FTC Safeguards Rule: Proof of Compliance Is Now the Standard

Most tax preparers, mortgage brokers, and financial advisors don't think of themselves as financial institutions under federal law. The FTC does. The Gramm-Leach-Bliley Act's Safeguards Rule covers any business "significantly engaged in financial activities," and the 2023 overhaul added specific technical requirements that are now being actively enforced. Civil penalties under FTC Act Section 5 reach $51,744 per violation per day. Businesses that treated the rule as theoretical are discovering otherwise in 2026.

Who the FTC Safeguards Rule Actually Covers

The rule applies to non-bank financial institutions. That sounds narrower than it is.

Under GLBA, the covered list includes mortgage lenders and brokers, tax preparers, auto dealers who arrange financing, collection agencies, financial advisors not registered with the SEC, credit counselors, payday lenders, money transmitters, and check cashers. Companies that connect buyers and sellers of financial products are also covered, as are colleges and universities that administer federal financial aid.

A 35-person tax firm is covered. A 90-person dealership in Parsippany that handles its own financing is covered. A boutique wealth management firm in Hoboken with 30 employees and 45 advisory clients is covered.

The small-firm exemption is narrower than most expect. Businesses with fewer than 5,000 consumer records are exempt from some requirements, including the formal written risk assessment and the required annual board report. They are not exempt from the rule itself. Every covered business, at every size, must maintain a written security program.

What the Rule Actually Requires

The 2021 update restructured the requirements. The 2023 amendment made them specific. Here is what covered businesses need to have in place.

A designated Qualified Individual who oversees the security program and reports to the board at least annually. In a smaller firm, this role often falls to the owner or an IT partner in a formal oversight capacity.

A documented annual risk assessment. Not a mental checklist. A written evaluation of what customer data the business collects, where it lives, what the threats are, and how those threats are being addressed.

Multi-factor authentication. Mandatory for every employee, contractor, and service provider accessing systems that contain customer financial data. Username and password alone is not compliant. The FTC specifically recommends authenticator apps and hardware keys over SMS-based verification, which is vulnerable to SIM-swapping attacks.

Encryption. Customer data in transit requires TLS 1.2 or higher. Data at rest requires AES-256. If encryption is not technically feasible in a specific case, the Qualified Individual must approve and document an equivalent alternative control in writing.

Annual penetration testing by an independent third party for businesses with more than 5,000 consumer records. Vulnerability scanning is required at least every six months across all covered businesses.

A written incident response plan covering containment, notification, remediation, and post-incident review. A template sitting in a shared folder that nobody has read does not satisfy this requirement.

Security awareness training for all employees with access to customer data. The training content must stay current with evolving threats.

Vendor security agreements. Every service provider handling customer information needs a contract that requires them to maintain appropriate safeguards. IT providers, cloud storage vendors, and software platforms that touch customer data all fall under this. Adding AI tools and third-party integrations without updating vendor agreements is a growing compliance gap.

FTC breach notification within 30 days when a security incident exposes the information of 500 or more consumers. That notice becomes public record.
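As an added illustration (not part of the original article), the MFA, encryption, scanning and pen-test requirements above can be turned into a repeatable gap check over a system inventory; the thresholds are the article's, while the field names, the `audit` function and the five-system firm are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds come from the requirements above; field and function names are my own.
TLS_MIN = (1, 2)            # data in transit: TLS 1.2 or higher
AT_REST_CIPHER = "AES-256"  # data at rest
PENTEST_RECORDS = 5000      # independent third-party pen test above this many records
SCAN_MAX_DAYS = 182         # vulnerability scan at least every six months
PENTEST_MAX_DAYS = 365      # penetration test at least annually
@dataclass
class System:
    name: str
    holds_customer_data: bool
    mfa_enabled: bool
    tls_min: Optional[tuple]        # (major, minor) floor offered; None = no network exposure
    at_rest_cipher: Optional[str]   # None = stored unencrypted
    documented_exception: bool = False  # QI-approved alternative control, in writing
def audit(systems: List[System], consumer_records: int, days_since_scan: int,
          days_since_pentest: int, pentest_independent: bool) -> List[str]:
    findings = []  # one entry per gap; empty means no gaps found
    for s in systems:
        if not s.holds_customer_data:
            continue  # out of scope: the rule targets systems holding customer financial data
        if not s.mfa_enabled:
            findings.append(f"{s.name}: MFA not enforced")  # MFA on email alone is a finding
        # Encryption gaps are acceptable only with a written, QI-approved alternative control.
        if not s.documented_exception:
            if s.tls_min is not None and s.tls_min < TLS_MIN:
                findings.append(f"{s.name}: TLS below 1.2 in transit")
            if s.at_rest_cipher != AT_REST_CIPHER:
                findings.append(f"{s.name}: at-rest encryption is not AES-256")
    if days_since_scan > SCAN_MAX_DAYS:
        findings.append("vulnerability scan older than six months")
    if days_since_pentest > PENTEST_MAX_DAYS:
        findings.append("penetration test older than one year")
    if consumer_records > PENTEST_RECORDS and not pentest_independent:
        findings.append("pen test must be by an independent third party above 5,000 records")
    return findings

# Constructed inventory for a hypothetical tax firm, not a real client.
INVENTORY = [
    System("email", True, True, (1, 2), "AES-256"),
    System("tax-software", True, False, (1, 2), "AES-256"),      # MFA only on email
    System("crm", True, True, (1, 1), "AES-256"),                # old TLS floor
    System("legacy-file-share", True, True, None, None, True),   # exception documented
    System("marketing-site", False, False, (1, 0), None),        # no customer data
]
def example() -> List[str]:
    return audit(INVENTORY, consumer_records=6200, days_since_scan=90,
                 days_since_pentest=400, pentest_independent=False)
```

Running `example()` reports the partial-MFA and weak-TLS systems plus the two pen-test gaps, while the documented exception and the out-of-scope site produce nothing.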

Where Most Businesses Are Falling Short

Enforcement activity in 2026 keeps finding the same problems.

No written program. The requirement to maintain a written information security program has existed since 2003. Enforcement actions still find covered businesses operating without one.

Selective MFA. Some firms have turned on multi-factor authentication for email. Not for the accounting platform, not for the tax software, not for the CRM holding client financial data. Partial deployment does not satisfy the rule.

Vendor agreements with no security language. Long-standing service provider relationships where no contract ever included security requirements. Fixing that retroactively is uncomfortable. Not having it is a liability.

An incident response plan nobody knows exists. Some businesses have a document. Nobody who would actually respond to a breach has read it.

No annual pen test. Many covered firms have never scheduled one.

Missing documentation. When regulators ask to see the risk assessment, the training records, the pen test results, and the signed vendor agreements, "we have all of that somewhere" does not hold up.

What Businesses That Have This Figured Out Do Differently

A 70-person financial advisory firm running a clean Safeguards program shares a few patterns with similar firms that don't stress about enforcement.

They have a named person. Not "our IT contact." A Qualified Individual who owns the program, knows what's in it, and can describe it.

They test annually. The pen test is on the calendar. Results feed a remediation list. The remediation list gets worked down. This happens because the test surfaces real information about their environment that they'd rather find before someone else does.

Vendors have signed security addendums. Before any service provider gets access to client data, that conversation happens and the contract reflects it.

Employees have seen current training, not a module from three years ago.

None of this is complicated. It is maintained. The firms that don't lose sleep over Safeguards enforcement are not running more sophisticated operations. They have made compliance part of the routine instead of a project that perpetually needs to get started.

What This Means for Your IT Setup

Compliance with the FTC Safeguards Rule is an ongoing obligation: the controls must be documented, maintained, and continuously monitored. MFA doesn't manage itself. Encryption configurations change when systems change. Pen test findings require remediation. Vendor agreements need updating when vendors change.

The documentation requirement is where businesses underestimate their exposure. When regulators show up, or when a breach occurs, they ask for the written risk assessment, the training records, the pen test reports, and the signed vendor agreements. Inability to produce those is itself a violation.

A Safeguards violation at the time of a breach can also void cyber insurance coverage. Carriers have been tightening exclusion language around documented compliance failures, a pattern also visible in how insurers are responding to undisclosed AI tool exposure. Penalties, consent orders, and insurance gaps all compound.

Findings from the 2026 Verizon Data Breach Investigations Report underscored what regulators already know: missing risk assessments and unpatched systems are still the most common breach precursors. The Safeguards Rule's documentation requirements exist precisely to close those gaps before an incident happens.

An IT partner's role in a Safeguards program is specific. Building the written program. Implementing MFA across every system that touches client data. Managing vendor security language. Coordinating annual pen tests and quarterly scans. Keeping documentation current. These are legally required controls, not optional improvements. The FTC's enforcement posture in 2026 makes clear that "we were planning to get to this" is not a defense.

For covered businesses in the 25 to 250 employee range, the question isn't whether the Safeguards Rule applies. It's whether the required documentation exists and whether the required controls are running.


Frequently Asked Questions

Does the FTC Safeguards Rule apply to my business if I'm not a bank?

If your business is significantly engaged in financial activities including tax preparation, mortgage brokering, auto financing, financial advising, or debt collection, you are likely covered under the Gramm-Leach-Bliley Act's Safeguards Rule. The rule applies to non-bank financial institutions and is not limited to traditional banking.

What is the difference between GLBA and the FTC Safeguards Rule?

The Gramm-Leach-Bliley Act (GLBA) is the federal statute that established requirements for how financial institutions handle customer information. The FTC Safeguards Rule is the implementing regulation that tells non-bank financial institutions what their information security programs must include. GLBA is the law. The Safeguards Rule is the operational requirement.

How often does penetration testing need to happen under the FTC Safeguards Rule?

Penetration testing is required at least annually. For businesses with more than 5,000 consumer records, the test must be performed by an independent third party. Vulnerability scanning is required at least every six months for all covered businesses.

What are the penalties for violating the FTC Safeguards Rule?

Civil penalties under FTC Act Section 5 can reach $51,744 per violation per day, adjusted annually for inflation. Multiple simultaneous violations compound the total. Non-compliance at the time of a breach can also void cyber insurance coverage and expose the business to state attorney general enforcement and client litigation.

Does the FTC Safeguards Rule apply to businesses with fewer than 5,000 customers?

Businesses with fewer than 5,000 consumer records are exempt from specific requirements including the formal written risk assessment, annual board reporting, and incident response plan. They are not exempt from the rule itself. Every covered business at every size must maintain a written security program.

Your IT partner should be able to tell you exactly where your business stands on Safeguards Rule compliance. If that conversation hasn't happened, it's worth having before a regulator initiates it for you. Get in touch to talk through your compliance posture.