Skip to main content

FTC Safeguards Rule (Gramm-Leach-Bliley Act)

The FTC Safeguards Rule implements GLBA's security requirements for non-bank financial institutions, mandating a written information-security program with specific controls such as encryption, multi-factor authentication, and an incident-response plan. The FTC enforces it with penalties and consent orders.

Jurisdiction
United States

What the FTC Safeguards Rule Is and Why It Exists

The FTC Safeguards Rule implements the security requirements of the Gramm-Leach-Bliley Act (GLBA) for the financial institutions under the Federal Trade Commission's jurisdiction. A major amendment, with key provisions taking effect in June 2023, made the rule far more prescriptive, replacing broad principles with specific technical and administrative controls. It requires covered institutions to develop, implement, and maintain a comprehensive written information-security program to protect customer information.

The rule exists because GLBA promised consumers that their financial data would be safeguarded, and the FTC concluded that general expectations were no longer sufficient against modern threats.

Who It Applies To

The Safeguards Rule applies to non-bank "financial institutions" under FTC jurisdiction, a category interpreted broadly to include mortgage brokers, payday lenders, auto dealers that arrange financing, tax preparers, collection agencies, investment advisers not registered with the SEC, and many fintech companies. Banks and credit unions are regulated under parallel rules by their own agencies, not the FTC version.

Key Requirements

The amended rule requires, among other things:

  • A written information-security program overseen by a designated "Qualified Individual."
  • A risk assessment that is documented and periodically updated.
  • Specific safeguards: access controls, encryption of customer information at rest and in transit, multi-factor authentication, secure development practices, and disposal of unneeded data.
  • Monitoring and testing: continuous monitoring or periodic penetration testing and vulnerability assessments.
  • An incident-response plan and oversight of service providers.
  • Reporting: written reports to the board or governing body, and notification to the FTC of certain breaches.

Penalties for Non-Compliance

The FTC can bring enforcement actions for violations, which can result in significant civil penalties and consent orders imposing years of mandatory compliance assessments. Inadequate security that leads to breaches can also expose institutions to additional FTC action under its broader authority, as well as state enforcement and private litigation. The reputational damage from a publicized failure can be severe in consumer finance.

How to Comply

  • Confirm whether your business is a covered financial institution under the FTC's broad definition.
  • Appoint a Qualified Individual and create a written information-security program.
  • Conduct and document a risk assessment that drives your controls.
  • Implement encryption, multi-factor authentication, access controls, and secure data disposal.
  • Establish monitoring or regular testing, an incident-response plan, and service-provider oversight.
  • Report to your governing body and prepare to notify the FTC of qualifying breaches.

The rule's prescriptiveness makes it a useful template even for organizations not strictly within its scope.

Service-Provider Oversight and Breach Notification

Two elements of the amended rule deserve particular engineering attention. First, covered institutions must oversee their service providers, selecting providers capable of maintaining appropriate safeguards and contractually requiring them, then periodically assessing them. Given how much customer data flows to third parties, vendor risk management is now a core obligation rather than a formality. Second, a later amendment added a breach-notification requirement, obliging institutions to notify the FTC of certain security events affecting large numbers of consumers within a defined timeframe. Together these provisions extend accountability across the supply chain and add a reporting discipline that institutions must build into their incident-response planning.