NOC LIVE · 24/7/365 ⬢ MICROSOFT PARTNER · MPN 3318934 📍 NASHVILLE TN · NATIONWIDE SERVICE ⚡ EST. 2003 · 23+ YEARS
Compliance

FTC Safeguards Rule: No More Grace Period.

The updated FTC Safeguards Rule has been enforceable since June 2023. Most Tennessee businesses it covers still have no idea it applies to them — until an auditor, an acquiring bank, or a breach makes it their problem.

By James Hackford · May 20, 2026 · 7 min read
The Short Version

The FTC Safeguards Rule requires any business that handles consumer financial information to maintain a formal written information security program. It is not just for banks — it covers auto dealers, accountants, tax preparers, mortgage brokers, payday lenders, and many more. Required: a designated qualified individual, written risk assessment, access controls, encryption, MFA, vendor oversight, employee training, and an incident response plan. Most businesses we audit have 5-8 gaps.

01 Who this actually applies to

When people hear "FTC Safeguards Rule," they assume it is a banking regulation. It is not. It applies to any business the FTC classifies as a "financial institution" — and that definition is far broader than most owners expect.

In Tennessee, the businesses we most often see caught off guard include:

  • Auto dealers — because you arrange financing, you are covered
  • Accountants and tax preparers — you handle consumer financial data
  • Mortgage brokers and lenders
  • Real estate settlement firms
  • Finance companies, payday lenders, and check cashers
  • Any business that extends credit or arranges financing for consumers

If you collect a Social Security number, bank account, or income information to make a financing decision, assume you are in scope until a qualified advisor tells you otherwise.

02 What compliance actually requires

The Rule (16 CFR Part 314) requires a written information security program built on nine required elements. Several of those elements bundle more than one control, so the practical checklist is longer than nine lines. In plain English:

  • A designated Qualified Individual responsible for the program (can be an employee or outsourced to an MSP or other service provider, but you remain responsible for compliance and must name a senior staff member to oversee that provider)
  • A written risk assessment — documented, not just "we think we are fine"
  • Access controls — least privilege, who can see what, reviewed periodically
  • Encryption of customer data at rest and in transit over external networks
  • Multi-factor authentication for anyone accessing any information system, not only the systems that hold customer data (the Qualified Individual may approve a reasonably equivalent compensating control in writing)
  • Secure disposal of customer information you no longer need, no later than two years after its last use unless you have a legitimate business or legal reason to keep it
  • Change management procedures
  • Logging and monitoring of authorized user activity, plus detection of unauthorized access or use
  • Regular testing of your safeguards: continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months
  • Security awareness training for staff, and security updates for the people running the program
  • A written incident response plan
  • Vendor oversight — select service providers capable of protecting the data, require safeguards in the contract, and reassess them periodically
  • Periodic evaluation and adjustment of the program as your risks, systems, and staff change
  • Annual written reporting by the Qualified Individual to your board or governing body

One caveat worth knowing before you scope the work: a business that maintains customer information on fewer than 5,000 consumers is exempt from the written risk assessment, the continuous-monitoring/penetration-testing requirement, the written incident response plan, and the annual board report. Every other control above still applies.

03 The gaps we find most often

When we run a Safeguards Rule gap assessment for a Tennessee business, the same problems show up over and over:

No documented risk assessment. No designated Qualified Individual on paper. MFA missing on at least one system that touches customer data. No formal vendor due diligence. No written incident response plan. And critically — no documentation proving any of the controls that do exist.

That last point matters most. The penalty when something goes wrong is rarely just the breach. It is that you could not show the auditor the program you were required to maintain.

04 What to do this quarter

You do not need to panic, but you do need to start. The practical sequence:

  • Confirm whether you are in scope (most businesses arranging consumer financing are)
  • Designate a Qualified Individual — internal or via your MSP
  • Run a documented risk assessment, then map your existing controls against the nine required elements to find the gaps
  • Close the obvious gaps: MFA, encryption, access controls
  • Write the incident response plan and vendor oversight policy
  • Keep the documentation — that is what proves compliance

We do this for dealers, accounting firms, and finance businesses across Tennessee. If you want a one-page checklist of the controls to verify, that is a free starting point — no engagement required.

Get the free Safeguards Rule checklist

23+ years, 700+ certifications, Microsoft Partner. Real engineers who answer the phone.

Get in Touch 615-274-9555