Most businesses that fall under the FTC Safeguards Rule don't know it applies to them.
When people hear "financial institution," they think of banks. But the FTC's definition is much broader. Under the Gramm-Leach-Bliley Act, a financial institution is any company that is "significantly engaged in providing financial products or services to consumers." That includes car dealerships, accounting firms, mortgage brokers, tax preparers, real estate settlement companies, and more.
If your business touches consumer financial data — credit applications, Social Security numbers, tax returns, bank account numbers — there's a good chance you're covered.
What Changed in 2023
The original Safeguards Rule, dating back to 2003, was intentionally vague. It told businesses to have "reasonable safeguards" but didn't specify what those safeguards needed to look like. That gave businesses flexibility, but it also meant many treated compliance as a policy document sitting in a drawer.
The updated rule, which took full effect in June 2023, changed that. The FTC added specific, measurable technical requirements:
- Encryption of customer information at rest and in transit
- Multi-factor authentication for anyone accessing customer data
- Access controls based on the principle of least privilege
- Continuous monitoring or annual penetration testing plus semi-annual vulnerability assessments
- A designated Qualified Individual responsible for the security program
- Written incident response plan with defined roles and procedures
- Employee security training that's ongoing, not one-time
- Vendor oversight — you're responsible for your service providers' security practices
This isn't a suggestion list. These are enforceable requirements, and the FTC has the authority to audit and penalize businesses that fall short.
Who's Actually Covered?
Here's where it gets specific. The FTC considers the following types of businesses to be financial institutions under the Safeguards Rule:
- Car dealerships — because they arrange financing, process credit applications, and handle income verification
- Accounting firms and CPAs — because they handle tax returns, financial statements, and personally identifiable financial data
- Mortgage lenders and brokers — because they originate and process consumer loans
- Tax preparers — because they collect and transmit sensitive taxpayer information
- Real estate settlement companies — because they handle closing funds and financial documents
- Credit counselors and debt collectors — because they manage consumer financial accounts
- Payday lenders and finance companies — because they extend consumer credit
If you're in one of these categories and operating in Mississippi, the rule applies to you regardless of your size. There's a narrow exemption for businesses that maintain customer information on fewer than 5,000 consumers, which reduces some documentation requirements — but the core security obligations still apply.
What the FTC Is Actually Looking For
The FTC has been clear about what triggers enforcement. In recent actions against car dealerships and financial service companies, the common failures include:
- No written information security program at all
- No risk assessment, or a risk assessment that was never updated
- Customer data stored unencrypted on shared drives or in email
- No multi-factor authentication on systems that access customer records
- No designated person responsible for the security program
- Employee access that was never reviewed or revoked after role changes
Penalties are steep. The FTC can impose fines of up to $50,120 per violation, and enforcement actions have resulted in consent orders lasting up to 20 years — requiring ongoing third-party security assessments and regular reporting to the FTC.
A Practical Starting Point
If you think the Safeguards Rule applies to your business but you haven't formally addressed it, here's a reasonable starting point:
1. Determine if you're covered. If your business collects, stores, or transmits consumer financial data — credit applications, SSNs, bank account numbers, tax returns — you're almost certainly a financial institution under the rule.
2. Designate a Qualified Individual. This can be an internal employee or an outside provider. The key is that someone specific is responsible for the security program — not "IT handles it" as a general concept.
3. Conduct a written risk assessment. Identify where customer data lives, how it's accessed, who has access, and what threats are reasonably foreseeable. Document everything.
4. Implement the required technical controls. Encryption, MFA, access controls, monitoring, and secure disposal aren't optional anymore. They're spelled out in the rule.
5. Build an ongoing program. Compliance under the Safeguards Rule isn't a one-time project. It requires continuous monitoring, periodic reviews, employee training, and annual risk assessment updates.
For a detailed breakdown of every requirement and how West Computers helps businesses meet them, see our FTC Safeguards Rule compliance page.
The Bottom Line
The FTC Safeguards Rule isn't new, but the teeth are. The 2023 amendments turned a general "be secure" obligation into a specific, auditable checklist. Businesses that haven't addressed it are carrying real regulatory risk — and the FTC's enforcement actions make clear they're paying attention.
If you're a car dealership, CPA, mortgage lender, tax preparer, or any other business handling consumer financial data in Mississippi, this applies to you. The sooner you build a compliant program, the sooner you eliminate the exposure.