FTC Safeguards Rule 2023 Amendments: What Financial Institutions Must Do Now

The original Safeguards Rule under GLBA was deliberately vague — "implement a comprehensive information security program." The 2023 amendments changed that. The FTC now prescribes specific technical and administrative requirements, and enforcement has already started.

What changed

The FTC finalized amendments to 16 CFR Part 314 in December 2021, with most provisions taking effect June 9, 2023. The original rule required a written information security program but left the details to the institution. The amended rule specifies nine categories of safeguards that must be implemented. This is no longer a principles-based regulation — it has teeth.

The key requirements

Qualified individual

Under 16 CFR 314.4(a), you must designate a single qualified individual to oversee and implement your information security program. This person can be an employee, an affiliate, or a service provider — but someone specific must own it. "The IT department" is not a qualified individual. The person needs sufficient knowledge and authority to make decisions about your security posture.

Written risk assessment

The amended rule at 16 CFR 314.4(b)(1) requires a written risk assessment that identifies reasonably foreseeable internal and external risks, assesses the sufficiency of existing safeguards, and is periodically updated. Unlike the old rule, the risk assessment must include criteria for evaluating risks and threats, and criteria for assessing the adequacy of your safeguards. A generic risk register is not enough — you need methodology.

Access controls

Section 314.4(c)(1) requires access controls to limit who can access customer information to authorized users with a legitimate business need. This means role-based access, periodic access reviews, and prompt deprovisioning when employees leave or change roles. If every employee at your mortgage brokerage can access every loan file, that is a violation.

Encryption

Customer information must be encrypted both in transit and at rest under 314.4(c)(3). If encryption is infeasible for a specific system, you must document why and implement alternative compensating controls approved by your qualified individual. "Our legacy system does not support encryption" is not a free pass — you need a documented exception with compensating controls.

Multi-factor authentication

MFA is required under 314.4(c)(5) for any individual accessing customer information on your systems. This applies to employees accessing internal systems remotely and to any system accessible from the internet that contains customer information. SMS-based MFA satisfies the requirement, though the FTC encourages stronger methods.

Incident response plan

Section 314.4(h) requires a written incident response plan addressing goals, internal processes for responding to incidents, clear roles and responsibilities, communication and information sharing protocols, remediation requirements, documentation and reporting procedures, and post-incident review. The plan must exist before an incident — not be drafted in response to one.

Annual board reporting

The qualified individual must report in writing at least annually to the board of directors (or equivalent governing body) on the overall status of the information security program and the institution's compliance with the Safeguards Rule. This report must cover material security events and management's responses. If you do not have a board, the report goes to a senior officer responsible for the program.

The small business threshold

Institutions maintaining customer information on fewer than 5,000 consumers get a partial exemption. They still must have an information security program and a qualified individual, but they are not required to conduct a written risk assessment, implement continuous monitoring or annual penetration testing, maintain a written incident response plan, or provide annual board reports. If you are close to the 5,000 threshold, plan as if you are above it — you may cross it at any time.

Enforcement

The FTC enforces the Safeguards Rule through its Section 5 authority. Violations can result in consent orders, civil penalties, and mandatory compliance monitoring. The FTC has brought enforcement actions against auto dealers, tax preparers, and other non-bank financial institutions that failed to implement adequate safeguards. The amended rule gives the FTC specific standards to enforce against, which makes enforcement actions more straightforward.

What to do

  1. Designate your qualified individual. Name them, document their qualifications, and ensure they have the authority and resources to run the program.
  2. Write your risk assessment. Use a defined methodology. Identify risks, evaluate safeguards, document gaps, and create remediation timelines.
  3. Implement MFA and encryption. These are binary requirements. You either have them or you do not.
  4. Review access controls. Audit who has access to customer information. Remove access that is not justified by job function.
  5. Draft your incident response plan. Cover the seven areas specified in 314.4(h). Test it with a tabletop exercise.

How BlackSheep helps

BlackSheep's GLBA Safeguards compliance platform walks financial institutions through each requirement of the amended rule. It generates the written risk assessment with the methodology the FTC expects, tracks MFA and encryption implementation status across your systems, and produces the annual board report in a format that meets 314.4(i).

The amendments are in effect. Get compliant before the FTC comes asking.