FTC Safeguards Rule

United States

25 domains

29 controls

FTC Safeguards Rule (16 CFR Part 314, revised effective 9 Jun 2023, breach notification effective 13 May 2024).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (25)

Applicability

2 controls

Controls in the Applicability domain of FTC Safeguards Rule — 2 controls
Code	Title	Description
SR-314.2-CI	Customer information definition	Customer information means any record containing nonpublic personal information about a customer of a financial institut...
SR-314.2-FI	Financial institution scoping	Confirm scope by reference to the definition of financial institution which incorporates entities significantly engaged...

Application security

1 controls

Controls in the Application security domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-4	Secure development practices	Adopt secure development practices for in-house developed applications used to transmit, access, or store customer infor...

Asset management

1 controls

Controls in the Asset management domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-2	Inventory of data, personnel, devices, systems, and facilities	Identify and manage the data, personnel, devices, systems, and facilities that enable the achievement of business purpos...

Assurance

2 controls

Controls in the Assurance domain of FTC Safeguards Rule — 2 controls
Code	Title	Description
SR-314.4-d-1	Regular testing or monitoring effectiveness	Regularly test or otherwise monitor the effectiveness of safeguards' key controls, systems, and procedures, including th...
SR-314.4-d-2	Penetration testing and vulnerability assessment	For systems supporting customer information, either implement continuous monitoring or other systems to detect on an ong...

Authentication

1 controls

Controls in the Authentication domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-5	Multi-factor authentication	Implement multi-factor authentication for any individual accessing any information system, unless the Qualified Individu...

Breach notification

1 controls

Controls in the Breach notification domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-j	Notification of security event to FTC	Notify the FTC as soon as possible, and no later than 30 days after discovery of a notification event involving the info...

Cross-regulatory alignment

2 controls

Controls in the Cross-regulatory alignment domain of FTC Safeguards Rule — 2 controls
Code	Title	Description
SR-INT-STATE	Interaction with state breach notification and sectoral laws	Comply with FTC Safeguards Rule alongside applicable state breach notification statutes, state data security laws such a...
SR-PRIV-NOTICE	Relationship with Privacy Rule (16 CFR Part 313)	While 16 CFR Part 313 (the Privacy Rule for non-bank financial institutions) was largely transferred to the CFPB as Regu...

Cryptographic protection

1 controls

Controls in the Cryptographic protection domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-3	Encryption of customer information	Protect by encryption all customer information held or transmitted both in transit over external networks and at rest. T...

Data lifecycle

1 controls

Controls in the Data lifecycle domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-6	Secure disposal of customer information	Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than...

Documentation

1 controls

Controls in the Documentation domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-DOC-EVIDENCE	Records and evidence retention	Although the rule does not prescribe a specific retention period, maintain sufficient records to demonstrate ongoing com...

Governance

1 controls

Controls in the Governance domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-a	Designation of Qualified Individual	Designate a Qualified Individual responsible for overseeing, implementing, and enforcing the information security progra...

Governance reporting

1 controls

Controls in the Governance reporting domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-i	Annual report to governing body	Require the Qualified Individual to report in writing, regularly and at least annually, to your board of directors or eq...

Human resources

1 controls

Controls in the Human resources domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-e	Personnel training and qualification	Implement policies and procedures to ensure that personnel are able to enact your information security program by provid...

Implementation

1 controls

Controls in the Implementation domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.5	Effective date and implementation	This part is effective 09 Jan 2022. The provisions of paragraphs (a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (...

Incident response

1 controls

Controls in the Incident response domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-h	Written incident response plan	Establish a written incident response plan designed to promptly respond to, and recover from, any security event materia...

Monitoring

1 controls

Controls in the Monitoring domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-8	Monitoring and logging of authorized user activity	Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect una...

Operational security

1 controls

Controls in the Operational security domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-7	Change management	Adopt procedures for change management to evaluate and manage changes to information systems that affect the security of...

Program lifecycle

1 controls

Controls in the Program lifecycle domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-g	Evaluation and adjustment of program	Evaluate and adjust your information security program in light of the results of testing and monitoring; any material ch...

Program scope and objective

1 controls

Controls in the Program scope and objective domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.3	Standards for safeguarding customer information	Develop, implement, and maintain a comprehensive written information security program containing administrative, technic...

Regulatory enforcement

1 controls

Controls in the Regulatory enforcement domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-ENF	Enforcement and penalties	Violations of the Safeguards Rule are enforceable by the FTC under Section 5 of the FTC Act. Remedies include injunctive...

Resilience

1 controls

Controls in the Resilience domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-CONT-PLAN	Business continuity considerations (implicit via CIA objective)	Although business continuity is not a standalone subsection, the rule's CIA objective and the incident response, change...

Risk assessment

1 controls

Controls in the Risk assessment domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-b	Written risk assessment	Base the information security program on a written risk assessment that identifies reasonably foreseeable internal and e...

Scope exception

1 controls

Controls in the Scope exception domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.6	Exceptions for small institutions	Sections 314.4(b)(1), 314.4(d)(2), 314.4(h) and 314.4(i) do not apply to financial institutions that maintain customer i...

Technical safeguard

1 controls

Controls in the Technical safeguard domain of FTC Safeguards Rule — 1 controls
Code	Title	Description
SR-314.4-c-1	Access controls	Implement and periodically review access controls, including technical and, as appropriate, physical controls to authent...

Third party risk

2 controls

Controls in the Third party risk domain of FTC Safeguards Rule — 2 controls
Code	Title	Description
SR-314.4-f-1	Service provider selection and contractual safeguards	Oversee service providers by taking reasonable steps to select and retain service providers that are capable of maintain...
SR-314.4-f-3	Periodic assessment of service providers	Periodically assess your service providers based on the risk they present and the continued adequacy of their safeguards...

Frequently Asked Questions

What is FTC Safeguards Rule?

FTC Safeguards Rule is a compliance framework from United States with 25 domains and 29 controls. FTC Safeguards Rule (16 CFR Part 314, revised effective 9 Jun 2023, breach notification effective 13 May 2024). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does FTC Safeguards Rule have?

FTC Safeguards Rule has 29 controls organised across 25 domains. The largest domains are Applicability (2 controls), Assurance (2 controls), Cross-regulatory alignment (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does FTC Safeguards Rule map to?

FTC Safeguards Rule does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with FTC Safeguards Rule compliance?

Start your FTC Safeguards Rule compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FTC Safeguards Rule requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 29 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required