FTC Safeguard Rule - Who Needs to Comply
- Oct 28, 2022
The FTC’s Standards for Safeguarding Customer Information (Safeguards Rule) first became law in 2003. Late last year, these standards were finally updated to suit the modern threat landscape, and on the 9th of December 2022, compliance with the revised Safeguards Rule is expected to become mandatory.
Failure to comply with the Final Rule could result in hefty fines, class action lawsuits, and even imprisonment in severe cases.
Though a petition has been put forward to delay the Safeguards Rule enforcement until December 2023, entities subject to the FTC’s jurisdiction should assume the regulation will be enforced on schedule and start implementing compliance strategies immediately.
To learn how to establish a cybersecurity program that complies with the FTC Safeguards Rule, read on.
Who Needs to Comply with the FTC Safeguards Rule?
Entities expected to comply are still classified under the very misleading title of “Financial Institution,” where the term “finance” refers to any dealings with customer financial data, whether through lines of credit, loans, or general financial information.
Some examples of businesses classified as “Financial Institutions” by the FTC include:
Automobile dealerships.
Financial career counselors.
Credit counselors.
Personal property or real estate appraisers.
Collection agencies.
A business that prints and sells checks for consumers.
A business that wires money between consumers.
Check cashing businesses.
Retailers providing store credit cards.
Accountants and tax preparation services.
A business that operates a travel agency in connection with financial services.
Mortgage brokers.
Credit unions.
Any business that charges a fee to connect buyers with consumers or loans with lenders and is involved in any financial transactions between these parties (a new financial institution category defined as “finders” by the FTC).
The Federal Trade Commission may continue broadening its definition of a Financial Institution as digital transformation narrows the divide between third-party service providers and their influence on financial operations. So if your business isn’t currently classified as a Financial Institution, it could be in the future. Regularly check the FTC’s definition of a Financial Institution to learn whether you have become subject to the rule.


