Regulatory Compliance

FTC Safeguards Rule: The 9-Element Compliance Checklist for Non-Bank Financial Institutions

May 2, 2026 Rebecca Leung

Most compliance teams at banks have had the GLBA security program requirement on their radar for years. Examiners ask about it. Policies cover it. Annual reviews happen.

Your fintech has probably never had to hand its information security program to the FTC or to a bank partner’s due diligence team. That’s changing.

The FTC Safeguards Rule — 16 CFR Part 314, the GLBA information security requirement for non-bank financial institutions — applies to mortgage brokers, auto dealers, payday lenders, finance companies, tax preparers, and investment advisors not registered with the SEC. In 2021, the FTC substantially expanded and formalized the requirements with nine specific program elements. In 2023, it layered in a mandatory breach notification obligation that took effect May 13, 2024.

In 2026, “we’ll get to it” is no longer a viable posture. The FTC Act civil penalty is inflation-adjusted every January; it stood at $51,744 per violation in 2024, and each day a violation continues counts as a separate violation. In practice the FTC reaches that figure through an order: a first enforcement action typically ends in a consent order that mandates a compliant program and periodic independent assessments, and every day out of compliance with that order is a penalized violation. For a company running an information security program with three or four uncorrected gaps, that math adds up quickly.

TL;DR

  • FTC Safeguards Rule (16 CFR Part 314) applies to non-bank financial institutions: fintechs, mortgage companies, auto dealers, tax preparers, and investment advisors not registered with the SEC.
  • The 2021 amendment created nine mandatory program elements, including MFA, encryption in transit and at rest, continuous monitoring or annual penetration testing, and a written incident response plan. The compliance deadline was June 9, 2023.
  • The 2023 amendment added a 30-day breach notification requirement to the FTC (effective May 13, 2024) for incidents affecting 500+ consumers.
  • The FTC Act civil penalty (inflation-adjusted yearly; $51,744 per violation in 2024) counts each day a violation continues. Bank partner due diligence reviews also ask for Safeguards Rule documentation.
  • Most common gaps: no Qualified Individual formally designated, outdated or missing risk assessment, no MFA on all customer information systems, no vendor security contract terms.

Who Actually Needs to Comply

The Safeguards Rule applies to financial institutions subject to FTC jurisdiction under the Gramm-Leach-Bliley Act — specifically, institutions that aren’t supervised by a federal or state banking regulator. Section 314.2(h) identifies 13 types:

  • Mortgage lenders
  • Mortgage brokers
  • Payday lenders
  • Finance companies
  • Auto dealers that offer or arrange vehicle financing
  • Account servicers
  • Check cashers
  • Wire transferors and other money services businesses
  • Debt collectors / collection agencies
  • Credit counselors and other financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors not required to register with the SEC

The rule covers “customer information,” nonpublic personal information about individuals who obtain financial products or services for personal, family, or household purposes. This includes loan applications, account numbers, credit histories, payment records, and any other financial information you collect. The definition also reaches records you handle or maintain about another financial institution’s customers, not only your own. If your fintech handles customer financial data and isn’t a chartered bank or otherwise supervised by a banking regulator, assume you’re covered.


What the 2021 Amendment Actually Changed

The original 2003 Safeguards Rule was deliberately flexible — it required “reasonable” information security but left implementation details to each institution. That flexibility made compliance assessment difficult and enforcement rare. The 2021 amendment replaced vague “reasonableness” with nine specific program elements, each with defined content requirements.

Compliance with the 2021 amendments was required by June 9, 2023. If you haven’t built the program yet, you’re nearly three years out of compliance.


The Nine Program Elements of Section 314.4

Element 1: Written Risk Assessment

You must conduct and document a risk assessment that:

  • Identifies reasonably foreseeable internal and external risks to customer information
  • Assesses the likelihood and potential damage of each risk
  • Evaluates the sufficiency of existing safeguards

The key word is written. “We’ve reviewed our risks internally” isn’t enough. The assessment must be documented, and it must be updated when you experience a material change in your business — a new product line, a new technology platform, an incident, or changes in the threat environment.

Element 2: Designated Qualified Individual

Someone must own the information security program. The rule calls this person the “Qualified Individual.” There’s no required degree or certification — the standard is knowledge and experience appropriate to the size and complexity of your institution.

The Qualified Individual can be:

  • An employee (doesn’t need to be a C-level hire)
  • An employee of an affiliate
  • A service provider (MSSP, IT vendor)

If the Qualified Individual is an employee of an affiliate or a service provider, § 314.4(a) keeps three things with you: you retain responsibility for compliance, you must designate a senior member of your own personnel to direct and oversee the QI, and you must require the provider to maintain an information security program that protects you. Put those obligations, and your right to monitor the provider’s performance, into the written agreement. The QI must also report in writing to your board or a senior officer at least annually.

Element 3: Safeguards to Address Identified Risks

You must implement safeguards addressing each risk identified in your risk assessment. On top of that, § 314.4(c) specifies technical controls that are mandatory regardless of what your risk assessment concludes. The four that most often go missing:

Multi-Factor Authentication (MFA): Required for any individual accessing any information system, and “information system” is defined to include systems connected to one that holds customer information, not just the database itself. The only carve-out is a written approval by your Qualified Individual of access controls that are reasonably equivalent to or more secure than MFA. Password-only access with no such written approval is non-compliant, whether the system is a legacy admin console or a “low-risk” vendor portal.

Encryption: Customer information must be encrypted in transit over external networks and at rest. This applies to databases, file storage, backups, and any cloud services storing customer data. Where encryption is genuinely infeasible, the rule allows effective alternative compensating controls instead, but only if your Qualified Individual reviews and approves them; undocumented exceptions don’t count. Cloud providers’ defaults don’t do this for you: an RDS instance is unencrypted unless encryption was selected when it was created, EBS encryption by default is an opt-in setting per account and region, and backup snapshots inherit whatever the source volume had. This requires a deliberate configuration audit.
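To make that configuration audit concrete, here is an added example (it is not code from the article) that evaluates exported cloud inventory for both halves of the control, at rest and in transit over external networks. The inventory is constructed to mirror the JSON shapes the AWS CLI returns for `aws rds describe-db-instances`, `aws ec2 describe-volumes`, `aws ec2 describe-snapshots`, `aws s3api get-bucket-encryption` and `aws s3api get-bucket-policy`; the instance names, IDs and key ARN are made up, and a real run would load the command output in their place. It goes a little beyond the paragraph by also checking block volumes and snapshots, which is where backups tend to hide:

```python
"""Encryption configuration audit over exported cloud inventory (added example)."""
import json

# Constructed inventory shaped like AWS CLI output; names, IDs and the key ARN
# are fictional.  A real run would load each command's JSON output here.
INVENTORY = {
    "rds": {"DBInstances": [
        {"DBInstanceIdentifier": "loans-prod", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000-example"},
        {"DBInstanceIdentifier": "loans-reporting", "StorageEncrypted": False},
    ]},
    "volumes": {"Volumes": [
        {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True},
        {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False},
    ]},
    "snapshots": {"Snapshots": [
        {"SnapshotId": "snap-0f1e2d3c4b5a60001", "Encrypted": False},
    ]},
    "buckets": {
        "loan-docs-prod": {
            "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
            "policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::loan-docs-prod", "arn:aws:s3:::loan-docs-prod/*"],
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
        },
        "legacy-exports": {
            "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
            "policy": None,  # no bucket policy at all
        },
    },
}

# SSE-S3, SSE-KMS and dual-layer SSE-KMS all satisfy "encrypted at rest".
ENCRYPTED_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def sse_algorithms(bucket: dict) -> list:
    """Default server-side encryption algorithms configured on a bucket."""
    cfg = (bucket.get("encryption") or {}).get("ServerSideEncryptionConfiguration", {})
    return [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
            for r in cfg.get("Rules", [])]


def denies_plaintext(policy) -> bool:
    """True when the bucket policy has a Deny statement conditioned on
    aws:SecureTransport being false, i.e. requests without TLS are refused."""
    if not policy:
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for s in statements:
        cond = s.get("Condition", {}).get("Bool", {})
        if s.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_encryption(inv: dict) -> list:
    """Return one finding per resource that fails the at-rest or in-transit check."""
    findings = []

    def flag(resource, control, issue):
        findings.append({"resource": resource, "control": control, "issue": issue})

    for db in inv["rds"]["DBInstances"]:
        if not db.get("StorageEncrypted"):
            # RDS storage encryption is chosen at creation and cannot be switched
            # on later; the fix is an encrypted snapshot copy and a restore.
            flag("rds:" + db["DBInstanceIdentifier"], "at-rest", "StorageEncrypted is false")
    for v in inv["volumes"]["Volumes"]:
        if not v.get("Encrypted"):
            # EBS encryption by default is an opt-in account setting per region.
            flag("ebs:" + v["VolumeId"], "at-rest", "volume created without encryption")
    for s in inv["snapshots"]["Snapshots"]:
        if not s.get("Encrypted"):
            flag("snapshot:" + s["SnapshotId"], "at-rest", "backup snapshot is unencrypted")
    for name, bucket in inv["buckets"].items():
        if not ENCRYPTED_ALGORITHMS.intersection(sse_algorithms(bucket)):
            flag("s3:" + name, "at-rest", "no default server-side encryption rule")
        if not denies_plaintext(bucket.get("policy")):
            flag("s3:" + name, "in-transit", "policy does not deny aws:SecureTransport=false")
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_encryption(INVENTORY), indent=2))
```

Each finding is a candidate gap for the risk assessment; anything you decide not to fix needs the QI’s written infeasibility approval and the compensating control recorded next to it. The in-transit check here covers only S3; database endpoints need the equivalent parameter checked the same way (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL).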

Secure Application Development: You must adopt secure development practices for in-house applications that transmit, access, or store customer information, and procedures for evaluating, assessing, or testing the security of externally developed applications you use. The rule doesn’t prescribe a methodology; what reviewers look for is evidence that security testing happens before release and that findings are fixed within defined timelines.

Data Retention and Disposal: You must securely dispose of customer information no later than two years after the last date it was used in connection with providing the product or service, unless keeping it is necessary for business operations or other legitimate business purposes, is required by law or regulation, or targeted disposal isn’t reasonably feasible because of how the information is maintained. You also have to periodically review your retention policy to minimize unnecessary retention. Keeping data indefinitely because deletion is operationally inconvenient is a documented compliance gap.

The rest of § 314.4(c) is mandatory too and is easy to miss in a checklist built around the headline controls: access controls that limit who can reach customer information (with periodic review of who still needs it), an inventory of the data, personnel, devices, systems, and facilities that handle it, change management procedures, and monitoring and logging of authorized users’ activity so that unauthorized access to, use of, or tampering with customer information can be detected.

Element 4: Regular Testing and Monitoring

The rule offers two compliant paths:

Option A — Continuous Monitoring: Automated, ongoing monitoring of information systems for security events, anomalies, and indicators of compromise. This is the more robust approach but requires tooling investment — SIEM, EDR, or similar.

Option B — Annual Penetration Testing + Vulnerability Assessments Every Six Months: Absent effective continuous monitoring, penetration testing of your information systems at least annually, scoped each year from the risks in your risk assessment, plus vulnerability assessments (scans or reviews designed to find publicly known vulnerabilities) at least every six months, and additionally whenever there is a material change to your operations or business arrangements or any other circumstance that may materially affect the program. The rule text does not say who must perform the penetration test, but a “pen test” run by the same team that builds and administers the systems is hard to defend to a reviewer; use testers independent of the system owners and keep their report.

If you choose the pen test path, document remediation of all significant findings. An annual pen test report full of open critical findings is evidence of non-compliance, not evidence of compliance.

Element 5: Service Provider Oversight

If any vendor or third party has access to customer information, you must:

  1. Select and retain providers that maintain appropriate safeguards
  2. Require by contract that providers implement and maintain those safeguards
  3. Periodically assess providers based on the risk they present

This is the gap that catches most small fintechs. Cloud hosting providers, third-party integrations, payment processors, data analytics vendors — if any have access to customer information, you need written security requirements in the contract.

A vendor onboarding process that doesn’t include a security review and contractual security terms isn’t Safeguards Rule-compliant. Reviewing your vendor contracts for security language is a basic gap assessment you can run in a day.

Element 6: Keeping the Program Current

The information security program must be updated in response to:

  • Results from testing and monitoring
  • Material changes in business operations or systems
  • Results from security incidents
  • Changes in the threat environment

This isn’t just an annual review cadence. Acquiring a business, launching a new product, migrating to a new cloud platform, or experiencing a breach all trigger a reassessment requirement. Document when reviews occur and what changes were made.

Element 7: Employee Training

Security awareness training is required for all personnel with access to customer information. The training must be ongoing and must address current threats — a one-time onboarding module from 2022 that never gets updated doesn’t satisfy this requirement.

Training should cover: phishing awareness, password hygiene, handling customer data on personal devices, recognizing social engineering, and reporting security incidents. Document who completed training and when.

Element 8: Written Incident Response Plan

This is one of the most consistently missing elements. The incident response plan under the Safeguards Rule must specifically address:

  • Internal processes for responding to a security event
  • Goals of the plan (containment, remediation, notification)
  • Defined roles and responsibilities
  • Internal and external communication protocols — including regulatory notification
  • Remediation procedures and evidence documentation requirements
  • Post-incident evaluation process

The written-plan requirement applies to institutions that maintain customer information on 5,000 or more consumers; smaller institutions are exempt from writing one, but not from the FTC notification requirement, which applies at any size. The Safeguards Rule itself does not require notice to individual consumers; state breach laws do. So the plan has to carry two clocks: the FTC’s 30-day window and whatever the applicable state laws require.

A cyber incident response playbook should cover the full detection-to-lessons-learned workflow. A plan that lives in a Confluence page and has never been tested isn’t the same as an operational plan.

Element 9: Annual Board/Senior Officer Report

The Qualified Individual must provide a written report to the board of directors (or equivalent senior officer) at least annually covering:

  • Overall status of the information security program
  • Compliance with the Safeguards Rule
  • Material matters relating to the program, including risk assessment results and significant incidents

This creates a paper trail of program oversight. If the FTC later investigates, the absence of annual board reports is evidence that governance was inadequate.


The 2023 Breach Notification Amendment

On October 27, 2023, the FTC finalized an amendment adding a breach notification obligation. It took effect May 13, 2024.

What triggers it: A “notification event,” the acquisition of unencrypted customer information without authorization, affecting 500 or more consumers. Customer information is treated as “unencrypted” if the encryption key was also accessed by the unauthorized party. Two details change the analysis in practice. First, unauthorized access is presumed to be acquisition unless you have reliable evidence that the data was not, or could not reasonably have been, acquired; “we saw no proof of exfiltration” is not enough on its own, while logs showing what was and wasn’t touched are. Second, a ransomware event that exfiltrates data before encrypting it is squarely a notification event, and one that only encrypts still has to be worked through that presumption.

Timeline: Notify the FTC “as soon as possible and no later than 30 days after discovery.”

How: Through the FTC’s online notification form. The notice must give your name and contact details, the types of information involved, the date or date range of the event if you can determine it, the number of consumers affected or potentially affected, a general description of the event, and whether a law enforcement official has given you a written determination that public notice would impede an investigation. The FTC may publish the notice on its website, which creates reputational exposure beyond the regulatory obligation; a law enforcement request can delay that publication, but it does not delay your 30-day deadline to notify the FTC.

What this doesn’t replace: State breach notification laws still apply independently, and many of them turn on the same facts with different thresholds, content, and clocks. Consumer-notice deadlines vary by state, and sector regulators can be much faster: NYDFS Part 500, for example, gives its licensees 72 hours to notify the Department. If you have a breach affecting 500+ consumers, you may be running multiple regulatory notification deadlines simultaneously. Your incident response plan must map these parallel obligations by state.


The Small-Business Partial Exemption (Read It Carefully)

Section 314.6 exempts institutions that maintain customer information on fewer than 5,000 consumers from four requirements, not three:

Exempt for fewer than 5,000 consumers:

  • Written risk assessment (§ 314.4(b)(1)). The program must still be based on a risk assessment; it just doesn’t have to be a written one.
  • Continuous monitoring, or annual penetration testing plus vulnerability assessments every six months (§ 314.4(d)(2))
  • Written incident response plan (§ 314.4(h))
  • Annual written report to the board or a senior officer (§ 314.4(i))

Still required at any size:

  • Designated Qualified Individual
  • MFA for any individual accessing an information system
  • Encryption of customer information in transit over external networks and at rest
  • The remaining § 314.4(c) controls: access controls, data and system inventory, secure development, change management, activity logging, and disposal
  • Vendor oversight and contracts with security requirements
  • Employee training
  • Regular testing or monitoring of the safeguards in some form (§ 314.4(d)(1)); only the prescribed monitoring-or-pen-test cadence is lifted
  • FTC notification of a breach affecting 500 or more consumers (§ 314.4(j))

This is a partial carve-out, not a general exemption. A small mortgage broker with 800 customer files still needs to designate a QI, implement MFA, encrypt data, train staff, put security terms in vendor contracts, and notify the FTC of a qualifying breach. The exemption removes three documentation requirements and the fixed testing cadence; it doesn’t remove the obligation to run a functioning information security program.


What the FTC and Bank Partners Are Actually Checking

When the FTC or your bank partner’s due diligence team reviews your Safeguards Rule program, here’s where they look first:

  • No Qualified Individual formally designated: program ownership is undefined, so accountability can’t be demonstrated.
  • Risk assessment missing or more than 12 months old: the rule only says “periodically,” but a stale assessment doesn’t reflect current operations or the threat environment, and reviewers treat anything older than a year that way.
  • MFA not enforced on every system that holds or connects to customer information: the most common technical gap; vendor portals, legacy admin consoles, and service accounts with long-lived API keys are the usual blind spots.
  • Customer data not encrypted at rest: cloud databases, block storage volumes, and backup snapshots are created unencrypted unless encryption was chosen explicitly at creation.
  • Vendor contracts with no security terms: third-party integrations with customer data access and no contractual security requirements.
  • Incident response plan missing or never tested: a document that’s never been exercised doesn’t demonstrate operational readiness.
  • No training completion records: “we do training” without documentation of who completed it and when.

So What? Three Things to Do This Month

1. Formally designate your Qualified Individual. If you’re outsourcing information security to an MSSP or IT provider, get that assignment in writing — a signed agreement that explicitly names them as QI and defines their responsibilities and your oversight rights. If you’re designating an internal employee, document it formally (board resolution, employment agreement addendum, or written designation).

2. Audit MFA coverage. Walk through every system that holds customer information or connects to one: your core platform, cloud databases, admin portals, third-party integrations, developer access, CI/CD and service accounts, and backup systems. Build a list of anything that’s still password-only or protected by a long-lived API key alone. That’s your remediation backlog, and anything you can’t fix needs a written equivalent-control approval from the Qualified Individual rather than a silent exception. MFA implementation on legacy systems isn’t always fast, but you need to know the scope.

3. Review your vendor contracts for security language. Pull the agreements for every vendor with access to customer data. Check whether the contract includes security requirements, audit rights, data return/deletion obligations, and breach notification obligations running from the vendor to you. If those terms aren’t present, you’re out of compliance with Section 314.4(f) — and you have exposure if the vendor experiences a breach affecting your customers.
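As an added example of step 2 for one system (this is not code from the article), the script below classifies every identity in an AWS IAM credential report, the CSV that `aws iam get-credential-report` returns once its Content field is base64-decoded. The sample report is constructed with the report’s real column names and made-up users; the root account row appears the way it does in a real report. It separates interactive identities without MFA from machine users that hold only long-lived access keys, which MFA does not cover and which need the Qualified Individual’s written decision on an equivalent control:

```python
"""MFA coverage audit over an AWS IAM credential report (added example)."""
import csv
import io

# Constructed sample in the real credential-report layout; users are fictional.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T12:00:00+00:00,not_supported,2026-04-20T09:11:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-01-10T10:00:00+00:00,true,2026-04-29T08:00:00+00:00,2026-01-05T10:00:00+00:00,2026-04-05T10:00:00+00:00,true,true,2026-01-05T10:00:00+00:00,2026-04-29T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T10:00:00+00:00,true,2026-04-28T17:30:00+00:00,2025-11-01T10:00:00+00:00,2026-02-01T10:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-02-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2025-12-01T10:00:00+00:00,2026-04-30T01:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"


def audit_mfa(report_csv: str) -> dict:
    """Sort every identity in a credential report into one of three buckets.

    missing_mfa: identities that can sign in interactively (a console
                 password, or the root account) with no MFA device active.
                 Each is a Safeguards Rule gap unless the QI has a written
                 equivalent-control approval on file.
    keys_only:   users with no console password but an active access key.
                 MFA never applies to those API calls, so they need a
                 separate decision (short-lived credentials or a documented
                 QI approval).
    compliant:   interactive identities with MFA active.
    """
    findings = {"missing_mfa": [], "keys_only": [], "compliant": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as "not_supported", but root
        # always has a console password, so treat it as interactive.
        interactive = user == ROOT or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        keys_active = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if interactive and not mfa:
            findings["missing_mfa"].append(user)
        elif interactive:
            findings["compliant"].append(user)
        elif keys_active:
            findings["keys_only"].append(user)
    return findings


def remediation_backlog(findings: dict) -> list:
    """Flatten the audit into an ordered backlog: the root account first
    (highest impact), then interactive users, then key-only machine users."""
    ordered = sorted(findings["missing_mfa"], key=lambda u: (u != ROOT, u))
    return [(u, "enable MFA") for u in ordered] + [
        (u, "replace long-lived key or record QI approval") for u in findings["keys_only"]]


if __name__ == "__main__":
    for user, action in remediation_backlog(audit_mfa(SAMPLE_REPORT)):
        print(f"{user}: {action}")
```

Console MFA does not protect a user’s access keys: API calls made with them carry no MFA context unless your IAM policies require the aws:MultiFactorAuthPresent condition key, so users in the compliant bucket who also hold keys deserve a second look. The same three buckets (interactive without MFA, keys-only, compliant) map onto any identity provider’s user export, and together they are the remediation backlog step 2 asks you to build.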

The Safeguards Rule isn’t new. The 2021 expansion isn’t new. Companies that have been waiting to see whether the FTC actually enforces it have their answer: it does, penalties are real, and bank partners are now asking for Safeguards Rule documentation as part of fintech due diligence. The program you build doesn’t have to be elaborate — but it has to exist, be documented, and be maintained.


Sources: FTC Safeguards Rule Official Page · FTC: What Your Business Needs to Know · 2023 FTC Breach Notification Amendment · 16 CFR Part 314 (eCFR) · FTC: Safeguards Rule Notification Now in Effect (May 2024)

Frequently Asked Questions

Who does the FTC Safeguards Rule apply to?
The FTC Safeguards Rule applies to financial institutions subject to FTC jurisdiction under the Gramm-Leach-Bliley Act. The rule explicitly lists 13 example categories: mortgage lenders, mortgage brokers, payday lenders, finance companies, auto dealers offering financing, account servicers, check cashers, wire transferors, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisors not required to register with the SEC. Banks and credit unions supervised by federal banking regulators are subject to FFIEC guidance instead.
What are the 9 required elements of an FTC Safeguards Rule information security program?
Section 314.4 requires: (1) a written risk assessment; (2) a designated Qualified Individual; (3) safeguards to address identified risks, including mandatory MFA, encryption of customer data in transit and at rest, access controls, secure development, change management, activity logging, and disposal of customer information within two years of last use; (4) regular testing through continuous monitoring or annual penetration testing plus vulnerability assessments every six months; (5) service provider oversight with contractual security requirements; (6) keeping the program current with test results and operational changes; (7) security awareness training and qualified personnel; (8) a written incident response plan; and (9) a written annual report from the Qualified Individual to the board or a senior officer. The 2023 amendment added a tenth item, § 314.4(j), notification to the FTC.
What does the 2023 FTC Safeguards Rule breach notification requirement mandate?
The 2023 amendment, effective May 13, 2024, requires covered financial institutions to notify the FTC within 30 days of discovering a security breach involving unencrypted customer information of 500 or more consumers. Data is treated as 'unencrypted' if the encryption key was also accessed by the unauthorized party. Notification is made through the FTC's online portal. This obligation runs in parallel with state breach notification requirements — you may have multiple reporting deadlines simultaneously.
What are the penalties for violating the FTC Safeguards Rule?
The civil penalty under the FTC Act is inflation-adjusted annually and stood at $51,744 per violation in 2024, with each day of a continuing violation counted separately. In practice the FTC reaches that figure through an order: a first enforcement action typically ends in a consent order that mandates a compliant program and periodic independent assessments, and every day out of compliance with that order is a penalized violation. For systemic, ongoing failures across multiple requirements (an unwritten risk assessment, no MFA deployed, no vendor contracts) the per-violation per-day structure compounds rapidly. The FTC can also seek injunctive relief, mandate third-party audits, and impose additional requirements on the company's information security program.
Is there a small business exemption from the FTC Safeguards Rule?
Partially. Under § 314.6, financial institutions maintaining customer information on fewer than 5,000 consumers are exempt from four requirements: the written risk assessment, the continuous-monitoring-or-annual-penetration-testing cadence, the written incident response plan, and the annual written report to the board or senior officer. This is not a full exemption. These companies must still designate a Qualified Individual, implement MFA, encrypt customer data, test or monitor their safeguards in some form, maintain vendor oversight, train employees, and notify the FTC of a breach affecting 500 or more consumers. Reading the carve-out as a general small-business exemption is a compliance mistake.
What do FTC investigators and bank partners look for in a Safeguards Rule review?
Reviewers focus on: (1) documentation that a named Qualified Individual is overseeing the program; (2) a written risk assessment updated within the last 12 months (the rule says “periodically,” but reviewers treat anything older than a year as stale); (3) evidence of MFA implementation across all systems that hold or connect to customer information; (4) encryption of customer data in transit and at rest; (5) vendor contracts with written security requirements for vendors with customer data access; and (6) a tested incident response plan that covers notification obligations. A paper program without evidence of implementation is treated as non-compliance.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
