FTC Safeguards Rule for Financial Institutions
The FTC Safeguards Rule is a federal regulation requiring non-bank financial institutions to develop, implement, and maintain a comprehensive information security program to protect customer financial data. Promulgated under the Gramm-Leach-Bliley Act (GLBA), the rule sits at the intersection of financial regulation and data security enforcement, giving the Federal Trade Commission direct authority over a wide range of businesses that handle sensitive consumer financial information. Understanding its scope, obligations, and enforcement thresholds is essential for any institution subject to FTC jurisdiction.
Definition and scope
The Safeguards Rule, codified at 16 C.F.R. Part 314, was originally issued in 2003 under the authority of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809). The FTC significantly revised the rule in a final amendment published in December 2021, with most provisions taking effect on June 9, 2023 (FTC Final Rule, 16 C.F.R. Part 314, 2021).
The rule applies to financial institutions as defined under GLBA — entities that are significantly engaged in financial activities but are not subject to the jurisdiction of other federal banking regulators. This category includes mortgage brokers, auto dealers, payday lenders, tax preparers, credit counseling services, investment advisers not covered by the SEC, and debt collectors, among others. Banks, credit unions, and savings associations are excluded from the FTC's Safeguards Rule because they fall under separate federal banking regulators such as the OCC, FDIC, or Federal Reserve.
A small business exemption applies to financial institutions that maintain customer financial information on fewer than 5,000 consumers. Those entities are exempt from three specific requirements: the written risk assessment, the incident response plan, and the annual reporting obligation to the board of directors (16 C.F.R. § 314.6).
For a broader view of how this rule fits within the FTC's overall regulatory authority, the FTC authority overview provides foundational context on the agency's statutory powers and enforcement structure.
How it works
The 2021 amendments restructured the rule around nine core operational requirements. Covered institutions must:
- Designate a Qualified Individual — a named person responsible for overseeing and implementing the information security program, who must report to the board at least annually.
- Conduct a written risk assessment — identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
- Implement safeguards — including access controls, data inventory and classification, encryption of customer information in transit and at rest, multi-factor authentication, and secure development practices for in-house applications.
- Oversee service providers — selecting providers capable of maintaining appropriate safeguards and requiring those safeguards contractually.
- Develop an incident response plan — a written plan for responding to security events affecting customer information.
- Conduct penetration testing — annual penetration tests and twice-yearly vulnerability assessments, or continuous monitoring systems that meet equivalent standards.
- Train staff — ongoing security awareness training for personnel.
- Monitor and test controls — continuous or periodic evaluation of the program's effectiveness.
- Report to the board — the Qualified Individual must present a written information security report to the board of directors or equivalent governing body at least once per year.
A new notification obligation added in October 2023 requires covered institutions to notify the FTC within 30 days of discovering a security breach involving the unencrypted information of at least 500 customers (FTC Safeguards Rule Notification Amendment, 16 C.F.R. § 314.15).
The FTC data security enforcement program operates in parallel, providing enforcement teeth when institutions fail to meet these standards.
Common scenarios
Mortgage broker with a third-party loan origination platform: A mid-size mortgage broker using a cloud-hosted loan origination system must assess the security practices of that vendor under the service provider oversight requirement. If the vendor experiences a breach exposing 600 customers' unencrypted Social Security numbers and income data, the broker is obligated to notify the FTC within 30 days under § 314.15.
Auto dealership offering financing: Dealerships that arrange financing — even through third-party lenders — qualify as financial institutions under GLBA if they receive consumer financial information in the process. Such a dealership with 6,000 customer records must implement the full suite of controls, including annual penetration testing and board-level reporting. A dealership holding fewer than 5,000 records still must maintain an information security program but is exempt from the written risk assessment and incident response plan requirements.
Tax preparation firm: A tax preparer that files returns electronically and retains customer financial records must encrypt that data at rest and in transit, implement multi-factor authentication for any remote access, and train staff annually on social engineering and phishing risks.
Decision boundaries
Distinguishing which entities are covered — and to what degree — requires applying three threshold tests:
Covered vs. excluded institutions: The central dividing line is regulatory jurisdiction. If a financial institution is supervised by a federal banking regulator (OCC, FDIC, Federal Reserve, NCUA), the FTC Safeguards Rule does not apply. If the institution is subject to FTC jurisdiction under Section 5 of the FTC Act and is significantly engaged in financial activities, it is covered. The FTC's Section 5 authority over unfair or deceptive acts provides the underlying enforcement mechanism.
Full obligations vs. small business exemption: The 5,000-consumer threshold determines whether the written risk assessment, incident response plan, and annual board reporting requirements apply. All other Safeguards Rule provisions apply regardless of size. Counting methodology follows the number of individual consumers, not households or accounts.
Notification-triggering breach vs. non-triggering event: Not every security incident triggers the 30-day FTC notification requirement. The obligation applies only when a breach involves the unencrypted customer information of 500 or more consumers. Incidents affecting fewer than 500 consumers, or incidents involving only encrypted data where no encryption key was compromised, do not trigger the § 314.15 notification duty.
The FTC penalties and remedies framework governs the consequences for institutions that fail to comply, including civil penalty exposure and injunctive relief.