
FTC Safeguards Rule Training: 2023 Amendments and What You Need (2026)

The FTC Safeguards Rule at 16 CFR Part 314 requires non-bank financial institutions to maintain a written information security program, and that program must include security awareness training for personnel plus ongoing training for the people who run the program. Most of the amended rule became enforceable on June 9, 2023, and it reaches well beyond banks.

Auto dealers, mortgage brokers, tax preparers, retailers offering in-house financing, collection agencies, and investment advisors all fall inside the FTC’s definition of a “financial institution.” Many of them spent 2023 and 2024 scrambling to document training programs their compliance teams had assumed were already in place.

The Safeguards Rule is the FTC’s implementation of Section 501(b) of the Gramm-Leach-Bliley Act (GLBA). GLBA required each functional regulator to issue safeguards standards for the institutions it oversees. The FTC is the regulator for non-bank financial institutions, so its rule at 16 CFR Part 314 sets the standard for everyone not already covered by the banking agencies (OCC, Federal Reserve, FDIC), the NCUA, the SEC, the CFTC, or a state insurance regulator.

The original Safeguards Rule took effect in 2003. It required a written information security program, a risk assessment, and reasonable safeguards, but the text was flexible enough that enforcement was inconsistent and many small financial institutions treated compliance as informal.

In December 2021 the FTC published an amended Safeguards Rule (86 FR 70272, December 9, 2021) that tightened the requirements significantly. Some provisions took effect in January 2022; the more prescriptive ones (Qualified Individual, written risk assessment, specific safeguards, testing and monitoring, training, incident response plan, board reporting) had a compliance date that was pushed back six months, from December 9, 2022 to June 9, 2023. Section 314.5, which requires notifying the FTC of security events involving 500 or more consumers, was added by a separate 2023 amendment and took effect May 13, 2024.

The Safeguards Rule applies to “financial institutions” over which the FTC has jurisdiction. The FTC defines financial institution broadly, and that broad definition is the source of most of the compliance surprise in the 2023 rollout.

Covered entities include:

  • Auto dealers that extend credit or arrange financing
  • Mortgage brokers and lenders not supervised by another federal regulator
  • Tax preparation firms and CPAs that prepare consumer returns
  • Retailers offering in-house credit or installment plans
  • Collection agencies, check cashers, money transmitters, and payday lenders
  • Finance companies and consumer lenders
  • Investment advisors not registered with the SEC
  • Real estate and personal property appraisers
  • Credit counselors, and career counselors who serve people employed in or recently displaced from finance, accounting, or audit professions

FINRA-registered broker-dealers and SEC-registered investment advisors are supervised by the SEC under Regulation S-P rather than by the FTC, though Reg S-P was amended in 2024 to look more like the FTC rule.

The 2021 amendments added a size carve-out at §314.6: institutions maintaining customer information on fewer than five thousand consumers are exempt from the written risk assessment (§314.4(b)(1)), the continuous-monitoring or penetration-testing-and-vulnerability-assessment requirement (§314.4(d)(2)), the written incident response plan (§314.4(h)), and the Qualified Individual’s annual written report to the board (§314.4(i)). All other provisions, including training, still apply.

The training obligation sits inside §314.4, which lists the nine elements of a compliant information security program. Element (e) requires the institution to provide personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment; to use qualified information security personnel (its own, an affiliate’s, or a service provider’s) sufficient to manage its risks and run the program; to give those personnel security updates and training sufficient to address relevant risks; and to verify that key information security personnel maintain current knowledge of changing threats and countermeasures.

This wording creates two training tracks. The first is security awareness training for all personnel. The second is specialized, ongoing training for qualified information security personnel, which in most organizations means the Qualified Individual designated under §314.4(a) and any information security staff reporting to that person.

The rule ties training to the risk assessment and to the current threat landscape, so training has to be appropriate to the role and updated as risks change. A static annual module that has not been revised for the threats the institution actually faces does not satisfy §314.4(e).

The 9 required elements of an information security program

§314.4 lists the nine elements a compliant program must contain. Training at (e) is one of nine interlocking obligations.

  • §314.4(a) Qualified Individual: designate a single individual responsible for overseeing, implementing, and enforcing the program.
  • §314.4(b) Written risk assessment: document the risks to customer information and the safeguards in place, and reassess periodically.
  • §314.4(c) Safeguards to control risks: access controls, data and system inventory, encryption, secure development, MFA, secure disposal, change management, and logging of user activity.
  • §314.4(d) Testing and monitoring: continuous monitoring, or else annual penetration testing plus vulnerability assessments at least every six months.
  • §314.4(e) Personnel training: security awareness training for personnel and ongoing training for qualified information security personnel.
  • §314.4(f) Service provider oversight: select capable providers, require safeguards by contract, and periodically reassess them.
  • §314.4(g) Program evaluation and adjustment: revise the program based on test results, risk changes, and incidents.
  • §314.4(h) Written incident response plan: goals, internal processes, roles, communication, remediation, and documentation for security events.
  • §314.4(i) Reporting to governance: the Qualified Individual reports in writing at least annually to the board or equivalent.

Training maps primarily to (e), but elements (a), (f), (h), and (i) all produce trainable moments. The Qualified Individual needs governance-level training. Service provider oversight requires procurement training. Incident response requires drills.

The FTC enforces the Safeguards Rule under Section 5 of the FTC Act. The FTC generally cannot obtain civil penalties for a first-time Safeguards Rule violation; the inflation-adjusted per-violation penalty, adjusted each January under the Federal Civil Penalties Inflation Adjustment Act and published at 16 CFR 1.98 and in the Federal Register ($51,744 for 2024), applies once an institution violates an existing FTC order. The usual first outcome of an investigation is therefore a consent order, and the penalty exposure attaches to everything that follows.

FTC enforcement typically produces consent orders that require up to twenty years of third-party assessments, extensive remediation, and specific training improvements. The reputational cost of being named in an FTC consent order usually dwarfs the civil penalty itself.

States enforce parallel rules: New York through NYDFS Part 500, Massachusetts through 201 CMR 17.00, and California through its privacy statutes. Organizations that fall short of the Safeguards Rule often trip state requirements at the same time, and class-action exposure under state privacy and breach laws is a separate risk.

Section §314.4(a) requires covered institutions to designate a single Qualified Individual responsible for overseeing, implementing, and enforcing the information security program. The person can be an employee, an affiliate, or a service provider.

Under §314.4(i), the Qualified Individual has to provide written reports to the board or equivalent governing body at least annually. Those reports must cover the program’s overall status, the risk assessment results, the safeguards in place, service provider arrangements, test results, security events, and recommendations for program changes.

Training for the Qualified Individual sits inside the second track of §314.4(e): specialized, continuous, role-specific content updated as the threat landscape changes. The rule expressly allows the role to sit with an affiliate or service provider, and smaller institutions often outsource it to a virtual CISO or managed security provider. The institution retains responsibility for the program in either case, has to designate a senior employee to direct and oversee the outsourced individual, and the outsourced individual still has to satisfy the training and reporting obligations.

Customer information access and authentication training


Several §314.4(c) safeguards translate directly into trainable behaviors. The ones that show up most often in FTC consent orders involve access control and authentication.

Multi-factor authentication. §314.4(c)(5) requires MFA for any individual accessing any information system unless the Qualified Individual has approved, in writing, reasonably equivalent or more secure access controls. Training must cover MFA enrollment, recovery, and phishing resistance. An MFA setup exercise covers the practical mechanics, and a phishing awareness module covers the MFA-fatigue (push bombing) and real-time proxy attacks that relay one-time codes, which is also the point to explain why phishing-resistant factors such as FIDO2 security keys are preferred where the institution offers them.

Least privilege. §314.4(c)(1) requires access controls that authenticate users, permit access only to authorized users, and limit each authorized user to the customer information needed for their duties, with those controls reviewed periodically. Training has to reinforce this at the application level, where employees decide what to look up and what to share, which is where a least privilege awareness module fits.

Encryption. §314.4(c)(3) requires encryption of customer information at rest and in transit over external networks; where encryption is infeasible, alternative compensating controls must be reviewed and approved by the Qualified Individual. Training should cover the practical moments where encryption decisions live with the employee, such as secure email, encryption of portable devices, and removable media.

Secure disposal. §314.4(c)(6) requires secure disposal of customer information no later than two years after the last date it is used in connection with providing a product or service to the customer, unless it is needed for a legitimate business purpose or retention is required by law, and it requires periodic review of the data retention policy. Training should cover what disposal means for paper, digital, and backup copies.

FTC Safeguards vs GLBA original - the 2023 shift


The 2003 original Safeguards Rule and the 2021 amended Safeguards Rule are the same regulation at different points in time. The 2021 amendments sharpened what had been a flexible standard.

  • Risk assessment. 2003: required, format flexible. 2021: required, in writing, and periodically repeated.
  • Access controls. 2003: “reasonable.” 2021: explicit access control requirements, including MFA.
  • Encryption. 2003: “reasonable.” 2021: required at rest and in transit over external networks, with compensating controls only on written approval.
  • Training. 2003: required. 2021: explicit separate tracks for general personnel and qualified information security personnel.
  • Change management. 2003: not specified. 2021: required.
  • Monitoring and testing. 2003: “reasonable.” 2021: continuous monitoring, or annual penetration testing plus vulnerability assessments every six months.
  • Incident response plan. 2003: not required. 2021: written plan required.
  • Governance reporting. 2003: not required. 2021: annual written report to the board or equivalent.
  • Service provider oversight. 2003: required. 2021: required, with periodic reassessment.
  • Notification of security events. 2003: not required. 2021 rule: not required; added by the 2023 amendment for events affecting 500 or more consumers, effective May 2024.

The direction of travel matches the NYDFS Part 500 rule and the 2024 SEC Regulation S-P amendments. Covered institutions that satisfy one often satisfy the others with modest additions.

The program that tends to satisfy examiners and survive consent-order-style scrutiny shares a few structural features.

Step 1: Inventory personnel and roles. Map every role that handles customer information against the §314.4(e) training obligation. Include contractors and temp staff. This inventory becomes the denominator for coverage reporting.

Step 2: Build two tracks. General security awareness training for all personnel handling customer information. Specialized, ongoing training for the Qualified Individual and information security staff. Do not collapse the two.

Step 3: Map content to the nine elements. Training modules should trace to §314.4(c) safeguards, §314.4(f) vendor management, §314.4(h) incident response, and §314.4(i) governance. An exercise in isolation is less defensible than an exercise mapped to a specific subsection.

Step 4: Document everything. Record completion, content version, assessment scores, and policy acknowledgments, so that coverage can be reported against the inventory from Step 1. §314.4(e) does not specify a retention period, but FTC orders routinely impose multi-year record-keeping obligations, and state rules add their own, so plan for retention well beyond a single training cycle.

Step 5: Refresh at least annually, and after every incident. The rule requires training “as necessary,” which in practice means annual plus event-driven. After a significant incident, training has to address the gap that the incident revealed.

Step 6: Run incident-response drills. §314.4(h) requires a written incident response plan. A plan that has never been rehearsed is harder to defend under examiner questioning.

Step 7: Vendor training oversight. §314.4(f) requires service provider oversight. That oversight increasingly includes verifying that the vendor’s own workforce has been trained.
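Steps 1 through 5 describe a coverage calculation: a roster of roles (the denominator), two training tracks, and a rule for when a completion record no longer counts. The script below is an added example, not RansomLeak’s product code and not FTC guidance. The names, roles, content versions, completion dates, and incident date are constructed sample data, and the 365-day refresh window plus the “retrain after an incident” rule are this example’s reading of the rule’s “as necessary” language, not text from §314.4(e).

```python
"""Two-track training coverage check for a §314.4(e) program (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumptions for this example: annual refresh, and any completion that
# predates the most recent security event must be redone.
REFRESH_DAYS = 365
# Content version currently in force for each track (assumed labels).
CURRENT_VERSION = {"awareness": "v4", "specialized": "v2"}


@dataclass(frozen=True)
class Person:
    name: str
    role: str
    handles_customer_info: bool   # touches customer information at all
    infosec_staff: bool           # Qualified Individual or staff reporting to them


@dataclass(frozen=True)
class Completion:
    name: str
    track: str        # "awareness" or "specialized"
    version: str      # content version the person completed
    completed: date


def required_tracks(person: Person) -> set[str]:
    """Map a role to the §314.4(e) tracks it must complete."""
    tracks = set()
    if person.handles_customer_info or person.infosec_staff:
        tracks.add("awareness")
    if person.infosec_staff:
        tracks.add("specialized")
    return tracks


def status(completions, name, track, as_of, last_incident=None) -> str:
    """Return 'current' or the reason the latest record does not count."""
    recs = [c for c in completions if c.name == name and c.track == track]
    if not recs:
        return "no record"
    latest = max(recs, key=lambda c: c.completed)
    if latest.version != CURRENT_VERSION[track]:
        return "stale content version"
    if as_of - latest.completed > timedelta(days=REFRESH_DAYS):
        return "older than refresh window"
    if last_incident is not None and latest.completed <= last_incident:
        return "predates last incident"
    return "current"


def coverage_report(roster, completions, as_of, last_incident=None) -> dict:
    """Coverage per track: required count, current count, and named gaps."""
    report = {t: {"required": 0, "current": 0, "gaps": []} for t in CURRENT_VERSION}
    for person in roster:
        for track in required_tracks(person):
            entry = report[track]
            entry["required"] += 1
            result = status(completions, person.name, track, as_of, last_incident)
            if result == "current":
                entry["current"] += 1
            else:
                entry["gaps"].append((person.name, person.role, result))
    for entry in report.values():
        entry["coverage"] = entry["current"] / entry["required"] if entry["required"] else 1.0
    return report


# Constructed sample data: a small dealership-style roster.
ROSTER = [
    Person("Ana", "qualified_individual", True, True),
    Person("Ben", "finance_manager", True, False),
    Person("Cal", "sales", True, False),
    Person("Dee", "it_contractor", False, True),   # contractor still counts
    Person("Eli", "collections_clerk", True, False),
    Person("Fay", "lot_porter", False, False),     # no customer info, no tracks
    Person("Gus", "service_writer", True, False),
]
COMPLETIONS = [
    Completion("Ana", "awareness", "v4", date(2025, 3, 1)),
    Completion("Ana", "specialized", "v2", date(2025, 3, 1)),
    Completion("Ben", "awareness", "v3", date(2024, 1, 5)),    # superseded below
    Completion("Ben", "awareness", "v4", date(2025, 2, 10)),
    Completion("Cal", "awareness", "v3", date(2025, 3, 1)),    # stale version
    Completion("Dee", "awareness", "v4", date(2025, 4, 1)),    # no specialized record
    Completion("Eli", "awareness", "v4", date(2024, 9, 1)),    # older than a year
    Completion("Gus", "awareness", "v4", date(2025, 1, 20)),   # before the incident
]
AS_OF = date(2025, 9, 30)
LAST_INCIDENT = date(2025, 2, 1)   # constructed incident date

if __name__ == "__main__":
    for track, entry in coverage_report(ROSTER, COMPLETIONS, AS_OF, LAST_INCIDENT).items():
        print(f"{track}: {entry['current']}/{entry['required']} ({entry['coverage']:.0%})")
        for name, role, reason in entry["gaps"]:
            print(f"  gap: {name} ({role}): {reason}")
```

The ordering of checks in `status` is deliberate: a stale content version is reported before age, because redoing last year’s module does not close the gap the rule is concerned with. Swapping the constructed lists for an export from an LMS and an HR system gives the same coverage figure an assessor would ask for, with each gap tied to a person, a role, and a reason.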

How RansomLeak covers FTC Safeguards training


RansomLeak is built for scenario-based training that maps to the §314.4 safeguards rather than reciting regulation text at employees. The security awareness catalogue covers phishing, vishing, smishing, credential hygiene, and tech-support scams that hit financial institutions daily. The privacy and compliance catalogue covers data handling, incident response, and vendor oversight scenarios that speak to §314.4(f) and §314.4(h).

Our compliance mapping guide links each §314.4 subsection to the specific courses and exercises that address it. That document makes it straightforward to respond when an examiner or consent-order monitor asks how your program covers element (e) or element (h). For a baseline workforce program, the security awareness training guide covers cadence, format, and measurement.

Who enforces the Safeguards Rule?

The Federal Trade Commission enforces the Safeguards Rule for non-bank financial institutions under its jurisdiction. Banks and credit unions are covered by their prudential regulators under the parallel Interagency Guidelines, and SEC-registered broker-dealers and investment advisers by Regulation S-P. Some state regulators, notably NYDFS, enforce overlapping state rules.

When did the amended Safeguards Rule become enforceable?

Most provisions became enforceable on June 9, 2023, after the FTC pushed the original December 9, 2022 compliance date back by six months. The security event notification requirement at §314.5 was added by a later amendment and became effective May 13, 2024.

Does the Safeguards Rule apply to auto dealers?


Yes. Auto dealers that extend credit or arrange financing are financial institutions under the FTC’s definition. Dealers that operate on a pure cash basis without offering any form of credit may not be covered, but most modern dealerships trigger the rule.

What training does the Safeguards Rule require?

§314.4(e) requires security awareness training for personnel, updated as necessary to reflect risks identified by the risk assessment, and continuing specialized training for qualified information security personnel. Annual is a common baseline, but the “as necessary” language means more frequent updates when a new risk or an incident warrants them.

What are the penalties for non-compliance?

The FTC enforces under Section 5 of the FTC Act. The FTC generally cannot seek civil penalties for a first-time Safeguards Rule violation; the inflation-adjusted per-violation penalty ($51,744 for 2024) applies to violations of an existing FTC order. Consent orders typically impose twenty years of third-party assessments and specific remediation. State enforcement and class actions are additional exposure.

Who is the Qualified Individual?

A single individual designated under §314.4(a) to oversee, implement, and enforce the information security program. This person must report in writing to the board or equivalent governing body at least annually under §314.4(i). The role can be filled by an employee, an affiliate, or a service provider; if it is outsourced, the institution retains responsibility and must designate a senior employee to direct and oversee the outsourced individual.

Does the Safeguards Rule require MFA?

Yes. §314.4(c)(5) requires multi-factor authentication for any individual accessing any information system, subject to a narrow exception where the Qualified Individual has approved reasonably equivalent or more secure access controls in writing.

What is a security event under the new §314.5?

A notification event under §314.5 is the acquisition of unencrypted customer information without the authorization of the individuals it pertains to, where at least 500 consumers are involved. Information counts as unencrypted if the encryption key was accessed by an unauthorized person. Covered institutions must notify the FTC as soon as possible, and no later than 30 days after discovery. The amendment was finalized in October 2023 and became effective May 13, 2024.

How does the FTC Safeguards Rule differ from NYDFS Part 500?


The rules share significant DNA. NYDFS Part 500 is more prescriptive on CISO governance, MFA scope, and cybersecurity event reporting to the superintendent. Institutions subject to both often satisfy the federal rule automatically if they already satisfy New York. The opposite direction usually requires additional work.

The FTC Safeguards Rule is no longer a quiet GLBA implementation. The 2021 amendments, enforceable from June 2023 onward, added specific training, MFA, encryption, monitoring, incident response, and governance obligations. Training at §314.4(e) has two tracks: general awareness for all personnel and specialized training for qualified information security personnel.

Auto dealers, mortgage brokers, tax preparers, and other non-bank financial institutions that built informal compliance programs under the 2003 rule need to document and retrofit. Institutions that pass examiner scrutiny treat training as an element of an integrated §314.4 program rather than a standalone checkbox.

If your financial institution is rethinking Safeguards Rule training, explore the security awareness catalogue, review the compliance mapping guide, or book a walkthrough with our team.