
The FTC Safeguards Rule, in Plain English

A plain-English guide to the FTC Safeguards Rule for small financial offices: who it covers, what a written security program needs, and the 5,000-consumer threshold.

By Hammad Arain · Arain Systems

The FTC Safeguards Rule is a federal data-security regulation that requires non-bank "financial institutions" to build and maintain a written information security program protecting customer information. If you run a small financial office in the Houston area (a tax practice, a title company, a small advisory, a finance company), there is a good chance it applies to you, even though you are not a bank and may have only a handful of employees. The rule lives at 16 CFR Part 314, and it is enforced by the Federal Trade Commission. This guide walks through who it covers, what the program has to contain, and what a small office below the 5,000-consumer threshold actually has to do.

Who the rule covers

The word "bank" is misleading here. Under 16 CFR 314.2(h)(1), a "financial institution" is any business engaged in an activity that is financial in nature or incidental to it, drawing on the same broad list of activities used in the Bank Holding Company Act. The test turns on what your business does, not on whether you call yourself a financial company.

The FTC's business guidance, "FTC Safeguards Rule: What Your Business Needs to Know," notes that the rule itself (16 CFR 314.2(h)(2)) lists 13 examples of covered businesses, and the guidance names the kinds of companies it most often means in practice: mortgage lenders, mortgage brokers, payday lenders, finance companies, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the SEC. The 2021 amendments added "finders," meaning companies that bring buyers and sellers together so the parties can negotiate and close a deal themselves.

Two categories that come up often in my conversations with local owners:

  • Tax and accounting practices. The regulation expressly treats an accountant or tax preparation service that completes income tax returns as a financial institution (16 CFR 314.2(h)). The IRS confirms this directly. IRS Publication 4557, "Safeguarding Taxpayer Data," states that the financial-institutions definition includes professional tax preparers and that tax return preparers must create and enact security plans to protect client data. IRS Publication 5708 puts it plainly: under the GLBA and Safeguards Rule, tax and accounting professionals are considered financial institutions, regardless of size.
  • Title and settlement companies. The regulation also lists real estate settlement services among the covered examples (16 CFR 314.2(h)).

A few businesses sit in adjacent regimes. Investment advisors registered with the SEC are not under the FTC rule; they follow the SEC's Regulation S-P (17 CFR 248.30) instead. Insurance agencies are covered by the Gramm-Leach-Bliley Act, but under GLBA section 505 (15 U.S.C. 6805) they are generally overseen by state insurance regulators rather than the FTC. If you are not sure which regime you fall under, that is exactly the kind of question worth sorting out before you build anything.

What the written program must contain

The core obligation in 16 CFR 314.4 is to develop and maintain a written information security program. The 2021 rule named nine required elements, and the 2023 amendment added a tenth:

  1. Designate a Qualified Individual (314.4(a)) to oversee, implement, and enforce the program.
  2. Base the program on a written risk assessment (314.4(b)).
  3. Design and implement safeguards to control the risks you identified (314.4(c)).
  4. Test or monitor the effectiveness of those safeguards (314.4(d)).
  5. Train your people so they can carry out the program (314.4(e)).
  6. Oversee your service providers (314.4(f)).
  7. Evaluate and adjust the program as things change (314.4(g)).
  8. Maintain a written incident response plan (314.4(h)).
  9. Report to the board in writing, at least annually, through the Qualified Individual (314.4(i)).
  10. Notify the FTC of a "notification event" involving the information of at least 500 consumers, as soon as possible and no later than 30 days after discovery (314.4(j), added by the 2023 amendment).

Within the safeguards element, 314.4(c) calls out specific controls. You have to implement and periodically review access controls. You have to encrypt customer information both in transit over external networks and at rest, with the Qualified Individual permitted to approve documented compensating controls in writing where encryption is not feasible. And you have to use multi-factor authentication for anyone accessing an information system, unless the Qualified Individual has approved a reasonably equivalent or more secure control in writing. Notice how often "in writing" appears. The rule is built around being able to show your work, not just assert that you are careful.

The Qualified Individual

One requirement that surprises small-office owners is the Qualified Individual under 16 CFR 314.4(a). You must name a single person responsible for the program. The good news for a small office is that the rule is flexible about who that is. The FTC's guidance is clear that the Qualified Individual can be your own employee, or can work for an affiliate or an outside service provider, and that no particular degree or title is required.

If you fill the role through a service provider, the rule does not let you hand off the responsibility and forget about it. You must keep responsibility for the program and designate a senior person inside your own office to direct and oversee that outside individual. In practice, for a two-person tax office, that often means the owner stays accountable while an outside provider does the implementation work.

The 5,000-consumer threshold

Here is the part most often misread. Under 16 CFR 314.6, an office that maintains customer information on fewer than 5,000 consumers is exempt from four specific provisions:

  • The requirement that the risk assessment be written (314.4(b)(1)).
  • The continuous-monitoring or annual penetration testing plus six-month vulnerability assessment requirement (314.4(d)(2)).
  • The requirement for a written incident response plan (314.4(h)).
  • The Qualified Individual's regular written report to the board (314.4(i)).

That is the whole exemption. It relaxes certain written and periodic-testing formalities. It does not erase the underlying obligations. A smaller office still has to do a risk assessment (it just need not be written), still has to implement safeguards including access controls, encryption, and multi-factor authentication, still has to test or otherwise monitor those safeguards under 314.4(d)(1), still has to train staff, still has to oversee vendors, and still has to be able to respond to a security event. You also still need to designate a Qualified Individual, and the duty to notify the FTC of a notification event involving at least 500 consumers (314.4(j)) is not on the exempt list. The exemption shrinks the paperwork, not the program.

What compliance looks like in practice

Compliance is not a certificate you hang on the wall. There is no official FTC "certification" for the Safeguards Rule, and no government or third-party body issues a binding certificate of compliance. Any vendor selling you a "certified compliant" stamp is selling marketing language, not a regulatory designation. Compliance means you have actually implemented the program that 16 CFR 314.4 describes, and it is assessed through FTC enforcement, not through any certification scheme.

The FTC enforces the rule directly under the authority of the Gramm-Leach-Bliley Act (15 U.S.C. 6801-6809). There is no separate body that does it on the FTC's behalf. For a small office, the practical work is straightforward to describe even when it takes effort to do: figure out what customer data you hold and where it lives, assess the risks to it, put the named safeguards in place, write down enough to show what you did, and keep it current.

A simple next step

If you are not sure whether the rule applies to your office, or whether what you have today would hold up, I offer a free 14-Point Safeguards Gap Report. I look at what customer data you hold, where it lives, how it is protected now, and where the gaps are against 16 CFR 314.4. You get a written findings report and a prioritized fix list, with no commitment required to receive the findings. This is a gap report with a remediation plan, not a certification or a guarantee of compliance. If you would rather talk it through first, call me at 832-907-5594.

Hammad Arain is the founder of Arain Systems, a Houston security and compliance practice for small financial offices under the FTC Safeguards Rule.

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated May 2026. Educational, not legal advice.