
Does the FTC Safeguards Rule Apply to Title Companies?

Yes. Title and settlement companies are financial institutions under the FTC Safeguards Rule. Here is what that means and how it ties to wire fraud at closing.

By Hammad Arain · Arain Systems

Yes. If your company provides real estate settlement services, the FTC Safeguards Rule almost certainly applies to you. The FTC's regulation expressly states that an entity providing real estate settlement services is a "financial institution," and real estate settlement services appear among the covered examples in 16 CFR 314.2(h)(2). That puts title and settlement companies squarely inside the same rule that covers tax preparers, mortgage brokers, and finance companies.

I am Hammad Arain, founder of Arain Systems, a Houston practice focused on security and compliance for small non-bank financial offices. Title and settlement firms are one of the clearest cases of coverage I see, partly because of what you handle at the closing table, and partly because closings are where one specific attack costs people their down payments.

Why a title company counts as a "financial institution"

The word "bank" is misleading here. Under the Gramm-Leach-Bliley Act and 16 CFR 314.2(h)(1), a "financial institution" is any business engaged in an activity that is financial in nature or incidental to it, as described in the Bank Holding Company Act. That definition is far broader than depository banks, and it turns on what your business actually does, not what it is called.

Real estate settlement services are named directly. So a title company, an escrow or settlement agent, or a closing office that handles buyer and seller funds and nonpublic personal information is the kind of business the rule was written to reach. You do not need to lend money to be covered. Holding and disbursing funds, collecting financial and personal records for a transaction, and coordinating the closing is enough.

One practical note on jurisdiction: the FTC enforces this rule over financial institutions that are not already overseen by another functional regulator. For most independent title and settlement companies, that is the FTC. (Insurance activities, by contrast, are generally overseen by state insurance authorities under GLBA section 505, which is a separate question from your settlement operations.)

The wire-fraud problem this rule is built around

Here is why this matters more for your office than for most covered businesses. At a closing you are moving large sums on a known schedule, often by wire, between parties who are emailing each other documents and instructions in the days beforehand. That is exactly the setup criminals look for in a business email compromise. An attacker gets into an email account or spoofs one, watches the thread, and sends altered wire instructions at the right moment. The money leaves, and recovering it is hard.

The Safeguards Rule does not use the phrase "wire fraud," but several of its required controls map directly onto how that fraud happens. Multi-factor authentication makes a stolen email password far less useful on its own. Access controls limit who can see and change funding instructions. Encryption protects the financial data in transit and at rest. Staff training is what stops someone from acting on a last-minute change to wire instructions without a callback to a number that was verified when the file was opened, never to a number supplied in the email that requested the change. The rule is, in effect, asking you to close the same gaps the criminals exploit.
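To make the "last-minute change" check concrete, here is an added Python illustration of the gate a closing desk can run before releasing a wire. It is not code from the original article and not something the rule prescribes; the rule requires training and access controls, and this is one way to turn that training into a repeatable check. Every domain, name, and bank number below is constructed for the example, the 0.8 similarity threshold and the regexes are assumptions, and the ABA checksum is the standard mod-10 weighting that real routing numbers carry.

```python
"""Wire-instruction change gate (added example, constructed data).

Flags any change request whose routing/account numbers differ from the
instructions on file, whose reply-to domain does not match the sender, or
whose domain looks like, but is not, a trusted party. A flagged request is
held until someone confirms it by phone to the number recorded at file
opening (callback_verified), not to a number printed in the email.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class WireInstructions:
    bank_name: str
    routing_number: str
    account_number: str


@dataclass
class ChangeRequest:
    from_addr: str
    reply_to: str
    body: str
    callback_verified: bool = False  # set only after a callback to the number on file


# Constructed sample: instructions the seller's attorney gave at file opening.
ON_FILE = WireInstructions("Example Bank", "021000021", "123456789")
TRUSTED_DOMAINS = {"sellerlaw.example"}  # assumed party domain, constructed

ROUTING_RE = re.compile(r"(?:routing|aba)[^0-9]{0,20}(\d{9})", re.I)
ACCOUNT_RE = re.compile(r"(?:account|acct)[^0-9]{0,20}(\d{6,17})", re.I)
LOOKALIKE_THRESHOLD = 0.8  # assumption: tune for your own party list


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing numbers use a weighted (3,7,1) mod-10 checksum."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return addr.rsplit("@", 1)[-1].lower().strip("> ")


def is_lookalike(domain: str, trusted: set[str]) -> bool:
    """True when the domain is close to a trusted one but not identical."""
    if domain in trusted:
        return False
    return any(SequenceMatcher(None, domain, t).ratio() >= LOOKALIKE_THRESHOLD
               for t in trusted)


def review_change_request(req: ChangeRequest, on_file: WireInstructions,
                          trusted: set[str]) -> dict:
    """Return {'decision': 'HOLD'|'RELEASE', 'flags': [...]} for a request."""
    flags = []

    routing = ROUTING_RE.search(req.body)
    account = ACCOUNT_RE.search(req.body)
    if routing and routing.group(1) != on_file.routing_number:
        flags.append("routing number differs from instructions on file")
        if not aba_checksum_ok(routing.group(1)):
            flags.append("new routing number fails ABA checksum")
    if account and account.group(1) != on_file.account_number:
        flags.append("account number differs from instructions on file")

    sender, reply = domain_of(req.from_addr), domain_of(req.reply_to)
    if sender != reply:
        flags.append(f"reply-to domain {reply} differs from sender domain {sender}")
    for dom in sorted({sender, reply}):
        if is_lookalike(dom, trusted):
            flags.append(f"lookalike domain: {dom}")
        elif dom not in trusted:
            flags.append(f"untrusted domain: {dom}")

    decision = "HOLD" if flags and not req.callback_verified else "RELEASE"
    return {"decision": decision, "flags": flags}


if __name__ == "__main__":
    # Constructed BEC-style email: valid-looking routing number, changed
    # account, reply-to pointed at a lookalike domain.
    suspicious = ChangeRequest(
        from_addr="closing@sellerlaw.example",
        reply_to="closing@se11erlaw.example",
        body="Updated wire for today: Routing 111000025, Account 987654321.",
    )
    print(review_change_request(suspicious, ON_FILE, TRUSTED_DOMAINS))
```

The useful part for a closing desk is the decision rule at the end: any discrepancy at all produces HOLD until a human records a callback to the number on file. Matching numbers and matching, trusted domains release without friction, so the check does not slow down ordinary closings.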

What the rule actually requires

The core obligation in 16 CFR 314.4 is a written information security program built around nine elements. In plain terms, the rule requires you to:

  • Designate a Qualified Individual to oversee, implement, and enforce the program (314.4(a)).
  • Base the program on a risk assessment (314.4(b)).
  • Design and implement safeguards to control the risks you identified (314.4(c)), including access controls, encryption of customer information in transit over external networks and at rest, and multi-factor authentication for any individual accessing any information system. The rule allows an alternative only where your Qualified Individual approves, in writing, a reasonably equivalent or more secure control (or, for encryption, effective compensating controls where encryption is infeasible).
  • Regularly test or monitor the effectiveness of those safeguards (314.4(d)).
  • Train your staff (314.4(e)).
  • Oversee your service providers (314.4(f)).
  • Evaluate and adjust the program over time (314.4(g)).
  • Maintain a written incident response plan (314.4(h)).
  • Have the Qualified Individual report in writing, at least annually, to your governing body or a senior officer (314.4(i)).

On the Qualified Individual: 16 CFR 314.4(a) does not require a specific degree or title, and the role can be filled by an employee, an affiliate, or a service provider. If you fill it through an outside provider, you keep responsibility for compliance, must designate a senior person inside your own company to direct and oversee that work, and must require the provider to maintain an information security program that protects your customer information.

The "fewer than 5,000 consumers" exemption, and what it does not do

A lot of small title offices hear that there is an exemption and assume the whole rule falls away. It does not. Under 16 CFR 314.6, if you maintain customer information on fewer than 5,000 consumers, four specific requirements do not apply: the written risk assessment (314.4(b)(1)), the continuous-monitoring or annual penetration testing plus six-month vulnerability assessment requirement (314.4(d)(2)), the written incident response plan (314.4(h)), and the Qualified Individual's regular written report to the board (314.4(i)).

That is the entire exemption. It relaxes the formal, written, and periodic-testing pieces. It does not erase the underlying duties. You still designate a Qualified Individual, still address your risks, still implement access controls and encryption and multi-factor authentication, still train staff, and still oversee vendors. For a busy closing office, those are the controls that actually stop a fraudulent wire, so the exemption changes paperwork more than it changes what you should be doing.

Breach notification

The FTC also added a notification requirement (16 CFR 314.4(j)). If unencrypted customer information of at least 500 consumers is acquired without authorization, you must notify the FTC through its online portal as soon as possible and no later than 30 days after discovery. Note that encrypted data counts as unencrypted for this purpose if the encryption key was also accessed by an unauthorized person, so the exception only helps if the keys are kept apart from the data. One more reason encryption is worth getting right: it changes what a security event means for you.

Who enforces this

There is no third-party body that enforces the Safeguards Rule, and there is no official FTC compliance certificate. The rule is enforced by the Federal Trade Commission through its own investigations and actions under the Gramm-Leach-Bliley Act. Any vendor claiming to "certify" you as Safeguards-compliant is using a marketing term, not a regulatory one. Compliance is demonstrated by actually running the program 16 CFR 314.4 describes.

If you want the regulatory picture in full, I keep a longer plain-English guide to the FTC Safeguards Rule for small financial offices.

A practical next step

If you run a title or settlement office in the Houston area and you are not sure where you stand, I offer a free 14-Point Safeguards Gap Report. I look at what customer data you hold, where it lives, how it is protected today, and where the gaps sit relative to the rule, with particular attention to your wire and closing workflow. You get a written findings list and a prioritized set of fixes, with no obligation. From there I can help you close those gaps and keep the program current. To talk it through, call 832-907-5594.

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.