Why the GLBA Safeguards Rule Applies to Your Non-Bank Business, and Where Your Liability Actually Lands

Why the GLBA Safeguards Rule Applies to Your Non-Bank Business, and Where Your Liability Actually Lands
TL;DR
  • The GLBA Safeguards Rule no longer just covers banks. After the FTC's 2021 revision, the rule reaches into law firms, accounting firms, mortgage brokers, auto dealers, debt collectors, real estate firms, and any business engaged in "financial activities" on behalf of consumers.

  • Most CEOs of non-bank firms assume the Safeguards Rule does not apply to them. The FTC has made clear, in writing and in enforcement, that this assumption is wrong, and the consequences of being wrong reach the CEO's desk.

  • The right question is not whether your firm is "really" a financial institution. The right question is whether your firm handles financial information about consumers in ways the FTC has named. If it does, your firm is on the hook for the same nine-element security program a community bank operates.

The FTC Letter That Surprised a Twelve-Person Tax Firm — And What It Means for Your Business

The FTC sent an inquiry letter to a small accounting practice in 2024. The firm employed twelve people, had no relationship with any bank, considered itself a tax-preparation business, and assumed, reasonably enough at the time, that financial-services regulation was something other people had to worry about. The letter explained that the FTC believed the firm was a covered financial institution under the Gramm-Leach-Bliley Act's Safeguards Rule, that the firm was therefore obligated to maintain a written information security program with nine specific elements, and that the FTC was inquiring whether such a program existed.

It did not.

The story The CEO of a non-bank business reads about GLBA enforcement, assumes it applies to commercial banks and credit unions, and turns the page. The 2021 FTC revision quietly broadened the rule's reach in ways most non-bank CEOs have never been briefed on, and the enforcement that has followed is not theoretical. It is operational, ongoing, and aimed at the exact category of business the rule's authors did not previously see as financial institutions.

Three categories of businesses, in particular, have been surprised to learn they are now squarely inside the Safeguards Rule's scope.

 

Which Businesses Are Actually Covered by the Safeguards Rule in 2026

The term means more than it used to. The Gramm-Leach-Bliley Act in 1999 defined a financial institution as any business engaged in financial activities. The FTC's revised Safeguards Rule, which took final effect in mid-2023, expanded the working definition by clarifying through enforcement, through guidance, and through specific industry examples that "financial activities" includes activities most people associate with non-bank professional services.

The list of covered businesses is not exhaustive, but it is concrete. Mortgage brokers and lenders are covered. Auto dealers extending financing or leasing to consumers are covered. Tax preparation firms handling consumer financial information are covered. Real estate firms that finance, broker, or arrange consumer credit are covered. Debt collectors are covered. Credit reporting agencies are covered. Investment advisors below the SEC threshold are covered. Payday lenders, consumer loan finders, and check cashers are covered. Law firms that perform escrow, hold client funds, or arrange consumer financing are increasingly being treated as covered, depending on the activity profile.

The CEO test is not whether your business sees itself as a financial institution. The CEO test is whether your business engages in any of the activities the FTC has named, directly or as a substantial line of service to your consumer clients. If it does, the rule applies.

 

The Nine Elements the Safeguards Rule Requires — No Exceptions

The Safeguards Rule does not give a covered firm flexibility on what its security program must contain. It specifies. A covered firm must designate a qualified individual responsible for the information security program. The firm must perform a written risk assessment that identifies reasonably foreseeable internal and external risks to consumer information. The firm must implement and document specific safeguards, including access controls, encryption of consumer information in transit and at rest, multi-factor authentication on systems containing consumer information, secure disposal practices, change management procedures, and monitoring of authorized user activity.

The firm must oversee its service providers, since vendor risk management is no longer optional. The firm must train its workforce. The firm must regularly evaluate the program. And the firm must produce annual written reports to its governing body, which means the board of directors, the managing partner, or the CEO and the executive team where no formal board exists.

That last element is the one most non-bank CEOs are not prepared for, and it is the one the FTC has flagged most consistently. The rule expects the CEO or the equivalent governing body to be receiving, reviewing, and acting on a written annual report describing the security program, the risks identified, the controls implemented, and the incidents detected. If your firm does not produce such a report, your firm is not in compliance, regardless of how good its IT controls are.

 

Why "We're Too Small for the FTC to Bother With" Has Become an Expensive Assumption

Most non-bank CEOs eventually hear some version of this argument from inside their own organization: we are too small for the FTC to bother with, the rule was meant for the big institutions, and the cost of a full Safeguards program is disproportionate to our risk.

That is a false choice, and the FTC's enforcement record over the last several years has made it an expensive one to keep believing in. The FTC has explicitly reframed its enforcement program around the Safeguards Rule to target small and mid-sized covered firms, exactly the firms whose CEOs assumed the rule was not aimed at them. Civil penalties for Safeguards Rule violations can reach significant amounts per violation. Consent decrees commonly require twenty years of FTC monitoring, biennial third-party audits, and quarterly board reporting at the firm's expense. The firms that have signed those decrees did not believe the rule applied to them either, until the day it did.

The right framing is not whether your firm can afford to operate a full Safeguards program. It is whether your firm can afford the cost of operating one under FTC monitoring rather than on your own terms. The first option is a budgeted operating expense. The second option is a multi-year corrective-action plan, and the cost differential is rarely close.

 

The Sequence a Non-Bank CEO Should Walk Through Right Now

A non-bank CEO who has just learned the rule applies has a defined sequence to walk through.

Designate a qualified individual in writing, as a named role with documented responsibility for the security program. Commission a written risk assessment that covers consumer financial information specifically, scoped to the systems and processes your firm uses to handle it. Inventory the systems where consumer financial information lives, including those run by service providers. Implement multi-factor authentication, encryption, and access controls on those systems, with documentation of what is enforced and what is not. Update your service-provider contracts to require equivalent safeguards downstream. Train your team. Establish an annual written report to your governing body. Document the program. And, most often missed, schedule the next year's evaluation now, on the calendar, with a named owner.

Five Nines goes through this exact sequence with our partners outside traditional banking. The firms that finish it find that the Safeguards Rule program becomes part of the operating discipline, not a parallel track that competes with the work. The firms that do not finish it find that the Safeguards Rule program eventually becomes part of an FTC consent decree, and the operating discipline is no longer theirs to define.

 

Finish the Program on Your Own Terms Before the FTC Sets Them

The FTC sent its letter to a twelve-person tax firm because the rule applied to that firm, and the rule's authors do not see size as a reason it should not. The firms that finish their Safeguards programs on their own terms will find the cost defensible. The firms that wait will eventually finish them under monitoring, on someone else's terms, and the cost will not be defensible at all.

If your firm has not formally evaluated whether the Safeguards Rule applies, and if applicable, designated a qualified individual and commissioned a written risk assessment, that is the conversation worth having now, before an inquiry letter forces it.

Five Nines Technology Group is a Tech-Operations partner for professional services, banking, and consumer-financial firms. Translating regulatory and operational frameworks into operating discipline is where our team focuses.

Frequently asked questions

Does the Safeguards Rule apply to a law firm?

It depends on the firm's activities. A firm that performs only legal services and never holds client funds, never handles consumer financial information directly, and does not engage in financial-activity-adjacent work is generally not covered. A firm that handles escrow, manages client trust accounts, services financial-institution clients with access to their consumer data, or arranges financing as part of representation is increasingly being treated as covered. The activities matter, not the firm's self-identification.

Does the Safeguards Rule apply to an accounting firm?

A tax preparation firm handling consumer financial information almost certainly is covered. Other accounting and assurance work may or may not be, depending on the consumer-facing activities. The FTC has named tax preparers explicitly. Other CPA work has to be evaluated on the activity profile.

Does the Safeguards Rule apply to an auto dealer?

If the dealership extends or arranges financing for consumers, including leases, retail installment contracts, and insurance products tied to vehicle purchase, the dealership is covered. The FTC has been explicit on auto dealers and has issued specific guidance.

Is there a small-business exemption?

Yes, with significant caveats. Firms maintaining information on fewer than 5,000 consumers may be exempt from a small number of specific requirements, but the core obligations of the rule still apply. CEOs should not rely on size alone as a reason the rule does not apply.

What's the worst that could happen?

Civil penalties per violation, FTC consent decrees with multi-year monitoring, mandated third-party audits at firm expense, public disclosure of the violation, reputational damage among clients, and the operational disruption of negotiating and executing a corrective-action plan under regulatory deadline. Cyber insurance carriers also factor consent decrees into renewal pricing, often dramatically.

How does the Safeguards Rule interact with state laws?

State laws (particularly New York's DFS Cybersecurity Regulation, California's CCPA, and Massachusetts' 201 CMR 17) overlap and in some cases impose stricter requirements. Compliance with the Safeguards Rule does not automatically satisfy state requirements. The CEO's posture should be to identify the strictest applicable standard and meet it.

Can my Tech-Operations partner run the Safeguards program for me?

A managed services partner can perform almost all of the operational work and produce the documentation. The "qualified individual" designation must be a named accountability, typically inside your firm, though regulators have allowed external designations in specific circumstances. The annual report to your governing body remains the CEO's responsibility, regardless of who drafts it.

Related Blog Posts

Why Third-Party Vendor Risk Is a CFO Line Item, Not Just an IT One

Why Third-Party Vendor Risk Is a CFO Line Item, Not Just an IT One

Why the 2023 Interagency Guidance Made Vendor Risk a CFO Responsibility A community bank CFO walking into vendor risk discussions traditionally...

Read More
Why

Why "We Have a Firewall" Is No Longer a Sufficient FFIEC Answer, and What Regulators Expect Instead

Why Single-Control Answers No Longer Satisfy the FFIEC Examiner A community bank CEO walking into the next FFIEC exam interview will be asked, in...

Read More
Why Community Banks Keep Failing the Same FFIEC IT Exam Findings Year After Year

Why Community Banks Keep Failing the Same FFIEC IT Exam Findings Year After Year

Why the Same Findings Keep Appearing Every Exam Cycle A community bank CEO walking into the next FFIEC IT exam often sees a familiar list of likely...

Read More