AFSA Requests FTC Change Safeguards Rule August 07, 2019 AFSA submitted a letter on August 2 to the Federal Trade Commission (FTC) seeking changes to its proposed rule amending the Standards for Safeguarding Customer Information before it is implemented. Known as the Safeguards Rule, AFSA laid out five key problematic areas. First, the proposed rule seems to discount that financial institutions of all sizes have a vested interest in ensuring that their customers’ information is protected. AFSA members have no desire to become the target of the next large data breach and have expended significant resources to mitigate such breaches. Reputational risks and financial costs from data breaches mean every financial institution has a strong incentive to ensure data is held and maintained in a secure manner. Second, the rule does not include an adequate safe harbor. The FTC wants financial institutions to ensure that they “have information-security plans that protect customer information” in place while simultaneously ensuring that any rule is flexible. A safe harbor for those companies that are complying with established standards from any one of several regulatory bodies will ensure protections and credit access for consumers. Third, AFSA strongly supports a single, federal, risk-based standard that preempts state law regarding cybersecurity. The current law does not give the FTC authority to preempt state laws. AFSA believes, however, that the FTC should seek congressional approval to do so. The result of inconsistent state laws on data security leads to uneven consumer protections and the inability for businesses to effectively comply, reducing credit broadly. Next, smaller institutions should be exempt from the amended Safeguards Rule. Current security standards are and should be scaled to the size of the institution. The proposed rule would impose national bank-data-security requirements on both large and small financial institutions, those with thousands of branches and those with just a handful. This is unfair and unworkable for smaller financial institutions that do not have a broad, national exposure to cyber-threats. However, some regulation is needed. AFSA proposed that the FTC adopt the same standard as the California Consumer Privacy Act, which provides an exemption for any institution that has fewer than 50,000 or more consumer records in their database. Finally, the proposed rule, as written, is highly prescriptive, which runs the risk of becoming a “check the box” exercise as opposed to producing a robust, enhanced security posture. AFSA encouraged the FTC to implement a risk-based approach that provides flexibility to financial institutions, while requiring compliance with the law. AFSA will continue to work closely with the FTC as it considers this rulemaking.