| | |

FTC Safeguards Rule—Compliance Audits for Financial Institutions

ftc safeguards rule

Compliance audits on how your U.S. financial institution meets the FTC Safeguards Rule requirements are an essential practice if you handle customer financial data as part of a professional service.

Financial institutions have long been subject to professional standards and industry legislation. But, the latest amendments and extension to the FTC Safeguards Rule 2023 mean that those subject to the Federal Trade Commission’s jurisdiction must now concern themselves with cybersecurity. In practice, you will need to implement relevant financial data-security standards.

This blog post defines compliance audits and advises who can best carry them out for financial institutions, financial planners, financial advisors, and wealth managers who handle personal deposits and investments for individuals. Next, it explains the legal basis for the FTC Safeguards Rule, including the details of what a compliance audit should contain in order to comply with the rule. Finally, we’ll answer some of the most pressing questions about how this impacts your company, your customers, and data.

compliance auditWhat Is a Compliance Audit?

A compliance audit is an evaluation carried out by an independent expert to ensure that an organization is adhering to relevant government regulations and standards on financial, data, cybersecurity, and quality measures. Authorities range across state, federal, and international laws; while standards can include expected ecommerce industry standards or internal company guidelines.

Those who intake, store, process, and handle customer information—including card and transaction details—must manage increasing volumes of data. This management should include the entire journey of information from how it was initially obtained to how it is now stored and secured; who it was transferred to; who has access to it to, for what purposes, and for how long; and when it is scheduled for deletion.

At every point, data must be protected and controlled according to a wide range of regulations and standards. Data breaches and other failures generally incur all sorts of penalties, such as loss of corporate image, loss of revenue, legal claims, government fines, and remediation expenses—not to mention the personal costs and implications for affected individuals. Compliance audits are one major part in ensuring that customer data is kept secure and that you avoid penalties.

A Compliance Audit Can Be Confused with Other Types of Audits

A compliance audit should not be confused with:

  • Internal audits—An internal audit ensures that an organization follows its own standards for procedures and processes, while a compliance audit focuses on externally imposed regulations.
  • Monitoring activity—A compliance audit is a discrete project with a defined start and end; while monitoring is an ongoing process. However, a compliance audit may contain an evaluation of monitoring procedures.
  • IT audits—While a compliance audit can tackle security measures for relevant personal, financial, or health-related data, an IT audit is wider in scope, including a risk assessment carried out on your network infrastructure and overall cybersecurity posture.
  • Risk assessments—A risk assessment is part of an IT audit in that identifies security threats and vulnerabilities. Part of a larger compliance audit, it identifies areas of risk that involve noncompliance within the organization. Depending on the compliance standards and industry, these two assessments may overlap.

A Compliance Audit Conducted by External Experts Has the Edge

It is possible for large enterprises with big budgets to have their own employees, teams, and entire departments dedicated to conducting compliance audits. However, there are advantages to working with external consultants for compliance purposes.

  • External experts are able to maintain the highest levels of objectivity, since they have no direct connection with the department or organization under scrutiny.
  • External experts have a wide range of experience gained while working across industry verticals and varying sizes of projects, as well as legislation-specific skills that non-specialist employees will find difficult to match.
  • Finally, for small-to-medium sized enterprises, hiring external consultants makes more financial sense than training full-time staff members to conduct intermittent compliance audits and maintaining ongoing costs to keep their knowledge and skills up to date.

What Does the FTC Safeguards Rule 2023 Require Financial Institutions to Do?

The Gramm–Leach–Bliley Act (GLBA) is also known as the Financial Services Modernization Act of 1999. It was designed (according to its full title) “to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, and other financial service providers, and for other purposes” including data security.

Subsection A of the GLBA is known as the FTC Safeguards Rule.

The rule applies to financial institutions that are both:

  • Subject to the Federal Trade Commission’s jurisdiction, and
  • Not subject to the enforcement authority of another regulator under section 505 of the GLBA

The FTC has the authority to issue industry-wide regulations and guidance to help financial institutions within its jurisdiction to comply with the GLBA. The FTC Safeguards Rule implements data security requirements from the GLBA and applies them to information about any consumer’s past or present use of the financial institution’s products or services.

What the FTC Safeguards Rule Requires

Financial institutions are required to develop a written Information Security Plan that outlines how they plan to protect the nonpublic personal information (NPI) of their clients. This refers to any personally identifiable financial information that a financial institution collects about someone that isn’t publicly available.

This plan must include the following elements:

  • The naming of at least one person—a Qualified Individual—to manage the safeguards
  • A risk analysis on each department that handles nonpublic information
  • A tested program to secure the information
  • The implementation of adaptable safeguards on how information is collected, stored, and used

Extensions to the FTC Safeguards Rule 2023—an Update

The FTC Safeguards Rule was first updated in December 2021 by the FTC to include specific criteria requiring financial institutions to introduce new security controls and increase the accountability of boards of directors. In general, these new amendments made the FTC Safeguards Rule more prescriptive, detailed, and comprehensive than before. These amendments were slated to take effect on December 6, 2022.

However, on November 15, 2022, the FTC announced an extension for some types of institutions for some provisions of the FTC Safeguards Rule of six months—to June 9, 2023. The deadline extension was granted due to issues many financial institutions were having in complying with the “Qualified Individual” component.

What Should a Compliance Audit Contain?

Your financial institution may need to conduct a range of IT audits that enable you to identify issues and address errors in business areas. These may include network and cybersecurity audits as well as compliance audits on various aspects of regulatory compliance.

Conduct an IT Security Risk Assessment

An IT security risk assessment is required to make clear what information your organization possesses and where it is stored. As well as the inventory element, you need to conduct an assessment of possible security risks, both internal and external, hardware and software. This risk assessment must be written and subject to periodic reappraisal in light of new threats and technologies.

Design and Implement Safeguards

You’ll need to control risks identified through the security audit by implementing safeguards. These include physical and technical controls such as: authorization and access to information, data encryption, multi-factor authentication, secure data disposal, activity monitoring, and activity logs.

Training for the Team and the Qualified Individual

A Qualified Individual must be designated to supervise and implement the organization’s information security program. It’s important to note that this person doesn’t have to be an employee and can instead be an external expert or consultant from a service provider, such as Sagacent Technologies. You will also a need regularly scheduled, appropriate security-awareness training for staff at all levels.

Monitor and Test Compliance Measures

Once you establish safeguards, it is important that you maintain, monitor, and reassess them periodically. One way to achieve this is to conduct regular penetration testing to test for security vulnerabilities. It’s also important for the Qualified Individual to regularly report to the Board of Directors with an overall assessment of your organization’s compliance, with relevant sector standards and the status of your own information security program.

Help with Information Security and Incident Response Plans

Information security is a constantly changing environment, and your business data is a constantly growing resource. You need to keep your information-security program current. You also need to draw up an incident response plan that details what would happen in the occurrence of likely security events. A plan must contain the goals, process, roles, lines of communication, and necessary documentation for each event.

Questions About the FTC Safeguards Rule Requirements

We get asked the following questions often enough to know you probably still have some uncertanties.

Does the FTC Safeguards Rule Apply to Me?

Maybe you’re a small financial services firm that handles personal deposits and investments for individuals. Does the FTC Safeguards Rule apply to a small business like yours, or is it just for larger companies and organizations dealing with larger sums of money? To help you determine if your business is covered, the FTC Safeguards Rule lists thirteen examples of financial institutions that are included, and four examples of businesses that aren’t considered a financial institution (Section 314.2(h)).

Is External Help Necessary to Make My Business Compliant?

Is it possible for small financial services firms to conduct a compliance audit for the FTC Safeguards Rule without outside expertise? Yes, it is possible if you have internal technology, information, and cybersecurity expertise. You also need to have a clear understanding of where you are now, where you need to reach, and how to get there. Our recommendation is that you consult with external experts to walk you through all the necessary steps, starting with a comprehensive compliance audit.

Conduct a Compliance Audit on the FTC Safeguards Rules’ 2023 Updates

For further information, read our whitepaper, Do You Know the Security Regulations that Apply to Your Industry?.

And, if you’re concerned about how these new security regulations apply to you and want to close the gaps, contact us today to find out more about our regulatory compliance audits.