FTC Safeguards Assessment

Free, no commitment

You are a covered financial institution under the FTC Safeguards Rule, and the FTC does not grade on size. If an incident happened today, could you produce the written program the Rule requires?

The regulation

What the FTC Safeguards Rule requires

The FTC Safeguards Rule (16 CFR Part 314), issued under the Gramm-Leach-Bliley Act, requires financial institutions under FTC jurisdiction to develop, implement, and maintain a written information security program. The rule applies to tax preparers, CPA firms, insurance agencies, investment advisors, mortgage companies, and real estate settlement services companies, among others.

The written program must include a documented risk assessment, a Qualified Individual to oversee the program, specific technical and administrative safeguards (including encryption of customer information and multi-factor authentication for anyone who accesses it), workforce training, service provider oversight, and a written report to the board or governing body at least annually. The December 2021 amendments significantly expanded these requirements; the FTC extended the compliance deadline for most of the new provisions to June 9, 2023. A later amendment, effective May 2024, also requires notifying the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more consumers.

Without a documented risk assessment, you have no compliance baseline and no record of due diligence if an incident occurs. A written assessment is also a requirement of the rule itself, not just good practice.

The 14 points I review

The FTC Safeguards Rule sets the requirements; these 14 points are how I check your office against them, plus the email, wire-fraud, and backup gaps that decide whether you survive an incident. The full rule, element by element, is in the Safeguards explorer.

  • Systems and applications that store or access customer financial information
  • Workstations, laptops, mobile devices, and servers
  • Network configuration and remote access controls
  • Multi-factor authentication across email, remote access, and admin accounts
  • Encryption of customer information at rest and in transit
  • Access controls and least-privilege review
  • Email systems, authentication (SPF, DKIM, DMARC), and communication channels
  • Wire and payment-instruction handling, including out-of-band verification
  • Backup and recovery procedures, and tested restores
  • Existing written policies and workforce procedures
  • Staff security-awareness training and its records
  • Vendor relationships that involve access to customer data
  • Incident response readiness and the breach-notification process
  • Current documentation: written program, risk assessment, Qualified Individual
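The email-authentication point above (SPF, DKIM, DMARC) is the one item on this list that can be checked mechanically before anyone walks into the office. The following is an added example, not code from this page or from Arain Systems: it evaluates a domain's SPF, DMARC and DKIM TXT records for the weak settings a reviewer would flag (a permissive or missing `all` mechanism, more than the ten DNS lookups RFC 7208 allows, `p=none`, a partial `pct`, no aggregate-report address, a revoked DKIM key). The DNS data is a constructed in-memory dict so the check runs offline; the domain names, selector name and the `records` argument are assumptions for illustration, and a live run would replace the dict with a resolver lookup.

```python
"""Flag weak SPF / DMARC / DKIM settings from a domain's TXT records.

Records are passed in as {dns_name: [txt_string, ...]} so the check is
self-contained and runs offline. Constructed sample data is at the bottom.
"""
import re

# Mechanisms and modifiers that each cost one of the 10 DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """Parse a 'k=v; k2=v2' tag list (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, records):
    """Return (severity, message) findings for the SPF record at `domain`."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record: any host can use the domain in MAIL FROM")]
    if len(spf) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as permerror"))
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(("medium", "SPF has no 'all' mechanism: unlisted senders get a neutral result"))
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(("high", f"SPF ends in '{last}': effectively permits any sender"))
        elif qualifier == "~":
            findings.append(("low", "SPF uses '~all' (softfail); '-all' is the hard stop"))
    lookups = 0
    for term in terms:
        match = re.match(r"[+\-~?]?([a-z]+)", term.lower())
        if match and match.group(1) in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(("high", f"SPF needs {lookups} DNS lookups; RFC 7208 limit is 10 (permerror)"))
    return findings


def check_dmarc(domain, records):
    """Return findings for the DMARC record at _dmarc.<domain>."""
    findings = []
    dmarc = [r for r in records.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "no DMARC record: SPF/DKIM results are never enforced on the From: domain")]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "DMARC p=quarantine: move to p=reject once reports are clean"))
    elif policy != "reject":
        findings.append(("high", f"DMARC policy '{policy or '<missing>'}' is invalid; record is ignored"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("medium", f"DMARC pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(("low", "DMARC has no rua= address: nobody receives aggregate reports"))
    return findings


def check_dkim(domain, selectors, records):
    """Return findings for each DKIM selector; an empty p= means the key is revoked."""
    findings = []
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        recs = records.get(name, [])
        if not recs:
            findings.append(("medium", f"DKIM selector '{sel}' has no record at {name}"))
            continue
        if not parse_tags(recs[0]).get("p"):
            findings.append(("high", f"DKIM selector '{sel}' publishes an empty p= (revoked key)"))
    return findings


def evaluate_email_auth(domain, records, selectors=()):
    """Run all three checks and return findings keyed by mechanism."""
    return {
        "spf": check_spf(domain, records),
        "dmarc": check_dmarc(domain, records),
        "dkim": check_dkim(domain, selectors, records),
    }


# Constructed sample zone data for two hypothetical domains; not real DNS answers.
SAMPLE_RECORDS = {
    "weak.example": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "s1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],
    "strong.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    "s1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}

if __name__ == "__main__":
    for dom in ("weak.example", "strong.example"):
        for mech, items in evaluate_email_auth(dom, SAMPLE_RECORDS, selectors=("s1",)).items():
            for severity, message in items:
                print(f"{dom:16} {mech:6} {severity:7} {message}")
```

DKIM selectors cannot be enumerated from DNS, so the check takes the selector names in use (from message headers or the mail provider's setup guide) as input. For a live assessment, replace `SAMPLE_RECORDS` with the TXT answers from a resolver and keep the scoring logic unchanged.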

What you receive

  • Written findings report documenting identified gaps
  • Risk rating for each finding (likelihood and impact)
  • Prioritized fix list ordered by risk level
  • Assessment of your current written program status
  • Documentation you can use as your starting risk analysis

Get the 14-point Safeguards checklist

A one-page PDF of the 14 points I review, mapped to the FTC Safeguards Rule. Yours to keep.

What this assessment is not

  • Not a compliance certification. No third party certifies financial offices as FTC Safeguards compliant. Any vendor claiming to issue such a certification is misrepresenting the regulatory framework.
  • Not a guarantee of compliance. A risk assessment identifies gaps and establishes a baseline. It is a required part of a written information security program, not the end of one. Acting on the findings is the work that follows.
  • Not an FTC audit. This assessment is conducted by Arain Systems, not the FTC or a state regulator. The findings are for your use to improve your security posture and document your compliance efforts.
  • Not a one-time fix. The FTC Safeguards Rule requires that your written program be reviewed and updated when circumstances change. A documented assessment is the right starting point, not the finish line.

Frequently asked

Does the FTC Safeguards Rule apply to my CPA firm or tax practice?

Most CPA firms and tax preparers are covered. The FTC Safeguards Rule (16 CFR Part 314) was issued under the Gramm-Leach-Bliley Act, which defines "financial institution" broadly enough to include tax preparation firms, accounting firms that handle customer financial information, insurance agencies, investment advisors, and real estate settlement services companies. If your firm prepares tax returns or manages client financial records, the rule almost certainly applies. The free 14-Point Safeguards Gap Report reviews your current environment against the rule's requirements and shows you where the gaps are.

Free, no commitment

The initial 14-Point Safeguards Gap Report is free, with written findings delivered to your inbox.

Get my free gap report

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.