The Federal Trade Commission has issued a notice of proposed rulemaking that seeks to update both its Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act. The proposed rules will expand the scope of what defines a “financial institution” covered under the rule and require institutions to implement two-factor authentication procedures for any time an individual wishes to access his or her account.
Two of the five FTC commissioners — Noah Phillips and Christine Wilson — filed comments opposing the proposed changes to the Safeguards Rule. All five commissioners supported the proposed changes to the Privacy Rule.
The Safeguards Rule requires financial institutions to develop and maintain information security programs while the Privacy Rule requires financial institutions to share information-sharing practices with individuals and give them the ability to opt out of having information shared with certain third parties.
In seeking to expand the definition of “financial institution,” the FTC is looking to include what are known as “finders,” or entities that charge a fee to connect individuals who are seeking a loan from a lender.
Under the changes to the Safeguards Rule, all customer data would need to be encrypted by financial institutions and all institutions would be required to adopt multi-factor authentication processes when individuals are accessing their customer data.
“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, in a statement. “While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”
Debt collectors are one of the groups of companies covered under the Privacy Rule, along with payday lenders, mortgage brokers, and real estate appraisers.