
FTC Safeguards Rule: What you need to know

The Federal Trade Commission released amendments to the Safeguards Rule that were originally supposed to take effect on December 9th, 2022. The rule requires certain financial institutions to meet several data security requirements to protect customers' personal financial information and the institution's own sensitive information. The decision was made to delay the amendments until June 9, 2023. This is the first amendment to the rule since its implementation in 2023.

It's a pretty complex rule, so we've broken down some of the basics.

You can find more about the rule on the FTC's website HERE.


  • Mortgage Lenders

  • Pay-day Lenders

  • Finance Companies

  • Mortgage Brokers

  • Account Servicers

  • Check Cashiers

  • Wire Transferors

  • Collection Agencies

  • Credit Counselors

  • Tax Preparation Firms

  • Credit Unions (not federally insured)

  • Investment Advisors (not required to register with the SEC)

  • Entities Acting as Finders


  1. Designating Qualified Security Individual: designated, qualified individual responsible for implementing and overseeing its security program (third-parties permitted)

  2. Risk Assessments: including the categorization and evaluation of identified security risks, assessment of confidentiality, integrity and availability of information systems and customer information, and description of how identified risks will be mitigated based on the risk assessment and how the information security program will address the risks

  3. Access Restrictions: technical and physical access controls that authenticate only authorized users and limit access to information based on duty and function

  4. Encryption: all customer information is required to be encrypted in transit and at rest

  5. Training: all personnel are required to be provided with security awareness training

  6. Incident Response Plan: addresses goals, internal processes for responding to an incident, responsibilities and roles of individuals, communication plans, remediation requirements, logging and documentation of incidents, and evaluation and revision following a security event

  7. Periodic Assessments: required to have continuous monitoring to detect changes in information

  8. Data Minimization: required to develop, implement and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates unless such information is necessary for business operations


Like any complex project, one of the critical first steps is to gather your stakeholders to discuss the issue at hand. Next, itemize resources by determining what you have and what you need in order to respond to the issue. Often, this leads to an assessment of potential outsourced resources or third parties that can be brought into the project to address gaps in knowledge, expertise and capabilities. From here, generate a plan that allows for the inclusion of all internal and external resources required to establish a step-by-step process to get your organization to the end goal: in this case, compliance with changes in a new federal ruling.


Celerit Technologies has been an established technology service provider to the banking and financial services industry for over 30 years. Today, they work with enterprises of all sizes, across multiple industries, deploying agile technology designed to address cybersecurity, compliance, communication and customer experience.

Learn more about Celerit Technologies here.
