The US financial sector was visited by a wave of new regulatory rules during November.

At the beginning of the month, the FTC updated its Safeguard Rule to include more specific criteria for which safeguards must be implemented by financial institutions as part of their information security program. Those safeguards include limiting access authorizations to consumer information, using encryption to secure data and designating a qualified individual responsible for overseeing and implementing the institution’s information security program. In addition, the updated Safeguard Rule orders non-banking financial institutions (e.g., mortgage brokers) to develop, implement, and maintain a comprehensive security program, an obligation which had so far only applied to banking institutions. Simultaneously, the FTC published for public comments, another amendment to the Safeguard Rule, concerning the reporting of certain security incidents in financial institutions.

Later this month, the Federal Deposit Insurance Corporation, in cooperation with the Office of the Comptroller of the Currency and the Federal Reserve, issued a new rule requiring banks to notify their federal regulators of incidents that have materially affected – or will reasonably materially affect – the viability of the bank’s operations, its ability to deliver banking products and services, or the stability of the financial sector. The rule further requires banking service providers to notify affected banks of incidents as soon as possible. The rule will become effective as of April 1st, 2022, and compliance is required by May 1st.