FTC Safeguards for Mortgage Brokers

Yes. Mortgage brokers and lenders are a named example of a "financial institution" in 16 CFR §314.2(h), the definition the FTC Safeguards Rule (16 CFR Part 314) uses to implement the Gramm-Leach-Bliley Act for non-bank financial institutions under FTC jurisdiction. That list also includes finance companies, automobile dealerships that arrange financing, and check cashers. Mortgage brokers collect and handle exactly the nonpublic personal information the rule protects, including Social Security numbers, income and employment records, bank statements, tax returns, credit reports, and property and loan details. Because the rule names your business as a covered financial institution, the Safeguards Rule applies directly to your origination activities. We assess your specific activities during onboarding and document how the rule applies to you.

A written information security program overseen by a designated Qualified Individual; a risk assessment; access controls with multi-factor authentication for anyone accessing your information systems (unless a documented equivalent is approved); encryption of customer information in transit and at rest; secure development practices if you build your own software; continuous monitoring of your systems, or, in its absence, annual penetration testing and vulnerability assessments at least every six months; security awareness training; a written incident response plan; notification to the FTC within 30 days of a notification event (the unauthorized acquisition of unencrypted customer information involving at least 500 consumers); and an annual written report to your board or governing body. Organizations maintaining information on fewer than 5,000 consumers are exempt from four of these elements: the written risk assessment, the penetration testing and twice-yearly vulnerability assessments, the written incident response plan, and the annual board report. They must still maintain a written program with the remaining safeguards, including access controls and MFA, encryption, audit logging of access to customer information, secure disposal, and training, and the FTC breach-notification duty applies regardless of size.

The FTC can seek civil penalties of up to $53,088 per violation, per day, and state attorneys general can bring parallel actions under state consumer protection laws. Beyond fines, a data breach involving borrower tax returns, bank statements, or Social Security numbers can disrupt closings, damage relationships with wholesale lenders and warehouse partners, and trigger contractual and reputational consequences. The compliance program exists to prevent the breach, not just to satisfy the regulator.

We deliver the program end to end: a gap analysis against the Safeguards Rule, a written risk assessment, the WISP and supporting policies, implementation of the technical controls (MFA, encryption, access controls, logging, endpoint and email security), the penetration testing and vulnerability assessment cadence, security awareness training, the incident response plan, and the annual board report. We then manage the program on an ongoing basis so it stays current as your environment and the rule evolve. We serve commercial clients across Texas, Tennessee, and the United States.

No. A compliant loan origination system (LOS) is helpful, but the Safeguards Rule applies to your organization as a whole, not just one application. You are still responsible for your own written program, your access controls and MFA, your risk assessment, your incident response plan, your training, and your oversight of every service provider that touches customer information, including that platform vendor. We build the program around your full environment and document vendor oversight as part of it.