What is the FTC Safeguards Rule for Accountants?

Published: June 20, 2023

There is a myriad of good reasons to ensure your accounting firm’s cybersecurity measures are as sophisticated as possible. By protecting your clients’ data, you maintain your reputation, protect their privacy, assuage their concerns about safety, and, of course, uphold the law.

While cybersecurity might have been left to individual accountants to deal with at one point in time, those days are over. In 2003, the Federal Trade Commission (FTC) enacted the Standards for Safeguarding Customer Information, better known as the Safeguards Rule. In 2021, it updated this rule to ensure it didn’t fall behind quickly evolving technology.

Simply put, the Safeguards Rule regulates the data protection measures “financial institutions” must take. This term likely brings to mind giant stone banks or Wall Street bastions, but it covers any business whose dealings are financial in nature.

FTC Definition for Financial Institutions

Here’s the definition in legalese from the FTC’s own website:

“The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a ‘financial institution’ if it’s engaged in an activity that is ‘financial in nature’ or is ‘incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).’”

Ouch. Even if you’d like to stop reading here, don’t.

It’s extremely important to know if you count as a “financial institution” under the Safeguards Rule, because if you do, you need to have handed in proof that you’ve complied with updated data security guidelines on June 9, 2023.

If you do not comply—even if it’s because you simply weren’t aware you were considered a financial institution—the penalties are extremely harsh. The FTC is allowed to fine you up to $100,000 per violation, and this doesn’t include the $43,000 they may penalize you for a consent violation or the $10,000 fine they can choose to levy against the firm officers and directors.

Stay calm: throughout the rest of this article, we’re going to help you figure out if you count as a “financial institution” and explain what you need for compliance.

Who Counts as a Financial Institution?

The FTC considers the following financial institutions that must comply with the Safeguards Rule:

Finance companies
Mortgage brokers
Payday lenders
Collection agencies
Investment advisors who do not have to be registered with the SEC
Tax preparation firms
Credit counselors
Financial advisors
Account servicers
Accountants
Bookkeepers

The bottom line: If your business is engaged in an activity that’s financial in nature, you’re a financial institution.

One more thing to note: Only businesses with nonpublic personal information (NPI) of at least 5,000 individuals – whether those records are physical paper or digital files – must comply. So what is NPI? It covers a broad type of information, like names, addresses, phone numbers, income information, Social Security numbers, and credit history. It can be difficult to tell what’s covered, so experts encourage businesses to treat all customer information as NPI.

What Do Accountants Need to Comply with the FTC’s Safeguards Rule?

If you haven’t sent in your new documents yet, it’s crucial you don’t delay. The original deadline was in November of last year; the June 9th deadline is an extension. As quickly and thoroughly as you can, put the following together and submit to the FTC:

A written assessment of any cyber risks your firm faces, as well as the preventive measures you have in place and the ways in which you can currently respond to threats.
The name of a qualified individual who will be overseeing your cybersecurity program. If they don’t work for your company, they must be supervised by someone who does.
Proof all sensitive and financial information is encrypted and that everyone is using MFA to access any customer data.
A copy of your firm’s methods to limit and monitor individuals who have access to secure data.
A written copy of your incident response plan, which should meet the FTC’s Safeguard Rule standards.
Proof you have a mandatory cybersecurity training policy for all new employees and that all staff are re-trained at least once a year.

Additionally, ensure you periodically review the security practices of any third-party service providers with access to your data. If you notice any problems, either ensure they’re corrected right away or look for a new service provider who meets higher standards. This isn’t an exhaustive list. Make sure you read the Safeguards Rule for the full list of requirements.

How a Document Management System Can Help with FTC Compliance

True, this sounds like a lot. And if you missed the deadline, you’re probably panicking about the potential consequences right now. It’s understandable. However, you’ve probably already done a lot of this already. The Safeguards Rule isn’t new, and responsible accountants have been paying close attention to cybersecurity best practices and updates for years.

Use a document management system and client portal to protect your data and get started with compliance. SmartVault can help you with compliance requirements like: