Next named exclusive Trail Blazer in NEW 2024 Radicati DLP Market Quadrant Report Read the Report
Updated: Jun 6, 2024   |   Georgina Stockley

Non-Banking Financial Institutions Get New Data Breach Reporting Rules

Go back


  • The new FTC Safeguards Rule requires non-banking financial institutions to establish security programs to protect customer information.
  • The GLBA Safeguards Rule amendment mandates that financial institutions implement safeguards to protect consumer information.
  • 16 CFR Part 314 outlines the requirements for financial institutions to protect customer data.
  • The recent FTC amendment extends data protection requirements to non-banking financial entities.
  • Compliance with the amended Safeguards Rule is crucial for maintaining trust and protecting customer information.


16 CFR Part 314
16 CFR Part 314

What is the new FTC Safeguards Rule 2023 and how does it relate to 16 CFR Part 314?

The new FTC Safeguards Rule, also known as 16 CFR Part 314, is a regulation that applies to non-banking financial institutions such as mortgage brokers, motor vehicle dealers, and payday lenders. It requires these institutions to establish and maintain a comprehensive security program to protect the personal information of their customers. The program should include measures such as risk assessments, employee training, and the implementation of safeguards to prevent unauthorized access to customer information. By complying with this rule, these institutions can ensure the security and privacy of their customers' information.

The Federal Trade Commission (FTC) has updated the “16 CFR Part 314 Safeguards Rule” to mandate that non-banking financial entities, such as mortgage brokers and payday lenders, report breaches of data security impacting 500 or more consumers. This amendment requires these institutions to notify the FTC within 30 days of identifying unauthorized access to unencrypted customer information. This change underscores the urgent need for robust data protection strategies

Understanding the GLBA Safeguards Rule 2023 and its connection to 16 CFR Part 314

The GLBA Safeguards Rule 2023 refers to an amendment made by the Federal Trade Commission (FTC) to the Standards for Safeguarding Consumer Information (Safeguards Rule). The Safeguards Rule is a regulation that applies to financial institutions under the jurisdiction of the FTC, as mandated by the Gramm-Leach-Bliley Act (GLBA). The purpose of the Safeguards Rule is to ensure that financial institutions implement measures to protect the security and confidentiality of consumer information.

The amendment is outlined in 16 CFR Part 314, which provides specific guidelines and standards for compliance with the Safeguards Rule. Financial institutions subject to the GLBA must adhere to the Safeguards Rule and implement appropriate safeguards to protect consumer information from unauthorized access or use. The amendment to the Safeguards Rule reflects the evolving landscape of data security and aims to address emerging threats and vulnerabilities. Compliance with the Safeguards Rule is essential for financial institutions to maintain the trust and confidence of their customers and to protect sensitive consumer information from potential breaches or misuse.

As a data protection technology provider, we see this as a critical reminder of the responsibilities these institutions bear in safeguarding consumer information. The amendment highlights the importance of transparency and proactive security measures in today's digital landscape. It's a call to action for enhanced vigilance and protection against data security threats.

Exploring the details of 16 CFR Part 314 and its significance in data security

The Standards for Safeguarding Customer Information, established under the Gramm-Leach-Bliley Act (GLBA) and codified in 16 CFR Part 314, require financial institutions to implement a comprehensive information security program. This program must protect the security, confidentiality, and integrity of customer information, detailing administrative, technical, and physical safeguards tailored to the institution's size, complexity, and the nature of its activities. The rule aims to prevent unauthorized access to or use of customer data that could result in substantial harm or inconvenience to any customer.

What is the recent FTC Amendment to the Safeguards Rule? 

Non-banking financial entities were initially not included in the original Safeguards Rule due to the scope of the rule focusing on traditional banking institutions. The original rule was designed to apply to banks and similar institutions that were clearly defined under existing financial regulatory frameworks. As the financial ecosystem evolved, including the growth of digital finance and the emergence of diverse financial service providers, it became necessary to extend these protections to include non-banking financial entities to ensure comprehensive consumer data protection across all financial sectors.

The FTC's amendment to the Safeguards Rule requires non-banking financial institutions to implement more specific security measures to protect customer information. Non-banking financial institutions, in addition to mortgage brokers, motor vehicle dealers, and payday lenders, include a wide array of entities involved in offering financial services without holding a banking license. These can encompass credit unions, finance companies, insurance companies, investment banks, money service businesses, and peer-to-peer lenders. Each of these institutions plays a crucial role in providing access to financial services such as loans, financial advice, investment opportunities, and insurance products to consumers and businesses outside the traditional banking system.

Recognizing the importance of the recent FTC Amendment and its implications for 16 CFR Part 314

The amendment aims to enhance consumer data protection by ensuring timely notification of breaches, thus enabling better response to potential threats and losses. The amendment mandates periodic risk assessments, access controls, encryption, secure development practices, multi-factor authentication, disposal procedures for customer information, and response plans for security incidents. It's a significant move towards improving transparency and accountability in how financial data is safeguarded.

Implementing best practices for compliance with 16 CFR Part 314 and the Safeguards Rule

To comply with the FTC's amended Safeguards Rule, non-banking financial institutions should conduct regular risk assessments, implement access controls, ensure data encryption, adopt secure development practices, utilize multi-factor authentication, establish procedures for data disposal, and develop incident response plans. These measures aim to enhance the protection of consumer data against breaches. 

Role of Data Protection Services 

Data protection technology like the Reveal Platform can significantly aid institutions in meeting the FTC's amended Safeguards Rule by automating critical security processes. It helps in accurately identifying and securing sensitive customer information through encryption and robust access management. Real-time monitoring and anomaly detection systems can swiftly identify potential breaches, facilitating quicker responses. Furthermore, technologies like the Reveal Platform from Next DLP, can aid in developing comprehensive incident response strategies, ensuring that institutions can meet the 30-day breach notification requirement efficiently, thereby enhancing overall consumer data protection and compliance.

Implementing Safeguards for Customer Information

Financial institutions covered by 16 CFR Part 314 are tasked with implementing safeguards to protect customer information. These safeguards should not only be applied by the institutions themselves but also by their affiliates and service providers who handle customer data on their behalf.

The Safeguards Rule requires financial institutions to develop their own safeguards and ensure that their affiliates and service providers also have measures in place to protect customer information. This collaborative approach ensures a comprehensive and consistent level of security across all entities involved in handling customer data.

Taking immediate action to protect your customers' data in accordance with 16 CFR Part 314

In an era where data breaches are not just possible but increasingly common, it's imperative that your business not only complies with the FTC's Safeguards Rule but also champions the cause of data security. Review the comprehensive guidelines set forth by the FTC and assess your current data protection measures. Review the comprehensive guidelines set forth by the FTC, including 16 CFR Part 314, and assess your current data protection measures. 

Are you doing everything you can to safeguard customer information? Don't wait for a breach to occur. Proactively enhance your security protocols, implement a robust data protection strategy with Reveal, and ensure your practices are in full compliance with the updated Safeguards Rule. Protecting your customers' data isn't just a legal obligation—it's a critical component of maintaining trust and integrity in the digital age.

For more detailed information, you can read the full press release on the FTC's website.


What is the 16 CFR rule?

The 16 CFR rule refers to a set of regulations found in Title 16 of the Code of Federal Regulations. These regulations cover various commercial practices related to the Federal Trade Commission and the Consumer Product Safety Commission. They aim to ensure fair credit and protect consumers when it comes to U.S. goods and services.

What is Section 314.4 of the Safeguards rule?

Section 314.4 of the Safeguards Rule outlines the requirements for your response plan in the event of a security incident. It includes the internal processes your company will activate, as well as conducting a post mortem analysis to learn from the incident and revise your incident response plan and information security program accordingly.

What is the new FTC Safeguards Rule 2023?

The new FTC Safeguards Rule 2023 is a regulation that mandates non-banking financial institutions, like mortgage brokers and payday lenders, to establish and maintain a robust security program to protect their customers' information. This rule aims to ensure the safety and privacy of sensitive data in these industries.

What is the GLBA Safeguards Rule 2023?

The GLBA Safeguards Rule 2023 is an amendment to the FTC's Standards for Safeguarding Consumer Information. It is a regulation that applies to financial institutions under the jurisdiction of the FTC, as mandated by the Gramm-Leach-Bliley Act. The rule aims to ensure the protection of consumer information held by these institutions.


See how Next protects your employees and prevents data loss