The FTC Safeguards Rule (16 CFR Part 314) is the data security regulation most non-bank businesses don't realize applies to them. Issued under the Gramm-Leach-Bliley Act in 2002 and in force since 2003, the rule was substantially amended in 2021; the compliance deadline for the new technical provisions, extended once to June 9, 2023, has now passed, and a separate 2023 amendment adding FTC breach notification took effect in May 2024. The scope is broader than most businesses recognize, and the FTC has been increasingly active in enforcement. Here's what businesses should know.
Who the Rule Actually Covers
The Safeguards Rule applies to "financial institutions" under FTC jurisdiction: businesses significantly engaged in activities that are financial in nature and that are not already regulated by another agency (banks, federally insured credit unions and SEC-registered firms answer to their own regulators' equivalent rules). The definition is much broader than people assume. Covered entities include:
- Auto dealers (financing or arranging financing)
- Mortgage brokers and lenders
- Tax preparers
- CPAs and accounting firms doing certain activities
- Investment advisers that are not required to register with the SEC
- Real estate appraisers
- Wire transfer services
- Check cashers
- Payday lenders
- Mortgage servicers
- Collection agencies
- Financial planners
- Colleges and universities that participate in federal (Title IV) student aid programs
- Many fintech companies
If your business obtains non-public personal information (NPI) about consumers in connection with a financial product or service, you're likely covered. Size matters only at the margins: an institution that maintains customer information on fewer than 5,000 consumers is exempt from the written risk assessment, the continuous monitoring/penetration testing requirement, the written incident response plan, and the annual report to the board. Every other requirement, including the Qualified Individual, access controls, encryption, MFA, training and service provider oversight, applies regardless of size.
What the Amended Rule Requires
The 2021 amendments replaced the original rule's general "reasonable safeguards" standard with specific technical and operational requirements:
- Qualified Individual: a designated person responsible for overseeing and enforcing the information security program. The role can be filled by an employee, an affiliate or a service provider, but the institution retains responsibility and must keep a senior employee directing the outside party.
- Written risk assessment: a documented assessment of internal and external risks to customer information, with criteria for evaluating and categorizing risks, and periodic reassessment.
- Written information security program: built on the risk assessment, with the specific safeguards documented and periodically tested.
- Data and system inventory: identify where customer information is collected, stored and transmitted, and which systems and personnel touch it.
- Access controls: limit access to customer information to authorized users and to what each role actually needs.
- Encryption of all customer information in transit over external networks and at rest. Where encryption is infeasible, the rule allows effective alternative compensating controls, but only if the Qualified Individual reviews and approves them in writing; "commercially reasonable" is not the standard.
- Multi-factor authentication for any individual accessing any information system that holds customer information, unless the Qualified Individual has approved in writing a reasonably equivalent or more secure access control.
- Secure disposal: dispose of customer information no later than two years after its last use for a business purpose, unless retention is required or a legitimate business need exists.
- Change management procedures for changes to information systems.
- Activity logging and monitoring to detect unauthorized access to, or use of, customer information by authorized users.
- Testing: either continuous monitoring of the effectiveness of safeguards, or annual penetration testing plus vulnerability assessments at least every six months (and whenever material changes to operations or systems warrant).
- Personnel training on the information security program, with security staff kept current on threats.
- Service provider oversight: select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess them.
- Incident response plan: a written plan covering goals, internal processes, roles and decision authority, communications, remediation and post-incident review.
- Annual report: a written report at least once a year to the board of directors or equivalent governing body (or, if none, to a senior officer) on the program's status and compliance.
- Breach notification (added by the 2023 amendment, in force since May 13, 2024): a "notification event" involving unencrypted customer information of at least 500 consumers must be reported to the FTC within 30 days of discovery.
The Penalties
FTC enforcement under the Safeguards Rule, and under Section 5 of the FTC Act for data security failures generally, can produce substantial consequences:
- Civil penalties: the FTC generally cannot collect civil penalties for a first-time Safeguards Rule violation, but violations of an existing FTC order carry inflation-adjusted penalties (up to $50,120 per violation in 2023), and each violation, and each day a violation continues, can be counted separately
- Required compliance programs lasting 20 years under a consent order
- Mandatory independent third-party assessments on a recurring schedule for the life of the order
- Restrictions on business operations and data practices
- Public consent orders that affect reputation and partner relationships
Recent FTC data security cases show the remedies in play: CafePress (2022, a Section 5 action requiring a multi-year security program and independent assessments after a breach) and Drizly (2022, also Section 5, in which the CEO was personally bound to security obligations that follow him to future companies). Safeguards Rule-specific actions have reached the mortgage industry, for example Ascension Data & Analytics (2020), whose vendor exposed mortgage documents, and the FTC and the Department of Education have made clear that auto dealers and Title IV institutions are within the rule's scope.
How Auto Dealers Came Into Focus
Auto dealers that finance or arrange financing have been covered since the rule took effect in 2003, but the original rule's general "reasonable safeguards" language let many operate on assumptions that didn't match the actual requirements. The 2021 amendments made the obligations concrete, and the June 9, 2023 compliance deadline (extended from December 9, 2022) forced the issue. Dealer associations have since been actively educating members, but compliance still varies widely across the industry.
The Practical Compliance Path
For covered entities that haven't fully implemented Safeguards Rule requirements:
- Designate the Qualified Individual — and ensure they have actual authority, not just a title
- Complete the written risk assessment (with help from a qualified consultant if internal expertise is lacking) and schedule its periodic reassessment
- Build the written information security program based on the risk assessment
- Implement the technical controls (MFA, encryption, access controls, logging, secure disposal), and have the Qualified Individual document in writing any compensating control used in place of encryption or MFA
- Establish either continuous monitoring or the annual penetration test plus semi-annual vulnerability assessment cadence
- Document service provider oversight processes
- Train personnel and document training completion
- Build the annual reporting cadence to the board or governing body, and a breach notification procedure that can meet the 30-day FTC reporting window
Where MSPs Fit
For most SMBs covered by the Safeguards Rule, building internal compliance capability is impractical. MSPs and MSSPs that understand the rule can deliver the technical controls and operational requirements as a managed service, often at less cost than building in-house. Three qualifying questions to ask a provider: Do they have specific Safeguards Rule experience? Which controls do they cover, and which are left to the customer (the institution remains responsible for the program even when a provider acts as Qualified Individual)? Can they support the documentation, testing evidence and annual reporting requirements? If you're scoping Safeguards Rule compliance for your business, a free 30-minute conversation can frame what's required.
Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments. Contact us or call 850-614-9343.