01 / Who's subject to the rule

Wider than most businesses realize.

The FTC defines "financial institution" much more broadly than the banking regulators do. If your business handles non-public customer financial information and offers any kind of financial product or service, the Safeguards Rule probably applies to you. Many of the business types listed below are surprised to learn that they are subject to it.

Lending and credit
  • Mortgage brokers
  • Mortgage lenders
  • Non-bank lenders
  • Auto dealers offering financing
  • Payday lenders
  • Check cashers
  • Credit counselors
  • Debt collectors
Financial services and advice
  • Tax preparation firms
  • Accounting firms (tax prep)
  • Investment advisors not registered with the SEC
  • Personal financial advisors
  • Account servicers
  • Career counselors for financial roles
Real estate and settlement
  • Real estate appraisers
  • Real estate settlement services
  • Title services with financial functions
  • Personal property appraisers
Transactions and other
  • Wire transfer services
  • Money services businesses
  • Finders matching buyers and sellers
  • Travel agencies offering financial services

The 2022 amendments tightened the rule considerably

The original Safeguards Rule from 2003 was vague. The 2022 amendments, fully effective June 2023, added nine specific required elements, including written risk assessments, designation of a Qualified Individual, mandatory employee training, ongoing service-provider oversight, and an annual report to the board or governing body. A vague paragraph in your employee handbook is no longer enough. If your business has not formally updated its information security program since 2023, this is the gap.

02 / Who this engagement is for

A current, defensible program. Not a template.

We work with non-banking financial services firms that need an independent assessment of their information security program against the Safeguards Rule. The deliverable is a documented program with a remediation roadmap, not a generic policy template you'll never read again.

A good fit if
  • Your business falls under the FTC's definition of a financial institution (see the section above)
  • Your insurance carrier or bank partner has asked you to demonstrate a written information security program
  • Your tax software vendor is requiring a WISP for E-File renewal or platform access
  • You haven't formally updated your program since the 2022 amendments took effect
  • You have or expect to have customer information governed by the Safeguards Rule
  • You're going through M&A due diligence and need to show a current program
  • An auditor or regulator has flagged a compliance gap
Look elsewhere if
  • You don't handle customer financial information and aren't a financial institution under the FTC's definition (consider Complyn Core for a general baseline)
  • You're a healthcare practice or business associate handling PHI (consider HIPAA Compliance)
  • You need comprehensive, cross-industry coverage (consider NIST CSF 2.0)
  • You need a formal SOC 2 audit or third-party attestation

03 / What's included

All nine required elements. Assessed against your actual practice.

The 2022 amendments require the information security program to include nine specific elements. We assess every one of them. Each finding includes the relevant rule citation, what we observed in your business, and a specific recommendation to close any gap.

01

Designate a Qualified Individual

The rule requires you to designate a Qualified Individual responsible for overseeing the information security program. We assess whether you have one, whether they're actually qualified for your size and complexity, and whether their responsibilities are documented.

02

Conduct a written risk assessment

A written risk assessment must address how customer information is collected, stored, used, and disposed of, plus reasonably foreseeable risks. We evaluate whether yours exists, whether it's current, and whether it addresses what the rule actually specifies.

03

Design and implement safeguards

Technical, physical, and administrative safeguards to control the risks identified in the assessment. Access controls, encryption, authentication including MFA where appropriate. We assess what's implemented, what's missing, and what's documented but not actually in practice.

04

Regularly test or monitor safeguards

The rule requires either continuous monitoring of your information systems, or annual penetration testing plus vulnerability assessments at least every six months. We document which approach you use and whether the testing actually happens on schedule.

05

Implement policies, procedures, and training

Written policies and procedures, plus security awareness training that is tailored, current, and reinforced. We assess what training is delivered, how often, to whom, and whether completion is tracked.

06

Oversee service providers

You're responsible for ensuring third parties handling your customer information are themselves complying with appropriate safeguards. We evaluate your service-provider inventory, contracts, and the actual oversight process.

07

Evaluate and adjust the program

The program must be reviewed and adjusted in light of testing results, operational changes, and material changes to risk. We assess whether your program is genuinely living, or whether it was written once and forgotten.

08

Establish a written incident response plan

A written plan covering roles, communications, remediation, and post-incident review. We assess both the plan itself and whether your team would actually be able to execute it during an incident.

09

Annual written report to the board

The Qualified Individual must report in writing, at least annually, to your board or equivalent governing body. We assess whether this report exists, what it contains, and whether it actually informs governance.

04 / What you receive

A defensible program. A real conversation.

Every FTC Safeguards engagement produces the same set of deliverables. The output is structured to satisfy what an FTC investigator, a bank partner, an insurance carrier, or an acquirer would expect to see.

01

Written assessment report

A complete written assessment of all nine required elements of the Safeguards Rule. Each finding includes the relevant rule citation, what we observed in your business, the level of risk, and a specific recommendation. The report stands on its own as documented evidence that you have evaluated your information security program against the rule's requirements.

02

Risk-ranked remediation roadmap

Findings ranked by risk, with realistic time and effort estimates for each remediation. What to fix this month, what to address this quarter, and what can reasonably be scheduled longer term. Designed for a business that still has to operate while improving its compliance posture.

03

One-hour roadmap conversation

Once you've had time to read the report, we sit down for an hour to walk through the findings, answer questions, and align on next steps. You leave knowing exactly what to do, in what order, and why.

04

Thirty days of follow-up support

For thirty days after the roadmap conversation, you can reach us by email or through the Complyn Client Portal with follow-up questions at no charge. We want the engagement to land.

05 / Built to last

Your engagement doesn't end when the report is delivered.

Most compliance work disappears into an inbox. We do it differently. Every Complyn client gets access to the Complyn Client Portal, a dedicated space where your reports, files, and conversations stay organized and accessible for up to three years after the engagement ends.

Three years of access, no extra fee. The platform exists to make compliance something you can return to, not something you have to rebuild every time.

What you get

  • A direct messaging channel to your Complyn team
  • Every report and deliverable we've produced for you, easily accessible and downloadable for three years
  • Our library of compliance framework documentation and implementation guides
  • A secure file exchange for documents that shouldn't move by email
  • Billing history and invoice access in one place
  • Works on any device, anywhere

06 / How long it takes

Most engagements complete in two to three weeks.

From the signed engagement letter to the delivered report. The exact timing depends on how quickly your team can return your existing program documents, service-provider contracts, and any prior assessments, and how soon we can schedule short interviews with the people who actually do the work.

Week 1: Discovery
Document requests, service-provider review, intake meeting, short interviews

Week 2: Assessment
Nine elements assessed, risk levels assigned, findings drafted

Week 3: Report (delivery + roadmap)
Report finalized, delivered, and one-hour roadmap call scheduled

07 / Common questions

Things people ask about the Safeguards Rule.

Does our business actually fall under the Safeguards Rule?

Probably yes if you offer any kind of financial product or service to consumers and handle their non-public personal information. The FTC's definition is intentionally broad. Tax preparation firms, mortgage brokers, auto dealers offering in-house financing, real estate appraisers, payday lenders, debt collectors, non-bank lenders, and many investment advisors are all subject. The simplest test: are you a "financial institution" as the Gramm-Leach-Bliley Act defines it, and are you NOT regulated by a federal banking agency? If yes to both, you're under the FTC Safeguards Rule. We can confirm fit during the discovery call.

What actually changed in the 2022 amendments?

The original 2003 rule had broad, principle-based requirements. The 2022 amendments added nine specific required elements. The biggest changes: a Qualified Individual must be formally designated, a written risk assessment is now required (not optional), MFA is required for systems handling customer information, penetration testing every two years OR continuous monitoring, mandatory employee training, mandatory service-provider oversight, a written incident response plan, and an annual written report to the board. If your program has not been updated since 2023, it almost certainly does not meet the current requirements.

Who has to be the Qualified Individual?

The rule does not require a specific certification or job title. The person needs to have the responsibility, the authority, and the capability to oversee and enforce the information security program. For small businesses, this is often the owner, a senior employee, or an outsourced compliance partner. For larger firms, it tends to be a CISO or equivalent. The Qualified Individual can be in-house or an outside contractor, but if you outsource it, you remain ultimately responsible. We can help you evaluate the best fit for your business.

Do we really need penetration testing?

The rule gives you a choice. You can either implement continuous monitoring of your information systems, or you can run penetration testing every two years and vulnerability assessments every six months. For most small and mid-sized businesses, the testing pathway is more practical. For businesses with mature security operations and the right tooling, continuous monitoring is the better path. We help you decide which is right for your situation, scope, and budget, and we document the choice.

My tax software vendor is requiring a WISP. Will their template work?

A template is a starting point, not a compliance program. The Safeguards Rule requires a program that is tailored to your actual business, based on a written risk assessment, with assigned responsibilities and ongoing oversight. A generic WISP downloaded from a vendor and filed away will not satisfy the rule and almost certainly will not satisfy the FTC if you are investigated after an incident. The deliverable we produce is a real, defensible assessment grounded in how your business actually operates.

What if we have an incident or get audited?

The rule requires you to notify the FTC when an incident involves the unauthorized acquisition of unencrypted customer information affecting 500 or more consumers. A current, defensible information security program and risk assessment is one of the most important things you can put in front of a regulator. We've worked engagements with active regulatory pressure and can move quickly when timing requires it. A thorough, documented program combined with a credible remediation plan materially helps your case.

How often does this need to be redone?

The risk assessment must be reviewed and updated when material changes occur, and the program itself must be evaluated and adjusted in light of testing results and operational changes. The annual report to the board provides a natural cadence for full review. Most clients return annually for an updated assessment to keep the program current and to refresh the documentation that bank partners, insurance carriers, and auditors increasingly ask for.

How much does it cost?

Pricing depends on the size of your business, the complexity of your operations, the number of service providers, and whether you need a fresh assessment or an annual update to an existing program. We provide a written scope and fixed price after a free thirty-minute discovery call. No hidden fees, no commissions, no scope creep without your approval. Schedule an assessment to get a specific quote for your situation.

Ready to know where you stand?

Tell us about your business and what's prompting this. We'll review your request, propose a scope, and set up a free thirty-minute discovery call. No obligation, no scare tactics, no high-pressure sales pitch.