Regulation

FTC Safeguards Rule: The 30-Day Notification Window in Effect

Since May 13, 2024, non-banking financial institutions must notify the FTC within 30 days of discovering a notification event affecting 500 or more consumers.

Michael
Security Engineer
7 min read

The FTC's amended Safeguards Rule notification requirement (16 CFR 314.5) took effect on May 13, 2024, giving non-banking financial institutions an affirmative federal breach-reporting obligation for the first time since the Gramm-Leach-Bliley Act was enacted in 1999. Covered firms must report to the Commission as soon as possible, and no later than 30 days after discovering a "notification event" involving the information of at least 500 consumers. The rule defines a notification event as "acquisition of unencrypted customer information without the authorization of the individual to which the information pertains." Thirty days is shorter than the 60 days HIPAA allows but far longer than the 36-hour clock the federal banking regulators impose on banks or the four business days public companies get under the SEC's Form 8-K Item 1.05; the encryption-as-safe-harbor framing is a strong policy signal; and the universe of covered entities is far broader than most companies realize.

Who is actually a "non-banking financial institution"?

The Safeguards Rule defines "financial institution" by reference to the Bank Holding Company Act activities list (12 CFR 225.28) and FTC interpretations. The category is much broader than banks. Mortgage brokers, mortgage lenders, payday lenders, debt collectors, auto dealerships offering financing, real estate appraisers, tax preparation services, retail installment sellers, money transmitters, check cashers, motor vehicle title lenders, and personal property leasing companies are all subject to the rule. A 2021 expansion of the definition explicitly added "finders" who bring buyers and sellers of financial services together. The FTC's estimate at the time of the 2023 amendment publication was approximately 175,000 covered entities, a number that includes large multinationals and three-employee mortgage brokers.

What triggers a notification event?

The rule defines notification event at 16 CFR 314.2 as acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Three elements matter. First, "acquisition." The final rule (88 FR 77499, November 13, 2023) writes a presumption into the definition itself: unauthorized access to unencrypted customer information is presumed to be unauthorized acquisition unless the institution has reliable evidence showing that there has not been, or could not reasonably have been, acquisition. The burden is on the firm to produce that evidence, which in practice means access logs, query logs and egress records showing what the intruder could and could not reach. Second, "unencrypted." The rule defines encryption as transforming data into a form with a low probability of assigning meaning without a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for the key material, and it adds that customer information counts as unencrypted if the encryption key was accessed by an unauthorized person. An attacker who takes both the ciphertext and the key has acquired unencrypted data for purposes of the rule. Third, "customer information," defined at 16 CFR 314.2 as any record containing nonpublic personal information about a customer of the financial institution, in paper, electronic or other form.

What does the notification itself require?

The notification must be submitted electronically through the form on the FTC's website (ftc.gov/safeguards). The required content is itemized at 16 CFR 314.5(a): (1) the name and contact information of the reporting institution, (2) a description of the types of information involved, (3) the date or date range of the notification event, if it can be determined, (4) the number of consumers affected or potentially affected, (5) a general description of the notification event, and (6) whether a law enforcement official has provided a written determination that notifying the public would impede a criminal investigation or cause damage to national security, together with a means for the Commission to contact that official. The law enforcement determination does not stretch the 30-day clock for reporting to the Commission; it supports a delay in public disclosure of the event, initially up to 30 days following the date of the notice, extendable by up to 60 more days if the official requests the extension in writing. Keep the request and the official's contact details on file, because item (6) asks for them.

FTC Safeguards Rule notification timeline (16 CFR 314.5)
+------------------------+----------------------------------------------+
| Day 0                  | Discovery of notification event              |
| Within 30 days         | Notification to FTC via online form          |
| Notice + up to 30 days | Law enforcement delay of public disclosure   |
| Up to 60 days more     | Extension on written law enforcement request |
| Ongoing                | Update notification with new info            |
+------------------------+----------------------------------------------+

Notification content required (314.5(a)):
- Institution name and contact
- Types of information involved
- Date or date range of event, if determinable
- Number of consumers affected or potentially affected
- General description of event
- Law enforcement written determination, if any, and official's contact

How does this interact with state breach notification laws?

All 50 states and DC have data breach notification laws, with timelines ranging from "without unreasonable delay" (most states) to specific calendar windows (Florida and Colorado: 30 days; Texas: 60 days; California: in the most expeditious time possible and without unreasonable delay). The FTC notification is in addition to, not in lieu of, state notifications, and unlike the FTC rule, which requires notice only to the Commission, most state laws require notice to the affected individuals. For multi-state financial institutions, the practical effect is that a single event triggers parallel reporting tracks: the FTC, applicable state attorneys general, applicable state regulators (state department of banking, insurance commissioner), and, if the firm is a public registrant and the incident is material, the SEC under Form 8-K Item 1.05 within four business days of the materiality determination. The CIRCIA NPRM (April 2024) would add a CISA report on top of these, with its own 72-hour clock for covered cyber incidents and a 24-hour clock for ransom payments.

What has the first year of filings revealed?

The FTC has not published aggregated statistics on Safeguards Rule notifications. Anecdotally, and through state filings that often cross-reference the federal notice, the largest reported events in 2024-2025 have involved mortgage and auto-finance breaches. The Mr. Cooper mortgage breach, disclosed in late 2023 and affecting roughly 14.7 million consumers, was reported under state notification laws and predates the federal requirement's May 13, 2024 effective date. Several auto-dealership groups have filed notifications in connection with the June 2024 CDK Global ransomware event, which took down the dealer-management platform used by roughly 15,000 dealerships. The encryption-as-safe-harbor element of the rule has reportedly driven investment in encryption at rest across mortgage and lending platforms in late 2024 and 2025.

What is the encryption safe harbor in practice?

A notification event requires unencrypted customer information. If the information was encrypted, and the key was not accessed by the unauthorized party, the event is not a notification event under the rule. The Statement of Basis and Purpose sets two conditions for the carve-out. First, the encryption must meet the rule's definition, which requires consistency with current cryptographic standards (the Statement points to NIST guidance, specifically SP 800-175B) and appropriate safeguards for key material. Second, the cryptographic keys must not have been acquired along with the data. The engineering implications are concrete: AES-256 encryption with keys held in a dedicated key management service that the breached system does not host; envelope encryption, so that a database dump carries only wrapped data keys; KMS audit logs that can show the key-encryption key was never exported or used by the intruder; and field-level encryption on customer identifiers in particular, so that a compromised host with a live database connection still cannot read those fields without a KMS call that gets logged. Two caveats: the carve-out removes the federal reporting duty, not the 314.4 obligation to respond to and remediate the incident, and state breach laws have their own encryption exemptions with their own wording, so each must be checked separately. The 2024-2025 wave of investment in tokenization platforms among non-banking financial institutions is largely a response to this carve-out.
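The key-separation property described above, as an added Go example (not code from the original post, nor from the Safeguard product): a per-record data key encrypts the sensitive field with AES-256-GCM, and only a separate key service can unwrap that data key. The `kms` type with its audit log, the `record` layout and the sample customer row are hypothetical stand-ins constructed for illustration, not a real cloud KMS client. `recoverWithKEK` shows both sides of the carve-out: a dump without the key-encryption key opens nothing, while a dump plus that key yields plaintext, which is exactly the case the rule treats as unencrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// kms is a hypothetical stand-in for a dedicated key management service: it
// alone holds the key-encryption key (KEK) and exposes only wrap/unwrap calls,
// each of which it logs. The application process never sees the KEK.
type kms struct {
	kek      []byte
	auditLog []string
}

func newKMS() (*kms, error) {
	kek := make([]byte, keyLen)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &kms{kek: kek}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a flipped bit or a mismatched aad all fail.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func (k *kms) wrap(dek []byte) ([]byte, error) {
	k.auditLog = append(k.auditLog, "GenerateDataKey")
	return seal(k.kek, dek, []byte("dek-wrap"))
}

func (k *kms) unwrap(wrapped []byte) ([]byte, error) {
	k.auditLog = append(k.auditLog, "Decrypt")
	return open(k.kek, wrapped, []byte("dek-wrap"))
}

// record is a row as it sits in the customer data store: the SSN exists only
// as ciphertext next to its own wrapped data-encryption key (DEK). A dump of
// these rows is what an attacker with database access acquires.
type record struct {
	customerID string
	wrappedDEK []byte
	ssnCipher  []byte
}

func encryptRecord(k *kms, customerID, ssn string) (record, error) {
	dek := make([]byte, keyLen)
	if _, err := rand.Read(dek); err != nil {
		return record{}, err
	}
	wrapped, err := k.wrap(dek)
	if err != nil {
		return record{}, err
	}
	// customerID is authenticated data: a ciphertext copied to another row will not open.
	ct, err := seal(dek, []byte(ssn), []byte(customerID))
	if err != nil {
		return record{}, err
	}
	return record{customerID: customerID, wrappedDEK: wrapped, ssnCipher: ct}, nil
}

// decryptRecord is the application's path: every read costs a logged KMS call.
func decryptRecord(k *kms, r record) (string, error) {
	dek, err := k.unwrap(r.wrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.ssnCipher, []byte(r.customerID))
	return string(pt), err
}

// recoverWithKEK is the attacker's path. With the dump alone (no usable KEK)
// nothing opens, so the acquired data stays encrypted in the rule's sense;
// with the KEK as well, the same data is unencrypted for purposes of the rule.
func recoverWithKEK(kek []byte, r record) (string, error) {
	if len(kek) != keyLen {
		return "", errors.New("no usable KEK in the acquired material")
	}
	dek, err := open(kek, r.wrappedDEK, []byte("dek-wrap"))
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.ssnCipher, []byte(r.customerID))
	return string(pt), err
}

func main() {
	k, err := newKMS()
	if err != nil {
		panic(err)
	}
	r, _ := encryptRecord(k, "cust-1001", "123-45-6789") // constructed sample row
	got, _ := decryptRecord(k, r)
	_, dumpErr := recoverWithKEK(nil, r)
	leaked, _ := recoverWithKEK(k.kek, r)
	fmt.Println("app read:", got, "| dump only:", dumpErr, "| dump+KEK:", leaked)
	fmt.Println("KMS audit log:", k.auditLog)
}
```

Run with `go run .`. The printed audit log shows one GenerateDataKey for the write and one Decrypt for the application read; a real KMS log would have to show no such calls from the intruder's session for the safe-harbor argument to hold. Per-record data keys also bound the blast radius: a single leaked DEK exposes one row, not the table.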

What about enforcement?

The FTC has enforced the Safeguards Rule since the original 2003 version took effect, mostly through consent orders: a first-time violation of the rule carries no civil penalty, so monetary consequences generally attach only to violating an existing order. The 2023 amendments added the notification requirement but did not change the FTC's enforcement authority, which proceeds under Section 5 of the FTC Act. The Commission has signaled in public statements that systemic failures, particularly a missing written information security program, no designated Qualified Individual responsible for the program, or no annual report to the board of directors or equivalent governing body, will drive enforcement priority more than individual incident facts. The most likely 2026 enforcement targets are firms that experienced a notification event and that, on investigation, also lacked the program-level controls in 16 CFR 314.4.

How Safeguard Helps

Safeguard's incident workflow stamps each detection with the metadata the Safeguards Rule notification requires: affected customer record count, data categories touched, encryption state of the affected data stores, and a draft narrative produced by Griffin AI from the underlying telemetry. The platform monitors encryption posture continuously across data stores and surfaces deviations that would invalidate the encryption safe harbor — a misconfigured RDS instance without storage encryption, a backup written without server-side encryption, a customer-record export to a location without field-level controls. For Qualified Individuals managing the Section 314.4 program-level requirements, Safeguard produces the annual board report, the risk assessment artifact, and the written information security program documentation that an FTC examination will request.
