Cyber One Solutions logo.
Get Support

FTC Safeguards for Consumer Finance Companies

Compliance / FTC Safeguards

FTC Safeguards Rule Compliance for Consumer Finance Companies.

Consumer finance companies handle exactly the kind of nonpublic personal information the FTC Safeguards Rule was written to protect. Installment loans, personal loans, sales finance, buy-now-pay-later, and non-bank auto finance all collect Social Security numbers, income and employment data, bank and routing numbers, and full credit reports. The rule names finance companies and installment lenders as examples of covered non-bank financial institutions under 16 CFR §314.2(h). So the Safeguards Rule applies directly to your origination and servicing operation.

Cyber One Solutions builds and manages the full compliance program. That covers the written information security program, the technical controls, the testing, and the documentation an examiner, funding source, or merchant partner expects to see. We do the work, write the evidence, and keep the program current.

What You Get
A written information security program (WISP) that satisfies 16 CFR Part 314.
A designated Qualified Individual overseeing the program.
MFA for anyone accessing your information systems, with encryption applied to customer financial information.
Penetration testing, vulnerability assessments, or continuous monitoring on the required schedule.
An incident response plan and the annual report your governing body needs.
An evidence trail ready for an FTC inquiry or a funding-source security review.
What the Rule Requires

The Safeguards Rule, Mapped to Your Finance Operation.

The 2021 amendments to 16 CFR Part 314 made the rule far more prescriptive than its original version. A 2023 amendment then added the breach-notification requirement that took effect in May 2024. These are the core elements every covered consumer finance company must put in place. Each one is paired with the work we deliver against it.

Written Information Security Program (WISP)

A documented, comprehensive program that addresses each element the Safeguards Rule requires. It is tailored to how your finance operation actually handles nonpublic personal information across origination, underwriting, and servicing.

Designated Qualified Individual

The rule requires a single accountable person to oversee the security program. We can serve as, or support, your Qualified Individual and produce the documentation that role is responsible for.

Written Risk Assessment

A documented assessment of the foreseeable internal and external risks to the customer information in your origination, underwriting, portfolio-servicing, and merchant-partner data flows. It pairs each risk with the safeguard that addresses it.

Access Controls, MFA & Encryption

Role-based access to customer financial data. Multi-factor authentication for anyone accessing your information systems, unless a documented equivalent is approved. Encryption of that information in transit and at rest.

Testing & Continuous Monitoring

Annual penetration testing and vulnerability assessments at least every six months, or continuous monitoring in their place. This element also includes audit logging of access to customer information.

Incident Response & Board Reporting

A written incident response plan and notification to the FTC within 30 days of a notification event. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. We also produce the annual written report to your board or governing body on the state of the program.

Why It Applies to Consumer Finance Companies

Consumer and installment finance is exactly what the rule protects.

The FTC Safeguards Rule protects nonpublic personal information held by non-bank financial institutions. A consumer finance company's daily work sits squarely inside that definition. It originates and underwrites credit, services a portfolio, pulls credit reports, and moves funds through ACH and payment processors. The rule names finance companies and installment lenders as covered financial institutions.

Consumer and installment lenders hold high-value financial data.

Every application and account contains Social Security numbers, bank account and routing numbers, income and employment information, government ID, and full credit reports. That is precisely the customer financial information the Safeguards Rule is written to protect.

Account takeover, synthetic-identity fraud, and business email compromise target this data directly. The controls the rule requires are MFA, verification procedures, and encryption. They are the same controls that defend against the most common attacks on finance companies.

A written program is the baseline, not the ceiling.

The rule requires a written information security program, a Qualified Individual, a documented risk assessment, and an incident response plan. These exist whether or not you have ever had an incident.

We produce these documents to reflect what is actually running in your environment, so the program survives an FTC inquiry or a funding-source security questionnaire rather than reading as boilerplate.

Merchant, point-of-sale, and BNPL data flows widen your perimeter.

Sales finance and buy-now-pay-later programs pull applicant data through retail and merchant partners, checkout integrations, and lead sources before a loan is ever booked. Non-bank auto finance adds dealer and DMS handoffs. Each connection is a place Social Security numbers, bank details, and credit data can be exposed.

The rule requires you to oversee every service provider and partner that receives, transmits, or stores your customer information. We map those data flows, document the security expectations, and fold merchant and partner oversight into your written program so the requirement is met and evidenced.

The breach-notification duty applies to every finance company, regardless of size.

A 2023 amendment added a federal notification requirement that took effect in May 2024. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. If you discover one, you must report it to the FTC through the FTC reporting portal. Report as soon as possible and no later than 30 days after discovery.

The under-5,000-consumer exemption relaxes certain other elements, but it does not waive this duty, and most finance companies hold information on far more than 5,000 consumers across active and paid-off accounts. The trigger is unencrypted information. That is one more concrete reason we encrypt customer data in transit and at rest by default. We build the incident response plan, define what counts as a notification event for your origination and servicing systems, and prepare the reporting workflow. A real event is then handled inside the window rather than improvised.

Frequently asked questions.

Does the under-5,000-consumer exemption apply to us?

It might apply to specific elements, but it rarely does for an active finance company. The count includes every consumer whose information you maintain, which for installment, sales finance, or auto portfolios usually runs well past 5,000 across current and paid-off accounts. If you did qualify, you would be exempt from four requirements: the written risk assessment, penetration testing and the twice-yearly vulnerability assessment, the written incident response plan, and the annual board report. You would still maintain a written information security program and the other safeguards, including access controls and MFA, encryption, audit logging of access to customer information, secure disposal, and training. The FTC 30-day breach-notification duty still applies. We confirm your consumer count during onboarding and scope the program to what actually applies to you.

How long does it take to get a consumer finance company compliant?

It depends on your current posture, but a program built from scratch typically takes 60 to 120 days to establish. Work starts with the gap analysis and risk assessment, then moves through control implementation and documentation. We scope every engagement to what your environment actually needs rather than to a fixed package.

Do our merchant partners, dealers, and lead sources fall under our security program?

If they receive, transmit, or store the nonpublic personal information of your applicants and borrowers, they are service providers under the Safeguards Rule and belong inside your vendor-oversight program. Sales finance, BNPL, and non-bank auto finance are built on partner data flows. Applicant data often moves through a retailer, a checkout integration, a dealer system, or a lead aggregator before a loan is booked, and each handoff is a place data can leak. The rule requires you to select and retain providers and partners capable of maintaining appropriate safeguards, and to require them by contract to do so. We inventory these relationships, document the security expectations in writing, and fold them into your program. The data trail is then controlled and evidenced rather than assumed.

Common Questions

FTC Safeguards for Consumer Finance Companies, Answered.

Common questions from consumer finance companies, installment and personal-loan lenders, sales finance and BNPL providers, and non-bank auto finance companies working out whether the Safeguards Rule applies to them and what compliance actually involves.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question