Changes to the Safeguards Rule and the Privacy Rule applicable to financial institutions under the Gramm Leach Bliley Act are in the works.

The FTC is proposing changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the Rule. This will include:

  • encrypting all customer data
  • implementing access controls to prevent unauthorized users from accessing customer information
  • implementing multi-factor authentication to access customer data
  • submitting periodic reports to the boards of directors to ensure compliance

The FTC is also proposing to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to specifically include so-called “finders,” those who charge a fee to connect consumers who are looking for a loan to a lender.

Details from the FTC.