The FTC’s New Safeguard Rule - 29 June 2023

The Federal Trade Commission (FTC) has updated the requirements of the Standards for Safeguarding Customer Information, known as the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA standards) to ensure protection of the privacy and personal information of consumers/customers.

The main objectives of the GLBA standards for safeguarding information to ensure the security and confidentiality of consumer/customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer/customer.

The amendments to the Safeguards Rule still retain the existing Rule’s process-based approach, which allows financial institutions to tailor their programs to reflect the financial institutions’ size, complexity, operations, and to the sensitivity and amount of customer information they collect.


Investment Advisors not Registered with the SEC – Compliance with New Safeguard Rule

The Safeguards Rule applies to businesses engaged in providing financial services, which includes investment advisors that are not required to register with the Securities and Exchange Commission (SEC).

Notably, however, financial institutions that maintain information on less than 5,000 consumers are exempt from certain requirements under the New Safeguard Rule, such as 1.) written risk assessment, 2.) incident response plan, 3.) annual reporting to the Board of Directors, and 4.) to conduct periodic testing and vulnerability assessments.

Below are the requirements all financial institutions must still comply with:

  1. Designating an individual responsible for overseeing, implementing, and enforcing the institution’s information security program.
    1. This individual may be an employee of the financial institution or a third party. It is important to keep in mind that compliance with the New Safeguard Rule remains with the financial institution, thus, a senior member of the financial institution should be designated to oversee any third party.
    2. An IT vendor may be designated as a qualified individual if an owner or manager is not a viable option


  1. Having a risk assessment plan that identifies reasonably foreseeable internal and external risk to the security, confidentiality, and integrity of customer information that could result in its unauthorized disclosure, misuse, or other compromise.


  1. To note: that only financial institutions with at least 5,000 customers must have the risk assessment be in writing.


  1. Here are examples of security features and policies that financial institutions may consider in the risk-assessment process:


    1. Password strength policies and enforcement
    2. Employee background checks
    3. Inactivity locks on screens
    4. File storage and locks on file cabinets and rooms
    5. Encryption of data when it is transmitted electronically
    6. Password protection
    7. Policies to verify identification for information request from customers or third parties


  1. Implementing safeguards to control the risks identified through the risk assessment. Encrypting all customer information the financial institution stores (at rest) or transmits over external networks through a multi-factor authentication that requires at least two of the following types of authenticators to access any nonpublic information:


  1. A knowledge factor (such as a password);
  2. A possession factor (such as a token or key); or
  3. An inherence factor (such as a biometric characteristic).


However, the New Safeguard Rule does not require customer information to be encrypted while in transit through internal business networks.

The definition of encryption does not require any specific process or technology to perform the encryption but does require that whatever process is used be sufficiently robust to prevent the deciphering of the information in most circumstances.

It should be noted that the FTC believes transmission of customer information to remote users or to cloud service providers should be treated as external transmissions, as those transmissions are sent out of the financial institution’s systems.


  1. Staff training to ensure that personnel can implement the information security program by providing adequate training, using qualified personnel, providing security and training updates, and verifying that key personnel maintain up-to-date knowledge of changing information security threats and countermeasures.
  2. Assessing service providers to ensure that those selected maintain adequate security measures, requiring them to implement and maintain such safeguards through contract provisions and periodic assessment for risk and continued adequacy of their safeguards.
  3. Periodic evaluations to adjust information security program for changes based on operation, risk-assessment findings, and other circumstances as needed. This requires periodically reviewing access controls on customer information, including technical and, as appropriate, physical controls to 1.) authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information and 2.) limit authorized users’ access only to customer information needed to perform their duties and functions.”

© 2021 CCH Incorporated and its affiliates and licensors. All rights reserved.

This website uses cookies to ensure that we give you the best experience on our website. This cookie data is anonymous, read about how we use cookies and how you can control them in our Cookie Notice. Otherwise, we’ll assume you’re OK to continue. Find out more.