During a recent, nationwide sweep of mortgage companies, the Federal Trade Commission ("FTC") found that two mortgage companies, Nationwide Mortgage Group, Inc. ("Nationwide"), and Sunbelt Lending Services, Inc. ("Sunbelt"), failed to comply with the FTC's Gramm-Leach-Bliley Act Safeguards Rule. Although many companies are in compliance with its Safeguards Rule, the FTC's charges against Nationwide and Sunbelt should give pause to all residential mortgage lenders and brokers. For more information about the administrative action filed by the FTC against these two mortgage companies, go to FTC Enforces Gramm-Leach-Bliley Act's Safeguards Rule Against Mortgage Companies.
Introduction
The Safeguards Rule stems from the Gramm-Leach-Bliley Act ("GLB Act" or the "Act"), which President Clinton signed into law on November 12, 1999. One of the primary purposes of the Act was to eliminate certain types of barriers between banking and commerce. With the passage of the GLB Act, banks may now engage in a broad range of activities, including insurance and securities brokering, with new affiliated entities.
In addition to reforming the financial services industry, the GLB Act also addressed concerns relating to the protection of consumers' financial privacy, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The provisions of the GLB Act that are designed to protect consumers' financial privacy are referred to as "privacy requirements." Click here for the "privacy requirements" portion of the Act.
The Safeguards Rule is one of three (3) principal parts to the privacy requirements of the GLB Act. Under the GLB Act, the FTC and seven (7) other federal agencies were required to establish standards for financial institutions that each agency regulates relating to administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. Although each of these federal agencies has its own safeguards rule, this article will focus only on the FTC's Safeguards Rule, as residential mortgage lenders and brokers are subject to the FTC's jurisdiction.
There are three (3) principal parts to the Act's "privacy requirements," which are described as follows:
- Financial Privacy Rule - Subtitle A of Title V of the GLB Act, entitled "Disclosure of Nonpublic Personal Information," limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose certain privacy policies and practices with respect to its information sharing with both affiliates and nonaffiliated third parties. Click here for the FTC's Financial Privacy Rule. See also Frequently Asked Questions for the Privacy Regulation, In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, and How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act.
- Safeguards Rule - Subtitle A of Title V of the Act (Section 501(b) of GLB Act) also requires the FTC and other federal agencies, such as the Office of the Comptroller of the Currency ("OCC"), the Board of Governors of the Federal Reserve System ("Board"), the Office of Thrift Supervision ("OTS"), and the National Credit Union Administration ("NCUA"), to establish standards for the financial institutions that they regulate relating to administrative, technical, and physical safeguards for certain customer information. Click here to view a complete text of the Safeguards Rule. The FTC has published a few articles to educate financial institutions subject to the FTC's jurisdiction about compliance with the Safeguards Rule. These articles can be found at Financial Institutions and Customer Data: Complying with the Safeguards Rule and Information Compromise and the Risk of Identity Theft: Guidance for Your Business.
- Pretexting Provisions - These provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses. This practice is called "pretexting." An FTC article that describes pretexting in more detail can be found at Pretexting: Your Personal Information Revealed.
Under the GLB Act, eight (8) federal agencies and the states administer and enforce the Financial Privacy Rule and the Safeguards Rule. Both Rules apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers (e.g., lending, brokering or servicing of any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts).
The FTC'S Safeguards Rule
The objectives of the FTC's Safeguards Rule are:
- To ensure the security and confidentiality of customer records and information;
- To protect against any unanticipated threats or hazards to the security or integrity of such records; and
- To protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
When Safeguards Are Required
The Safeguards Rule applies to "customer information" handled by all financial institutions over which the FTC has jurisdiction. A "financial institution" covers a broad range of entities, such as non-depository lenders; consumer reporting agencies; debt collectors; data processors; courier services; retailers that extend credit by issuing credit cards to consumers; personal property or real estate appraisers; check-cashing businesses; mortgage brokers, and any other entities meeting the definition of "financial institution."
Information Security Program
The FTC's Safeguards Rule requires that financial institutions develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards. The program must be appropriate to the financial institution's size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue.
Each financial institution's information security program must contain the following elements:
- A designation of one or more employees to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
- An identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of the financial institution's operations, including:
  - Employee training and management;
  - Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
  - Detecting, preventing and responding to attacks, intrusions, or other systems failures.
- Design and implementation of information safeguards to control the risks identified through risk assessment, and regularly testing or otherwise monitoring the effectiveness of the safeguards' key controls, systems, and procedures.
- Overseeing of service providers by:
  - Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  - Requiring service providers, by contract, to implement and maintain such safeguards.
- An evaluation and adjustment of the financial institution's information security program in light of the results of the testing and monitoring required by Section 314.4(c) of the Safeguards Rule; any material changes to operations or business arrangements, such as in technology; or any other circumstances that the financial institution knows or has reason to know may have a material impact on the information security program. These circumstances could include changes to operations or business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, or changes to the services provided by the financial institution.
Some examples of what an information security program may include are as follows:
- A check of all references prior to hiring employees who will have access to customer information;
- Requiring new employees to sign confidentiality agreements;
- A simple locking up of rooms and file cabinets where paper records are kept;
- Using password-activated screensavers;
- Using strong passwords (at least eight characters long);
- Changing passwords periodically;
- Encrypting sensitive customer information that is transmitted electronically over networks or stored online;
- Referring calls or other requests for customer information to designated individuals who have had safeguards training; and
- Recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.
Each financial institution subject to the FTC's jurisdiction must have implemented an information security program no later than May 23, 2003. For service contracts entered into by a financial institution with a service provider on or before June 24, 2002, compliance with the Safeguards Rule was required as of May 23, 2004.
Conclusion
The lesson to be learned from the Nationwide and Sunbelt cases is not to get caught off guard. In view of the FTC's administrative complaints against Nationwide and Sunbelt, it would be prudent to review your information security program to make sure it complies with the Safeguards Rule, or to implement a program if one is not already in place.
Notes
- Pub. L. 106-102.
- Office of the Comptroller of the Currency ("OCC"); the Board of Governors of the Federal Reserve System ("Board"); the Federal Deposit Insurance Corporation ("FDIC"); the Office of Thrift Supervision ("OTS"); the National Credit Union Administration ("NCUA"); the Secretary of the Treasury ("Treasury"); and the Securities and Exchange Commission ("SEC").
- Federal Trade Commission ("FTC"); Office of the Comptroller of the Currency ("OCC"); the Board of Governors of the Federal Reserve System ("Board"); the Federal Deposit Insurance Corporation ("FDIC"); the Office of Thrift Supervision ("OTS"); the National Credit Union Administration ("NCUA"); the Secretary of the Treasury ("Treasury"); and the Securities and Exchange Commission ("SEC").
- Section 314.2(b) of the Safeguards Rule.
- Section 314.1(b) of the Safeguards Rule.
- Section 509(3)(A) of the GLB Act and Section 313.3(k)(1) of the FTC's Privacy Rule.
- Section 314.3(a) of the Safeguards Rule.
- Section 314.4(a) of the Safeguards Rule.
- Section 314.4(b) of the Safeguards Rule.
- Section 314.4(c) of the Safeguards Rule.
- Section 314.4(d) of the Safeguards Rule.
- Section 314.4(e) of the Safeguards Rule.