ISpectra Technologies
Financial · Privacy

What is FTC Safeguards Rule?

A US FTC rule under the Gramm-Leach-Bliley Act requiring non-banking financial institutions to protect customer information with a written security program.

Definition

The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA), requires non-banking financial institutions to develop, implement and maintain a comprehensive written information security program that keeps customer information secure. A significant 2021 amendment (with key provisions effective in 2023) added far more prescriptive requirements.

It applies to a wide range of businesses the FTC treats as “financial institutions” — including mortgage brokers, auto dealers, payday lenders, tax preparers, and many fintech and finance-adjacent companies.

Key requirements

1

Qualified Individual

Designate someone to oversee the security program.

2

Risk assessment

Document and periodically reassess risks to customer data.

3

Safeguards

Access controls, encryption, MFA and secure disposal.

4

Monitoring & testing

Continuous monitoring, or annual pen testing plus vulnerability scans.

5

Incident response

A written plan for responding to security events.

6

Oversight

Vendor management and regular reporting to the board.

Who needs to comply?

Any non-banking “financial institution” under the FTC’s jurisdiction — from lenders and tax preparers to fintechs and finance-adjacent SaaS — must comply with the Safeguards Rule.

How ISpectra helps

ISpectra builds and operationalises your Safeguards Rule program — risk assessment, technical controls (MFA, encryption, monitoring), incident response and vendor oversight — with evidence you can show the FTC.

Talk to an advisor