The FTC Safeguards Rule, promulgated under the Gramm-Leach-Bliley Act, applies to "financial institutions" under FTC jurisdiction, a category much broader than the colloquial meaning. It captures mortgage brokers, auto dealers, tax preparers, payday lenders, check cashers, collection agencies, fintech servicers, and many SaaS firms that handle covered consumer financial data. The 2021 amendments substantially modernized the Rule's technical and program requirements, and the 2023 amendment added 30-day breach notification to the FTC. The 2024 effective date and the 2025 enforcement posture turned what had been a frequently ignored regime into a real compliance program. The 2025 finalization of the breach notification structure and the multi-million-dollar settlements in late 2025 and 2026 confirm that the FTC is now actively enforcing the Rule.
## Who falls under the Safeguards Rule?
A "financial institution" under the FTC's Safeguards Rule is any non-bank business significantly engaged in financial activities, as drawn from the Bank Holding Company Act's activity list. Examples include consumer lenders, mortgage originators and servicers, debt collectors, payday lenders, check cashers, investment advisors not registered with the SEC, automobile dealerships that arrange financing, tax preparers, real estate appraisers and settlement services, accountants providing financial advisory services, finders and brokers, and certain fintech firms. The Rule also reaches, indirectly, the third-party service providers a financial institution uses: the institution is required to oversee them. A SaaS that powers a finance feature for a regulated lender is not directly regulated by the Rule but is unavoidably affected by it.
## What does the amended Rule actually require?
The amended Rule imposes nine technical and administrative requirements:

1. Designate a qualified individual responsible for overseeing the information security program.
2. Base the program on a written risk assessment that is periodically reassessed.
3. Implement specific safeguards: access controls and authentication, an asset inventory, encryption of customer information at rest and in transit, secure development practices for in-house applications, MFA for any person accessing customer information, secure disposal, change management, monitoring of authorized users and of unauthorized access, and periodic review of logs.
4. Regularly test or monitor the effectiveness of the safeguards.
5. Provide security awareness training and use qualified security personnel.
6. Oversee service providers through due diligence and contractual safeguards.
7. Evaluate and adjust the program in response to test results.
8. Establish a written incident response plan.
9. Have the qualified individual report to the board or equivalent governing body in writing at least annually.
## What did the 2024 and 2025 amendments add?
The November 2023 amendment added a breach notification requirement: financial institutions must notify the FTC of "notification events" — defined as unauthorized acquisition of unencrypted customer information of at least 500 consumers — no later than 30 days after discovery. The Rule's notification structure became operational on May 13, 2024. Through 2025, the FTC clarified the form of the notification (an electronic submission to the FTC), confirmed that notifications become part of the public record, and brought several enforcement actions against companies that had failed both technical safeguards and notification obligations.
## What recent enforcement actions illustrate the FTC's posture?
Three enforcement themes stand out. First, the FTC has continued to pursue mortgage and consumer-lending companies for failing to implement the basic program elements: written risk assessment, MFA, access controls, and vendor oversight. Settlement orders have included multi-year monitoring, security program injunctions, and civil penalties. Second, the FTC has pursued non-bank financial firms for security failures that intersected with privacy or unfair-practices claims, layering Safeguards Rule allegations onto Section 5 cases. Third, individual officer liability remains on the table: the GLBA allows civil penalties against officers and directors who willfully violate it, and the FTC has signaled willingness to use that authority. Settlement amounts in 2025 ranged from low seven figures to a December 2025 $24 million settlement with a large residential property-management firm.
## What is the realistic compliance gap for mid-market firms?
The most common gaps the FTC documents in enforcement actions are foundational: no written information security program, no risk assessment, MFA absent for remote access, no vendor due diligence, no logging or log review, no incident response plan. Mid-market firms often have one or two of those elements in fragmented form (a SOC 2 report from a prior year, a partial vendor questionnaire process, an EDR product without a documented review cadence) and treat them as the program. The Safeguards Rule expects them to be integrated and to be supported by evidence the qualified individual can present to the board. The path from fragments to an integrated program typically takes six to twelve months and is constrained more by governance and documentation work than by technology spend.
## Safeguards Rule program elements with required evidence

| # | Program element | Required evidence |
|---|---|---|
| 1 | Qualified Individual designated | Written charter, reporting line |
| 2 | Risk assessment | Dated document, refresh cadence |
| 3 | Access controls and MFA | IAM coverage report |
| 4 | Asset inventory | CMDB / inventory tooling output |
| 5 | Encryption at rest and in transit | Coverage attestation by data type |
| 6 | Secure development | SDLC standards, scan evidence |
| 7 | Authentication | MFA enrollment metrics |
| 8 | Disposal | Retention schedule, destruction logs |
| 9 | Change management | Ticketed change records |
| 10 | Monitoring and logging | SIEM coverage and review records |
| 11 | Testing | Pentest and vulnerability scan output |
| 12 | Training | Completion records, content versions |
| 13 | Service provider oversight | Vendor due diligence files |
| 14 | Program evaluation | Annual review records |
| 15 | Incident response plan | Plan document, tabletop after-actions |
| 16 | Annual written board report | Filed report, board minutes |
## What about state regimes that overlap?
Many state regulators have parallel financial-services cybersecurity rules. NYDFS Part 500 is the most prominent and shares most of the FTC Safeguards Rule's structural elements: MFA, asset inventory, incident response, vendor oversight, and annual reporting to the board. The 2024 New York SHIELD Act amendments extended breach notification to financial entities, and the Massachusetts financial privacy regulations add specific requirements on top of the federal floor. A non-bank lender operating in NY, MA, and CA can find itself having to satisfy the FTC Safeguards Rule, NYDFS Part 500, Massachusetts 201 CMR 17.00, and California's CCPA reasonable-security expectation all at once. Designing the program against the strictest applicable requirement and then mapping evidence into each regulator's reporting structure is the only operationally sane path.
## How Safeguard Helps
Safeguard provides the asset inventory, vulnerability posture, and SBOM evidence that the Safeguards Rule expects to be continuous rather than annual, with reporting structures that map directly to the qualified individual's annual board memo. Griffin AI compiles MFA coverage, encryption coverage, and remediation SLA performance across the regulated environment, producing the kind of metrics that satisfy program-evaluation requirements without bespoke spreadsheet aggregation. TPRM workflows operationalize the service-provider oversight obligation, with due-diligence questionnaires, contractual safeguards verification, and annual refresh on a managed schedule. Policy gates can also enforce the underlying control posture at deployment time — blocking releases that introduce non-encrypted customer data flows or non-MFA admin paths — so the program is operational, not just documented.