What is FTC Safeguards Rule?
A US FTC rule under the Gramm-Leach-Bliley Act requiring non-banking financial institutions to protect customer information with a written security program.
Definition
The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA), requires non-banking financial institutions to develop, implement and maintain a comprehensive written information security program that keeps customer information secure. A significant 2021 amendment (with key provisions effective in 2023) added far more prescriptive requirements.
It applies to a wide range of businesses the FTC treats as “financial institutions” — including mortgage brokers, auto dealers, payday lenders, tax preparers, and many fintech and finance-adjacent companies.
Key requirements
Qualified Individual
Designate someone to oversee the security program.
Risk assessment
Document and periodically reassess risks to customer data.
Safeguards
Access controls, encryption, MFA and secure disposal.
Monitoring & testing
Continuous monitoring, or annual pen testing plus vulnerability scans.
Incident response
A written plan for responding to security events.
Oversight
Vendor management and regular reporting to the board.
Who needs to comply?
Any non-banking “financial institution” under the FTC’s jurisdiction — from lenders and tax preparers to fintechs and finance-adjacent SaaS — must comply with the Safeguards Rule.
How ISpectra helps
ISpectra builds and operationalises your Safeguards Rule program — risk assessment, technical controls (MFA, encryption, monitoring), incident response and vendor oversight — with evidence you can show the FTC.
Talk to an advisor