
FTC's Safeguard Rule
In the June issue of the BANKERS' HOTLINE, the front-page article entitled "Privacy II" talks about implementing the provisions of the Gramm-Leach-Bliley Act (GLBA) 501(b). I wasn't aware that commercial banks would be subject to another set of rules for that. Last year, the Federal Banking Agencies issued "Guidelines Establishing Standards for Safeguarding Customer Information", which were effective July 1, 2001.

According to your article "each financial institution in the United States" must comply with the Safeguard Rule. However, the scope of the Safeguard Rule, finalized by the Federal Trade Commission at 16 CFR Part 314, extends to "financial institutions subject to its [FTC] jurisdiction." On page 36492 of the Federal Register, the FTC states that the GLBA does not specify the categories of financial institutions subject to the Commission's jurisdiction: rather, section 505(a)(5) vests the Commission with enforcement authority with respect to "any other financial institution or other person that is not subject to the jurisdiction of any [other] agency or authority [charged with enforcing the statute]."

Please clarify this for me. Although I think there is some useful information in FTC's analysis and regulation, I don't want to report to our board of directors on something that is not applicable to us.

Vicki Garrett
Compliance & Loan Review Officer
Jonestown Bank and Trust Company

Reply by Mary Beth Guard, Esq., Executive Editor, BankersOnline.com
Although the FTC rule does not apply to banks, there are at least two reasons why banks will want to be cognizant of the FTC information safeguards rule.

The FTC information safeguards rule will affect all insured depository institutions in an indirect manner because it will affect some of their service providers. (This would include credit reporting agencies, MasterCard, Visa, traveler's checks companies, accounting firms, and law firms that provide certain types of financial services.)

To the extent that the insured institutions use service providers who fall within the FTC's regulatory jurisdiction as "financial institutions", the insured institutions will be able to take that information into account in determining the level of monitoring and scrutiny they must give to the information security safeguards of such an entity.

An example might be helpful. Let's say Bank A utilizes Company B to provide certain insurance products to its customers as a benefit of having an account with Bank A. In the course of its relationship with Company B, Bank A provides information about customers to Company B. The information security guidelines applicable to Bank A say that it must have a contractual provision with Company B that requires Company B to implement and maintain an information security program designed to achieve the objectives of the infosec guidelines applicable to the bank. There is a requirement, in some instances, for testing and monitoring the other company's infosec program. Where, however, the other company is directly bound by infosec guidelines, that relieves much of the burden from the bank.

Because the FTC's rule was promulgated more than a year after the banking industry's infosec guidelines, it contains additional discussion and guidance that may be instructive to all financial institutions, not just those directly bound by it. For example, it requires a specific employee or employees to be placed in charge of implementing the infosec program. It says the program can be "in one or more readily accessible parts". I found the entire document very interesting reading.

Copyright © 2003 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 12, No. 10, 1/03



