Growing Financial Companies Should Revisit the FTC Safeguards Rule Annually

For many growing mortgage lenders, financial and investment advisors, and community credit unions, keeping up with the day-to-day business is enough to keep them busy. Add the concerns about data security on top of that, and you have a headache in the making.

Most financial companies do an initial assessment of which regulations they need to comply with. Still, they fail to recognize when they cross the threshold that requires them to comply with the FTC Safeguards Rule. That’s because the rule exempts small businesses that hold records on fewer than 5,000 clients or potential clients.

So who needs to be concerned about this?

Growing financial businesses that should complete an annual or semi-annual check include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. In 2021 the rule also added “finders”: companies that bring buyers and sellers together, after which the parties themselves negotiate and consummate the transaction.

If you are one of the businesses mentioned above and are approaching the 5,000 mark for consumers and records, it’s time to begin addressing what you need to be prepared for – essentially, implementing a complete information security program.

It’s not uncommon for businesses in this growth phase to be understaffed, with owners/founders and original employees doing much of the work. Information security is typically outside their areas of expertise. Even if you are only at the 3,000 consumer mark, it may be time to start preparing for what needs to be done, and to consider a partner. Being ready to meet the Safeguards Rule doesn’t necessarily require an internal employee.

So what does your Information Security Program need to include?

  1. It must be written and appropriate for your business: the size and scope of your activities and the sensitivity of the information you maintain.
  2. You must designate a QUALIFIED individual to implement and monitor your program and to report on it to your board of directors (BOD).
  3. You must conduct an annual risk assessment.
  4. You must implement safeguards to control any risks you uncover in the assessment.
  5. You must monitor your program continually.
  6. You must provide regular training to your entire team.
  7. You must craft an incident response plan to be followed during a security incident.

You may read this and think, thank goodness we are too small to worry. But if you are marketing your business and planning for growth, you NEED to make this part of your growth plan, not an afterthought.

There is good news!! A conversation with a partner, like Reclamere, can give you an abundance of peace. You can plan appropriately – including the costs of working with a partner in your growth plan – and even estimate when you might need to “turn on” your partnership.

If you are a growing financial business, we want to chat. We aim to take this headache off your plate and earn your ongoing trust, as we have done for many other small businesses throughout the east coast.

Interested? Schedule a call today!
