FTC Amends Gramm-Leach-Bliley Act ‘Safeguards Rule’ To Strengthen The Data Security Of Financial Institutions

Laura Resende


On October 27, 2021, the Federal Trade Commission (FTC) released an update to the Gramm-Leach-Bliley Act’s (GLBA) Standards for Safeguarding Customer Information, or the ‘Safeguards Rule’ (the Rule). In response to widespread data breaches that caused significant harm to consumers, the FTC amended the rule to be more expansive in scope and specific in security controls.

Scope and Definitions

The update has expanded the definition of “financial institutions” within scope to include non-banking institutions, such as finance companies, investment advisors that are not required to register with the Securities and Exchange Commission (SEC), mortgage brokers, and finders. Finders are defined as “companies that bring together buyers and sellers of a product or service.” Financial institutions that collect information on more than 5,000 consumers are required to maintain a comprehensive security system. A consumer, in the context of the Safeguards Rule, is defined as an “individual who obtains or has obtained a financial product or service… that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.”

Information Security Program Requirements

A significant addition to the Safeguards Rule is the specificity of the security system requirements. Previously, the Safeguards Rule outlined a general security system but lacked specific requirements that financial institutions need to implement. These requirements include the development, implementation, and maintenance of:

– Access controls
– Multi-factor authentication
– Incident response plan
– Data inventory and classification
– Continuous monitoring, or annual penetration testing with bi-annual vulnerability scans
  – Penetration testing is defined as an “attempt to circumvent or defeat the security features of an information system”
  – Along with network penetration testing, social engineering and phishing testing also satisfy this requirement
– Security awareness training for employees
– The encryption of customer data
– Secure testing practices of third-party services
– Secure procedures for disposing of customer data
  – Data is required to be deleted two years after the last date it is used, unless the information is required for a legitimate business purpose
– Procedures for identifying and maintaining a list of unauthorized users
– A written risk assessment
  – An internal assessment that evaluates identified security risks, the quality of controls that are currently in place, and an explanation of how these risks can be mitigated

Risk Assessment Requirements

Previously, the Safeguards Rule required financial institutions to develop and implement safeguards to address identified risks. The amended Rule specifies criteria that must be included in the risk assessment:

– Evaluation of identified security risks or threats
– Assessment of the quality of existing controls in the context of security risks
– Explanation of how the identified risks will be mitigated based on the risk assessment

Accountability and Responsibility

The FTC has made it a point to emphasize proper accountability for the implementation and maintenance of controls in the updated Rule:

– A single assigned “Qualified Individual” is required to be responsible for the information security program
– Periodic reports are required to be delivered to a board of directors or governing body

Exemptions and Burden-Relief Measures

While the above requirements add obligations for financial institutions, the FTC has put the following measures in place to help relieve unnecessary burdens:

– Limited the scope of certain written security requirements to only those financial institutions with more than 5,000 consumers
– Revised requirements so exempted financial institutions are not required to perform a written risk assessment, conduct continuous monitoring or penetration testing, prepare an incident response plan, or prepare an annual report. However, they will still be required to conduct risk assessments, implement a written information security program, evaluate the program and adjust accordingly, oversee service providers, and train employees
– While these exempted institutions will not be audited for a written risk assessment, the FTC still requires firms to conduct risk assessments, regardless of size
– Created a system that is “process-based, flexible, and based on the financial institution’s size and complexity”
– Extended the effective date of many of the written security provisions of the amended Rule to one year after publication (October 27, 2022)
– Modified a Chief Information Security Officer requirement to be generalized based on the size and complexity of the financial institution
– Limited the requirement for updating employee training programs to “only as necessary”


*This content does not represent a legal opinion of Compliasset; its purpose is purely informational.
