
Most mortgage professionals have heard of the FTC Safeguards Rule. Far fewer can tell you what it actually requires of them, and fewer still can say with confidence that their organization is fully compliant. That gap is narrowing, and not in a comfortable way. The FTC has made clear that the days of treating the Safeguards Rule as a checkbox exercise are over.
The Safeguards Rule is the FTC’s implementation of Section 501(b) of the Gramm-Leach-Bliley Act, which requires financial institutions to protect the security and confidentiality of customer information. The rule was significantly updated in 2021 and became fully enforceable on June 9, 2023. Those updates added real teeth: specific technical requirements, mandatory breach reporting, and a broadened definition of who the rule actually covers.
If you originate, service, broker, or otherwise handle nonpublic personal financial information about consumers, you are almost certainly covered. The FTC’s definition of “financial institution” under GLBA is broad enough to capture mortgage lenders, mortgage brokers, account servicers, and a long list of other non-bank financial companies, regardless of size. The small business exemption applies only to firms with fewer than 5,000 customer records, and even those firms are required to maintain a written information security policy.
The rule specifies nine elements that a compliant information security program must include:
- First, a designated qualified individual responsible for overseeing the program. This does not have to be a full-time CISO, but it does have to be a real person with defined responsibility, and the status and performance of the program have to be reported to the board or senior management at least annually.
- Second, a written risk assessment that identifies reasonably foreseeable threats to customer information.
- Third, safeguards to control those risks, which the rule defines to include access controls, data inventory and classification, encryption of customer data both in transit and at rest, multi-factor authentication on any system that accesses customer information, and secure development practices for any in-house applications.
- Fourth, regular monitoring and testing of those safeguards. Absent effective continuous monitoring, this means penetration testing at least annually and vulnerability scanning at least every six months.
- Fifth, a security awareness training program for all personnel.
- Sixth, an incident response plan that is written, tested, and updated.
- Seventh, vendor oversight, meaning the lender bears responsibility for ensuring that service providers with access to customer data maintain appropriate safeguards.
- Eighth, a process for evaluating and adjusting the program based on changes in operations, risk, or the threat environment.
- Ninth, written policies and procedures that implement the program.
The breach notification requirement that took effect in 2024 added another layer of obligation. If a security event affects 500 or more customers, the covered institution must notify the FTC within 30 days of discovering it. This requirement applies regardless of whether the breach originated internally or at a vendor.
Penalties for non-compliance are not academic. The FTC can impose civil penalties of up to $46,517 per violation per day. For an organization running a deficient program across dozens of operational touchpoints, that number can reach financially catastrophic levels before a single enforcement action concludes.
The element that catches the most mortgage operations off guard is vendor oversight. The Safeguards Rule does not allow a lender to disclaim responsibility for a breach that originated at a third-party service provider. If that vendor had access to customer data, the lender had an obligation to ensure appropriate safeguards were in place and to require those safeguards by contract.
As I covered in a previous article in this series, the vendor chain in a typical mortgage transaction is long and the security posture across that chain is uneven at best. The Safeguards Rule closes the loophole that allowed organizations to treat a vendor breach as somebody else’s problem.
The firms that are genuinely compliant in 2026 built their programs with the updated requirements in mind rather than retrofitting a legacy policy to meet the new standards. The difference is visible in the details.
A compliant program has a named qualified individual, a current risk assessment, documented access controls, a tested incident response plan, and annual penetration test results on file.
A non-compliant program has a security policy that was written in 2019, last reviewed by someone who no longer works there, and lives in a shared drive that most of the staff doesn’t know exists.
The FTC has signaled through its enforcement actions that it is paying particular attention to smaller non-bank financial institutions that assumed the rule applied only to someone larger than them. It does not.
The rule applies to any organization significantly engaged in financial activities that handles consumer financial data. A three-person mortgage brokerage that processes a hundred loans a year is covered. The only question is whether the organization is ready for the day someone from the FTC decides to find out.
