection agencies
  • Credit counselors
  • Non-federally insured credit unions
  • Investment advisors
  • Tax preparation firms
  • Financial advisors
  • Retailers that issue their own credit cards
  • Automobile dealerships that lease vehicles for over 90 days
  • Real estate appraisers

Finders are also included as a new example of a financial institution. This category refers to companies that bring together buyers and sellers and help the two parties negotiate and complete the transaction.

New regulations can be a threat to business. Understanding how to navigate your business’s obligations is crucial. If your business is considered a financial institution under these updated regulations, you must implement a comprehensive security program that protects your customers’ financial data.

Designing, Implementing, and Maintaining an Information Security Program

If you’re a Small to Midsize Business (SMB) grappling with your responsibilities under these new regulations, you’re not alone. Many small businesses are facing these challenges: it’s a major reason why the compliance deadline has been pushed back from December 2021 to June 2023.

However, time is now running out, and business owners need to start taking the steps required to ensure their business is in compliance by the June 9, 2023 deadline.

So, what’s involved in designing, implementing, and maintaining an information security program that protects customer financial data?

The FTC outlines eight key steps that businesses should take:

  1. Designate a “Qualified Individual”: this person is tasked with overseeing the information security program. They can be an employee or a third-party service provider.
  2. Create a Risk Assessment: this framework helps businesses understand where their risks lie and develop plans to mitigate them.
  3. Limit & Monitor Access to Sensitive Information: by limiting access to financial information to just those employees who need it as part of their job, businesses minimize the chance of a data breach.
  4. Encrypt Customer Data: encryption ensures that customer data remains secure even if it falls into the wrong hands.
  5. Train a Security Team: a skilled, experienced cybersecurity team is important in ensuring your business remains protected against the latest threats.
  6. Create an Incident Response Framework: if a security breach does occur, an incident response framework gives your team the processes it needs to respond to attacks and address vulnerabilities.
  7. Evaluate the Security of Service Providers: it’s not just your own security you have to worry about, it’s your vendors’ too. Consider requesting a SOC 1 or SOC 2 audit from service providers.
  8. Add Multi-Factor Authentication for Employees Accessing Customer Data: this additional layer of security ensures that in the event an employee’s access credentials are stolen, attackers will still struggle to access customer financial information.

Need some assistance navigating these requirements in your business? Contact LBMC today: our team is well-placed to guide you through these requirements.

What’s Next? Emerging Customer Privacy Legislation

The updates to the Safeguards Rule are far from the only changes occurring when it comes to the obligations businesses have in protecting their customer data. Both federal and state governments are introducing new legislation in response to concerns over privacy and cybersecurity.

There are numerous examples from developed countries around the world, but in the United States several measures are being considered (or have already passed) for codification into law.

The most well-known of these is the California Consumer Privacy Act (CCPA). This law, which came into effect in 2020, grants California residents the right to know what personal information companies are collecting, why they are collecting it, and who they are sharing it with. It also provides users with the right to opt out of the sale of their data and the right to request the deletion of their data.

Other states are following in California’s footsteps. The New York Privacy Act would grant New York residents similar rights to those provided by the CCPA, including the right to know what personal information is being collected, the purpose for collecting it, and who it is being shared with. It would also provide citizens the right to opt out of the sale of their data and to request the deletion of their data.

In addition to these state efforts, the federal government is also considering introducing new privacy legislation. The Biden Administration recently released a blueprint for an Artificial Intelligence Bill of Rights that aims to establish basic principles and standards that ensure the responsible development and use of AI technologies.

The framework proposes that companies be required to use data and resources in a responsible manner, and that individuals have access to clear information about the use of AI systems and to recourse if their data or AI systems are misused.

As technology continues to play an increasingly prominent role in our lives, it’s likely that more legislation will be enacted to ensure that customer data remains secure.

IT Compliance Services with LBMC Cybersecurity

Effectively securing your business’s customer data, whether you qualify as a financial institution or not, is non-negotiable. Many customers now actively assess a business’s data retention and cybersecurity policies, often requesting SOC or SOC 2 audits to demonstrate sufficient internal controls.

At LBMC Cybersecurity, helping businesses protect their customer data is a key focus of our IT compliance services. Our experienced team is equipped to advise any business ready to learn more about these regulations and the impact they have on their data privacy programs.

To learn more about how we can help, contact us today.