Who enforces the Safeguards Rule?

The Federal Trade Commission (FTC) and, for certain institutions, federal banking agencies.

What industries are covered?

Banks, credit unions, mortgage lenders, insurers, securities firms, auto finance companies, and fintechs.

What was new in the 2021–2022 updates?

Requirements for risk assessments, encryption, multi-factor authentication, incident response plans, and board reporting.

What are the penalties for non-compliance?

Civil penalties, regulatory enforcement actions, costly remediation obligations, and reputational damage.

GLBA Safeguards Rule Compliance

United States

2003

Privacy

Cybersecurity

Overview

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, first issued in 2003 and significantly updated in 2021–2022, requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect customer data. Unlike the GLBA Privacy Rule, which governs data sharing, the Safeguards Rule focuses on the security and integrity of customer information against threats, unauthorized access, and misuse. The updates introduced more prescriptive cybersecurity requirements, including risk assessments, encryption, and incident response planning, reflecting the growing sophistication of cyber risks.

The rule applies to a broad set of financial institutions, including banks, credit unions, mortgage lenders, payday lenders, auto finance companies, securities firms, insurance companies, and fintechs. It is especially important for firms that collect or process large volumes of sensitive consumer data, as it establishes minimum security expectations and aligns with global cybersecurity and privacy trends.

Key Obligations

Establish a written information security program tailored to the institution’s size and complexity
Designate a qualified individual responsible for overseeing the security program
Conduct periodic risk assessments and implement safeguards to address identified risks
Encrypt customer data at rest and in transit

Develop and test incident response and breach notification procedures
Require service providers to implement appropriate security measures
Conduct regular training, monitoring, and auditing of safeguards

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

One Touch KYC

Simplify the Know Your Customer (KYC) process with AI and sophisticated fraud detection algorithms to provide a seamless, efficient, and highly secure user verification.

AML Screening

Comprehensive Anti-Money Laundering screening solutions to detect and prevent financial crimes through advanced monitoring and compliance tools.

Transaction Monitoring

Real-time transaction monitoring and analysis to identify suspicious activities and ensure regulatory compliance across all financial operations.