
FTC Safeguards Rule: Compliance Framework

By Michael Dunleavey
April 21, 2026 (updated May 22, 2026)
Tags: GLBA compliance, information security program, financial institution compliance

Why the FTC Safeguards Rule Matters for Lenders

The revised FTC Safeguards Rule represents one of the most significant regulatory shifts for non-bank financial institutions in the past decade. The major provisions carried a compliance deadline of June 9, 2023, and a later amendment — effective May 13, 2024 — added a breach-notification requirement. Together they replaced the previous principles-based approach with a prescriptive standard: every covered financial institution must now maintain a written information security program built around the nine requirements set out in 16 CFR 314.4.

For lenders operating on Salesforce, the practical question is how much of this can be operationalized inside systems your team already uses, rather than managed as a separate, periodic compliance exercise. Several of the Rule's requirements map directly onto capabilities the platform already provides.

The Nine Core Requirements: What 16 CFR 314.4 Demands

The revised Safeguards Rule is organized into nine lettered requirements, §314.4(a) through (i). Understanding each — and how it maps to your operational reality — is the first step toward a compliant information security program.

1. Designate a Qualified Individual

Your institution must designate a single qualified individual to oversee and implement the information security program. This person can be an employee, an affiliate, or a service provider — but they must have demonstrable expertise and authority to direct compliance activities. The key requirement is accountability: regulators want a named individual responsible for the program, not a committee or a vague organizational reference.

2. Conduct a Written Risk Assessment

A comprehensive, written risk assessment must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. This assessment must evaluate the sufficiency of existing safeguards and be documented in a format that examiners can review. Many institutions fail this element by conducting assessments informally or failing to document their methodology and findings.

3. Design and Implement Safeguards — Eight Specific Controls

This is the most extensive requirement. Based on the risk assessment, your institution must design and implement safeguards across eight specific controls:

  • Access controls — authenticate users and limit each to only the customer information needed for their duties
  • Asset inventory — identify and manage the data, devices, systems, and personnel that handle customer information
  • Encryption — protect all customer information both in transit over external networks and at rest (or document Qualified-Individual-approved compensating controls where encryption is infeasible)
  • Secure development practices — for in-house applications, plus procedures to evaluate externally developed apps
  • Multi-factor authentication — required for anyone accessing any information system, absent written approval of equivalent controls
  • Secure disposal — dispose of customer information no later than two years after its last use, with periodic review of retention policies
  • Change management — formal procedures governing changes to systems
  • Monitoring and logging — log authorized-user activity and detect unauthorized access or tampering

Institutions frequently treat encryption and access controls as "the safeguards" and overlook disposal, change management, and monitoring as named obligations. All eight are required.

4. Regularly Monitor and Test Safeguards

Safeguards must be regularly monitored and tested to ensure they remain effective. The Rule provides two compliance paths: continuous monitoring through system-level controls, or annual penetration testing combined with vulnerability assessments at least every six months. For institutions operating on Salesforce, platform-level security monitoring and automated testing tools can streamline this requirement significantly.

5. Implement Security Awareness Training

All personnel must receive security awareness training, and specialized training must be provided to personnel with hands-on security responsibilities. Training must be updated to reflect risks identified in the most recent risk assessment. This is not a one-time checkbox — it is an ongoing obligation that adapts to your institution's evolving threat landscape.

6. Oversee Service Providers

Your institution must take reasonable steps to select and retain service providers that maintain appropriate safeguards. This includes contractual requirements for service provider security practices and periodic assessment of their compliance. For lenders using third-party credit reporting agencies, data aggregation services, or CRM integrations, this element requires documented vendor risk management procedures.

7. Keep the Information Security Program Current

The information security program must be evaluated and adjusted as circumstances change — including changes in business operations, the results of testing and monitoring, security incidents, and shifts in the threat landscape. Static programs that are written once and shelved fail this requirement by design.

8. Create an Incident Response Plan

A written incident response plan must address how the institution will respond to, and recover from, security events that materially affect the confidentiality, integrity, or availability of customer information. The plan must identify the goals, internal processes, communication protocols, and remediation steps for incident response.

9. Report to the Board

The qualified individual must report in writing, at least annually, to the institution's board of directors (or equivalent governing body) on the overall status of the information security program, including compliance with the Safeguards Rule, risk assessment findings, and security events. This board-level reporting requirement ensures that information security receives executive attention and resource allocation.

The Breach Notification Requirement

Since May 13, 2024, the Rule requires covered institutions to notify the FTC of a security breach affecting 500 or more consumers no later than 30 days after discovery, using the FTC's online form. An event is considered "discovered" the first day it's known to any employee or agent other than the person responsible for the breach. This is the Rule's most recent and most time-sensitive addition — and the one most likely to catch an under-prepared institution off guard, because the clock starts at internal discovery, not at confirmation of harm.

How Salesforce-Native Compliance Streamlines Safeguards Adherence

For institutions already operating on Salesforce, the path to Safeguards compliance is more streamlined than many realize. The platform's native security architecture — role-based access controls, field-level encryption, comprehensive audit trails, and configurable sharing rules — directly addresses several of the Rule's nine elements.

The only Salesforce-native credit access platform with pre-built, pre-configured objects and no additional setup required, LASER Credit Access embeds compliance safeguards directly into the lending workflow. Rather than bolting compliance checks onto existing processes as an afterthought, institutions can operationalize Safeguards requirements into the daily activities their teams already perform.

What This Means for Your Institution

The FTC Safeguards Rule is not optional, and enforcement is accelerating. Institutions that treat compliance as a documentation exercise rather than an operational priority face increasing risk — not only from regulatory action, but from the reputational and financial consequences of security incidents that proper safeguards would have prevented. For lenders mapping Safeguards Rule obligations against the wider 2026 enforcement environment, our analysis of how Safeguards Rule expectations connect to broader 2026 enforcement priorities shows how cybersecurity documentation requirements now sit alongside UDAAP, AI model risk, and state privacy obligations as parallel examination focus areas.

Enforcement of the Safeguards Rule is active and expanding, and the staggered deadlines mean some requirements — particularly breach notification — are still new enough that many institutions haven't fully operationalized them. For lenders already on Salesforce, the most efficient path is to meet as many of the nine requirements as possible through the platform's native security capabilities and purpose-built compliance tooling, rather than maintaining a parallel compliance apparatus.

This article is for informational purposes and does not constitute legal advice. Consult qualified legal counsel for guidance on your institution's specific compliance obligations.

Frequently Asked Questions

Do I need to comply with the FTC Safeguards Rule if I only do commercial loans?

If your institution handles any consumer financial information — including personal guarantees on commercial loans — the Safeguards Rule applies. Many commercial lenders unknowingly trigger consumer compliance obligations through guarantor data.

What are the nine required security elements under the Safeguards Rule?

The Rule (16 CFR 314.4) sets out nine core requirements: (a) a qualified individual to oversee the program, (b) a written risk assessment, (c) designing and implementing safeguards — which itself spans eight controls including access controls, encryption, multi-factor authentication, secure disposal, and change management, (d) regular testing and monitoring, (e) security awareness training, (f) service provider oversight, (g) keeping the program current, (h) a written incident response plan, and (i) annual written reporting to the board.

How does Salesforce-native compliance tooling help with the Safeguards Rule?

Salesforce-native platforms automate access controls, audit logging, encryption standards, and compliance documentation — reducing manual effort and ensuring continuous compliance rather than point-in-time assessments.

Does the full Safeguards Rule apply to small lenders?

Institutions that maintain customer information on fewer than 5,000 consumers are exempt from four specific requirements: the written risk assessment, penetration testing and vulnerability assessments, the written incident response plan, and board reporting. All other elements still apply. Most active lenders cross the 5,000-consumer threshold quickly, so this exemption is narrower in practice than it first appears.

Michael Dunleavey

Founder — LASER Credit Access

Michael Dunleavey brings over 15 years of experience in credit infrastructure and lending compliance, helping financial institutions streamline operations on Salesforce.
