The FTC Safeguards Rule applies to financial institutions under FTC jurisdiction, and the definition is deliberately wide. It covers any business significantly engaged in providing financial products or services to consumers, along with businesses that simply bring parties together in a financial transaction. If your business lends, finances, brokers, collects, prepares taxes, advises on investments, or handles the financial information behind those activities, you are very likely covered, whether or not you consider yourself a financial institution.
GLBA sets the obligation; the FTC Safeguards Rule is how it is enforced for non-bank institutions.
The Gramm-Leach-Bliley Act requires financial institutions to protect the security, confidentiality, and integrity of customer information. GLBA assigns enforcement to different regulators depending on the institution. Banks and credit unions answer to their prudential regulators; SEC-registered investment advisors answer to the SEC's Regulation S-P.
For the large population of non-bank financial institutions that fall under Federal Trade Commission jurisdiction, GLBA is enforced through the FTC Safeguards Rule at 16 CFR Part 314. That is the rule this program is built around. If your GLBA obligations run through a banking regulator, the SEC, or a state insurance authority instead, the underlying data-security expectations are similar but the governing standard differs, and we scope the program to the regulator that actually applies to you.
The 2021 amendments turned general expectations into nine specific, testable requirements.
The original Safeguards Rule required a reasonable written program but said little about what it had to contain. The 2021 amendments, in effect since June 2023, changed that. They name a Qualified Individual, a written risk assessment, specific technical safeguards including MFA and encryption, regular testing, service-provider oversight, a written incident response plan, and an annual written report.
That specificity cuts both ways. It tells you exactly what to implement, and it gives the FTC a concrete checklist to enforce against. A program that would have passed as reasonable a few years ago can now have named, documented gaps. We map your current controls to each of the nine elements, close the gaps, and keep the documentation that shows each element is met.
MFA, encryption, and vendor oversight are where most gaps and enforcement actions cluster.
Multi-factor authentication and encryption of customer information are two of the most concrete requirements in the rule, and two of the most common gaps. The FTC has pursued financial institutions whose weak authentication or unprotected data led to exposure of customer information. These are not abstract findings; they map directly to the safeguards the rule names.
Service-provider oversight is the other frequent gap. The rule makes you responsible for selecting providers that can protect customer information, contractually requiring them to do so, and monitoring them. A breach at a vendor that handles your customer data is still your exposure. We enforce MFA and encryption across your environment and build the vendor-oversight process that the rule requires and that a breach investigation will look for.
Breach notification to the FTC is now part of the rule.
A 2023 amendment, in effect since May 2024, added a breach-notification requirement to the Safeguards Rule itself. Covered financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of a security event involving the unencrypted customer information of 500 or more consumers.
That is a firm, short clock, and it rewards preparation. An institution that already has logging, monitoring, and a written incident response plan can determine what happened and meet the deadline. One that does not is exposed on both the breach and the missed notification. We build the detection, the response plan, and the notification workflow so a real event is handled inside the window rather than improvised under pressure. We implement and operate the controls; we do not provide legal advice, and your counsel confirms the specific notification obligations that apply to an event.