In a little-noticed consent decree in the fall of 2019, the Federal Trade Commission took the position that businesses whose services facilitate financial operations on behalf of financial institutions may themselves be financial institutions subject to the privacy and data security requirements under the Gramm-Leach-Bliley Act. This decision may affect companies offering technology that enables credit, mortgage loans or insurance transactions, investment advice, payroll services and other financial products or services, or the brokering of those products or services. The order suggests that the FTC may enforce violations of the GLBA’s privacy or security requirements directly against these companies, irrespective of whether the companies are consumer-facing.
The ruling came in the FTC’s enforcement action against LightYear Dealer Technologies (Dealerbuilt). Dealerbuilt developed and sold dealer software and data processing services to automotive dealerships nationwide. While Dealerbuilt itself did not provide financial products or services to consumers, it enabled data collection and processing to allow dealers to – among other things – extend credit to consumers, which is a GLBA-covered activity. Specifically, Dealerbuilt’s dealer management system (DMS) software helped dealers collect and maintain large quantities of personal and sensitive information, including details such as name, gender, physical and mailing address, phone number, email address, date of birth, Social Security number, driver’s license number and payment card number.
The FTC ruled that Dealerbuilt is a financial institution because it is significantly engaged in data processing of nonpublic personal information to facilitate extension of credit to consumers by Dealerbuilt’s customers – dealerships – which are also financial institutions under the GLBA.
The FTC’s position in Dealerbuilt is consistent with the FTC’s proposed expansion of the GLBA safeguards rule. In the proposed rule, the FTC seeks to broaden the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The expansive view of the term is also consistent with a 2018 US Treasury report, which took the view that data aggregators and consumer fintech application providers – firms that access consumer financial account and transaction data to provide value-added products and services to consumers – are financial institutions subject to the GLBA.
The increased scope of “financial institution” is noteworthy, but the impact may not be quite so profound. Many of the businesses that receive customer information from financial institutions already take measures to secure that data, even if not obligated to do so under the act, as entities may be contractually bound by partnerships or encouraged to do so by competitive markets.
The direct applicability of the GLBA, however, gives the FTC a stronger hand in enforcement because it establishes a statutory privacy and security standard for the companies’ data practices and lowers the threshold for the FTC’s imposition of financial penalties for privacy and security violations. Penalties for noncompliance with the GLBA can include fines up to $100,000 per violation and $192 per record lost in restitution. This also includes fines for officers and directors of up to $10,000 per violation, criminal penalties of up to five years in prison and revocation of professional licenses.
The FTC recommends the following steps to stay in compliance with the GLBA’s information security requirements:
- Designate one or more employees to coordinate the company’s information security program
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks
- Design and implement a safeguards program, and regularly monitor and test it
- Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards and oversee their handling of customer information
- Evaluate and adjust the program in light of relevant circumstances, including changes in the company’s business or operations, or the results of security testing and monitoring