The FTC Safeguards Rule protects nonpublic personal information held by non-bank financial institutions. A consumer finance company's daily work sits squarely inside that definition. It originates and underwrites credit, services a portfolio, pulls credit reports, and moves funds through ACH and payment processors. The rule names finance companies and installment lenders as covered financial institutions.
Consumer and installment lenders hold high-value financial data.
Every application and account contains Social Security numbers, bank account and routing numbers, income and employment information, government ID, and full credit reports. That is precisely the customer financial information the Safeguards Rule is written to protect.
Account takeover, synthetic-identity fraud, and business email compromise target this data directly. The controls the rule requires are MFA, verification procedures, and encryption. They are the same controls that defend against the most common attacks on finance companies.
A written program is the baseline, not the ceiling.
The rule requires a written information security program, a Qualified Individual, a documented risk assessment, and an incident response plan. These exist whether or not you have ever had an incident.
We produce these documents to reflect what is actually running in your environment, so the program survives an FTC inquiry or a funding-source security questionnaire rather than reading as boilerplate.
Merchant, point-of-sale, and BNPL data flows widen your perimeter.
Sales finance and buy-now-pay-later programs pull applicant data through retail and merchant partners, checkout integrations, and lead sources before a loan is ever booked. Non-bank auto finance adds dealer and DMS handoffs. Each connection is a place Social Security numbers, bank details, and credit data can be exposed.
The rule requires you to oversee every service provider and partner that receives, transmits, or stores your customer information. We map those data flows, document the security expectations, and fold merchant and partner oversight into your written program so the requirement is met and evidenced.
The breach-notification duty applies to every finance company, regardless of size.
A 2023 amendment added a federal notification requirement that took effect in May 2024. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. If you discover one, you must report it to the FTC through the FTC reporting portal. Report as soon as possible and no later than 30 days after discovery.
The under-5,000-consumer exemption relaxes certain other elements, but it does not waive this duty, and most finance companies hold information on far more than 5,000 consumers across active and paid-off accounts. The trigger is unencrypted information. That is one more concrete reason we encrypt customer data in transit and at rest by default. We build the incident response plan, define what counts as a notification event for your origination and servicing systems, and prepare the reporting workflow. A real event is then handled inside the window rather than improvised.