View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

FTC RIN: 3084-AB35 Publication ID: Spring 2023 
Title: Standards for Safeguarding Customer Information 

The Safeguards Rule, which was issued under the Gramm-Leach-Bliley (GLB) Act, requires each financial institution subject to the FTC's jurisdiction to develop a written information security program to keep customer information secure that is appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Companies covered by the rule are also responsible for taking steps to ensure that their service providers safeguard customer information in their care. The Commission believes that the rule strikes an appropriate balance between allowing financial institutions flexibility and establishing standards for safeguarding customer information that are consistent with GLB's requirements.

As part of its ongoing systematic review of all rules and guides, on September 7, 2016, the Commission requested public comments on, among other things, the economic impact and benefits of the rule; possible conflict between the rule and State, local, or other Federal laws or regulations; and the effect on the rule of any technological, economic, or other industry changes. 81 FR 61632 (Sept. 7, 2016). The comment period closed on November 7, 2016. On March 5, 2019, the Commission announced a Notice of Proposed Rulemaking (NPRM). 84 FR 13158 (April 4, 2019). The public comment period as extended closed on August 2, 2019. 84 FR 24049 (May 24, 2019). Staff is reviewing approximately 50 comments that were submitted. On March 6, 2020, the Commission announced that a public workshop relating to the April 4, 2019 NPRM would be held on May 13, 2020. 85 FR 13082 (Mar. 6, 2020). However, due to the COVID-19 pandemic, the workshop was postponed until July 13, 2020.

On December 9, 2021, the Commission issued a final rule that, among other amendments, provides additional requirements for financial institutions’ information security programs. 86 FR 70272 (Dec. 9, 2021). The final rule also expands the definition of "financial institution” to include entities that are significantly engaged in activities that are incidental to financial activities, so that the rules would cover "finders" for example, companies that serve as lead generators for payday loan companies or mortgage companies. This rule was effective January 10, 2022, except that the provisions set forth in section  314.5 are applicable beginning June 9, 2023. 87 FR 71509 (Nov. 23, 2022).

On December 9, 2021, the Commission also issued a Supplemental Notice of Proposed Rulemaking that proposes to further amend the Safeguards Rule to require financial institutions to report to the Commission any security event where the financial institutions have determined misuse of customer information has occurred or is reasonably likely and that at least 1,000 consumers have been affected or reasonably may be affected. 86 FR 70062 (Dec. 9, 2021). The comment period closed on February 7, 2022, and staff is reviewing the comments.


Agency: Federal Trade Commission(FTC)  Priority: Substantive, Nonsignificant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: Undetermined  Unfunded Mandates: No 
CFR Citation: 16 CFR 314   
Legal Authority: The Gramm-Leach-Bliley Act as codified at 15 U.S.C. 6801(b), 6805(b)(2)   
Legal Deadline:  None
Action Date FR Cite
Rule Review, Request for Public Comment  09/07/2016  81 FR 61632   
Comment Period End  11/07/2016 
NPRM  04/04/2019  84 FR 13158   
NPRM Comment Period Extended  05/24/2019  84 FR 24049   
NPRM Extended Comment Period End  08/02/2019 
Public Workshop Announcement  03/06/2020  85 FR 13082   
Public Workshop Rescheduled (Press Release)  04/21/2020 
Public Workshop  07/13/2020 
Public Workshop Comment Period End  08/12/2020 
Supplemental NPRM  12/09/2021  86 FR 70062   
Final Rule  12/09/2021  86 FR 70272   
Final Rule Effective (All Except Section 314.5)  01/10/2022 
Supplemental NPRM Comment Period End  02/07/2022 
Final Rule Effective Date Extended  11/23/2022  87 FR 71509   
Final Rule Effective (Section 314.5)  06/09/2023 
Staff Review of Public Comments  06/00/2023 
Regulatory Flexibility Analysis Required: No  Government Levels Affected: None 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: No 
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Information URL:  
RIN Data Printed in the FR: No 
Related RINs: Previously reported as 3084-AA87 
Agency Contact:
David Lincicum
Federal Trade Commission
600 Pennsylvania Avenue NW, CC-8232,
Washington, DC 20580
Phone:202 326-2773