GLBA Safeguards Rule: what US financial institutions must know
The GLBA Safeguards Rule (16 CFR Part 314) is the information security standard that the Federal Trade Commission (FTC) enforces for financial institutions under its jurisdiction in the United States, that is, those not supervised by a federal banking regulator. Under the Gramm-Leach-Bliley Act (GLBA), every covered financial institution must develop, implement and maintain a comprehensive written information security program that protects the security, confidentiality and integrity of customer information. Non-compliance carries enforcement action, civil penalties for violating a resulting order, and reputational damage.
GLBA's three core components
The Gramm-Leach-Bliley Act is organized around three interrelated rules that together define the privacy and security obligations of financial institutions:
Privacy Rule — Requires financial institutions to notify customers about their information-sharing practices and give them the opportunity to opt out of sharing with certain third parties.
Safeguards Rule — The operational heart of GLBA. Mandates a written information security program with administrative, technical and physical safeguards designed to protect customer information from unauthorized access, use or disclosure.
Pretexting Rule — Prohibits obtaining customer financial information through fraudulent pretenses, impersonation or deception.
The Safeguards Rule is where most organizations need to focus their cybersecurity investments, because it drives the technical and organizational controls the FTC examines when it investigates a company's program.
Information Security Program requirements
Under the Safeguards Rule, covered institutions must designate a Qualified Individual to oversee, implement and enforce their information security program, who must report in writing, regularly and at least annually, to the board of directors or an equivalent governing body. The program must be based on a written risk assessment that is revisited periodically, and it must address safeguards across three dimensions:
- Administrative safeguards — staff training, security awareness programs, vendor access controls, and documented incident response procedures.
- Technical safeguards — encryption, access controls, multi-factor authentication, and either continuous monitoring or periodic penetration testing and vulnerability assessments to validate defenses.
- Physical safeguards — secure data centers, access logging, environmental controls and secure disposal of customer records.
The program must also address how the institution monitors and manages the security practices of its service providers and third-party vendors.
Final Rule: key dates
The FTC announced the amended Final Rule on October 27, 2021 and published it in the Federal Register on December 9, 2021; it took effect on January 10, 2022. The more prescriptive provisions (the Qualified Individual, the written risk assessment, encryption, MFA, monitoring and testing, staff training, vendor oversight, the written incident response plan and board reporting) originally had a compliance deadline of December 9, 2022, which the FTC extended by six months to June 9, 2023. Organizations that had not completed their program by that date are considered non-compliant and subject to enforcement action.
The 2021 update significantly expanded the rule's specificity, moving from a principles-based framework to concrete, enumerable requirements — making it far easier for regulators to assess compliance objectively.
Specific technical requirements
The updated Safeguards Rule, together with a further amendment adopted in 2023, introduced several concrete technical controls that go beyond the previous general language:
Breach notification — Since May 13, 2024, financial institutions must notify the FTC of any "notification event" (unauthorized acquisition of unencrypted customer information, or of encrypted information where the key was also compromised) involving at least 500 consumers, as soon as possible and no later than 30 days after discovering it. This is a hard deadline, not a best-effort target, and it is in addition to any state breach-notification duties.
Continuous monitoring and penetration testing — Covered institutions must either implement continuous monitoring of their information systems or perform penetration testing at least annually and vulnerability assessments at least every six months (and whenever there are material changes to operations or business arrangements). The NIST Cybersecurity Framework provides a widely accepted reference for organizing these activities, though the rule itself does not mandate any particular framework.
Encryption — Customer information must be encrypted both in transit over external networks and at rest. Where encryption is infeasible, the Qualified Individual may approve, in writing, effective alternative compensating controls; that written approval is the evidence an investigator will ask for.
Vendor and third-party management — Organizations must oversee service providers through contracts that require them to implement appropriate safeguards, with ongoing monitoring of compliance.
Multi-factor authentication (MFA) — Required for any individual accessing any information system, not only for external or remote access, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Access controls must also follow least-privilege principles, limiting access to authorized users and limiting each user's access to the customer information needed for their function.
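Because the amended rule states its controls as enumerable requirements with fixed thresholds and cadences, the technical items above can be turned into a self-check a security team can run against its own system inventory. The following is an added example, not code from the original article or from WhiteJaguars; the `SystemRecord` fields, the sample inventory and the incident details are constructed for illustration, and the cadence constants encode the rule's annual penetration-test, six-month vulnerability-assessment, 500-consumer and 30-day figures as described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds taken from the Safeguards Rule as summarized above.
NOTIFICATION_THRESHOLD = 500       # consumers affected before FTC notice is required
NOTIFICATION_WINDOW_DAYS = 30      # counted from discovery of the event
PENTEST_MAX_AGE_DAYS = 365         # penetration testing at least annually
VULN_ASSESSMENT_MAX_AGE_DAYS = 182 # vulnerability assessments at least every six months


@dataclass
class SystemRecord:
    """Constructed inventory record for one information system (hypothetical schema)."""
    name: str
    holds_customer_info: bool
    mfa_enforced: bool
    mfa_exception_approved_by_qi: bool        # written Qualified Individual approval
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    compensating_controls_approved_by_qi: bool
    continuous_monitoring: bool
    last_pentest: Optional[date]
    last_vuln_assessment: Optional[date]


def assess_system(s: SystemRecord, today: date) -> List[str]:
    """Return a list of findings where the system falls short of the enumerated controls.

    Each check models the rule's structure: a control is required unless the
    Qualified Individual has approved an alternative in writing.
    """
    findings: List[str] = []

    # MFA applies to any information system, not only external access.
    if not s.mfa_enforced and not s.mfa_exception_approved_by_qi:
        findings.append(f"{s.name}: MFA not enforced and no written QI-approved equivalent control")

    # Encryption in transit and at rest, or written approval of compensating controls.
    if s.holds_customer_info and not (s.encrypted_at_rest and s.encrypted_in_transit):
        if not s.compensating_controls_approved_by_qi:
            findings.append(f"{s.name}: customer information not fully encrypted and no QI-approved compensating controls")

    # Continuous monitoring satisfies the testing requirement; otherwise check cadences.
    if not s.continuous_monitoring:
        if s.last_pentest is None or (today - s.last_pentest).days > PENTEST_MAX_AGE_DAYS:
            findings.append(f"{s.name}: no penetration test within the last {PENTEST_MAX_AGE_DAYS} days")
        if s.last_vuln_assessment is None or (today - s.last_vuln_assessment).days > VULN_ASSESSMENT_MAX_AGE_DAYS:
            findings.append(f"{s.name}: no vulnerability assessment within the last {VULN_ASSESSMENT_MAX_AGE_DAYS} days")

    return findings


def ftc_notification_deadline(discovered: date, consumers_affected: int,
                              unencrypted_data_acquired: bool) -> Optional[date]:
    """Return the latest date for FTC notice, or None if the event is below the threshold.

    Encrypted data counts as unencrypted if the key was also compromised; the
    caller is expected to fold that into unencrypted_data_acquired.
    """
    if consumers_affected < NOTIFICATION_THRESHOLD or not unencrypted_data_acquired:
        return None
    return discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)


# Constructed sample inventory: one system with gaps, one that relies on continuous monitoring.
SAMPLE_INVENTORY = [
    SystemRecord("loan-origination-db", True, False, False, True, True, False,
                 False, date(2023, 12, 1), date(2024, 9, 1)),
    SystemRecord("servicing-portal", True, True, False, True, True, False,
                 True, None, None),
]


def run_self_check(today: date = date(2025, 1, 15)) -> List[str]:
    """Assess every system in the sample inventory as of the given date."""
    findings: List[str] = []
    for system in SAMPLE_INVENTORY:
        findings.extend(assess_system(system, today))
    return findings


if __name__ == "__main__":
    for line in run_self_check():
        print(line)
    print(ftc_notification_deadline(date(2025, 3, 1), 500, True))
```

The point of modelling the written Qualified Individual approvals as explicit fields is that the rule's exceptions are only defensible when documented; an inventory that records the approval alongside the gap produces the audit trail an investigator will request.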
A mature vulnerability management program is the operational backbone that connects all these requirements: it tracks vulnerabilities over time, prioritizes remediation based on risk, and provides the evidence auditors need.
Who does the FTC Safeguards Rule cover?
The rule applies to all businesses "significantly engaged" in providing financial products or services, a broader scope than many compliance officers expect. The FTC's own list includes mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the SEC.
If your business handles customer financial data as part of a financial service — even if banking is not your primary business — you likely fall within GLBA's scope.
2025 enforcement actions
The FTC has demonstrated willingness to bring enforcement actions against companies well outside the traditional banking sector. Prominent 2025 enforcement actions include Tractor Supply, Todd Snyder and American Honda — companies in retail, fashion and automotive finance respectively. These cases confirm that the FTC's interpretation of "businesses significantly engaged in financial services" is expansive and actively enforced.
For companies that also operate in the United Kingdom, the nearest counterparts are the UK GDPR and the Data Protection Act 2018, with the PSTI Regulations applying where the business also ships consumer connectable products.
Is your organization prepared for a GLBA audit? Talk to WhiteJaguars to assess your information security program and close any compliance gaps before an FTC review.