Does the FTC Safeguards Rule apply to me?
Many advisers assume "we're not SEC-registered, so no one regulates our data." Often the opposite is true — the FTC does.
The FTC's Safeguards Rule (16 CFR Part 314) requires "financial institutions" under the FTC's jurisdiction to maintain a formal information-security program. The phrase "financial institution" is far broader than banks — and it catches a lot of firms in and around private wealth who assume they're unregulated.
Who counts as a "financial institution"
The rule lists thirteen examples, and the common thread is being significantly engaged in a financial activity. Among them, the ones that matter most for private wealth:
- Investment advisers that are not required to register with the SEC — including many state-registered advisers and exempt reporting advisers.
- Finance and lending companies, mortgage brokers and lenders, and account servicers.
- Wire transferors, check cashers, and collection agencies.
- Tax-preparation firms and certain financial or investment advisory practices.
If you're SEC-registered, you generally fall under Reg S-P instead. If you're not SEC-registered but you're handling money or financial data for clients, you should assume the FTC Safeguards Rule is in play until proven otherwise.
SEC-registered → Reg S-P. Not SEC-registered but engaged in financial activity → likely FTC Safeguards. Genuinely unsure → that uncertainty is the finding; a coverage determination resolves it.
The five things you must have
1. A named Qualified Individual
One person must be accountable for the security program: a named Qualified Individual responsible for overseeing, implementing, and reporting on it, not a committee and not "IT in general." That person may be an employee, an affiliate, or a service provider, but if you outsource the role you still retain responsibility for compliance and must designate a senior member of your own staff to direct and oversee them.
2. A written risk assessment
A documented assessment that identifies reasonably foreseeable internal and external risks to customer information, evaluates how well your existing controls address them, and drives the safeguards you choose. It is not a one-time exercise: the rule expects you to revisit it periodically as your systems and business change.
3. Specific technical safeguards
The rule names several explicitly: access controls that limit each user to the customer information they actually need, reviewed periodically; encryption of customer information in transit over external networks and at rest; multi-factor authentication for any individual accessing any information system; and secure disposal of customer information no later than two years after it was last used for the customer, unless you have a legitimate business or legal reason to keep it. It also calls for an inventory of your data and systems, change management, and logging and monitoring of user activity. These aren't suggestions; they're enumerated requirements. The only flexibility is narrow: your Qualified Individual may approve, in writing, reasonably equivalent access controls in place of MFA, or compensating controls where encryption is genuinely infeasible, and that approval has to be documented.
4. Testing and monitoring
You must regularly test or monitor the effectiveness of your safeguards. The rule gives two paths: continuous monitoring, or, if you don't have it, annual penetration testing plus vulnerability assessments at least every six months and whenever there is a material change to your operations or systems. You also have to train your people and keep that training current.
5. Service-provider oversight
You must take reasonable steps to select and retain vendors capable of protecting customer information, require those safeguards by contract, and periodically assess them based on the risk they present.
And the breach-notification rule
Since May 13, 2024, covered institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of a "notification event": unauthorized acquisition of unencrypted customer information involving at least 500 consumers. The notice goes to the FTC directly and includes your contact details, the types of information involved, the date or date range of the event if known, the number of consumers affected, and a general description of what happened. Note the encryption carve-out and its limit: properly encrypted data that's exposed generally doesn't trigger the notice, but the rule treats the data as unencrypted if the attacker also obtained the key, and it presumes that unauthorized access to unencrypted information was an acquisition unless you have reliable evidence otherwise. Encryption done well, with keys kept away from the data they protect, is what earns the carve-out.
This is a plain-language overview, not legal advice. Whether the Rule applies to your firm, and exactly how, should be confirmed against the current rule text with your counsel.
Find out where you stand
Securidigm's coverage determination helps determine whether the Safeguards Rule applies to you — then maps your controls to all five requirements and builds the evidence file.
Request a confidential conversation →

Securidigm provides advisory cybersecurity services and prepares draft documents. It does not provide an audit, a certification, or legal advice. This article is general information, not advice for your situation, and no outcome is guaranteed.