
FTC Safeguards Rule in 2026: What Financial Services Firms Need to Know Now

Ken Satkunam, CISM  ·  President & Founder, NorthStar Technology Group

March 25, 2026  ·  8 min read

 

The Federal Trade Commission’s Safeguards Rule has been a moving target for financial services firms since its significant 2023 overhaul. Now in 2026, regulators are actively enforcing it, and firms that assumed they could take a minimal-effort approach are discovering that the FTC means business.

 

If you run a mortgage company, auto dealership with financing, tax preparer, financial advisor practice, or any other non-bank financial institution that touches consumer financial data, this article is for you. We cover the questions we hear most often and the answers your firm needs to act on.

 

 

What Exactly Does the FTC Safeguards Rule Require?

 

The Safeguards Rule (16 CFR Part 314), issued under the Gramm-Leach-Bliley Act (GLBA), requires non-bank financial institutions under FTC jurisdiction to develop, implement, and maintain a comprehensive written information security program. That program must include nine specific elements:

 

  1. A designated qualified individual to oversee your information security program
  2. A risk assessment that identifies threats to customer information
  3. Safeguards to control those risks (access controls, encryption, MFA, and more)
  4. Regular testing and monitoring of your safeguards
  5. Employee training on information security
  6. Third-party vendor oversight for companies that handle your customer data
  7. An incident response plan in case of a breach
  8. Periodic program evaluation as your business and threat landscape evolve
  9. Board or senior leadership reporting at least annually

 

The amendments (finalized in late 2021, with most provisions in force since June 2023) added significant teeth to the rule, including specific technical requirements: multi-factor authentication (MFA) for anyone accessing an information system that holds customer information, encryption of customer information in transit and at rest, and, for firms that do not run continuous monitoring, annual penetration testing plus vulnerability assessments at least every six months.

 

 

Who Qualifies as a “Financial Institution” Under the Safeguards Rule?

 

This is one of the most common questions we receive, and the scope surprises many businesses.

 

The FTC’s definition of “financial institution” under GLBA is broad. It covers any company that is “significantly engaged” in financial activities, including:

 

  • Mortgage lenders and brokers
  • Auto dealers that arrange financing
  • Payday lenders
  • Accountants and tax preparers who handle customer financial data
  • Financial advisors and investment firms not regulated by the SEC
  • Debt collectors
  • Check cashing businesses
  • Real estate settlement services
  • Wire transfer services

 

If your business receives, maintains, or transmits nonpublic personal financial information about consumers, you almost certainly fall under the Safeguards Rule. The small business exemption is narrow: firms that maintain customer information on fewer than 5,000 consumers are excused from the written risk assessment, the annual penetration testing and periodic vulnerability assessments, the written incident response plan, and the annual report to leadership, but they must still maintain a written information security program with the remaining safeguards.

 

 

What Are the Most Common Safeguards Rule Compliance Failures?

 

Based on what we see in the field, these are the gaps that trip up financial services firms most often:

 

No designated qualified individual. The rule requires someone specifically responsible for the security program. That person does not have to be a full-time employee, but they must be identified and accountable. Many smaller firms have no one in this role.

 

Outdated or missing risk assessments. A risk assessment done three years ago and filed away does not meet the standard. The rule requires ongoing assessment that reflects your current systems, data flows, and threat environment.

 

Weak or absent multi-factor authentication. MFA is now required for any individual accessing an information system that holds customer information, unless your qualified individual has approved in writing an equivalent or stronger access control. Relying on passwords alone, with no such written approval on file, is a direct violation, and it is one of the most common gaps we find during assessments.

 

No vendor management program. If a third-party company has access to your customer data, such as a payroll processor, cloud storage provider, or IT support firm, you are required to have contracts in place with security requirements and to monitor their compliance. Most small and mid-size firms have no formal vendor oversight at all.

 

Missing or untested incident response plan. Having a plan on paper is not enough. The rule expects that your team knows what to do, and that the plan has been reviewed and tested.

 

 

What Happens If We Are Not Compliant?

 

Enforcement is real and escalating. Safeguards Rule cases typically end in FTC consent orders that impose years of assessment and reporting obligations, and violating such an order exposes the firm to civil penalties that are inflation-adjusted annually: up to $51,744 per violation in 2024 (raised to $53,088 for 2025), with each day of a continuing violation counting separately. More significantly, a breach tied to a Safeguards Rule failure can trigger:

 

  • FTC enforcement action and public consent orders
  • State attorney general investigations
  • Civil litigation from affected customers
  • Reputational damage that can be devastating for firms that depend on client trust

 

The FTC's breach notification amendment, finalized in October 2023 and in effect since May 2024, requires firms to notify the FTC of any unauthorized acquisition of unencrypted customer information involving at least 500 consumers, as soon as possible and no later than 30 days after discovery (encrypted data counts as unencrypted if the encryption key was also compromised). The FTC publishes those notifications, which adds reputational stakes on top of regulatory ones.

 

Compliance is not just a legal obligation. It is a business continuity issue.

 

 

Does the FTC Safeguards Rule Apply to Our Accounting or Tax Practice?

 

Yes, and this is one of the most underappreciated areas of the rule.

 

Accounting firms and tax preparers that collect financial information for the purpose of providing financial services are covered non-bank financial institutions. The IRS also has its own data security requirements under Publication 4557, and many states have enacted additional requirements.

 

For a typical CPA firm or tax preparation office, the practical requirements include:

 

  • Encrypting client tax files and financial records
  • Implementing MFA for staff accessing client systems
  • Using secure portals rather than email for document exchange
  • Having a written, current incident response plan
  • Conducting annual employee security training

 

If your firm has not formally assessed its Safeguards Rule posture, now is the time. The compliance burden is manageable with the right framework in place.

 

 

How Should We Handle Third-Party IT Vendors Under the Safeguards Rule?

 

This is a critical and often overlooked requirement. If you outsource any IT function that touches customer financial data, including managed IT services, cloud backup, or your accounting software provider, you have obligations under the Safeguards Rule.

 

Specifically, you must:

 

  1. Select vendors that implement appropriate safeguards
  2. Include contractual requirements for security in your vendor agreements
  3. Periodically monitor vendor compliance with those requirements

 

This means your vendor contracts need specific language around data protection, breach notification timelines, and security standards. A generic terms-of-service agreement does not cut it.

 

When we onboard financial services clients at Northstar, vendor contract review is one of the first things we address. Many firms discover that their agreements with key vendors have no security provisions at all.

 

 

What Does a Compliant Information Security Program Actually Look Like?

 

A compliant program does not have to be expensive or complex, but it does have to be documented, current, and actually implemented.

 

For a mid-size financial services firm, a solid program typically includes:

 

  • Written Information Security Program (WISP) tailored to your specific business
  • Annual risk assessment with documented findings and remediation actions
  • MFA enforced across all systems that access customer data
  • Encryption for stored and transmitted customer data
  • Annual penetration test and quarterly vulnerability scans (the rule's minimum is a vulnerability assessment every six months unless you run continuous monitoring)
  • Security awareness training for all staff, at least annually
  • Vendor inventory and oversight documentation
  • Incident response plan with defined roles and annual tabletop exercise
  • Annual board or executive report from your qualified individual

 

The goal is a program that functions as a living part of your operations, not a compliance document that sits on a shelf.

 

 

How Can Northstar Technology Group Help?

 

Northstar specializes in helping financial services firms build and maintain Safeguards Rule-compliant information security programs. Our approach is practical, not theoretical: we assess your actual environment, identify real gaps, and build a program you can execute.

 

Our financial services cybersecurity services include:

 

  • FTC Safeguards Rule gap assessments
  • Written Information Security Program (WISP) development
  • Risk assessments and remediation planning
  • Penetration testing and vulnerability management
  • MFA and access control implementation
  • Vendor risk management program setup
  • Incident response planning and tabletop exercises
  • Ongoing managed security and compliance monitoring

 

Visit our Financial Services resource hub for additional guides, checklists, and industry-specific resources.

 

 

Take the First Step

 

The FTC Safeguards Rule is not going away, and enforcement is only increasing. If your firm has not conducted a formal Safeguards Rule assessment in the past year, you are likely operating with gaps you do not know about.

 

Schedule a free Safeguards Rule consultation with Northstar today. Our team will walk you through your current posture, identify your highest-priority risks, and give you a clear path to compliance.

 

Protecting your clients and your business starts with knowing where you stand.

 

 

About the Author: Ken Satkunam, CISM, is the founder of NorthStar Technology Group and a Certified Information Security Manager with over two decades of experience in cybersecurity, compliance, and IT strategy for financial services, healthcare, and government contractors. He helps firms build security programs that meet regulatory requirements and actually protect their operations.

Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. He holds the CISM credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in 2024 (#3837) and 2025 (#2393).