Are you a financial institution according to the FTC? A financial institution “means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.” Examples of newly defined financial institutions include the following types of businesses:

  • Account Servicers
  • Accountants
  • Any business that wires money
  • Auto Dealers
  • Businesses that print checks
  • Career Counselors
  • Check Cashers
  • Collection agencies
  • Companies that act as finders, i.e., businesses that offer their clients third-party financing
  • Credit Counseling Service
  • Estate & Probate Attorneys
  • Financing Companies
  • Investment Advisory Company
  • Mortgage Brokers & Lenders
  • Payday Loan Providers
  • Real Estate Appraisers
  • Retailers that offer credit cards
  • Tax Preparation Firms & CPAs
  • Title Agencies
  • Travel Agency in connection with Financial Services

Few businesses realize that they are subject to this law, and so they leave themselves open to fines, not to mention data breaches.

What’s Required

Read the full requirements of the law at https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314. This law went into effect June 1, 2023. In summary, your business must do the following:

  • Have a designated security officer (internal or external) who is responsible for designing, maintaining, and enforcing information security
  • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, including both technical and physical safeguards
  • Have a written risk assessment with a plan of action and milestones to mitigate those risks*
  • Design and implement safeguards, including data identification, data encryption, multi-factor authentication, data retention policies, and system logging
  • Conduct regular penetration testing and security assessments*
  • Implement numerous policies and procedures
  • Provide security awareness training
  • Oversee service providers
  • Evaluate and adjust your information security program on a regular basis
  • Have a written incident response plan*
  • Deliver annual reports to your Board of Directors, or senior management, regarding the status of the plan and the organization’s compliance with the plan*

* – Requirement is waived if you have records for fewer than 5,000 consumers.

Toucan Technology Group Can Help

This is why we exist. Not all businesses can have a designated security officer on site. Few small businesses can afford the expense of everything required. Because we offer our services as a managed service provider, we can make your compliance affordable and easy with our cybersecurity offerings. Call us today at (317) 376-4874 or fill out our contact form for your free consultation.