What is the FTC Safeguards Rule?
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions under FTC jurisdiction to develop, implement, and maintain a comprehensive information security program to protect customer information. Originally issued in 2003, the rule was substantially amended in 2021, with most provisions taking effect in June 2023. The amendments introduced specific technical requirements that replaced the previous principles-based approach.
The Safeguards Rule applies to non-banking financial institutions, including: mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashers, wire transferors, travel agencies, real estate settlement services, tax preparers, and other entities that engage in financial activities under FTC jurisdiction.
Key Requirements
The amended Safeguards Rule imposes specific obligations across several areas of information security.
| Requirement Area | Description | Key Provisions |
|---|---|---|
| Qualified Individual | Designate a person to oversee the security program | Internal or external, reports to board, sufficient authority and resources |
| Written Information Security Program | Document a comprehensive WISP | Risk-based, covers all customer information, regularly updated |
| Risk Assessment | Identify and assess risks to customer information | Written assessment, criteria for evaluation, periodic updates |
| Access Controls | Restrict access to customer information | Least privilege, periodic access reviews, authentication controls |
| Encryption | Encrypt customer information in transit and at rest | Industry-standard encryption, key management, qualified individual approval for alternatives |
| Multi-Factor Authentication | Require MFA for accessing customer information | All users accessing customer information systems, remote access |
| Secure Development | Implement secure software development practices | Security testing, code reviews, secure coding standards |
| Change Management | Control changes to information systems | Change approval, testing, rollback procedures |
| Incident Response Plan | Maintain a written incident response plan | Response procedures, roles and responsibilities, communication protocols |
| Penetration Testing / Vulnerability Assessment | Regularly test security controls | Annual penetration testing with semi-annual vulnerability assessments, or continuous monitoring |
| Board Reporting | Report to the board on security program status | Annual written report from qualified individual, material matters reporting |
| Vendor Management | Oversee service providers handling customer information | Due diligence, contractual requirements, periodic assessment |
Readiness Assessment Checklist
Before engaging in a full compliance program, evaluate where your organization stands against these six readiness questions:
- Have you designated a qualified individual to oversee your information security program, with documented authority and reporting to the board?
- Have you conducted a written risk assessment that identifies reasonably foreseeable risks to customer information?
- Are access controls, multi-factor authentication, and encryption implemented for all systems handling customer information?
- Do you have a written incident response plan with defined roles, procedures, and communication protocols?
- Have you implemented a vendor management program with due diligence, contractual requirements, and periodic assessments for service providers?
- Does your qualified individual provide annual written reports to the board on the overall status of the security program?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our control domain breakdown to understand what the FTC expects across all security control areas, with evidence examples for each.