Ask most accountants, auto dealers, or wealth advisors whether they run a "financial institution," and they'll say no. Under federal law, a lot of them are wrong — and the gap between what they think the rules require and what the rules actually require has become an enforcement problem. The FTC's Safeguards Rule, the security arm of the Gramm-Leach-Bliley Act (GLBA), applies to a much wider set of businesses than the name suggests, and the amended version is fully in force today.
This isn't a warning about a distant deadline. The core security requirements have been enforceable since June 9, 2023, and a breach-notification obligation was added on top of them in May 2024. If your firm touches customers' financial information, the question isn't whether the Rule applies — it's whether you can prove you're meeting it.
A quick note before we go further: this is general information, not legal advice. Whether the Rule covers your specific business is a legal determination, and we're happy to help you get a definitive read.
You might be a "financial institution" without knowing it
The Safeguards Rule defines "financial institution" by activity, not by signage. If your business is significantly engaged in an activity that's financial in nature — or incidental to one — you're likely covered, even if you'd never describe yourself as a bank. The FTC's own guidance lists roughly a dozen examples in 16 CFR 314.2(h). In plain English, that sweeps in:
- Accountants and tax preparation firms — explicitly named in the Rule.
- Auto dealers that arrange or facilitate financing or leasing.
- Mortgage brokers and lenders, finance companies, and payday lenders.
- Investment advisers that aren't required to register with the SEC.
- Collection agencies, check cashers, and wire transferors.
- Credit counselors and other financial advisors.
- "Finders" — businesses that bring buyers and sellers together — added in the 2021 amendments.
The common thread is customer financial data: Social Security numbers, bank and loan details, account histories, tax records. If you collect it to deliver a service, the Rule almost certainly reaches you. Many finance-adjacent professional services firms are covered and have simply never been told.
What the amended Rule actually requires
Section 314.4 lays out the substance of a compliant program. It isn't a checklist of products to buy — it's a set of nine elements the FTC expects you to build, document, and keep running:
- A written information security program (WISP) scaled to the size and sensitivity of your business. "Written" is the operative word — an undocumented program is treated as no program.
- A Qualified Individual designated to oversee it. This can be an employee or a qualified service provider, but accountability has to sit with a named person.
- A written risk assessment that inventories where customer data lives and identifies the threats to it — refreshed periodically and whenever your operations change materially.
- Multi-factor authentication for anyone accessing customer information, plus encryption of that data in transit and at rest.
- Access controls that limit who can reach customer data to those who genuinely need it.
- Continuous monitoring, or annual penetration testing paired with twice-yearly vulnerability assessments, to prove your safeguards actually work.
- Service provider oversight — selecting vendors that can protect the data you hand them, and holding them to it by contract.
- A written incident response plan that assigns roles and defines how you'll contain and recover from an event.
- Regular staff training and a periodic written report from the Qualified Individual to your board or senior leadership.
None of these are exotic. What trips firms up is the word "and" — the Rule wants all of them, working together, with evidence. Turning on MFA last week doesn't satisfy an examiner asking for a year of records.
The 2024 change that raised the stakes
The newest piece is a breach-notification requirement that took effect May 13, 2024. Under the amendment, a covered financial institution must notify the FTC as soon as possible, and no later than 30 days after discovery, of a security event involving the unencrypted customer information of at least 500 consumers. The FTC posts these notifications on a public database. The FTC's own guidance on the notification requirement spells out the mechanics.
Two details matter for planning. First, the trigger is unencrypted data — which is one more reason encryption isn't optional. Second, a 30-day clock means you need an incident response plan you've actually rehearsed. Discovering a breach and then improvising the reporting process is how a bad week becomes a public one.
Why this is a business risk, not just an IT chore
The FTC enforces the Safeguards Rule directly, and it has pursued non-bank financial institutions with consent orders that mandate outside assessments, multi-year oversight, and personal accountability for executives. But regulators are only part of the pressure. Cyber-insurance carriers now ask pointed questions about MFA, encryption, and your WISP at renewal — and thin answers mean higher premiums or denied coverage. Prime contractors, franchisors, and enterprise clients increasingly write these controls into their contracts, so a compliance gap can quietly cost you deals you never see fall through.
The honest framing: the Safeguards Rule sets a floor that most well-run SMBs should want to clear anyway. The firms that treat it as a genuine risk program — rather than a form to sign — end up more resilient, more insurable, and easier to do business with.
Where Torchsec fits
Compliance here is an engineering problem wearing a legal label. Torchsec closes the gap end to end. Our vCISO and compliance engineering team scopes whether the Rule applies to you, runs the risk assessment, and authors a WISP that maps to Section 314.4 line by line — then we serve as, or support, your Qualified Individual so accountability doesn't hang on a job you don't have time to do.
From there we implement and run the controls the Rule expects: MFA and identity hardening, encryption, access controls and allowlisting, a 24/7 SOC with managed detection and response and the Torchsec SIEM for the continuous monitoring you have to demonstrate, penetration testing, email security, awareness training, managed backup and BCDR, and vendor risk oversight. One team, one documented program, evidence you can hand to an examiner or an insurer.
If your firm handles customer financial data and you're not certain you'd pass an FTC review, that uncertainty is the finding. Torchsec builds and operates GLBA-compliant security programs for finance-adjacent SMBs across Ohio and beyond — get in touch for an honest read on where you stand.
Ready to talk?
If any of this sounds familiar, we'd be happy to walk your team through it. Book a no-obligation consultation or request a free risk assessment.

