Compliance
Understanding the FTC Safeguards Rule
The FTC Safeguards Rule (16 CFR Part 314) requires non-bank financial institutions such as auto dealers, mortgage brokers, tax preparers, and title companies to build a written information security program. This guide explains who the rule covers, the controls it requires, and a practical path to alignment.
If your business extends credit, arranges financing, prepares taxes, closes real estate transactions, or collects debts, you may be a "financial institution" under federal law even if you never think of yourself that way. The Federal Trade Commission enforces a data security regulation, the Safeguards Rule, that applies to a wide range of non-bank businesses that handle customer financial information.
The rule is part of the Gramm-Leach-Bliley Act framework and is codified at 16 CFR Part 314. It was amended in recent years to add specific, technical security requirements that go well beyond a general instruction to "keep data safe." For a covered business, the requirements are now concrete enough that you can build a checklist against them.
This article explains who the rule covers, what it requires, and what a practical path to alignment looks like. It is written for owners and managers of covered businesses, not for compliance specialists. Cyber One Solutions helps businesses implement and maintain the security controls behind the rule; the compliance determination itself belongs to the business and its legal counsel.
Who The Rule Covers
The Safeguards Rule applies to non-bank financial institutions under the FTC's jurisdiction. Common examples include automobile dealers, mortgage brokers and lenders, tax preparers and accounting firms, collection agencies, payday lenders, title companies, and finance companies. If your business handles nonpublic customer financial information as part of offering a financial product or service, you should assume the rule is in scope until your counsel confirms otherwise.
A few distinctions matter. Banks and credit unions are supervised by their own federal banking regulators rather than the FTC, so this rule is about the businesses the FTC covers. Insurance companies and agencies are generally supervised for Gramm-Leach-Bliley purposes by state insurance regulators rather than the FTC. If you operate in insurance, your obligations usually run through your state regulator, not through FTC enforcement.
Tax and accounting firms are a frequently overlooked category. If that describes you, see our guidance for tax and accounting firms for a closer look at how the rule maps to that work.
What The Rule Requires
The amended rule centers on a Written Information Security Program (WISP): a documented, maintained program that describes how your business protects customer information. The following elements make up that program.
1. Designate a qualified individual. Name one person responsible for overseeing and implementing your information security program. This can be an employee, an affiliate, or a qualified service provider, but accountability must sit with a named individual.
2. Conduct a written risk assessment. Identify reasonably foreseeable internal and external risks to customer information, and document them in writing. The risk assessment is the foundation the rest of the program is built on, so it needs to be specific to your systems and updated as things change.
3. Develop and maintain the WISP. Produce a written information security program that addresses the safeguards below. The WISP is a living document, not a one-time filing, and it should reflect how your business actually operates.
4. Implement access controls. Limit access to customer information to the people who need it for their work, and review those permissions periodically. This includes both technical access and physical access to records and systems.
5. Inventory data and systems. Know where customer information lives. Maintain an inventory of the data you hold and the systems, devices, and applications that store, process, or transmit it, because you cannot protect what you have not accounted for.
6. Encrypt customer information. Encrypt customer information both at rest and in transit. If encryption is not feasible for a given system, the qualified individual may approve an equivalent compensating control, but that decision should be documented.
7. Implement multi-factor authentication. Require multi-factor authentication for anyone accessing customer information. Passwords alone are no longer sufficient, and MFA is one of the most direct, high-impact controls in the rule.
8. Adopt secure development and change management. Apply secure development practices to applications you build or maintain, and manage changes to your systems in a controlled way so that updates do not quietly introduce risk.
9. Dispose of customer information securely. Establish procedures to securely dispose of customer information when it is no longer needed for business or legal reasons, and apply the same care to hardware that stored it.
10. Monitor, log, and test safeguards. Monitor and log activity on systems that hold customer information, and test the effectiveness of your safeguards. Testing is satisfied through continuous monitoring, or through annual penetration testing combined with periodic vulnerability assessments.
11. Provide security awareness training. Train your staff to recognize and respond to security risks such as phishing and social engineering, and keep that training current as threats evolve.
12. Oversee your service providers. Select service providers capable of protecting customer information, require them by contract to maintain appropriate safeguards, and periodically assess whether they are meeting that obligation.
13. Establish a written incident response plan. Maintain a documented plan for responding to a security event affecting customer information, covering roles, internal and external communication, remediation, and review after the fact.
14. Report to a governing body. The qualified individual must report periodically, in writing, to your board of directors or an equivalent senior governing body on the state of the program and any material matters.
A Practical Path To Alignment
The list above can look heavy, but most covered businesses already have some of these controls in place in a partial or informal way. The work is usually about formalizing, documenting, and closing gaps rather than starting from zero.
A workable sequence looks like this. Start with the inventory and the written risk assessment, because they tell you where customer information lives and where the real exposure is. Use those findings to draft the WISP and name your qualified individual. From there, close the highest-impact technical gaps first: MFA on every path to customer information, encryption at rest and in transit, and access controls that follow the principle of least privilege. Then layer in logging and monitoring, a testing cadence, security awareness training, vendor oversight, and a written incident response plan you have actually walked through.
Cyber One Solutions helps businesses implement and maintain these controls: deploying and managing MFA and encryption, building access controls and logging, running vulnerability assessments and monitoring, and helping stand up the operational side of the WISP. Our compliance support works alongside your leadership and legal counsel so that the security program aligns with what the rule requires. The compliance judgment stays with you and your counsel; our role is to build and run the controls behind it.
If you want to see where you stand before committing to a full engagement, our free FTC Safeguards readiness self-assessment walks through the major requirements and shows you which elements are covered and which need attention.
Article FAQs
Which Businesses Does The FTC Safeguards Rule Actually Cover?
It covers non-bank financial institutions under the FTC's jurisdiction, including automobile dealers, mortgage brokers and lenders, tax preparers and accounting firms, collection agencies, payday lenders, title companies, and finance companies. Banks and credit unions are supervised by their own federal banking regulators instead. Insurance companies and agencies are generally overseen for Gramm-Leach-Bliley purposes by state insurance regulators rather than the FTC. If you handle nonpublic customer financial information as part of a financial product or service, assume you are in scope until your counsel confirms otherwise.
What Is A WISP And Why Does It Matter?
A Written Information Security Program (WISP) is the documented, maintained program at the center of the rule. It describes, in writing, how your business protects customer information across the required safeguards, from access controls and encryption to incident response and vendor oversight. It is a living document that should reflect how your business actually operates, and it is one of the first things an examiner or auditor will ask to see.
Does The Rule Really Require Multi-Factor Authentication And Encryption?
Yes. The amended rule requires multi-factor authentication for anyone accessing customer information and encryption of customer information both at rest and in transit. Where encryption is not feasible for a particular system, the qualified individual may approve an equivalent compensating control, and that decision should be documented. These are two of the most direct, high-impact controls in the rule.
Does Working With Cyber One Solutions Make My Business Compliant?
No, and any provider that promises that is overstating what an IT firm can do. Cyber One Solutions helps implement and maintain the security controls behind the rule and helps align your security program with its requirements, but the compliance determination itself rests with your business and its legal counsel. The alignment work supports that judgment; it does not replace it.
How Should A Covered Business Get Started?
Begin with a data and systems inventory and a written risk assessment, since those define where customer information lives and where your real exposure is. Use the findings to draft the WISP, name a qualified individual, and close the highest-impact technical gaps first, such as MFA, encryption, and access controls. A readiness review is a low-commitment way to see which elements are already covered and which need attention.
If you would like a second set of hands on the technical controls, talk with us or start with our free readiness self-assessment.
