Safeguards Rule Resource Center
The Gramm-Leach-Bliley Act (GLBA) requires that covered financial institutions, including debt collectors, protect the security of their customers’ financial information. In 2021, the Federal Trade Commission made the first major changes to these requirements in almost 20 years and gave companies one year to comply with the Standards for Safeguarding Customer Information—the Safeguards rule.
The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program by June 9, 2023. (This is an extension from the previous deadline of Dec. 9, 2022, which was achieved thanks in part to ACA’s advocacy on the issue.)
Read the text of the amended rule as well as articles breaking down compliance with the rule, review the comprehensive ACA SearchPoint document on the Safeguards Rule, listen to related recordings of ACA’s members-only ACA Huddle® and more.
Safeguards Rule Compliance Countdown
06/09/2023
Safeguards Webinar Recordings
ACA How: Safeguards Rule What?
TPx and ACA will distill the Safeguards rule of GLBA to simple terms and answer what an organization needs to do and by when.
ACA How: Owning Your Security Program
At a high level, every ACA member needs an overarching security program that is documented and governed.
ISO: How TPx Can Help
There are strategic, tactical, and technical aspects of being defensible to the Safeguards rule of GLBA. During this session, TPx will go over how we can help so ACA members can focus on their business.
Blogs From TPx

- Testing the Waters
- Report: Cyber Vulnerabilities Skyrocket 589%
- Are You Overseeing Your Third-Party Vendors?
- How to Prioritize Your Cybersecurity Investments
- Have You Implemented Multifactor Authentication Yet?
- A Helping Hand
- How Is Your Incident Response Plan?
- Too Small to Fail?
- How to Devise a Plan for Defensibility
- Is Time On Your Side?
- Addressing the FTC Safeguards Rule – One Requirement at a Time
- The Importance of Cybersecurity Awareness Training
- Where Does Your Company Fit In?
- 70% of Financial Institutions Lost Over $500K to Fraud in 2022
- Where to Find Cybersecurity Experts?
- Safeguards Rule Compliance Countdown: Are You Ready?
- Helping You Become Cyber Secure
What to Know
Under the Gramm-Leach-Bliley Act (GLBA), a debt collector must comply with the Safeguards Rule, which requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
The Safeguards Rule took effect Jan. 10, 2021, and its requirements will apply beginning June 9, 2023.
The final Safeguards Rule contains five main modifications to the existing rule:
- It adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication and encryption.
- It adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.
- It exempts financial institutions that collect less customer information from certain requirements.
- It expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the rule.
- The final rule defines several terms and provides related examples in the rule itself in one place rather than incorporating them from the Privacy of Consumer Financial Information Rule.
Helpful Links
Text of the Safeguards Rule
The Safeguards Rule as published in the Code of Federal Regulations.
FTC Safeguards Rule: What Your Business Needs to Know
Small entity compliance guide from the FTC.
CFPB Circular on the Safeguards Rule
The CFPB issued a circular stating that financial services companies with insufficient data protection or information security violate the prohibition on unfair acts or practices in the CFPA, and provides examples.
NIST Cybersecurity Framework
Debt collection agencies can use the NIST Cybersecurity Framework’s standards and best practices to help them comply with the Safeguards Rule.
ACA Resources
ACA Daily Articles About the Safeguards Rule
Read coverage of news and compliance information in these ACA Daily articles.
ACA SearchPoint
Members can read ACA SearchPoint document #2255, which was recently updated to reflect the CFPB’s compliance guidance on the Safeguards Rule.
ACA Huddle® Recording
Members-Only Resource
Best Practices for FTC Safeguards Rule Compliance
Leslie Bender, CCCO, and Kim Phan lead this ACA Huddle on the Safeguards Rule. Learn more about what your company should be doing to develop and implement an information security program that complies with the rule. Members can view a PowerPoint presentation from the Huddle here.
ACA How: Safeguards Rule Implementation
Friday, December 09, 2022 - Friday, July 14, 2023
Central Standard Time
ACA has partnered with TPx Communications for a webinar series to help you comply with the Safeguards Rule. It will run throughout October and into December.
ACA Advocacy
ACA filed extensive comments on the Safeguards Rule discussing potential compliance burdens for ACA members. Most recently, ACA International and other industry trade groups submitted a letter to the FTC requesting a deadline extension from Dec. 9, 2022, to Dec. 9, 2023.
On Nov. 15, 2022, the FTC announced it is extending the deadline for companies to comply with some of the changes in the Safeguards Rule by six months to June 9, 2023.
Read more in this ACA Daily article.
Access all of ACA’s letters and comments to regulators on our Policymakers website: