Definition and purpose

The Federal Trade Commission's Standards for Safeguarding Customer Information — also known as the FTC Safeguards Rule, the Safeguards Rule, or the Rule, for short — establishes guidelines and requirements for covered entities handling sensitive customer data to safeguard against anticipated threats or hazards and unauthorized access.

Its purpose is to ensure the confidentiality and security of nonpublic personal information of customers of financial institutions.

Governing Body

The Federal Trade Commission (FTC) is the governing body responsible for overseeing and enforcing the Standards for Safeguarding Customer Information. The FTC plays a crucial role in promoting consumer protection, privacy, and fair business practices.

Last updated

The last major update to the Safeguards Rule was in 2021, after public comment. The FTC amended it to make sure the Rule keeps pace with current technology.

More recently, in November 2023, the FTC issued the Final Rule to amend the Safeguards Rule to require financial institutions to report notification events, defined as the unauthorized acquisition of unencrypted customer information, involving at least 500 customers to the FTC.

Applies to

The FTC Safeguards Rule applies primarily to financial institutions that handle nonpublic personal information of consumers. Examples of financial institutions include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, and tax preparation firms.

 It may also extend to various industries that deal with sensitive customer data, like auto dealerships.

More specifically, this rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. 

Controls and requirements

The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. These safeguards are just one element that your company’s information security program must include to comply with the Rule.

Other elements include:

• Designating a Qualified Individual to implement and supervise your company’s information security program
• Conducting periodic risk assessments
• Training your staff
• Monitoring your service providers
• Keeping your information security program current
• Creating a written incident response plan
• Requiring your Qualified Individual to report to your Board of Directors

Please refer to the official documentation for a detailed list of requirements and safeguards.

Audit type, frequency, and duration

The FTC Safeguards Rules requires entities to conduct periodic risk assessments and regularly test or otherwise monitor the effectiveness of their safeguards. To meet the latter requirement, entities can implement continuous monitoring or conduct periodic penetration testing and vulnerability assessments, including system-wide scans every six months.

The Rule also requires the Qualified Individuals at each covered entity to report in writing, at least annually, to their board of directors or equivalent governing body. This report must include an overall assessment of your company’s compliance with its information security program.