FTC Safeguards for Payday Lenders

Yes. Payday lenders are a named example of a "financial institution" in 16 CFR §314.2(h), the definition the FTC Safeguards Rule (16 CFR Part 314) uses to implement the Gramm-Leach-Bliley Act for non-bank financial institutions under FTC jurisdiction. That list also includes mortgage lenders, finance companies, and check cashers. Payday and consumer lenders collect and handle exactly the nonpublic personal information the rule protects, including Social Security numbers, bank account and routing numbers, income and employment information, and government ID. Because the rule names your business as a covered financial institution, the Safeguards Rule applies directly to your lending activities. We assess your specific activities during onboarding and document how the rule applies to you.

A written information security program overseen by a designated Qualified Individual; a risk assessment; access controls with multi-factor authentication for anyone accessing your information systems (unless a documented equivalent is approved); encryption of customer information in transit and at rest; secure development practices if you build your own software; continuous monitoring of your systems, or, in its absence, annual penetration testing and vulnerability assessments at least every six months; security awareness training; a written incident response plan; notification to the FTC within 30 days of a notification event (the unauthorized acquisition of unencrypted customer information involving at least 500 consumers); and an annual written report to your board or governing body. Organizations maintaining information on fewer than 5,000 consumers are exempt from four of these elements: the written risk assessment, the penetration testing and twice-yearly vulnerability assessments, the written incident response plan, and the annual board report. They must still maintain a written program with the remaining safeguards, including access controls and MFA, encryption, audit logging of access to customer information, secure disposal, and training, and the FTC breach-notification duty applies regardless of size.

The FTC can seek civil penalties of up to $53,088 per violation, per day, and state attorneys general can bring parallel actions under state consumer protection laws. Beyond fines, a data breach involving borrower bank accounts or income information can disrupt operations, damage relationships with funding partners and payment processors, and trigger contractual and reputational consequences. The compliance program exists to prevent the breach, not just to satisfy the regulator.

We deliver the program end to end: a gap analysis against the Safeguards Rule, a written risk assessment, the WISP and supporting policies, implementation of the technical controls (MFA, encryption, access controls, logging, endpoint and email security), the penetration testing and vulnerability assessment cadence, security awareness training, the incident response plan, and the annual board report. We then manage the program on an ongoing basis so it stays current as your environment and the rule evolve. We serve commercial clients across Texas, Tennessee, and the United States.

No. A compliant loan-management or servicing platform is helpful, but the Safeguards Rule applies to your organization as a whole, not just one application. You are still responsible for your own written program, your access controls and MFA, your risk assessment, your incident response plan, your training, and your oversight of every service provider that touches customer information, including that platform vendor. We build the program around your full environment and document vendor oversight as part of it.