The Clearing House Association, L.L.C. (TCH) responded to the Federal Trade Commission’s (FTC) request for public comment on its proposal to amend the Standards for Safeguarding Customer Information (the Safeguards Rule). The proposal would require data security event reporting for FTC-regulated financial institutions, including many fintechs engaging in activities similar to the activities undertaken by banks.
In its comments, TCH observed that the number of non-bank entities active in financial services has grown tremendously in the past decade, and that along with this growth come data security risks and lapses, such as data breaches and the sharing and use of consumer financial data without customers’ consent. TCH argued that it is vital that consumer financial data be properly handled and safeguarded, and that it is essential that fintechs engaged in functionally similar banking- and payments-related activities as banks should be subject to functionally similar requirements, including data breach notification requirements.
TCH recognized the improvement to the overall Safeguards Rule that security event reporting requirements present but noted concerns about differences that exist between the standards to which traditional financial institutions regulated by the prudential regulators are subject and those that the FTC has proposed. To further strengthen consumer safeguards and to ensure that the security event reporting component applies functionally similar requirements to FTC-regulated financial institutions as apply to banks today, TCH made the following recommendations:
- The FTC should proceed with supplementing the Safeguards Rule with standalone security event reporting requirements.
- Security event reporting requirements under the Safeguards Rule would benefit from alignment with the requirements applicable to federally supervised banks. In particular:
  - The threshold for event reporting and the event reporting requirements should be aligned with the notification requirements contained in the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” adopted by the OCC, the Federal Reserve, and the FDIC; and
  - The notification timeframe for qualifying security events should be expressed in hours and days, similar to the guidance adopted by the federal financial regulators and the timeframe provided in the recently adopted “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” final rule.
- The FTC should further supplement the Safeguards Rule to require the reporting of material disruption or degradation, or reasonable likelihood of material disruption or degradation, of an FTC-regulated financial institution’s abilities, business lines, or operations, or similar such disruptions at FTC-regulated financial institutions’ service providers, similar to the requirements of the “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” final rule.