The FTC Safeguards Rule is the federal regulation that tells financial institutions exactly how to protect customer information. The rule was significantly updated in 2023, and many companies that thought they were compliant discovered they had work to do.
This article breaks down the nine required elements, what evidence you need for each, and the gaps we see most often in practice.
Who the Safeguards Rule applies to
The FTC Safeguards Rule applies to "financial institutions" under FTC jurisdiction. But the definition of "financial institution" is broader than you might think.
You're covered if you're significantly engaged in:
- Mortgage lending or brokering
- Check cashing
- Tax preparation and filing
- Consumer debt collection
- Financial or investment advising
- Real estate settlement services
- Payday lending
- Wire transfers
- Collection of consumer credit information
- Automobile dealerships that handle financing
Key point: Many companies that don't think of themselves as "financial institutions" are covered. Auto dealers, tax preparers, mortgage brokers, and fintech companies handling financial data all fall under this rule.
If you handle customer financial information as part of your business activities, assume the Safeguards Rule applies until you've confirmed otherwise.
The 9 required elements
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions to develop, implement, and maintain a comprehensive information security program. That program must include nine specific elements—and the FTC has been clear that checking boxes isn't enough. They want to see that these elements actually work together to protect customer information.
What follows is a breakdown of each requirement, what the rule actually says, and what evidence you'll need to prove compliance. Think of this as both a compliance checklist and a gap analysis guide.
1. Designate a Qualified Individual
You must designate a single qualified individual to oversee and implement your information security program. This person is accountable for the program's success.
What the rule requires:
- A single designated individual with overall responsibility
- They can be an employee or an external service provider
- If outsourced, a senior employee must still direct and oversee them
- The Qualified Individual must have appropriate authority and resources
Evidence auditors want to see:
- Written designation letter or board resolution
- Job description outlining information security responsibilities
- Organizational chart showing reporting structure
- Documentation of relevant qualifications or experience
- If outsourced: the contract specifying responsibilities
2. Conduct a written risk assessment
You must conduct periodic risk assessments to identify reasonably foreseeable internal and external risks to customer information.
What the rule requires:
- Criteria for evaluating identified risks
- Assessment of confidentiality, integrity, and availability of information systems
- Assessment must be in writing
- Must be updated periodically (at least annually) or when changes occur
Evidence auditors want to see:
- Written risk assessment methodology document
- Completed risk assessment with identified threats and vulnerabilities
- Risk ratings or scoring criteria
- Date stamps showing when assessments were performed
- Documentation of changes triggering reassessment
3. Design and implement safeguards
This is the meat of the program—the actual security controls. Based on your risk assessment, you need to implement safeguards that address the risks you identified. The updated rule is specific about what these safeguards must include, and it's a longer list than many organizations expect.
What the rule requires:
- Access controls that limit who can see customer information based on job function
- An inventory of all the data, people, devices, systems, and facilities involved in handling customer information
- Encryption of customer information both in transit (when data moves across networks) and at rest (when it's stored)
- Secure development practices for any software you build in-house
- MFA for anyone accessing customer information—no exceptions
- Secure disposal of customer data within two years unless you have a legal reason to keep it
- Change management procedures so that modifications to systems are tracked and controlled
- Logging and monitoring of all user activity
Evidence auditors want to see:
- Access control policies and user access reviews
- Data and asset inventory documentation
- Encryption configuration screenshots or certificates
- Secure development lifecycle documentation
- MFA configuration evidence for all access points
- Data retention and disposal procedures
- Change management logs
- System logs and monitoring dashboards
4. Regularly test and monitor safeguards
Safeguards aren't set-and-forget. You must regularly test and monitor them to ensure they're working. The rule gives you two paths here, and the one you choose depends on your resources and risk profile.
Option one is continuous monitoring—real-time security monitoring that can detect threats as they happen. This typically means SIEM tools, intrusion detection, and security operations capabilities. Option two is a testing-based approach: annual penetration testing combined with vulnerability assessments at least every six months. Most smaller organizations choose the second option because it's more achievable without a dedicated security operations center. Either way, the testing has to be done by qualified people—whether that's your internal team or an outside firm.
Evidence auditors want to see:
- Penetration test reports (if doing annual testing)
- Vulnerability scan results (if doing semi-annual assessments)
- Continuous monitoring tool dashboards (if using that approach)
- Remediation tracking for identified vulnerabilities
- Documentation of who performed the testing and their qualifications
5. Train staff
Everyone who touches customer information needs security awareness training.
What the rule requires:
- Security awareness training for all personnel
- Training for personnel with specialized security responsibilities
- Training must be updated to reflect risks identified in assessments
- Training must cover social engineering threats (phishing, pretexting)
Evidence auditors want to see:
- Training materials and curriculum
- Training completion records with dates and attendee names
- Testing or assessment results (if applicable)
- Documentation of specialized training for IT/security staff
- Evidence training was updated after risk assessment changes
6. Oversee service providers
Your vendors who access customer information become part of your security perimeter. If your CRM provider gets breached and leaks your customer data, you're on the hook—not just them. The rule recognizes this reality and requires ongoing vendor oversight.
This isn't just about checking a box during onboarding. You need to do due diligence before selecting vendors, include security requirements in your contracts, and periodically reassess whether vendors still meet your standards. That last part trips up a lot of organizations—they do the initial assessment and then never look again until something goes wrong.
Evidence auditors want to see:
- Vendor inventory listing all service providers with access to customer data
- Security questionnaires or assessment results for each vendor
- Contracts with security clauses and data protection requirements
- Evidence of periodic vendor reviews (at least annually)
- Remediation tracking for vendor-identified issues
7. Keep your program current
Your information security program must evolve as your business and threats change.
What the rule requires:
- Evaluate and adjust the program based on testing results
- Adjust for material changes to operations or business arrangements
- Adjust for known or emerging threats
- Update when new risk assessments reveal new risks
Evidence auditors want to see:
- Program review documentation with dates
- Change logs showing program updates
- Meeting minutes or memos documenting program adjustments
- Mapping of threat intelligence to program changes
- Version control on policy documents
8. Create a written incident response plan
You must have a documented plan for responding to security events affecting customer information.
What the rule requires:
- Goals of the incident response plan
- Internal processes for responding to incidents
- Clear roles, responsibilities, and decision-making authority
- Communication and information sharing protocols
- Remediation requirements
- Documentation and reporting procedures
- Post-incident review process
Evidence auditors want to see:
- Written incident response plan document
- Contact lists and escalation procedures
- Evidence of plan testing (tabletop exercises, simulations)
- Incident response team member roles and training records
- Templates for incident documentation and reporting
9. Report to the board
The Qualified Individual must report to your board of directors (or equivalent governing body) at least annually.
What the rule requires:
- Written report to the board at least annually
- Report must cover overall status of the information security program
- Report must address compliance with the Safeguards Rule
- Report must discuss material matters related to the program
Evidence auditors want to see:
- Written board report document
- Board meeting minutes showing report was presented
- Date stamps proving at least annual reporting
- Content addressing program status, compliance, and material matters
- Documentation of board questions or directives
Compliance checklist summary
| Element | Requirement | Key Evidence |
|---|---|---|
| 1. Qualified Individual | Designate single accountable person | Designation letter, job description |
| 2. Risk Assessment | Written assessment of threats | Documented methodology, completed assessment |
| 3. Safeguards | Controls based on risk assessment | Access controls, encryption, MFA, monitoring |
| 4. Testing & Monitoring | Annual pen test + semi-annual vuln scans OR continuous monitoring | Test reports, remediation tracking |
| 5. Staff Training | Security awareness for all personnel | Completion records, training materials |
| 6. Service Provider Oversight | Due diligence and contracts | Vendor inventory, contracts, assessments |
| 7. Program Maintenance | Evaluate and adjust continuously | Review documentation, change logs |
| 8. Incident Response Plan | Documented response procedures | Written plan, tabletop exercise records |
| 9. Board Reporting | Annual written report | Board reports, meeting minutes |
Common gaps we see
After reviewing dozens of GLBA compliance programs, these are the gaps that come up most often:
No written risk assessment methodology. Companies do informal assessments but don't document how they evaluate risks. The rule requires written criteria.
Incomplete service provider oversight. Companies have contracts but no ongoing monitoring. The rule requires periodic reassessment, not just initial due diligence.
MFA gaps. MFA is enabled for some access points but not all. The rule requires MFA for anyone accessing customer information on any system.
Encryption gaps. Data is encrypted in transit (HTTPS) but not at rest. The rule requires both, unless you've documented that encryption is infeasible and implemented compensating controls.
Incident response plan exists but hasn't been tested. Having a document isn't enough. You need evidence the plan works—tabletop exercises, simulations, or actual incident response documentation.
Board reporting is informal. The Qualified Individual gives verbal updates but no written report. The rule requires written reporting to the board.
Training doesn't cover current threats. Training materials are outdated and don't address risks identified in the most recent assessment.
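The MFA, encryption, disposal and testing-cadence gaps above are the kind of thing you can catch mechanically if your asset inventory (element 3) records the relevant attributes. The following script is an added example, not code from the article or from any GLBA tooling: it runs a gap check over a constructed inventory and a constructed testing record, flags systems missing MFA, encryption in transit or at rest, or logging, honours the encryption-infeasibility exception only when compensating controls are documented and the determination was reviewed within the last year, flags retention beyond two years with no documented legal reason, and checks the annual pen test / semi-annual vulnerability scan cadence unless continuous monitoring is in use. The field names, the sample systems, the fixed assessment date and the annual access-review cadence are all assumptions made for the example.

```python
"""Safeguards gap check over a constructed asset inventory (added example)."""
from datetime import date, timedelta
from typing import Any, Dict, List, Optional

YEAR = timedelta(days=365)
HALF_YEAR = timedelta(days=183)       # "at least every six months", approximated in days
TWO_YEARS = timedelta(days=730)       # disposal window from the rule

# Fixed assessment date so the results are deterministic (constructed).
TODAY = date(2024, 10, 1)

# Constructed inventory: one record per system that stores or accesses customer information.
INVENTORY: List[Dict[str, Any]] = [
    {"system": "loan-crm", "mfa": True, "encrypt_transit": True, "encrypt_rest": True,
     "logging": True, "retention_days": 730, "last_access_review": "2024-09-01"},
    {"system": "legacy-fax-server", "mfa": False, "encrypt_transit": True, "encrypt_rest": False,
     "encryption_infeasible": True, "compensating_controls": True,
     "infeasibility_reviewed": "2023-05-01",       # more than a year old: exception lapsed
     "logging": False, "retention_days": 1460, "last_access_review": None},
    {"system": "mainframe-ledger", "mfa": True, "encrypt_transit": True, "encrypt_rest": False,
     "encryption_infeasible": True, "compensating_controls": True,
     "infeasibility_reviewed": "2024-03-01",       # current: exception honoured
     "logging": True, "retention_days": 365, "last_access_review": "2024-04-01"},
]

# Constructed testing record for the element 4 check.
TESTING: Dict[str, Any] = {"continuous_monitoring": False,
                           "last_pen_test": "2024-01-15",
                           "last_vuln_scan": "2024-02-01"}   # older than six months


def _stale(when: Optional[str], max_age: timedelta, today: date) -> bool:
    """True when the recorded ISO date is missing or older than max_age."""
    if when is None:
        return True
    return today - date.fromisoformat(when) > max_age


def assess_system(asset: Dict[str, Any], today: date) -> List[str]:
    """Return one finding per element 3 safeguard the system fails."""
    name = asset["system"]
    findings: List[str] = []
    if not asset.get("mfa"):
        findings.append(f"{name}: MFA not enforced for access to customer information")
    if not asset.get("encrypt_transit"):
        findings.append(f"{name}: customer information not encrypted in transit")
    if not asset.get("encrypt_rest"):
        # Exception only holds with a documented infeasibility determination,
        # compensating controls, and a review of that determination within the year.
        exception_ok = (asset.get("encryption_infeasible")
                        and asset.get("compensating_controls")
                        and not _stale(asset.get("infeasibility_reviewed"), YEAR, today))
        if not exception_ok:
            findings.append(f"{name}: not encrypted at rest and no current documented "
                            "infeasibility exception with compensating controls")
    if not asset.get("logging"):
        findings.append(f"{name}: user activity is not logged and monitored")
    if asset.get("retention_days", 0) > TWO_YEARS.days and not asset.get("retention_justification"):
        findings.append(f"{name}: retention exceeds two years with no documented legal reason")
    # Annual access review is an assumed cadence for this example, not a figure from the rule.
    if _stale(asset.get("last_access_review"), YEAR, today):
        findings.append(f"{name}: no user access review within the last year (assumed cadence)")
    return findings


def assess_testing(testing: Dict[str, Any], today: date) -> List[str]:
    """Element 4: continuous monitoring, or annual pen test plus semi-annual vuln scans."""
    if testing.get("continuous_monitoring"):
        return []
    findings: List[str] = []
    if _stale(testing.get("last_pen_test"), YEAR, today):
        findings.append("program: no penetration test within the last year")
    if _stale(testing.get("last_vuln_scan"), HALF_YEAR, today):
        findings.append("program: no vulnerability assessment within the last six months")
    return findings


def assess_program(inventory: List[Dict[str, Any]], testing: Dict[str, Any],
                   today: date) -> List[str]:
    """Run every check and return the combined list of findings."""
    findings: List[str] = []
    for asset in inventory:
        findings.extend(assess_system(asset, today))
    findings.extend(assess_testing(testing, today))
    return findings


if __name__ == "__main__":
    for finding in assess_program(INVENTORY, TESTING, TODAY):
        print("GAP:", finding)
```

Each finding maps back to an item an auditor will ask evidence for, so the output doubles as a remediation list; the point of the infeasibility branch is that "we can't encrypt that" is only a defence while the determination is documented, compensated and re-reviewed annually.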
Frequently asked questions
What's the deadline for compliance?
The updated Safeguards Rule requirements took effect on June 9, 2023. If you're a covered financial institution, you should already be compliant. If you're still working toward compliance, document your remediation timeline and make progress demonstrable to regulators.
What are the penalties for non-compliance?
The FTC can impose civil penalties of up to $50,120 per violation (adjusted for inflation). In practice, enforcement actions have resulted in consent orders requiring comprehensive security programs, third-party assessments, and ongoing reporting to the FTC. The reputational damage often exceeds the financial penalties.
Do I need to encrypt everything?
The rule requires encryption of customer information both in transit and at rest. However, there's an exception: you don't need to encrypt if you've determined encryption is infeasible AND you've implemented effective alternative compensating controls AND you've reviewed that determination annually. In practice, encryption is rarely infeasible for modern systems. If you're claiming infeasibility, be prepared to defend it.
Who can be the Qualified Individual?
The Qualified Individual can be an employee or an outsourced service provider. If you outsource, a senior member of your organization must still direct and oversee that person. The rule doesn't specify required certifications, but the person should have knowledge and experience commensurate with your organization's size and complexity. Common backgrounds include IT directors, CISOs, or compliance officers with security expertise.
What if I have fewer than 5,000 customer records?
Financial institutions with fewer than 5,000 customer records get some relief. They're exempt from:
- The written risk assessment requirement (but should still assess risks)
- Annual penetration testing and semi-annual vulnerability assessments
- Written incident response plan requirement
- Annual board reporting requirement
However, they still need all other elements of the program. "Fewer than 5,000 records" is a low threshold—most covered companies exceed it.
Getting compliant
The Safeguards Rule isn't just about having policies in a binder. It requires operational controls, ongoing testing, and evidence that your program actually works.
If you're starting from scratch or have significant gaps, expect the initial implementation to take 2-4 months depending on your organization's size and complexity. The good news: once you have the framework in place, maintaining compliance is mostly about keeping documentation current and doing your periodic reviews.
We help financial services companies build GLBA-compliant programs. Our GLBA/FTC Snapshot includes the coverage analysis, WISP, risk assessment framework, and service provider oversight documentation you need. Fixed price, 10 business days.
For more on compliance documentation, see our guide on writing security policies that work and vendor risk management basics.
The bottom line: The FTC Safeguards Rule has nine specific elements. Each element requires documentation and evidence. The most common gaps are around written risk assessments, service provider oversight, MFA coverage, and incident response testing. If you handle customer financial information, assume the rule applies and build your program around these nine requirements.