The Federal Trade Commission's Safeguards Rule, promulgated under the Gramm-Leach-Bliley Act (GLBA), has historically been overshadowed by SEC and banking-sector financial privacy regulations. That changed in 2023 when substantially updated requirements took effect, transforming the Safeguards Rule from a vague principles-based standard into a prescriptive cybersecurity program mandate with specific technical requirements. For the broad universe of non-bank financial institutions covered by the rule, the updated requirements demand attention — and enforcement has already begun.
Who the FTC Safeguards Rule Covers
The FTC Safeguards Rule applies to financial institutions as defined by the GLBA that are not subject to the enforcement jurisdiction of the federal banking regulators (OCC, Federal Reserve, FDIC, NCUA). This covers a wide swath of non-bank entities, including:
- Mortgage brokers and mortgage lenders
- Payday lenders and consumer finance companies
- Auto dealers that offer or arrange financing
- Tax preparation services and tax software providers
- Accounting firms and financial advisers not registered with the SEC
- Investment advisers not registered with the SEC (state-registered)
- Student loan servicers and college financial aid administrators
- Check cashers, wire transfer services, and money services businesses
- Real estate settlement services
The coverage is broad and the FTC takes an expansive view of who qualifies. If your organization is in the business of handling or arranging transactions involving consumer financial products or services and holds nonpublic personal information about consumers, you are almost certainly covered.
The 9 Required Elements of an Information Security Program
The updated Safeguards Rule (16 CFR Part 314), effective January 10, 2022 with a final compliance deadline of June 9, 2023 for several key provisions, requires covered financial institutions to implement a comprehensive written information security program containing nine specific elements (16 CFR 314.4). These go well beyond the prior rule's general "reasonable safeguards" language:
- Qualified individual: Designate a qualified individual to oversee, implement, and enforce the information security program. This person must report in writing to the board (or equivalent oversight body) at least annually.
- Risk assessment: Conduct a written risk assessment that identifies reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information, and assesses the sufficiency of existing safeguards.
- Safeguards: Design and implement safeguards to control the risks identified. Safeguards must include: access controls; data inventory and classification; encryption of customer information in transit and at rest; secure development practices; authentication; information disposal procedures; change management; and monitoring/testing.
- Regular monitoring and testing: Regularly monitor and test the safeguards. Covered institutions maintaining customer information on 5,000 or more consumers must conduct annual penetration testing and vulnerability assessments at least every six months, or maintain effective continuous monitoring of their information systems (16 CFR § 314.4(d)(2); the carve-out for institutions below 5,000 consumers is at § 314.6).
- Staff training: Train staff on the information security program, with training appropriate to employee roles and functions.
- Service provider oversight: Select and retain service providers that maintain appropriate safeguards. Contracts must require service providers to implement and maintain such safeguards. Periodically monitor provider performance.
- Keep current: Evaluate and adjust the program in light of changes in business operations, the results of security testing, material changes in business arrangements, and any other circumstances that may affect the information security program.
- Incident response plan: Establish and maintain a written incident response plan. The plan must address goals, internal processes for responding to a security event, clear roles and responsibilities, communications and information sharing, requirements for remediation, documentation and reporting obligations, and evaluation and revision procedures.
- Annual report to board: The designated qualified individual must report at least annually to the board of directors or equivalent governing body, including the overall status of the program and material matters related to the program.
Encryption and MFA Requirements
Two technical requirements in the updated Safeguards Rule deserve particular attention because they are now explicit and mandatory (not merely "reasonable"):
Encryption: Covered institutions must implement encryption of all customer information held or transmitted by the financial institution, both in transit over external networks and at rest. There is a limited exception allowing institutions to use effective alternative compensating controls when encryption is infeasible for specific systems, but this exception requires documented justification.
Multi-factor authentication: The rule explicitly requires MFA for "any individual accessing any information system" of the covered financial institution. This is a sweeping requirement — it applies to employees, contractors, and third-party administrators accessing systems that contain customer information. MFA exceptions require documented approval by the qualified individual and regular review.
If your organization has not yet deployed MFA across all systems containing customer information, this is the most critical gap to address. A penetration test will quickly surface accounts and systems that remain accessible without MFA.
Small Business Considerations
The updated Safeguards Rule contains a limited exemption for financial institutions that maintain customer information on fewer than 5,000 consumers. These smaller institutions are exempt from the penetration testing and vulnerability assessment requirements and from the requirement to produce an annual written risk assessment. However, all other requirements apply — including the qualified individual, encryption, MFA, incident response plan, and board reporting requirements.
This is an important nuance: the small business exemption is narrow. Most of the substantive program requirements apply regardless of size.
Enforcement and Penalties
The FTC has authority to seek civil penalties under Section 5 of the FTC Act (15 U.S.C. § 45(m)). Where penalties apply, the Commission can seek up to $53,088 per violation per day — the maximum in effect for 2025, a figure the FTC inflation-adjusts each January. Note that a first-time Safeguards Rule violation does not by itself trigger these per-violation penalties, which require a prior FTC order or rule violation. Following the 2023 rule update, enforcement activity has increased, and the FTC has explicitly stated that cybersecurity failures will be a priority area. Enforcement actions typically arise from breach investigations where the Commission identifies that a covered institution failed to implement required safeguards.
Building a compliant information security program from scratch is manageable with the right partner. Fortress MSSP offers virtual CISO services designed specifically for covered financial institutions navigating the updated Safeguards Rule. Contact us to schedule a gap assessment against the 9 required program elements.