The Problem
The FTC’s updated Safeguards Rule took effect in 2023, introducing a significantly more prescriptive set of requirements than the original 2003 rule. For larger institutions subject to bank regulatory oversight, many of these requirements were already embedded in FFIEC guidance. For smaller non-bank financial institutions — auto dealers, mortgage companies, tax preparers, credit counselors, and others covered by the FTC’s jurisdiction — the update represented a substantial new compliance burden.
Even for institutions that were nominally aware of the changes, implementation has been uneven. Some have updated their written information security programs on paper but haven’t changed underlying practices. Others have addressed certain requirements while missing others entirely. The most common gaps tend to cluster around a handful of specific provisions that weren’t in the original rule.
What Changed in the Updated Rule
The original Safeguards Rule required covered institutions to develop, implement, and maintain a comprehensive information security program — but left the specific requirements largely to the institution’s judgment. The 2023 update replaced that flexibility with specific, enumerated requirements. Key additions include:
- A designated qualified individual responsible for overseeing the information security program
- A written risk assessment with specific elements
- Encryption of customer information in transit and at rest
- Multi-factor authentication for any individual accessing customer information
- Secure development practices for in-house developed applications
- A written incident response plan
- Annual reporting to the board of directors (or equivalent) on the information security program
- Periodic penetration testing and vulnerability assessments
Institutions with fewer than 5,000 customer records are exempt from some of these specific requirements, but the core obligation to maintain an information security program still applies.
The Most Common Gaps
No Designated Qualified Individual
The rule requires a designated qualified individual — an employee, affiliate, or service provider — who is responsible for overseeing and implementing the information security program and reporting to the board. Many smaller institutions either haven’t formally designated anyone or have assigned the role to someone without documenting it. The designation should be in writing, and the individual’s qualifications should be documented.
MFA Not Fully Implemented
Multi-factor authentication for access to customer information is a specific requirement under the updated rule, not merely a best practice. Many institutions have MFA on remote access but not on internal systems that store customer data, or have exempted certain users or applications without documenting the decision. A full inventory of where customer information resides and what access controls protect it is the starting point for closing this gap.
Encryption Gaps
Encryption of customer information in transit is widely implemented through HTTPS and TLS. Encryption at rest — for databases, file shares, and portable media holding customer data — is less consistently applied. Institutions should be able to document where customer information is stored and confirm that encryption at rest is in place or that a risk-based decision has been made and documented.
Penetration Testing Not Conducted
The updated rule requires periodic penetration testing — at least annual external penetration testing and semi-annual vulnerability assessments — unless the institution qualifies for the small-institution exemption. Many covered institutions haven’t added penetration testing to their programs at all, often because they weren’t doing it under the old rule and the new requirement wasn’t communicated clearly. This is a specific, enumerated requirement with a defined frequency, and the absence of documentation is straightforward to identify.
Board Reporting Not Formalized
Annual reporting to the board on the information security program is required. This means a documented report — not just a verbal update — covering the overall status of the program, material risks identified, and recommendations for changes. Institutions that have been providing informal updates without a written report need to formalize the process and ensure the board is actually reviewing and engaging with the content.
Practical Checklist
- Qualified individual designated in writing as responsible for the information security program
- Written information security program updated to reflect the 2023 Safeguards Rule requirements
- Written risk assessment conducted with the specific elements required by the rule
- MFA implemented for all access to customer information (or exceptions documented)
- Customer information encrypted in transit and at rest (or compensating controls documented)
- Annual external penetration test and semi-annual vulnerability assessments conducted and documented
- Written incident response plan in place and reviewed within the last 12 months
- Annual written report to the board on the information security program documented in meeting minutes
- Service provider oversight program addresses security requirements in contracts