Updating the Safeguards Rule, But Not for Federally-Insured Credit Unions
Earlier this year, the Federal Trade Commission (FTC) issued a proposed rule updating and enhancing its regulations implementing the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). NAFCU has written of its support for the proposal. Several credit union compliance officers have asked about the proposal and its applicability to credit unions. The short story is that the update does not apply to federally-insured credit unions. The long story, including why this matters to credit unions, is below.
Which Safeguards Rule?
The Safeguards Rule is one of two central privacy provisions of the GLBA (the other being the Financial Privacy Rule, which requires disclosure of a credit union’s privacy policy). The text of the Safeguards Rule can be found at 15 USC §6801(b) and is only 105 words long. It states that the enforcement agencies listed under section 6805(a) (except the CFPB) must establish “appropriate safeguards” for the protection of customer records and information at the financial institutions under their jurisdiction.
Section 6805(a)(2) indicates that for federally-insured credit unions, that enforcement agency would be NCUA. NCUA established those implementing regulations at Part 748 of its rules and regulations. Part 748 is not being amended or updated by NCUA at this time.
Rather, what is being updated and amended is Title 16, Part 314 in the FTC’s regulations. Under section 6805(a)(7) of the GLBA, the FTC is the enforcement agency for purposes of the Safeguards Rule for any financial institution that is not subject to the jurisdiction of OCC, FDIC, Federal Reserve, NCUA, SEC or a state insurance authority.
Which “financial institutions” are subject to FTC jurisdiction?
The Safeguards Rule applies to any “financial institution” as defined by the GLBA. Under section 6809(3)(A), “financial institution” means any institution the business of which is “engaging in financial activities” as described in the Bank Holding Company Act at 12 USC §1843(k).
The law defines “financial activities” very broadly, going well beyond banking or investment activities. It includes financial activities by non-bank entities and activities that are incidental or related to banking or lending, for example, the activities of third-party collection agencies or credit reporting agencies. Entities of this kind that do not fall under the jurisdiction of the OCC, FDIC, Federal Reserve, NCUA, SEC or a state insurance authority would likely fall under the FTC’s jurisdiction and therefore be subject to the Safeguards Rule’s implementing regulations at 16 CFR Part 314.
What does this mean for credit unions?
Even though federally-insured credit unions will not be subject to the FTC’s updated regulation, credit unions would benefit from stronger regulatory requirements from the FTC. While word count is definitely not a direct measure of how robust or appropriate a regulation is, it is notable that NCUA’s Part 748 is more than 7 times longer than the FTC’s Part 314. Current Part 314 contains some very high-level, principle-based requirements, for example, to “design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.” 16 CFR §314.4(c). However, it lacks the kinds of guidelines for safeguards programs, and any requirements regarding breach response, that are found in the appendices to Part 748. There is no reason that credit unions should be required to have these robust requirements in place while an organization like Equifax is not. On August 2, 2019, NAFCU wrote to the FTC to offer its support for the proposal, to recommend some more thorough provisions, and to ask for clarification that CUSOs are not subject to the FTC’s jurisdiction under the GLBA. That letter can be read in full here.
So, credit unions may want to monitor the FTC’s proposal to stay aware of a potential tightening of cybersecurity requirements across the broader cyber environment; however, the FTC’s amended regulations would not have any direct effect on credit union requirements.