The GLBA Safeguards Rule: Compliance Essentials for US Financial Institutions
The FTC's updated Safeguards Rule under GLBA raised the security bar for non-bank financial institutions across the United States. Understanding what changed, who is covered, and what the requirements mean at an operational level is now a board-level concern.

TL;DR
The FTC's updated GLBA Safeguards Rule requires non-bank financial institutions to implement specific, prescriptive security controls—not just a 'reasonable' program. It covers mortgage brokers, auto dealers, tax preparers, and many others beyond traditional banks.
GLBA and the Safeguards Rule: An Overview
The Gramm-Leach-Bliley Act (GLBA), enacted by Congress in 1999, established the foundational privacy and security obligations for financial institutions operating in the United States. The Act has three primary components: the Financial Privacy Rule, the Pretexting Provisions, and the Safeguards Rule. Of these, the Safeguards Rule—enforced by the Federal Trade Commission (FTC)—governs how covered entities must protect the security and confidentiality of customer financial information.
For the first two decades of its existence, the Safeguards Rule was largely principles-based: organizations were expected to develop and implement a “comprehensive information security program” but had broad discretion in defining what that meant. The FTC's 2021 amendments, which took full effect in June 2023, fundamentally changed that posture. The updated rule replaces flexible principles with specific, prescriptive requirements—a deliberate shift toward the concrete cybersecurity controls that regulators see in frameworks like NIST and the New York DFS cybersecurity regulation.
Who Is Covered? The Breadth May Surprise You
A common misconception is that GLBA applies only to banks and credit unions. It does not. The Safeguards Rule covers “financial institutions” as defined by the FTC, which encompasses a substantially broader universe of US businesses.
Covered entities include, but are not limited to:
- Mortgage lenders, brokers, and servicers
- Auto dealers that arrange or offer financing
- Tax preparation services and tax return preparers
- Investment advisers not registered with the SEC (and therefore not covered by SEC rules)
- Debt collectors
- Payday lenders and check-cashing businesses
- Non-federally insured credit unions
- Certain fintech companies that engage in activities traditional to finance
Banks and federally chartered credit unions are subject to GLBA but fall under the jurisdiction of their prudential regulators (OCC, Federal Reserve, FDIC, NCUA) rather than the FTC. The FTC Safeguards Rule specifically governs non-bank financial institutions, and the scope of that category is expansive.
What the Updated Rule Requires
The amended rule, in effect since June 2023, introduced several categories of specific requirements that represent meaningful departures from the prior flexible standard.
Designation of a Qualified Individual
Covered entities must designate a single qualified individual responsible for overseeing and implementing the information security program. For smaller organizations, this may be an outsourced service provider rather than a dedicated internal hire, but the responsibility must be clearly assigned. The Qualified Individual is required to report to the Board of Directors (or equivalent governing body) at least annually.
Risk Assessment
Organizations must conduct a written risk assessment that identifies foreseeable security risks to customer information and evaluates the effectiveness of current safeguards. The assessment must be updated regularly and whenever there is a material change to the organization's operations or the threat landscape. Unlike the prior rule's general obligation, the updated rule specifies that the risk assessment must result in written documentation.
Access Controls and Encryption
The rule now explicitly requires access controls limiting user access to customer information on a need-to-know basis. Multi-factor authentication is required for any individual accessing customer information systems, though the rule provides flexibility on exact implementation. Encryption of customer information—both in transit and at rest—is required unless the Qualified Individual approves and documents compensating controls.
Incident Response and Notification
Organizations must develop and implement a written incident response plan. Additionally, a 2023 FTC rulemaking added a notification requirement: covered entities must notify the FTC within 30 days of discovering a security breach affecting 500 or more customers. This aligns GLBA enforcement more closely with the breach notification landscape that has evolved in state law across the US.
Comparing Pre- and Post-Amendment Requirements
| Requirement Area | Original Safeguards Rule | 2023 Updated Rule |
|---|---|---|
| Security program standard | Principles-based (reasonable) | Prescriptive specific controls |
| Accountability | No designated individual required | Qualified Individual must be named |
| MFA requirement | Not specified | Required for system access |
| Encryption requirement | Not specified | Required in transit and at rest |
| Breach notification | No federal FTC notification | 30-day FTC notice for 500+ customers |
| Board reporting | Not specified | Annual report to governing body required |
Exemptions and Tiered Application
The amended rule includes a partial exemption for smaller organizations. Covered entities maintaining customer information on fewer than 5,000 consumers are exempt from certain documentation requirements, including the written risk assessment mandate and the requirement for a written incident response plan. They are also exempt from the annual reporting obligation to the Board. However, these exemptions do not relieve smaller entities from the core obligation to maintain a reasonable information security program that protects customer data.
Penalties and Enforcement Reality
FTC enforcement of the Safeguards Rule carries civil penalties, injunctive relief, and the reputational cost of a public enforcement action. The FTC has increased its scrutiny of data security practices across the financial services sector, and the prescriptive nature of the updated rule makes it considerably easier for the Commission to demonstrate non-compliance through objective criteria rather than subjective reasonableness assessments.
Beyond FTC enforcement, state regulators, state attorneys general, and in some cases private litigants (particularly in states with strong consumer protection statutes) may pursue remedies following a data breach where Safeguards Rule non-compliance is a factor. US financial institutions should treat GLBA compliance not merely as a regulatory checkbox but as a component of enterprise risk management.
The Intersection with State Law
GLBA does not preempt state laws that provide greater privacy or security protection. Organizations operating in states with robust data security laws—including New York, California, and Massachusetts—must satisfy both GLBA and applicable state requirements, sometimes simultaneously. Managing this intersection requires a systematic compliance architecture rather than siloed responses to each regulatory obligation.
GR IT Services helps non-bank financial institutions across the US design and mature their information security programs to meet GLBA Safeguards Rule requirements and align with broader regulatory expectations. For an advisory conversation, reach out at inquiry@gritservices.io.
Frequently Asked Questions
Does the GLBA Safeguards Rule apply to my auto dealership?
Almost certainly yes, if your dealership arranges, facilitates, or offers financing to customers. The FTC has explicitly listed auto dealers that extend or arrange credit as covered financial institutions under the Safeguards Rule, making this one of the most common “surprise” compliance obligations in the sector.
What does the 30-day breach notification requirement mean in practice?
If a covered entity discovers a security breach affecting the customer information of 500 or more customers, it must notify the FTC within 30 calendar days of discovery. This is a federal notification to the FTC specifically and is separate from state breach notification obligations to affected consumers.
Are small financial institutions fully exempt from the updated Safeguards Rule?
Not fully. Entities maintaining information on fewer than 5,000 consumers are exempt from specific documentation requirements (written risk assessment, written incident response plan, annual board reporting) but remain obligated to implement and maintain a reasonable information security program protecting customer data.
About the author
Rachel Goldberg, Chief Information Security Officer. Rachel Goldberg is a CISSP-certified CISO with 18 years of experience guiding US financial services firms, healthcare organizations, and federal contractors through information security compliance programs.