New Regulations Help Secure Access to U.S. 529 College Savings Plans
In June 2018, malicious actors carried out a cyberattack on the Connecticut Higher Education Trust (CHET), which offers the state’s 529 college savings plan. This was not just another ho-hum cyberattack. The fraudsters identified 21 accounts that had never been registered for online access, created online logins for them using personally identifiable information (PII) obtained elsewhere online, and siphoned $1.4 million from the accounts.
This attack raised two distinct concerns: verifying the identity of an individual at the time an online account is created (identity proofing), and ensuring that the person who was verified is really the same person accessing the account in every subsequent online and offline transaction (authentication). A plan can get the first right and still be defeated if the second is weak, and vice versa.
According to the College Savings Plans Network, the average balance in a 529 college savings plan is over $24,000. Many parents and grandparents contribute monthly, but they access their online account less frequently. Should their 529 college savings plan account be compromised, they may not realize it until weeks or months later.
Knowledge-Based Authentication (KBA) was once the de facto method of verifying identities online, but with hundreds of millions of personally identifiable records exposed in numerous breaches, KBA is no longer the “go to” approach. The bad guys can now answer the out-of-wallet questions presented during a static or dynamic KBA session, because the data those questions are drawn from (credit history, addresses, vehicle and loan details) is exactly what has been breached. KBA also creates problems for legitimate consumers. The real person will often fail to answer the questions presented: they may forget the answers, or they may not manage the household finances and, for example, not know the range of the monthly payments on their 2017 Toyota Camry.
The good news for consumers is that recent and forthcoming policy changes will help secure access to online accounts at financial institutions.
Regulations Protecting the 529 College Savings Plan Accounts from Future Attacks
New York’s Cybersecurity Requirements for Financial Services Companies
In response to the widespread cyberattacks on U.S. financial institutions, the New York State Department of Financial Services (NYDFS) published its Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) on March 1, 2017. The regulation requires financial institutions to implement specific policies and procedures to better protect user data.
The NYDFS regulates approximately 1,500 financial institutions and over 1,400 insurance companies. Given its wide breadth, most 529 college savings plans must comply with the regulation. Under the regulation, banks and financial services providers must secure their own systems as well as implement third-party risk management programs. Given the comprehensive list of provisions in the regulation, the NYDFS instituted a two-year transitional period, in four phases, to allow organizations time to become compliant. A key provision, which went into effect in March 2018, requires multifactor authentication (MFA) for any individual accessing the institution’s internal networks from an external network (unless the CISO approves reasonably equivalent controls), along with effective controls, which may include MFA or risk-based authentication, for access to non-public information or information systems.
The final phase took effect on March 1, 2019 and applies to third-party service providers. Financial institutions must implement policies and procedures pertaining to third-party service providers that include relevant guidelines for due diligence and contractual protections, addressing:
- Access controls, including multi-factor authentication
- Notifications to be provided to the primary organization in response to a cybersecurity event
- Representations and warranties for a third party’s cybersecurity policies and procedures
Federal Trade Commission Updates to the Safeguards Rule and the Privacy Rule
In March 2019, the Federal Trade Commission announced a Notice of Proposed Rulemaking (NPRM) to implement changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. Specifically, the FTC is seeking comments on proposed changes to the Safeguards Rule and the Privacy Rule, which require financial institutions to protect sensitive customer data and to explain their information-sharing practices to their customers.
- The Safeguards Rule, which went into effect in 2003, requires financial institutions to have measures in place to keep customer information secure. Companies are now responsible for ensuring that their affiliates and service providers safeguard customer information.
- The Privacy Rule, which went into effect in 2000, requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
The FTC intends to create detailed requirements for what must be included in a comprehensive information security program under the proposed rules. The proposal would require financial institutions to encrypt customer information both in transit and at rest, to prevent unauthorized users from accessing customer information through access controls, and to use multifactor authentication for any individual accessing customer information. The proposed changes to the Safeguards Rule very closely resemble the NYDFS Cybersecurity Regulation, and this is by design: the FTC has stated that its proposal is based primarily on the NYDFS regulation and the NAIC insurance data security model law. The FTC has also proposed requiring a designated security officer to report at least annually to the company’s board of directors, to improve oversight and compliance.
529 College Savings Plans Must Be Protected
529 plans are a tax-advantaged way to save for college. One should not have to sacrifice security in order to save on a state income tax return. The regulations already in place, and those forthcoming, should substantially improve not only security but also the customer experience, since replacing KBA with stronger authentication removes the out-of-wallet questions that legitimate account holders so often fail.