Skip to main content

Nonbank Model Data Security Law

A Comprehensive Framework for Safeguarding Sensitive Information at Nonbank Financial Institutions

·       In an increasingly digital world, data security is paramount for nonbank financial institutions. The CSBS Nonbank Model Data Security Law leverages the FTC Safeguards Rule to establish a robust framework to ensure that nonbank financial institutions have the necessary measures in place to mitigate cyber threats, prevent data breaches, and uphold the integrity of the financial system. By prioritizing data security, state regulators ensure these institutions are taking the appropriate action to protect themselves and their customers against evolving risks, thereby fostering a secure and resilient state financial system.  


The Nonbank Model Data Security Law is model statutory language that establishes comprehensive standards for data security in financial institutions. It provides a robust framework to protect sensitive information and mitigate cyber threats across the industry.

The model law is largely based on the FTC Safeguards Rule, including the amendments which are effective from June 9, 2023. By leveraging the existing applicability of the Safeguards Rule to state covered nonbanks, adopting the model law imposes minimal additional compliance burden. This alignment ensures a streamlined approach to data security regulations and facilitates smoother implementation for financial institutions.

In addition to the full model law, there is alternative language available which requires nonbank financial institutions to conform to the FTC Safeguards Rule. This is a streamlined legislative or rule approach for states looking to implement comparable language.

By adopting the Nonbank Model Data Security Law, state regulators empower financial institutions to meet and exceed data security standards, promoting a secure environment for customer information and reinforcing trust in the industry.

Key Provisions

Here is an overview of the essential provisions within the model law, outlining the standards it establishes for data security in nonbank financial institutions. By reviewing these key provisions, you will gain insights into the framework designed to protect sensitive information, mitigate cyber threats, and foster a secure financial ecosystem.

Section 4 | Standards for Safeguarding Customer Information

This section requires entities to “develop, implement, and maintain a comprehensive Information Security Program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any Customer Information at issue.”

Section 5 | Elements

This section lists the ten elements that must be found in the nonbank financial institution’s information security program, including:

  1. Designate a Qualified Individual to implement and supervise the information security program.
  2. Conduct a risk assessment.
  3. Design and implement safeguards to control the risks identified through the risk assessment.
  4. Regularly monitor and test the effectiveness of the safeguards.
  5. Train staff.
  6. Monitor service providers.
  7. Keep the information security program current.
  8. Create a written incident response plan.
  9. Require the Qualified Individual to report to your Board of Directors.
  10. Create a written business continuity and disaster recovery plan.

Section 9 | Notification of a Security Event

This optional section requires entities to notify the commissioner in the wake of a security event. Since the proposed rule on notification requirements for the FTC Safeguards Rule is still pending, the model law allows each state to establish their own customer threshold number, providing flexibility in determining the extent of impact that triggers the notification obligation.

Language of the Model Law

Resources for Adopting the Law

Additional Information


CSBS Staff Contact: Mike Bray, [email protected], 202-559-1953


1300 I Street NW, Suite 700 East, Washington, DC 20005 | Tel. 202.296.2840 | Fax. 202.296.1928