Skip to Content
Governance and Compliance

What is the FTC Safeguards Rule?

The FTC Safeguards Rule is a U.S. regulation that requires non-banking financial institutions to maintain a formal information security program to protect customer data. It comes from the Gramm-Leach-Bliley Act and lists, in concrete terms, what that program must include: a named individual in charge, a written risk assessment, multi-factor authentication, encryption, and an incident response plan. It applies to any company that offers financial products or services to consumers under FTC jurisdiction, wherever it is located.

Zamak TechnologiesUpdated on July 11, 2026

How the Safeguards Rule works

The Safeguards Rule is not a suggestion of good practice; it is a requirement with mandatory elements. Section 314.4 defines nine components that the information security program must contain, and the company is accountable for keeping them alive, not just for having them on paper.

1

Name a person in charge

The program needs a Qualified Individual, someone formally responsible for implementing and overseeing information security. Without an owner, the program does not really exist.

2

Assess risk in writing

The company documents where customer data lives and what threats it faces. That assessment is what justifies each control adopted.

3

Implement the required controls

The rule explicitly names multi-factor authentication, encryption of data in transit and at rest, access control, and monitoring. They are not optional.

4

Test, train, and report

The program has to be tested (through penetration testing or continuous monitoring), the team has to be trained, and the person in charge reports to the board or senior management at least once a year.

Source: Federal Trade Commission, Safeguards Rule (16 CFR Part 314), under the Gramm-Leach-Bliley Act (GLBA).

How to tell the rule applies to you

  • You offer credit, loans, financing, or your own installment plans. 'Financial institution' here is broad: it is not only banks, and many companies never realize they fit.
  • You are an auto dealer, a real estate firm, an accounting or tax practice that handles clients' financial data. All have been treated as non-banking financial institutions.
  • You store consumer financial data: ID numbers, accounts, income, payment history. That is exactly the data the rule exists to protect.
  • You serve customers under FTC jurisdiction, even from another country. The obligation follows the financial service provided to the consumer, not your headquarters' address.

The required elements, grouped

  • Accountability and risk A named Qualified Individual and a written, periodic risk assessment. It is the foundation that guides everything else in the program.
  • Technical controls Multi-factor authentication, encryption in transit and at rest, access control, and secure disposal. The controls the rule names by name.
  • Continuous oversight Monitoring or penetration testing to verify the defenses actually work, and oversight of the service providers that also touch the data.
  • Response and readiness A written incident response plan and security training for the team. Knowing what to do before the incident happens, not during it.
  • Accountability to leadership A report to the board or senior management at least once a year, and the mandatory notification to the regulator when a breach affects 500 people or more.

What is at stake for the business

9
mandatory elements the information security program must contain (Section 314.4)
30 days
the maximum window to notify the regulator after discovering a breach of 500+ people, in force since May 2024
$ 4.44M
average global cost of a data breach, IBM 2025

The Safeguards Rule has grown teeth. Since May 13, 2024, a non-banking financial institution must notify the regulator within 30 days of discovering a breach that affects 500 people or more, and that notification is public. Before that, an incident could be handled quietly; now the same incident becomes a record visible to customers, partners, and competitors. The required program has nine mandatory elements, and enforcement has already brought penalties against companies that ignored them. Add the underlying cost: a data breach still costs, on average, $ 4.44 million worldwide (IBM, 2025), and financial services is among the most expensive sectors of all. For many companies that never saw themselves as a 'financial institution,' the surprise is twofold: learning they are within reach, and learning the deadline to comply has already passed.

How a company complies in practice

Complying with the Safeguards Rule means building a living program, not filling out a form. The path is straightforward when you follow the right order:

  1. Confirm whether you are in scopeFirst, check whether your activity qualifies as a financial institution under the FTC. Many companies are in scope without knowing it, and that discovery is what most delays compliance.
  2. Name the person in charge and map the dataDesignate the Qualified Individual and inventory where customer data lives. Without an owner and a map, the controls float loose.
  3. Turn on the controls the rule namesMulti-factor authentication, encryption, and access control are named requirements. Starting with them resolves much of the program and cuts real risk.
  4. Write the response planAn incident affecting 500 people triggers a 30-day clock. Having the plan ready, with defined roles, is what lets you meet the deadline without chaos.
  5. Document and report every yearThe evidence that the program works has to exist, and the person in charge reports to the board annually. That is what turns 'we have security' into something provable.

In practice

If your company suffered a customer-data incident today, could you say, within 30 days, exactly who was affected and what to disclose to the regulator? When the answer is 'we're not sure,' the problem is not only the incident, it is the clock running without a plan.

How Zamak supports Safeguards Rule compliance

Zamak Technologies supports Safeguards Rule compliance alongside your team: it helps confirm the scope, organizes the risk assessment, turns on the controls the rule requires, and keeps the evidence ready for the annual report, using a compliance platform as one of the roadmaps. Governance documents and proves compliance; it walks together with the technical defenses, such as strong authentication and encryption, which are the layer that actually protects the data. A good starting point is the compliance self-check, within the Governance and Compliance of the Zamak Method.

Frequently asked questions about the FTC Safeguards Rule

My company is not a bank. Does the Safeguards Rule apply to me?
It probably can. The rule covers non-banking financial institutions, and that definition is broad: auto dealers, real estate firms, accounting practices, lenders, and many others have been treated as such. If you handle consumers' financial data, it is worth confirming the scope.
What is the Qualified Individual?
It is the person formally named to implement and oversee the company's information security program. They do not have to be senior or internal, but they have to exist, have clear responsibility, and report to leadership.
What changed in May 2024?
The requirement to notify the regulator within 30 days of discovering a breach affecting 500 people or more took effect. That made public a kind of incident that could previously be handled internally, and raised the cost of not being prepared.
Does the Safeguards Rule require MFA and encryption?
Yes. The rule explicitly names multi-factor authentication and encryption of customer data, in transit and at rest, as mandatory controls, unless a formal justification for an equivalent control is approved by the person in charge.
How does the Safeguards Rule relate to GLBA?
GLBA, the Gramm-Leach-Bliley Act, is the law that created the obligation to protect consumers' financial data. The Safeguards Rule is the FTC regulation that spells out, in practice, what the security program must contain to meet the law.
Does a small company have to do all of it?
The reach of some requirements varies with size and the amount of data, but the obligation to have a program exists. For most small companies, it makes sense to run compliance as a service, without building a compliance function of their own.