{"id":37141,"date":"2024-03-08T22:18:00","date_gmt":"2024-03-08T22:18:00","guid":{"rendered":"https:\/\/www.dinsmore.com\/?post_type=publications&#038;p=37141"},"modified":"2025-11-24T19:12:44","modified_gmt":"2025-11-24T19:12:44","slug":"ftc-levels-the-playing-field-between-banks-and-other-financial-institutions","status":"publish","type":"publications","link":"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/","title":{"rendered":"FTC Levels the Playing Field Between Banks and Other Financial Institutions"},"content":{"rendered":"\n<p>Expanding its ability to detect and pursue security incidents, the Federal Trade Commission (FTC) finalized an amendment to the Safeguards Rule<a href=\"#_ftn1\" id=\"_ftnref1\">[1]<\/a> on October 27, 2023 requiring non-banking financial institutions to report certain data breaches. By extending this data privacy protection to customers of all financial institutions, this amendment demands fintech firms across the country revisit their cybersecurity and incident-response policies.<\/p>\n\n\n\n<p><strong>I. Background<\/strong><\/p>\n\n\n\n<p>Since the passage of the Gramm-Leach-Bliley Act (\u201cGLBA\u201d) in 1999, the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and the Office of the Comptroller of Currency have required <em>banking<\/em> institutions to report certain data breaches to regulators.<a href=\"#_ftn2\" id=\"_ftnref2\">[2]<\/a><\/p>\n\n\n\n<p>Meanwhile, the GLBA vests authority to regulate <em>non-banking<\/em> \u201cfinancial institutions\u201d with the FTC. Such financial institutions are not banks, but significantly engage in activities that are financial in nature or that are incidental to financial activities. This includes, among others:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Retailers that issue their own credit cards directly to consumers;<\/li>\n\n\n\n<li>Mortgage brokers and lenders;<\/li>\n\n\n\n<li>Certain tax preparation firms;<\/li>\n\n\n\n<li>Payday lenders;<\/li>\n\n\n\n<li>Check cashers;<\/li>\n\n\n\n<li>Non-federally insured credit unions;<\/li>\n\n\n\n<li>Finders;<a id=\"_ftnref3\" href=\"#_ftn3\">[3]<\/a><\/li>\n\n\n\n<li>Automobile dealerships that lease vehicles for more than ninety (90) days;<\/li>\n\n\n\n<li>Personal property or real estate appraisers;<\/li>\n\n\n\n<li>Wire transferors; and<\/li>\n\n\n\n<li>Collection agencies.<\/li>\n<\/ul>\n\n\n\n<p><strong>II. New Data Incident Reporting Obligations.<\/strong><\/p>\n\n\n\n<p>Until now, the FTC\u2019s Safeguards Rule only required these financial institutions to develop, implement and maintain information security programs that contain certain administrative, technical and physical safeguards to protect customer information. The FTC did not impose any data breach notification obligations separate from those that already might exist under state or other laws.<\/p>\n\n\n\n<p>That will change in May of 2024 when the recently finalized Safeguards Rule amendment takes effect. The amendment requires financial institutions to report to the FTC any incident in which unencrypted customer information involving 500 or more consumers is acquired without the authorization of the individual associated with the information. Companies that are subject to the Rule and experience an incident must report to the FTC:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The institution\u2019s name and contact information;<\/li>\n\n\n\n<li>A description of the types of information involved in the incident;<\/li>\n\n\n\n<li>The date or date range over which the incident took place;<\/li>\n\n\n\n<li>The number of affected consumers;<\/li>\n\n\n\n<li>A general description of the incident; and<\/li>\n\n\n\n<li>Whether a law enforcement official has made a written determination that notifying the public of the incident would either impede an ongoing criminal investigation or cause damage to national security, and, if so, contact information for said law enforcement.<\/li>\n<\/ul>\n\n\n\n<p>Companies must report the incident as soon as possible, but no later than thirty (30) days after the date the incident is \u201cdiscovered.\u201d An incident is discovered on the first day such event is known to any person, other than the person committing the breach, who is the financial institution\u2019s employee, officer <em>or other agent<\/em>. Breaches may be reported through the FTC\u2019s website.<\/p>\n\n\n\n<p>While the FTC intended for the amendment to extend the data protections that apply to information held by banks to information held by non-banking financial institutions, in some critical aspects the amendment sweeps even more broadly:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cCustomer information\u201d protected by the rule is defined broadly, and includes any record of nonpublic personal information\u2014personally identifiable financial information about a consumer obtained in connection with a financial product or service, regardless of who shared that information with the company\u2014that is handled or maintained by the financial institution <em>or its affiliates<\/em>.<\/li>\n\n\n\n<li>The FTC will consider customer information unencrypted if an unauthorized person accessed the encryption key.<\/li>\n\n\n\n<li>The FTC will presume that unauthorized access resulted in unauthorized acquisition unless the financial institution has reliable evidence otherwise.<\/li>\n\n\n\n<li>There is no \u201crisk of harm\u201d prerequisite to triggering the reporting requirement.<\/li>\n\n\n\n<li>The FTC intends to publish a publicly available database of notification event reports on its website, with the aim to provide more information to consumers and incentivize companies to better protect consumer information.<\/li>\n<\/ul>\n\n\n\n<p>The amendment will not require notification of the affected individuals. However, companies should expect many of these obligations to flow down to their service providers, affiliates and third-party vendors. A company\u2019s burden might also dramatically expand depending on whether its affiliates or service providers are deemed to be \u201cagents\u201d whose knowledge of a breach triggers the notification clock.<\/p>\n\n\n\n<p><strong>III. Conclusion<\/strong><\/p>\n\n\n\n<p>The FTC has stated that the intent of the amended Safeguards Rule is to incentivize financial institutions to use strong data security measures, and that \u201c[r]eceipt of these notices will enable the Commission to . . . facilitate prompt investigative response to major security breaches.\u201d<a href=\"#_ftn4\" id=\"_ftnref4\">[4]<\/a> The FTC may not only investigate security breaches, but is also authorized to bring enforcement actions under Section 5 of the FTC Act against companies that fail to properly provide notice of a data incident or otherwise run afoul of the amended rule.<\/p>\n\n\n\n<p>Given the ever-increasing rate of cybersecurity incidents and the costly (and public) consequences of failing to adhere to the applicable regulations, it is critically important to be proactive. As the effective date for the new Safeguards Rule approaches, fintech firms and other companies subject to the rule should promptly revisit their security practices and compliance strategies, including updating their security incident response plans to include the new definitions, deadlines and penalties and preparing to disclose new kinds of information to regulators if and when an incident occurs. After a security incident it\u2019s often too late to address many of these issues, and no one wants to be the company the FTC uses as an example to demonstrate the power of their new regulations.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><a href=\"#_ftnref1\" id=\"_ftn1\">[1]<\/a> 16 C.F.R. 314 <em>et seq.<\/em><\/p>\n\n\n\n<p><a href=\"#_ftnref2\" id=\"_ftn2\">[2]<\/a><em> See, e.g.<\/em> 12 CFR 53.3; 12 CFR 225.302; 12 CFR 304.23.<\/p>\n\n\n\n<p><a href=\"#_ftnref3\" id=\"_ftn3\">[3]<\/a> The FTC defines a \u201cfinder\u201d as a company that brings together buyers and sellers of a service or product.<\/p>\n\n\n\n<p><a href=\"#_ftnref4\" id=\"_ftn4\">[4]<\/a> https:\/\/www.ftc.gov\/system\/files\/ftc_gov\/pdf\/p145407_safeguards_rule.pdf.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Expanding its ability to detect and pursue security incidents, the Federal Trade Commission (FTC) finalized an amendment to the Safeguards Rule[1] on October 27, 2023 requiring non-banking financial institutions to report certain data breaches. By extending this data privacy protection to customers of all financial institutions, this amendment demands fintech firms across the country revisit\u2026<\/p>\n","protected":false},"author":8,"featured_media":0,"menu_order":0,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"tags":[],"publication-type":[8],"class_list":["post-37141","publications","type-publications","status-publish","format-standard","hentry","publication-type-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.5 (Yoast SEO v26.9) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>FTC Levels the Playing Field Between Banks and Other Financial Institutions - Dinsmore &amp; Shohl<\/title>\n<meta name=\"description\" content=\"FTC Levels the Playing Field Between Banks and Other Financial Institutions Read insights and legal analysis from attorneys at Dinsmore &amp; Shohl LLP.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"FTC Levels the Playing Field Between Banks and Other Financial Institutions\" \/>\n<meta property=\"og:description\" content=\"FTC Levels the Playing Field Between Banks and Other Financial Institutions Read insights and legal analysis from attorneys at Dinsmore &amp; Shohl LLP.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/\" \/>\n<meta property=\"og:site_name\" content=\"Dinsmore &amp; Shohl\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-24T19:12:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.dinsmore.com\/wp-content\/uploads\/2026\/02\/social-media-share.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"675\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/\",\"url\":\"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/\",\"name\":\"FTC Levels the Playing Field Between Banks and Other Financial Institutions - Dinsmore &amp; Shohl\",\"isPartOf\":{\"@id\":\"https:\/\/www.dinsmore.com\/#website\"},\"datePublished\":\"2024-03-08T22:18:00+00:00\",\"dateModified\":\"2025-11-24T19:12:44+00:00\",\"description\":\"FTC Levels the Playing Field Between Banks and Other Financial Institutions Read insights and legal analysis from attorneys at Dinsmore & Shohl LLP.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.dinsmore.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"FTC Levels the Playing Field Between Banks and Other Financial Institutions\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dinsmore.com\/#website\",\"url\":\"https:\/\/www.dinsmore.com\/\",\"name\":\"Dinsmore & Shohl\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.dinsmore.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dinsmore.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.dinsmore.com\/#organization\",\"name\":\"Dinsmore & Shohl\",\"url\":\"https:\/\/www.dinsmore.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dinsmore.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.dinsmore.com\/wp-content\/uploads\/2025\/12\/Dinsmore-Final-Logo-Navy.svg\",\"contentUrl\":\"https:\/\/www.dinsmore.com\/wp-content\/uploads\/2025\/12\/Dinsmore-Final-Logo-Navy.svg\",\"width\":413,\"height\":54,\"caption\":\"Dinsmore & Shohl\"},\"image\":{\"@id\":\"https:\/\/www.dinsmore.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"FTC Levels the Playing Field Between Banks and Other Financial Institutions - Dinsmore &amp; Shohl","description":"FTC Levels the Playing Field Between Banks and Other Financial Institutions Read insights and legal analysis from attorneys at Dinsmore & Shohl LLP.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/","og_locale":"en_US","og_type":"article","og_title":"FTC Levels the Playing Field Between Banks and Other Financial Institutions","og_description":"FTC Levels the Playing Field Between Banks and Other Financial Institutions Read insights and legal analysis from attorneys at Dinsmore & Shohl LLP.","og_url":"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/","og_site_name":"Dinsmore &amp; Shohl","article_modified_time":"2025-11-24T19:12:44+00:00","og_image":[{"width":1200,"height":675,"url":"https:\/\/www.dinsmore.com\/wp-content\/uploads\/2026\/02\/social-media-share.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/","url":"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/","name":"FTC Levels the Playing Field Between Banks and Other Financial Institutions - Dinsmore &amp; Shohl","isPartOf":{"@id":"https:\/\/www.dinsmore.com\/#website"},"datePublished":"2024-03-08T22:18:00+00:00","dateModified":"2025-11-24T19:12:44+00:00","description":"FTC Levels the Playing Field Between Banks and Other Financial Institutions Read insights and legal analysis from attorneys at Dinsmore & Shohl LLP.","breadcrumb":{"@id":"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dinsmore.com\/publications\/ftc-levels-the-playing-field-between-banks-and-other-financial-institutions\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.dinsmore.com\/"},{"@type":"ListItem","position":2,"name":"FTC Levels the Playing Field Between Banks and Other Financial Institutions"}]},{"@type":"WebSite","@id":"https:\/\/www.dinsmore.com\/#website","url":"https:\/\/www.dinsmore.com\/","name":"Dinsmore & Shohl","description":"","publisher":{"@id":"https:\/\/www.dinsmore.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dinsmore.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.dinsmore.com\/#organization","name":"Dinsmore & Shohl","url":"https:\/\/www.dinsmore.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dinsmore.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.dinsmore.com\/wp-content\/uploads\/2025\/12\/Dinsmore-Final-Logo-Navy.svg","contentUrl":"https:\/\/www.dinsmore.com\/wp-content\/uploads\/2025\/12\/Dinsmore-Final-Logo-Navy.svg","width":413,"height":54,"caption":"Dinsmore & Shohl"},"image":{"@id":"https:\/\/www.dinsmore.com\/#\/schema\/logo\/image\/"}}]}},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/publications\/37141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/publications"}],"about":[{"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/types\/publications"}],"author":[{"embeddable":true,"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/users\/8"}],"version-history":[{"count":5,"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/publications\/37141\/revisions"}],"predecessor-version":[{"id":62035,"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/publications\/37141\/revisions\/62035"}],"wp:attachment":[{"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/media?parent=37141"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/tags?post=37141"},{"taxonomy":"publication-type","embeddable":true,"href":"https:\/\/www.dinsmore.com\/wp-json\/wp\/v2\/publication-type?post=37141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}