Skip to main content
Compliance & Risk

FTC Safeguards Rule Compliance

The written information security program, risk assessment, and specific safeguards the FTC Safeguards Rule requires of non-banking financial institutions.

The FTC Safeguards Rule (16 CFR Part 314) requires non-banking financial institutions to build, document, and maintain an information security program that protects customer information.

The amended Rule has been fully in effect since June 2023 and applies far more broadly than most businesses realize. Auto dealers, mortgage brokers, tax preparers, accountants, and finance companies are all covered, even if they have never thought of themselves as a financial institution. If you collect and hold customer financial information, the Rule likely reaches you.

The Rule mandates a Qualified Individual to run your program, a written risk assessment, and specific technical safeguards including MFA, encryption, and monitoring. SOClogix can serve as your outsourced Qualified Individual, author the program, and deploy the controls the Rule requires so you can demonstrate compliance with confidence.

What's included

Written Information Security Program (WISP)

We author or co-develop the WISP the Rule requires - the central document describing the administrative, technical, and physical safeguards protecting customer information.

Written Risk Assessment

A documented assessment that identifies foreseeable internal and external risks to customer information and evaluates the sufficiency of the safeguards in place to control them.

Qualified Individual

The Rule requires a single Qualified Individual to oversee your program. Our vCISO can serve this role and report to your board or senior leadership.

Access Controls & MFA

Least-privilege access to customer information and multi-factor authentication on every system that holds it, exactly as the Rule specifies.

Encryption & Continuous Monitoring

Encryption of customer information at rest and in transit, plus continuous monitoring or periodic penetration testing and vulnerability assessments.

Annual Reporting & Oversight

The Qualified Individual's annual written report to your governing body, service provider oversight, and the recurring testing the Rule mandates.

Who needs to comply

Financial Institutions

Non-banking financial institutions: auto dealers, mortgage lenders and brokers, tax preparers, accountants, payday lenders, finance companies, and investment advisers not registered with the SEC.

Service Providers

Vendors and service providers that receive, store, or process customer information on behalf of a covered financial institution and must be overseen under the Rule.

Frequently asked questions

What is the FTC Safeguards Rule?

The FTC Safeguards Rule (16 CFR Part 314) requires non-banking financial institutions to develop, implement, and maintain a written information security program that protects the security and confidentiality of customer information. It sits under the Gramm-Leach-Bliley Act and was significantly amended to add specific, prescriptive requirements.

Who has to comply with the Safeguards Rule?

Non-banking financial institutions as the FTC defines them - which is broader than most businesses expect. Auto dealers, mortgage lenders and brokers, tax preparers, accountants, payday lenders, finance companies, and investment advisers that are not SEC-registered are all covered, along with service providers that handle customer information on their behalf.

What are the main requirements?

The amended Rule requires a written information security program, a designated Qualified Individual, a written risk assessment, access controls and MFA, encryption of customer information, monitoring and testing, staff training, oversight of service providers, and a written incident response plan.

When did the Safeguards Rule take effect?

The Gramm-Leach-Bliley safeguards obligation is long-standing, but the amended Rule with its specific technical requirements has been fully enforceable since June 9, 2023. There is no remaining grace period for the prescriptive controls.

What is a Qualified Individual and can we outsource it?

The Qualified Individual is the single person responsible for overseeing and implementing your information security program and reporting to your governing body. Yes - you can outsource the role, and a vCISO can serve as your Qualified Individual while your business retains accountability for the program.

Can a managed SOC help us comply?

Yes. A managed SOC delivers the continuous monitoring, logging, and incident response plan the Rule requires, and provides the documented evidence that your safeguards are operating and being tested over time.

Are you covered by the Rule?

Many businesses are covered without realizing it. We assess your obligations and give you a prioritized path to compliance - no commitment required.

Request a Safeguards Assessment Call (443) 409-5426

Free Risk Assessment

25 questions across 5 security domains. Get a personalized PDF report emailed to you instantly.

Meet the Safeguards Rule with confidence

The amended Rule is fully enforceable today. A Safeguards assessment gives you a clear program, a Qualified Individual, and the technical controls the FTC expects to see.

Talk to Our Compliance Team

Get FTC Safeguards Rule Compliance Pricing

We scope every engagement to your environment and team size. Get a written quote within one business day - no obligation, no lengthy sales process.

(443) 409-5426

Quote delivered within 1 business day. Annual and monthly terms available.