Back to Blog
Compliance

FTC Safeguards Rule for MSPs: A Practical Compliance Guide for Financial Services Clients

The updated FTC Safeguards Rule covers 13 categories of non-bank financial institutions — auto dealers, mortgage brokers, tax preparers, financial advisors, and more. Here's what MSPs need to know about the nine required program elements and how to deliver Safeguards compliance as a recurring service.

BC
Brett Coffin
Updated July 20267 min read

FTC Safeguards Rule for MSPs: A Practical Compliance Guide for Financial Services Clients

TLDR: The FTC Safeguards Rule — updated in 2023 and now actively enforced — covers 13 categories of non-bank financial institutions: auto dealers, mortgage brokers, tax preparers, financial advisors, insurance agencies, and more. Most are SMBs with no in-house compliance function. The Rule mandates nine specific elements of an information security program, plus a 30-day breach notification obligation that took effect May 2024. For MSPs, this is an underserved compliance market where your existing managed security services map directly to mandatory federal requirements.


If you manage IT for an auto dealer, mortgage broker, tax preparer, or independent financial advisor, there's a federal compliance framework that applies to them — and most of them have never heard of it.

The Gramm-Leach-Bliley Act (GLBA) has required financial institutions to protect customer financial information since 2000. The FTC's Safeguards Rule implements those requirements for non-bank financial institutions under FTC jurisdiction. But the 2023 update transformed the Safeguards Rule from a vague "design a security program" mandate into a specific, detailed framework with nine required program elements — closer in prescriptiveness to HIPAA than to its earlier self.

If your client roster includes any business that handles personal financial information — and it almost certainly does — the FTC Safeguards Rule applies to them. Understanding what it requires is how you turn that compliance gap into a recurring service line.

Who Is Covered: 13 Categories of Non-Bank Financial Institutions

The FTC Safeguards Rule applies to financial institutions subject to FTC jurisdiction under GLBA — which covers a broader universe than most MSPs realize. The FTC explicitly identifies covered entities including (FTC Safeguards Rule: What Your Business Needs to Know):

  • Mortgage lenders and mortgage brokers
  • Auto dealerships (when they arrange financing)
  • Payday lenders and finance companies
  • Account servicers and check cashers
  • Wire transfer services
  • Collection agencies
  • Credit counselors and other financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors not required to register with the SEC

The defining question isn't what the business calls itself — it's what the business does. Any company that significantly engages in providing financial products or services to consumers, or handles personal financial information, is a covered financial institution under GLBA.

What that means practically: the auto dealer that arranges financing is covered. The CPA firm that prepares individual and business tax returns is covered. The independent insurance agency placing coverage for small businesses is covered. The mortgage brokerage your client runs is covered.

Most of these are SMBs. Most of them use an MSP for IT. Most of them have never completed a formal security assessment under the Safeguards Rule. That's the opportunity.

What Changed in 2023–2024: The Enhanced Requirements

The original Safeguards Rule from 2003 was broadly written — it required covered entities to "develop, implement, and maintain" a security program, but provided little specificity about what that meant. The 2021–2023 overhaul changed that completely.

June 9, 2023: Enhanced Safeguards Rule requirements took effect, replacing vague obligations with nine specific program elements. The rule now looks more like a prescriptive compliance standard than a principles-based guideline.

May 13, 2024: A new breach notification requirement became effective ([FTC: Safeguards Rule Notification Requirement Now in Effect](https://www.ftc.gov/business-guidance/blog/2024/05/safeguards-rule-notification-requirement-now-effect)). Covered entities experiencing a security event involving the unencrypted information of 500 or more customers must notify the FTC within 30 days of discovery. The FTC posts these notices publicly on its website.

For MSPs, the 2024 breach notification requirement changed the calculus significantly. A covered client who has a breach without a proper incident response plan — or without an MSP who built one — now faces both FTC notification exposure and public reputational damage. That's a compelling reason to take the Safeguards Rule seriously before an incident occurs, not after.

The Nine Required Elements of a Security Program

The updated rule specifies exactly what a compliant information security program must contain (FTC Safeguards Rule Guidance). For MSPs, this list reads like a managed security services scope of work:

1. Designate a Qualified Individual. A named person responsible for overseeing the information security program. For most SMBs, this role falls to whoever their MSP designates — or to the MSP itself under a vCISO arrangement.

2. Conduct Risk Assessments. An initial risk assessment, updated periodically, that identifies reasonably foreseeable internal and external risks to customer information and evaluates current safeguards.

3. Implement Safeguards Based on Risk. Access controls, physical security, encryption of customer information at rest and in transit, and regular testing of safeguard effectiveness.

4. Know Your Data. A data inventory — where customer information is collected, stored, transmitted, and disposed of. Most SMBs have no idea what's in scope.

5. Implement Multi-Factor Authentication (MFA). Required for every individual accessing any information system containing customer data. This is mandatory, not optional.

6. Train Personnel. Documented security training for all employees with access to customer information, plus procedures to ensure staff can execute the program.

7. Oversee Service Providers. Written contracts with third-party service providers requiring appropriate safeguards — including the client's other vendors, and arguably the MSP itself.

8. Develop an Incident Response Plan. A written plan for responding to security events, including detection, containment, FTC notification procedures, and recovery.

9. Board-Level Reporting. The Qualified Individual must provide a written annual report to the board of directors (or equivalent governing body) on the status of the information security program.

Every one of these nine elements requires documentation, a deployed technical control, or ongoing operational evidence. All of them are natural extensions of managed security services that MSPs already deliver.

What This Means in Practice: The Technical Controls

The nine elements translate into concrete technical work MSPs know how to deliver:

MFA everywhere. Element five is unambiguous — MFA is required on every information system with customer data. For most SMB clients, that means MFA on email, accounting software, CRM, file storage, and remote access. Audit it, document it, and report gaps against the Rule.

Encryption at rest and in transit. Customer financial data must be encrypted wherever it lives — on endpoints, in file shares, in databases, in transit across networks. Full-disk encryption, email encryption, and TLS for web-facing applications all come into scope.

Access controls and periodic review. Who has access to systems containing customer information? Are permissions least-privilege? Is access promptly revoked when employees leave? These require both technical controls and documented periodic reviews.

Vulnerability management and testing. The rule requires regular testing of safeguard effectiveness — typically annual penetration testing and continuous vulnerability scanning.

Written incident response plan. A documented, tested plan covering detection, containment, FTC notification (30 days for events affecting 500+ customers), and recovery. See our [MSP security assessment guide](/msp-security-assessment) for building an incident response practice.

Vendor oversight. Written contracts with every third-party service provider, plus a process for assessing their security posture. Our [vendor risk management guide](/vendor-risk-management-for-msps) covers a practical approach MSPs can deliver and charge for.

How to Package Safeguards Compliance as an MSP Service

FTC Safeguards compliance maps naturally to a three-phase service structure that converts to recurring revenue:

Phase 1 — Safeguards Gap Assessment ($1,500–$3,000 one-time)

  • Identify covered entity status and scope customer data inventory
  • Assess current state against all nine program elements
  • Document or designate the Qualified Individual role
  • Prioritized remediation roadmap with effort estimates

Phase 2 — Remediation Projects (project-based)

  • MFA deployment across all in-scope systems
  • Encryption configuration for storage and transmission
  • Incident response plan development and tabletop exercise
  • Vendor risk questionnaire program and written contracts
  • Personnel security training completion and documentation

Phase 3 — Ongoing Safeguards Monitoring ($400–$1,200/month)

  • Annual risk assessment update
  • Quarterly evidence collection (access review, MFA status, patch status)
  • Annual program report to the board — delivered as a white-label PDF under your brand
  • Breach notification readiness verification — documentation current, 30-day process confirmed
  • Annual vendor reassessment cycle

At $700/month across 15 financial services clients, that's $126,000/year in Safeguards-specific recurring compliance revenue. See our compliance services guide for packaging templates and pricing across all five compliance service tiers.

Where Safeguards Overlaps With Your Existing Stack

HIPAA + Safeguards: A CPA firm that also manages employee health plan records faces both HIPAA and Safeguards obligations. The control work overlaps significantly — access controls, encryption, incident response, vendor oversight. One evidence pipeline, two compliance deliverables, premium pricing for both.

SOC 2 + Safeguards: Financial services companies seeking SOC 2 Type 2 certification (common for fintech and lending platforms) will find the Safeguards elements largely covered by Trust Services Criteria. The Safeguards assessment becomes the internal baseline; SOC 2 becomes the external attestation.

Cyber insurance + Safeguards: Nearly every control that cyber insurance carriers require for renewal — MFA, EDR, vulnerability scanning, incident response documentation — is also required under the Safeguards Rule. A Safeguards readiness assessment produces evidence that directly feeds the carrier renewal application. See our [cyber insurance compliance guide](/blog/msp-guide-cyber-insurance-compliance-2026) for the controls overlap.

NIST CSF 2.0 + Safeguards: The Safeguards program elements map neatly to the NIST CSF Govern, Identify, Protect, Detect, and Respond functions. If you're already delivering NIST CSF assessments, Safeguards is an extension, not a new framework.

For clients subject to multiple frameworks, a single MSP security assessment surfaces gaps across all of them simultaneously — and the remediation work satisfies multiple compliance obligations at once.

Getting Started This Week

1. **Audit your client list for covered entities.** Any client that arranges financing, manages personal financial data, or prepares tax returns is likely covered. If they call themselves a financial services company of any kind, assume yes and verify.

2. **Lead with the breach notification requirement.** Most clients have never heard of the 30-day FTC notification obligation that became effective May 2024. "You're required to notify the FTC within 30 days of a breach affecting 500 or more customers — and that notice is public" lands very differently than a generic compliance pitch.

3. **Start with a gap assessment.** The nine program elements give you a clear checklist. Most covered SMBs will have gaps on MFA completeness, written incident response plans, board reporting, and vendor contracts. That's four immediate remediation conversations.

4. **Check your own MSP contracts.** The Safeguards Rule requires covered clients to have written agreements with their service providers — including their MSP. If your standard agreements don't include appropriate security provisions, your clients are technically out of compliance on element seven. Updating your contracts is the first deliverable you deliver to yourself.

FTC Safeguards compliance is an underserved market sitting inside your existing client portfolio. The financial services clients are already there — they just need an MSP willing to take the compliance work off their plate.


*Ready to run FTC Safeguards assessments across your financial services clients? Start free with Nuronus — assess clients against all seven compliance frameworks, generate white-label audit-ready reports, and manage vendor risk from one multi-tenant dashboard. Free for 2 clients, no credit card required. Or see the full MSP compliance services guide to package and price this as a recurring service line.*

Ready to Add Compliance Services to Your MSP?

Free forever for 2 clients. All features included. No credit card required.

Get Started Free
BC

Brett Coffin

Founder, Nuronus

20+ years in IT infrastructure and security. Built Nuronus after watching MSPs leave compliance revenue on the table because the tooling made it impossible to deliver profitably.