
Policy · Credibility 90/100 · 1 min read

Policy Briefing — FTC Safeguards Rule Modernization

The U.S. Federal Trade Commission approved amendments to the Gramm-Leach-Bliley Act Safeguards Rule on October 27, 2021, imposing risk assessments, encryption, testing, and incident response obligations on financial institutions and service providers handling consumer financial data.

Executive briefing: The U.S. Federal Trade Commission voted to strengthen the Safeguards Rule (16 CFR Part 314). The final rule expands security program requirements for nonbank financial institutions and vendors that store or process consumer financial information.

Key updates

  • Program governance. Covered institutions must designate a qualified individual, deliver annual reports to their boards, and document written risk assessments.
  • Technical safeguards. Mandatory controls now include multi-factor authentication, encryption for data at rest and in transit, secure software development practices, and continuous monitoring or annual penetration tests.
  • Incident readiness. Institutions need written response plans outlining roles, communication protocols, remediation steps, and post-incident reviews.

Implementation guidance

  • Map fintech products and vendor integrations that fall under the expanded Safeguards Rule definition of “financial institution.”
  • Update security program documentation, board reporting cadences, and penetration testing schedules ahead of compliance deadlines.
  • Coordinate with engineering teams to enforce multi-factor authentication and encryption baselines across customer-facing services.