Recent changes to the FTC Safeguards Rule have changed the types of companies we typically think of as “financial institutions,” and that’s critically important for business owners who might not realize that – surprise! – a whole new set of rules suddenly applies to them.

We asked an advanced AI to consider the implications of the recent changes to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), to see what kinds of businesses fall under that “financial institution” heading, and to outline the steps they’ll need to take in order to protect their customers’ data.

These were its answers.


Q1 Are you familiar with the FTC Safeguards Rule and how it impacts financial institutions?

Yes, I’m familiar with the FTC Safeguards Rule. The Safeguards Rule is a regulation issued by the U.S. Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act (GLBA). The rule outlines requirements for financial institutions to develop, implement, and maintain information security programs to protect the nonpublic personal information (NPI) of their customers.


The main goal of the Safeguards Rule is to ensure that financial institutions take appropriate measures to protect the confidentiality and security of customer information. This includes both electronic and paper-based records containing sensitive personal and financial data.

Q2 How could a business that’s defined as a “financial institution” take appropriate measures?

Here are some key aspects of the FTC Safeguards Rule and its impact on financial institutions:


    • Information Security Program: Financial institutions are required to develop and implement a comprehensive information security program that addresses the safeguarding of customer information. This program should include risk assessments, safeguards, employee training, and oversight of service providers.
    • Risk Assessment: Institutions are required to assess the risks to customer information in their possession, taking into account factors such as the size and complexity of their operations, the sensitivity of the information, and the security measures in place.
    • Safeguards Implementation: The rule does not prescribe specific security measures but requires institutions to implement safeguards that are appropriate to their size, complexity, and the nature of their activities. These safeguards can include access controls, encryption, authentication mechanisms, and more.
    • Employee Training: Financial institutions are expected to provide their employees with ongoing training to ensure they understand the importance of protecting customer information and know how to properly handle and secure that information.
    • Oversight of Service Providers: If a financial institution shares customer information with third-party service providers, they are required to ensure that these providers have sufficient security measures in place to protect the information.
    • Regular Evaluation and Adjustment: The information security program should be evaluated regularly to identify vulnerabilities and make necessary adjustments. This ensures that the program remains effective in addressing evolving threats and risks.
    • Security Incident Response: Financial institutions are also expected to have a plan in place to respond to security incidents and breaches. This includes notifying customers and regulatory authorities in the event of a breach.


Noncompliance with the Safeguards Rule can result in significant penalties and enforcement actions by the FTC. It’s important for financial institutions to stay up to date with any changes to the rule and to ensure that their information security programs are robust and effective.


Please note that regulations and compliance requirements can evolve over time, so it’s always a good idea to refer to official sources and legal counsel for the most accurate and current information regarding the FTC Safeguards Rule and its impact on your business.


Q3 When I think of financial institutions I think of banks and credit unions, but the FTC defines a number of businesses as “financial institutions,” doesn’t it?

Absolutely, you’re correct. The definition of “financial institution” under the FTC Safeguards Rule is quite broad, and encompasses a wide range of businesses beyond traditional banks and credit unions.


The rule includes any institution that is significantly engaged in activities that are financial in nature or that are incidental to such financial activities. This broader definition is in line with the GLBA’s goal of ensuring the privacy and security of customer information across various sectors of the financial industry.


Here are some examples of businesses that the FTC might consider to be “financial institutions” under the Safeguards Rule:


    • Banks and Credit Unions: Traditional banks and credit unions that offer banking services, including deposit accounts, loans, and other financial products.
    • Mortgage Lenders and Brokers: Businesses involved in originating or brokering mortgage loans.
    • Insurance Brokers: Entities that provide insurance products and services, including life insurance, health insurance, property insurance, and more.
    • Financial Advisors/Planners: Professionals who provide financial planning and investment advice to clients.
    • Payment Processors: Entities that handle electronic payment transactions, including credit card processing.
    • Credit Reporting Agencies: Companies that collect and maintain consumer credit information.
    • Debt Collectors: Entities that collect debts on behalf of creditors.
    • Tax Preparation Services: Businesses that provide tax preparation and filing services.
    • Student Loan Servicers: Companies that manage and service student loans.
    • Dealerships: Businesses that offer vehicle financing services to customers.


These examples illustrate the diversity of businesses that fall under the FTC’s definition of “financial institutions” for the purpose of the Safeguards Rule. Regardless of the specific type of financial activity, if an entity collects and holds nonpublic personal information from customers, it is likely subject to the requirements of the Safeguards Rule and must implement appropriate measures to protect customer information.


Q4 On your list, “dealerships” is interesting, because we usually think of car dealerships — but it’s not specific to cars, correct? Bicycle stores, RV dealers, anyone who offers on-site financing or “same as cash” credit offers could qualify as a “financial institution,” then. Is that your understanding?

Absolutely, you’re correct. The term “dealerships” is not limited to car dealerships alone. It can encompass a wide range of businesses that offer on-site financing or credit options, regardless of the type of product they sell. This could indeed include businesses like bicycle stores, RV dealers, furniture stores, electronics retailers, and more, as long as they meet the criteria of engaging in financial activities and collecting nonpublic personal information (NPI) from customers.


If these types of businesses offer financing or credit arrangements that involve the collection of sensitive financial and personal information, they could fall under the definition of “financial institution” as outlined in the FTC Safeguards Rule. This means they would be subject to the rule’s requirements for developing and maintaining information security programs to protect customer information.


The key factor is whether the business engages in financial activities and collects customer NPI as part of those activities. If they do, they should carefully assess whether they fall under the scope of the FTC Safeguards Rule and take the necessary steps to ensure compliance with its requirements.


Q5 That’s a pretty broad definition, but it makes sense. With that understanding of “financial institutions,” what are some of the most non-intuitive types of businesses that could fall under that definition?

Indeed, the definition of “financial institutions” under the FTC Safeguards Rule is intentionally broad to encompass a variety of businesses that engage in financial activities and collect nonpublic personal information (NPI) from customers. Here are some non-intuitive types of businesses that could potentially fall under this definition:


    • Funeral Homes: Funeral homes that offer pre-need funeral planning and financing options could be considered financial institutions since they offer financial services and collect customer NPI.
    • Healthcare Providers: Some healthcare providers that offer patient financing options or installment payment plans for medical treatments could be subject to the rule if they collect sensitive patient information as part of these arrangements.
    • Educational Institutions: Educational institutions that provide student loans or financing options for tuition could be considered financial institutions if they collect NPI from students and their families.
    • Jewelry Stores: High-end jewelry stores that offer financing plans for expensive jewelry purchases may collect customer financial information, making them subject to the rule.
    • HVAC and Home Improvement Companies: Businesses that provide financing for home improvement projects or heating, ventilation, and air conditioning (HVAC) services may collect sensitive financial information, potentially making them subject to the rule.
    • Lifestyle Subscription Services: Subscription services that offer installment plans for products or services, such as fitness equipment or meal kits, may collect financial information and fall under the rule.
    • Mobile Phone Retailers: Retailers that offer installment plans or financing options for smartphones and other devices could be considered financial institutions.
    • Insurance Adjusters: Insurance adjusters that collect and handle nonpublic personal information while assessing and processing insurance claims, which involves financial activities.


Remember that whether a particular business qualifies as a financial institution under the Safeguards Rule depends on factors such as the nature of their financial activities and the type of customer information they collect and retain. It’s important for these businesses to carefully evaluate their practices and consult experts to determine their compliance obligations.


Q6 You mentioned “lifestyle subscription memberships,” and I think of gym memberships. Specifically memberships that are virtual, that allow you to store and track biometric data. Is that considered nonpublic, personal information?

Yes, biometric data, including information like fingerprints, iris scans, voiceprints, and other biologically unique identifiers, is generally considered nonpublic personal information (NPI). If a virtual gym membership or a similar lifestyle subscription service collects and stores customers’ biometric data for the purpose of tracking their fitness progress or providing personalized experiences, they could potentially fall under the definition of “financial institutions” under the FTC Safeguards Rule.


This would depend on factors such as the nature of the service, the collection and storage of biometric data, and whether the business engages in financial activities, such as offering payment plans or financing options. If the business collects biometric data as part of its operations and provides financial services, it might be subject to the Safeguards Rule’s requirements for protecting customer information, including biometric data.


It’s important to note that regulations related to biometric data can vary by jurisdiction.

Q7 That’s wild stuff, AI — thanks for doing this with me. Do you have any closing thoughts for business owners and brand managers trying to navigate all these new rules and what kind of professional services they might want to seek out to ensure compliance?

You’re welcome! Navigating complex regulations like those related to data privacy and information security can be challenging for business owners and brand managers. Here are a few closing thoughts and recommendations:


  1. Stay Informed: Regulations and compliance requirements can evolve over time. It’s important to stay informed about changes in relevant laws and regulations that may impact your business. Subscribe to reputable sources, attend industry conferences, and engage with legal experts to stay up to date.
  2. Seek Legal Counsel: Given the intricacies of compliance and the potential legal implications, it’s advisable to seek legal counsel from professionals who specialize in data privacy, information security, and regulatory compliance. These experts can provide tailored guidance based on your business’s specific activities and needs.
  3. Consult Cybersecurity Experts: For businesses dealing with sensitive customer information, engaging with cybersecurity experts can help identify vulnerabilities, assess risks, and implement appropriate safeguards to protect customer data from breaches and unauthorized access.
  4. Data Protection Officers (DPOs): Depending on the scale and nature of your data processing activities, it might be beneficial to appoint a Data Protection Officer to oversee and ensure compliance with data protection laws.
  5. Vendor Management: If your business relies on third-party service providers, ensure they also comply with relevant regulations and have appropriate safeguards in place to protect customer data.
  6. Document Policies and Procedures: Develop clear and comprehensive data privacy policies, information security procedures, and incident response plans. These documents can serve as guidelines for employees and evidence of compliance in case of audits or investigations.
  7. Transparency and Communication: Clearly communicate your data privacy practices to customers, including how their information is collected, used, and protected. Transparency builds trust and helps customers understand how their data is being handled.
  8. Regular Updates: Regularly review and update your compliance strategies and procedures to adapt to changes in regulations, business activities, and emerging cybersecurity threats.


Remember that compliance is an ongoing effort, and proactively addressing data privacy and security can not only help you avoid potential legal consequences but also enhance your reputation and build trust with your customers. Engaging with a combination of legal experts, cybersecurity professionals, and compliance consultants can provide you with a well-rounded approach to managing these complex requirements.

Great advice.


Co-authored by Jo Borrás & OpenAI’s ChatGPT 3.5.