
TCH Submitted Comments in Response to the Federal Trade Commission’s Request for Comments Regarding the Safeguarding of Customer Information

The Clearing House submitted comments to the FTC regarding the FTC’s “Standards for Safeguarding Customer Information” (“Safeguards Rule”). TCH’s comments focused on changes in technology and economic conditions since the Safeguards Rule was promulgated in 2002. TCH noted that the fintech industry has expanded significantly since the Safeguards Rule was adopted and urged the FTC to adopt stricter, more robust data security requirements for fintech companies. TCH made the following observations and recommendations:

  • Both Congress and regulators, including the FTC, have begun to express a growing interest in regulating fintech companies in a number of areas, including data security and privacy.
  • Fintech companies hold vast amounts of consumer financial data, thereby posing a risk to the security of consumer financial information, as well as to the safety and soundness of the financial system.
  • Fintech providers are subject to significantly less stringent regulatory requirements concerning data security and privacy than are banks. Key differences between the two sets of requirements include standards regarding board and management involvement, employee background checks, vendor oversight, authentication, and incident response programs. Many fintech companies dramatically limit their liability for compromises of customer financial information and/or unauthorized transactions in the terms and conditions that bind their customers. This results in materially weaker data security protection for consumers’ financial information held by fintech companies as compared to the protection in place for banks, when both are engaged in the same activities.
  • TCH recommends enhancing the substantive regulatory requirements applicable to fintech companies, perhaps through a two-tier regulatory structure. Banks and fintech companies engaging in functionally similar activities and possessing comparable types and volumes of consumer data should be subject to similar, heightened regulatory regimes.
