Skip to main content
New: free AI Readiness Assessment, see where your business stands
bdManagedIT

Compliance center

FTC Safeguards Rule Compliance

FTC Safeguards Rule

The FTC Safeguards Rule is the regulation under GLBA that sets out the specific security controls a financial institution must put in place to protect customer information, with major updates that took full effect in June 2023.

Who the FTC Safeguards Rule applies to

Non-bank financial institutions under FTC jurisdiction: auto dealers, mortgage lenders and brokers, tax preparers and accountants, payday and personal lenders, collection agencies, financial advisors, and similar businesses that handle customer financial information. The 2023 update widened both who is covered and what they must do.

The nine elements the rule requires

  • Designate a qualified individual to run the information security program
  • Conduct and document a written risk assessment
  • Implement access controls and keep an inventory of customer data
  • Encrypt customer information at rest and in transit
  • Require multi-factor authentication for access to customer data
  • Securely dispose of customer information and manage change
  • Continuously monitor or regularly test with vulnerability scans and penetration testing
  • Train staff and oversee vendors and service providers
  • Maintain a written incident response plan and report to the board annually

Source: FTC Safeguards Rule: What Your Business Needs to Know

How bdManagedIT helps

We map your environment to FTC Safeguards Rule, remediate the gaps, and document everything so you walk into an audit ready. Start with the free Cyber Insurance and Compliance Readiness Checker or book a first appointment.

FTC Safeguards Rule, FAQs

What is the FTC Safeguards Rule?
The FTC Safeguards Rule is the regulation under the Gramm-Leach-Bliley Act that requires non-bank financial institutions to protect customer information with a specific set of security controls. The rule was significantly updated, with the new requirements taking full effect in June 2023.
Who must comply with the FTC Safeguards Rule?
Non-bank financial institutions regulated by the FTC, including auto dealers, mortgage brokers, tax preparers, accountants, lenders, collection agencies, and financial advisors. If your business is a financial institution under GLBA, the Safeguards Rule sets your security requirements.
What are the nine elements of the Safeguards Rule?
They are: a qualified individual, a written risk assessment, access controls and data inventory, encryption, multi-factor authentication, secure disposal and change management, ongoing monitoring and testing, staff training and vendor oversight, and a written incident response plan with annual board reporting.
When did the updated Safeguards Rule take effect?
The Federal Trade Commission updated the rule and the core new requirements, including multi-factor authentication, encryption, and a qualified individual, took full effect on June 9, 2023. Businesses are expected to be compliant now.
What are the penalties for non-compliance?
The FTC can bring enforcement actions against businesses that fail to meet the rule, which can mean civil penalties and ongoing oversight. A breach without the required safeguards in place also brings legal exposure and lost customer trust.
How does bdManagedIT help meet the Safeguards Rule?
We implement and document each of the nine required elements as part of managed IT, from multi-factor authentication and encryption to risk assessment, testing, training, vendor oversight, and a written incident response plan, so your security program holds up to FTC scrutiny.