Skip to content

Compliance

12 Key Requirements of the FTC's Updated Safeguards Rule

The FTC's updated Safeguards Rule sets 12 specific security requirements for financial institutions under the Gramm-Leach-Bliley Act. Here is what each one asks for and who has to comply.

← All articles
Filed under Compliance

Protecting personal and financial information matters more than ever. Cyberattacks and data breaches are common, and weak safeguards feed identity theft and financial loss.

The scale is real. IBM's Cost of a Data Breach report put the average US breach at $9.4 million in 2022.

In response, the Federal Trade Commission (FTC) revised its Safeguards Rule. The rule is a core part of the Gramm-Leach-Bliley Act (GLBA), which sets security and privacy requirements for consumer financial information.

The rule was first set to take effect on December 9, 2022. The FTC then extended the deadline by six months, citing public comments about staffing shortages and supply chain issues. Financial institutions had to comply by June 9, 2023.

The updated rule is prescriptive. The earlier version let each institution decide what safeguards fit its size, its activities, and the sensitivity of the information it held. The new version names specific elements that every information security program must include.

The 12 requirements at a glance

To comply, a financial institution must do all of the following:

  1. Name a qualified person to oversee and run the information security program.
  2. Base the program on a written risk assessment. The assessment identifies foreseeable internal and external risks and judges whether current safeguards control them.
  3. Put access controls in place. Limit access to customer information to what each job actually needs.
  4. Encrypt customer information in transit and at rest.
  5. Use secure development practices for in-house and third-party applications.
  6. Require multi-factor authentication.
  7. Dispose of customer information securely, and review retention policies so data is not kept longer than needed.
  8. Adopt change management procedures.
  9. Monitor and log activity. Detect unauthorized access through continuous monitoring, annual penetration testing, and vulnerability assessments twice a year.
  10. Provide security awareness training.
  11. Oversee service providers.
  12. Keep a written incident response plan.

The rule also raises accountability at the top. Institutions must report periodically to their board of directors on the state of the security program. Those reports cover material issues such as security incidents and violations, along with recommended changes.

There is a limited small-business exemption. It applies only to institutions that hold nonpublic personal information on fewer than 5,000 customers. Even then, the exemption is partial. Those institutions still need a written risk assessment, an incident response plan, and annual reporting to the board.

Once the rule is in effect, the FTC can act against institutions that violate it. Covered entities include finders, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisers that do not register with the Securities and Exchange Commission.

The takeaway is simple. The updated Safeguards Rule pushes financial institutions to protect customer information and prevent breaches. Meet the requirements early, and you avoid steep penalties for non-compliance.

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

15 Licensing Application Process Facts That Delay Approvals

Compliance

15 Licensing Application Process Facts That Delay Approvals

Most licensing delays come from small misses. A payment method that does not work, a stale certificate, the wrong signature, a missing ownership detail. These are the things that slow down filings, trigger deficiencies, and force teams to redo work they thought was finished. We pulled these from the webinar because they came up naturally [...]

California Delete Act: DROP Deadline and Data Broker Rules

Compliance

California Delete Act: DROP Deadline and Data Broker Rules

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

The Changing Compliance Landscape for Consumer Lenders

Compliance

The Changing Compliance Landscape for Consumer Lenders

Explore evolving compliance rules for consumer lenders, CFPB updates, and strategies to stay compliant in 2025 and beyond.

Beyond the Buzz: Navigating Regulations in Fintech Innovation

Compliance

Beyond the Buzz: Navigating Regulations in Fintech Innovation

Navigate the complex world of regulatory compliance for fintech. Learn strategies to build a strong program & gain a competitive edge. Regulatory compliance for fintech has become the make-or-break factor that separates thriving financial technology companies from those that struggle or fail entirely. Here's what every fintech leader needs to know: Key Elements of Fintech [...]

2021 Cybersecurity Risks & Trends for the ARM Industry

Licensing

2021 Cybersecurity Risks & Trends for the ARM Industry

The ARM industry runs on data and information management. Debt collection and debt buying firms, collection law firms, and repossession partners all control or process large volumes of sensitive personal information. The industry is ready to use the benefits of digital innovation, but ransomware, hybrid work, and an evolving risk landscape make attention and planning worthwhile now.

3 Factors to Consider When it Comes to CFPB Compliance

Licensing

3 Factors to Consider When it Comes to CFPB Compliance

The Consumer Financial Protection Bureau, or CFPB, was launched with a goal of protecting consumers in financial transactions with banks and lending institutions. However, its reach has extended much further. Not all businesses are aware of the necessary requirements in order to comply with CFPB regulations now. And non-compliance can cost businesses enormous penalties, fees, [...]

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.