The FTC's 2021 amendments to 16 CFR Part 314 — the Safeguards Rule under GLBA — replaced a one-paragraph principles-based standard with nine specific controls. The amended rule has been fully effective since June 9, 2023. The practical change for non-bank financial institutions: a "thoughtful security program" no longer satisfies GLBA on its own. The new rule names what the program must contain, who has to own it, and what the documentation has to look like when the FTC asks.
This guide is the long-form companion to our GLBA Safeguards Rule Data Inventory & Mapping Checklist. It walks through the rule's structure, the specific requirements that have generated enforcement actions, the design decisions a fintech compliance program has to make, and the implementation patterns we've seen work in practice.
Who is covered
The Safeguards Rule applies to "financial institutions" as defined under GLBA — a definition broader than the colloquial meaning. The covered population includes:
- Mortgage lenders, brokers, and servicers
- Tax preparers and tax-prep software providers
- Wire-transfer providers
- Check cashers and money-transmission businesses
- Credit counseling and debt-management firms
- Certain investment advisors not otherwise registered with the SEC
- "Finders" and certain referral firms
- Personal property and real estate appraisers
- Collection agencies (for consumer debts)
- Career counselors of individuals in the financial services industry
- Travel agencies operated in connection with financial services
- A long tail of activities listed in 12 USC §1843(k)(4)
The 2023 amendments specifically expanded the rule's scope to include "finders" — entities that bring together buyers and sellers of products and services. Several fintech business models that previously believed they were outside GLBA's scope discovered, on review, that they had become covered.
What the amended rule requires
The amended rule prescribes nine categories of program elements. Each is worth understanding individually.
1. Designate a Qualified Individual
§ 314.4(a) requires the firm to designate a "Qualified Individual" responsible for overseeing, implementing, and enforcing the information security program. The Qualified Individual need not be an employee — the role can be filled by an outside party — but must report to senior management or the board.
Implementation reality. Most mid-sized fintechs initially designate the CISO or the senior security engineer. The harder question is what the role's authority looks like operationally — does the Qualified Individual have authority to halt non-compliant deployments, to approve or disapprove vendor relationships, to require evidence from engineering teams? Programs that designate a Qualified Individual without operational authority produce title-only compliance.
2. Conduct a written risk assessment
§ 314.4(b) requires a written risk assessment that:
- Identifies reasonably foreseeable internal and external risks to confidentiality, integrity, and availability
- Assesses the sufficiency of existing safeguards against those risks
- Is performed periodically and re-performed when changes warrant
Implementation reality. The risk assessment is not a single annual artifact — it's a living document keyed to the firm's data flows, vendor relationships, and threat landscape.
3. Implement specific controls
§ 314.4(c) requires the firm to implement controls in eight specific areas:
| Citation | Control | |
|---|---|---|
| (c)(1) | Access controls | Identify users with access (incl. service providers); restrict to need; periodic review. |
| (c)(2) | Inventory | Documented inventory of all systems, devices, applications, and data on which customer information is created, collected, transmitted, stored, or processed. |
| (c)(3) | Encryption | Customer information encrypted at rest AND in transit. Compensating control only with documented Qualified-Individual approval. |
| (c)(4) | Application security | Secure development for in-house apps; security assessment for externally developed apps. |
| (c)(5) | MFA | MFA for any individual accessing any information system, unless QI approves an equivalent compensating control. |
| (c)(6) | Secure disposal | Secure disposal of customer information no later than two years after last use, unless retained for a legitimate business purpose. |
| (c)(7) | Change management | Procedures for change management, including security review for material changes. |
| (c)(8) | Monitoring | Monitor and log authorized user activity; detect unauthorized access to or tampering with customer information. |
Implementation reality. Each of these eight controls maps to specific engineering and operational practices that, in fintechs we've reviewed, are often implemented in some environments and not in others. Production has MFA; the analytics warehouse doesn't. Production has encryption at rest; the backup S3 bucket has it but at a key the wrong people have access to. Production has logging; the test environment that someone copied production data into doesn't.
The Safeguards Rule treats every environment containing customer information as in-scope. Programs that apply controls only to production environments are systematically non-compliant.
4. Test or monitor effectiveness
§ 314.4(d) requires either (a) continuous monitoring of the controls' effectiveness or (b) annual penetration testing and biannual vulnerability assessments. Most programs adopt the pen testing and vulnerability assessment path because it's more concretely defined.
The pen test scope must include all systems containing customer information. A pen test scoped only to the production application web tier is insufficient if the firm also maintains a customer-data-containing analytics warehouse, backup environments, or vendor-hosted systems that touch customer data.
5. Train staff
§ 314.4(e) requires implementation of policies and procedures to ensure personnel are trained sufficient to enable them to enact the information security program. Training scope must extend to non-engineering personnel with access to customer information — sales, customer success, ops.
6. Oversee service providers
§ 314.4(f) requires:
- Selection and retention of service providers capable of maintaining appropriate safeguards
- Contractual requirements that service providers implement and maintain safeguards
- Periodic assessment of service provider performance
Vendor risk management has become one of the most-scrutinized program elements post-amendment. The MOVEit cascade in 2023 produced multiple FTC actions where the affected fintech's vendor management program was a finding even though the breach itself happened at the vendor.
7. Adjust the program
§ 314.4(g) requires the program to be evaluated and adjusted in light of test results, material changes to operations or business arrangements, the results of risk assessments, and any other circumstances reasonably warranting adjustment.
8. Maintain a written incident response plan
§ 314.4(h) requires a written incident response plan addressing internal procedures, roles, communications, remediation, documentation, and periodic post-incident review.
Implementation reality. The written plan must be more than a template. The FTC has cited firms whose incident response plans were generic boilerplate that did not reflect the firm's actual data flows, system inventory, or vendor relationships.
9. Annual report to the board
§ 314.4(i) requires the Qualified Individual to report in writing, at least annually, to the board of directors or equivalent governing body. The report must address overall status, material matters, risk assessment results, risk management decisions, service provider arrangements, results of testing, security events and management's response, and recommendations.
This report is, in many fintechs we've reviewed, the highest-leverage artifact for actually driving program maturity.
The 30-day breach notification requirement
§ 314.5 requires firms to notify the FTC within 30 days of discovering an incident affecting 500 or more consumers.
Where the enforcement action risk lives
Across the published consent orders since the amendments took effect, the most-cited deficiencies cluster:
A fintech that wants to read its own future enforcement profile honestly should self-assess against this list and act on the gaps. Programs that wait for an audit, an incident, or a regulator to surface the gaps pay 10–100× more for the same remediation.
The role of synthetic data in GLBA compliance
The Safeguards Rule does not require synthetic data. It does, however, require firms to:
- Apply controls to all environments containing customer information
- Encrypt customer information at rest and in transit
- Implement MFA for access to systems containing customer information
- Maintain a complete inventory of systems containing customer information
- Securely dispose of customer information no later than two years after the last business use
For a fintech with multiple non-production environments — staging, dev, demo, analytics, ML training, vendor sandboxes, backup environments — the operational cost of applying production-grade controls to every environment containing customer data is substantial. The structural alternative is to remove customer data from those environments and replace it with synthetic data.
This is not a hypothetical recommendation. We've worked with multiple fintechs whose GLBA program effort was materially reduced once non-production environments were migrated off real customer data — because the inventory shrank, the controls scope shrank, the pen test scope shrank, the training population shrank, and the vendor exposure shrank.
Our Playbook: Migrating Non-Production Environments from Production Data to Synthetic walks through the migration in operational detail.
A defensible implementation sequence
- 1Designate the QI with operational authorityStructural prerequisite for everything else.
- 2Build the system + data inventoryMost firms find 30–50% more in-scope systems than expected.
- 3Conduct the written risk assessmentMap each in-scope system to the controls in §314.4(c). Document gaps and remediation plans.
- 4Implement the eight specific controlsSequence by risk: access + MFA first, encryption next, application security + monitoring concurrent, change management + disposal last.
- 5Build the testing + monitoring programPen test annually, VA biannually, internal monitoring continuous where possible.
- 6Build the vendor management programPre-engagement assessment, contractual safeguards, ongoing monitoring, response procedures.
- 7Write the IR planSpecific to your firm. Pre-position the FTC notification path.
- 8Stand up board reporting cadenceAnnual minimum, semi-annual in mature programs.
- 9Migrate non-prod off customer data where feasibleReduces ongoing compliance burden materially.
- 10TrainRole-specific for everyone with access to customer information. Annual minimum.
What examiners ask
The FTC, when investigating, typically asks for:
Investigation document set
- The risk assessment, with version history showing periodic re-assessment.
- The system and data inventory, with version history.
- The Qualified Individual's annual board report.
- Evidence of the eight specific controls, system by system.
- The pen test report and the vulnerability assessment reports.
- The incident response plan and any actual incident responses.
- The vendor inventory, contracts, and ongoing assessment evidence.
- The training records.
- The change management records for material changes.
A program that can produce each of these confidently, traceable to the rule citation each addresses, is in good shape. A program that has to reconstruct the answer post-investigation is not.
Closing
The amended Safeguards Rule names nine controls and a 30-day breach-notification clock. Each is a deliverable an FTC examiner can ask to see, name, and date — written program with the Qualified Individual identified, MFA evidence, encryption in transit and at rest, vendor oversight log, annual penetration test, biennial risk assessment, training records, breach-response playbook with the 30-day path pre-mapped, board reporting cadence. None of those emerge as the byproduct of a generally-good security program.
A fintech approaching the rule for the first time should plan a 6–12 month structured implementation with board reporting from the outset and a Qualified Individual whose operational authority is documented, not implied. A fintech already live should start with the system and data inventory: every program element is downstream of knowing what's in scope, and the post-MOVEit FTC follow-ups (see §"Where the enforcement action risk lives" above) repeatedly named scope-mapping and vendor-coverage failures as the root cause that let everything else slip.
Key takeaways
- GLBA's covered population is broader than the colloquial meaning — and 'finder' inclusion in the 2023 amendments brought several fintech business models into scope that previously believed they were outside.
- The nine program elements are concrete enough to engineer against, but require intentional implementation rather than emerging from a 'generally good' security program.
- The Safeguards Rule treats every environment containing customer information as in-scope; controls applied only to production are systematically non-compliant.
- Vendor management and non-production access controls are where post-amendment enforcement most reliably lands; both are materially reducible by migrating non-prod off customer data.
- The 30-day FTC breach-notification clock starts at discovery, not at forensic confirmation; pre-positioning the notification path is one of the highest-ROI IR investments a program can make.
Related reading:
- GLBA Safeguards Rule Data Inventory & Mapping Checklist
- Playbook: Migrating non-production environments from production data to synthetic
- The state of PII risk in fintech — a 2026 threat-and-compliance landscape
- SOC 2 Type II readiness data & evidence checklist for fintechs
- Playbook: Building a no-PII demo environment for sales engineering
This document is general guidance for engineering and compliance teams implementing the Safeguards Rule. It is not legal advice. Firms with active enforcement matters or specific implementation questions should consult qualified counsel.