Skip to main content
New: free AI Readiness Assessment, see where your business stands
bdManagedIT
All articles

Compliance

GLBA vs FTC Safeguards Rule: What's the Difference?

GLBA is the law that requires financial institutions to protect customer data. The FTC Safeguards Rule is the regulation that spells out the controls. Here is how they differ and what your business must do.

By Wil Gibson July 7, 2026 5 min read
GLBA vs FTC Safeguards Rule: What's the Difference?

GLBA and the FTC Safeguards Rule both require financial institutions to protect customer information, but they are not the same law. GLBA is the statute. The Safeguards Rule is the FTC regulation that spells out what a written information security program must include.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their privacy practices to customers and to protect nonpublic personal information (NPI). The Safeguards Rule under GLBA is what turns that duty into specific security requirements: a qualified individual, a written risk assessment, access controls, encryption, monitoring, vendor oversight, and an incident response plan.

Read the FTC GLBA overview at ftc.gov.

What is the FTC Safeguards Rule?

The FTC Safeguards Rule applies to non-bank financial institutions: accountants, tax preparers, auto dealers that arrange financing, mortgage brokers, and similar businesses. The 2021 updates made the rule far more specific: multi-factor authentication, encryption, penetration testing or vulnerability assessment, security awareness training, and a written incident response plan are now explicit requirements.

Read the FTC Safeguards Rule at ftc.gov.

Key takeaway: GLBA is the law; the Safeguards Rule is the checklist.

If you are a CPA firm, lender, or dealer, you likely answer to both the privacy notices GLBA requires and the security controls the Safeguards Rule mandates. bdManagedIT maps your IT to both through our GLBA and FTC compliance centers and maintains the program through Compliance as a Service.

Explore our GLBA compliance center.

Explore our FTC Safeguards compliance center.

Learn about Compliance as a Service.

Frequently asked questions

Does GLBA apply to my CPA firm?
If your firm handles nonpublic personal financial information about customers, GLBA and the FTC Safeguards Rule likely apply, even if you are not a bank.
Is the FTC Safeguards Rule part of GLBA?
Yes. The Safeguards Rule is issued under GLBA and defines the specific security requirements for non-bank financial institutions.
What controls do both require?
A written information security program, risk assessment, access controls, encryption where appropriate, vendor oversight, monitoring, training, and incident response.
How does bdManagedIT help?
We map your IT to GLBA and FTC Safeguards requirements, implement the technical controls, document the evidence, and maintain the program through Compliance as a Service.
Where do we start?
Read our GLBA and FTC Safeguards compliance centers, run the free Compliance Readiness Checker, or book a first appointment.

Want a straight answer for your business?

Book a first appointment with a bdManagedIT strategist. No sales script, no obligation.

Book your first appointment