FTC Safeguards Rule Enforcement Actions: What They Signal for Vendor Oversight in Financial Services

For years, the FTC Safeguards Rule was treated by many non-bank financial institutions as a compliance checkbox, something to acknowledge in a policy document and revisit annually. That approach is increasingly risky. The Safeguards Rule requires financial institutions under FTC jurisdiction to maintain measures that protect customer information, and the FTC makes clear that covered companies are also responsible for taking steps to ensure affiliates and service providers safeguard customer information in their care. (Safeguards Rule, 2025)

A series of FTC data security and Safeguards Rule enforcement actions has made one thing clear: regulators are no longer satisfied with firms that have security programs on paper but not in practice. The FTC’s Ascension Data & Analytics matter is especially instructive for vendor oversight, because the FTC alleged that the company failed to ensure that one of its vendors was adequately securing personal data about tens of thousands of mortgage holders.

As the FTC continues to enforce the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, compliance and risk leaders at financial services firms need to understand not only what the rule requires, but also what enforcement patterns reveal about where regulators are looking and what they expect to find. The current rule text expressly includes service-provider oversight, board or senior-leadership reporting, and, since May 2024, FTC breach notification for certain security events.

What the Updated FTC Safeguards Rule Actually Requires

The FTC finalized major amendments to the Safeguards Rule in 2021, with many of the more prescriptive requirements becoming enforceable in June 2023 after a deadline extension. A separate 2023 amendment added breach-notification requirements, which took effect in May 2024. The FTC’s own guidance explains that the revised rule preserved the flexibility of the original rule while providing more concrete guidance for covered businesses.

The rule applies to non-bank financial institutions subject to FTC jurisdiction under GLBA. Covered entities can include mortgage lenders and brokers, payday lenders, finance companies, account servicers, tax preparation firms, non-federally insured credit unions, and investment advisers that are not required to register with the SEC. Auto dealers may also fall within scope when they finance or lease vehicles.

For vendor oversight specifically, covered institutions must take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information. They must also require service providers by contract to implement and maintain those safeguards. In addition, they must periodically assess service providers based on the risk they present and the continued adequacy of their safeguards. (16 CFR Part 314 — Standards for Safeguarding Customer Information, n.d.)

The rule also requires covered institutions to designate a Qualified Individual responsible for overseeing and implementing the information security program. That Qualified Individual must report in writing, regularly and at least annually, to the board of directors or an equivalent governing body. If no such body exists, the report must go to a senior officer responsible for the information security program.

This matters for third-party risk because the Qualified Individual’s oversight and reporting responsibilities extend to service-provider arrangements as part of the information security program. The rule specifically requires board or senior-leadership reporting to address material matters related to the program, including service-provider arrangements. Accountability is no longer diffuse; regulators expect a documented governance structure around the program.

Key Enforcement Actions and What They Reveal

1. The Vendor Contract Problem

The FTC’s Safeguards Rule case against Ascension Data & Analytics is one of the clearest vendor-oversight examples. The FTC alleged that Ascension failed to take formal steps to evaluate whether its service providers could protect personal information, failed to require service providers by contract to implement appropriate safeguards, and failed to assess risks related to multiple service providers.

This is important because vendor contracts are not merely commercial documents. Under the Safeguards Rule, they are part of the compliance evidence. If a covered institution gives a service provider access to customer information but the contract does not require appropriate safeguards, the institution may struggle to demonstrate that it satisfied the rule’s service-provider obligations.

Other FTC data-security actions, including Drizly, are useful for understanding the agency’s broader enforcement posture, especially around executive accountability and operational security failures. Drizly was not a GLBA Safeguards Rule vendor-oversight case, but the FTC’s action against the company and its CEO shows the agency’s willingness to pursue data-security failures where consumer information is exposed.

What this signals: Contracts are no longer just legal protection; they are regulatory evidence. If a breach occurs and a service-provider contract contains no meaningful security requirements, regulators may view that as evidence that vendor oversight was not implemented in practice.

2. “Oversight” Means More Than Onboarding

One of the most consequential shifts in the revised Safeguards Rule is the explicit requirement to periodically assess service providers based on risk and the continued adequacy of their safeguards. This means vendor oversight cannot stop once due diligence is complete and the contract is signed. (16 CFR Part 314 — Standards for Safeguarding Customer Information, n.d.)

Annual questionnaires, SOC 2 reports, and contract-renewal reviews can be useful inputs, but they should not be treated as a substitute for a documented, risk-based periodic oversight process. The FTC’s guidance emphasizes that companies should have mechanisms to monitor service providers and reassess them over time, rather than relying only on initial selection.

What this signals: If a vendor oversight program is essentially a one-time due diligence exercise, the institution may be exposed. Regulators are likely to ask what the institution knew, or reasonably should have known, about a vendor’s security posture at the time of a security incident, not only what was reviewed during onboarding.

3. Risk-Based Vendor Management Is the Practical Baseline

The Safeguards Rule does not use the term “vendor tiering,” but it does require covered institutions to assess service providers based on the risk they present. In practice, that means institutions should be able to distinguish between vendors that handle sensitive customer information or critical systems and vendors that present lower risk.

Applying the same level of scrutiny to a cloud storage provider handling sensitive customer financial records as to a low-risk office supply vendor is difficult to defend as a risk-based program. A stronger approach is to scale due diligence depth, contract requirements, monitoring frequency, and escalation procedures based on data sensitivity, system access, business criticality, and exposure. (16 CFR Part 314 — Standards for Safeguarding Customer Information, n.d.)

What this signals: Institutions that cannot demonstrate a risk-informed approach to vendor management may struggle to show that their safeguards are appropriate. Risk tiering is not just a sophisticated best practice; it is the operational mechanism many institutions use to satisfy the rule’s risk-based service-provider requirements.

4. The Board Accountability Dimension

The revised Safeguards Rule requires the Qualified Individual to report to the board, an equivalent governing body, or a senior officer at least annually. The report must include an overall assessment of the information security program and material matters related to it, including service-provider arrangements.

For vendor risk specifically, this means third-party oversight is no longer only a security, procurement, or legal issue. It is also a governance issue. If a vendor-related incident occurs, weak reporting structures, superficial board updates, or missing escalation records may make it harder to demonstrate that oversight was meaningful.

What this signals: TPRM is part of enterprise governance. Boards and senior leaders do not need to manage every vendor review, but the organization should be able to show that vendor risk is reported, escalated, documented, and incorporated into the broader information security program.

What Non-Bank Financial Institutions Should Do Now

Audit Your Vendor Contracts

Start with a systematic review of every vendor relationship that touches customer information. For each vendor, ask whether the contract includes explicit data-security requirements, whether it gives the institution a practical mechanism to verify or monitor security practices, and whether it establishes notification obligations in the event of a breach or other security event. The Safeguards Rule expressly requires contracts with service providers to require appropriate safeguards, and the FTC’s breach-notification amendment now requires covered financial institutions to notify the FTC of certain security breaches involving at least 500 consumers.

If a high-risk vendor contract lacks security obligations, remediation should be prioritized. This is especially important where the vendor processes customer information, supports critical business operations, hosts sensitive systems, or has privileged access to internal environments.

Build a Vendor Inventory That Reflects Reality

Many institutions are still operating with incomplete vendor inventories: lists that reflect who procurement knows about, but not necessarily who actually has access to customer information or critical systems. Shadow IT, legacy integrations, departmental software purchases, and unmanaged data-sharing arrangements can all create gaps.

A credible vendor oversight program starts with knowing who the vendors are, what data they access, what systems they connect to, and whether they are subject to contractual and operational safeguards. Without that baseline, it is difficult to show that the institution has taken reasonable steps to select, retain, and periodically assess service providers.

Move from Point-in-Time Reviews to Periodic Oversight

The Safeguards Rule requires periodic assessment of service providers based on risk and the continued adequacy of their safeguards. Full continuous monitoring may not be feasible for every vendor, but high-risk vendors should be reassessed on a defined schedule and when material changes occur. (16 CFR Part 314 — Standards for Safeguarding Customer Information, n.d.)

This may include reviewing updated SOC 2 Type II reports when issued, monitoring vendor cybersecurity news and public breach disclosures, issuing annual security questionnaires as one input among many, tracking remediation commitments, and verifying performance against contractually required security standards. The key is to document a repeatable process that reflects the vendor’s risk level.

Document Everything

In an enforcement context, the question is not only “did you do it?” but “can you prove you did it?” The Safeguards Rule requires a written information security program, written incident-response planning for certain covered institutions, written reporting by the Qualified Individual, and documentation around security events and program updates.

For vendor oversight, documentation should include vendor assessments, review dates, findings, remediation timelines, approved exceptions, contract-review status, risk-tiering rationale, and evidence of board or senior-leadership reporting. Oversight activities that are not documented may be difficult to defend under regulatory scrutiny.

The Bigger Picture: Vendor Risk as a Regulatory Priority

The FTC’s enforcement posture does not exist in isolation. The SEC’s cybersecurity disclosure rules require public companies to disclose material cybersecurity incidents and provide disclosures about cybersecurity risk management, strategy, and governance. Those rules reinforce the broader regulatory focus on cyber-risk governance and leadership oversight.

NYDFS Part 500 also reflects this trend. The Second Amendment to 23 NYCRR Part 500 includes detailed cybersecurity governance and third-party service provider security requirements for covered financial services entities, including risk assessment, due diligence, contractual protections, and periodic assessment. (“NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES SECOND AMENDMENT TO 23 NYCRR 500,” n.d.)

In the European Union, DORA has applied since January 17, 2025 and establishes digital operational resilience requirements for financial entities, including ICT risk management and third-party risk management. Together, these frameworks show a regulatory consensus that third-party risk is a first-order concern, not a secondary issue left only to procurement or IT.

For financial services firms subject to the Safeguards Rule, the enforcement trend is clear: the FTC expects vendor oversight to be substantive, documented, risk-informed, and built into governance structures. Firms that treat vendor oversight as only a contract clause and an annual questionnaire are likely operating with meaningful regulatory exposure.

The question is not simply whether an institution has a third-party risk management program. The more important question is whether that program would survive regulatory scrutiny on its worst day.

Frequently Asked Questions

Who does the FTC Safeguards Rule apply to?

The rule applies to non-bank financial institutions subject to FTC jurisdiction under GLBA. This can include mortgage lenders and brokers, payday lenders, finance companies, account servicers, tax preparation firms, non-federally insured credit unions, and investment advisers that are not required to register with the SEC.

What does the FTC Safeguards Rule require for vendor oversight?

Covered institutions must take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards, require service providers by contract to implement and maintain safeguards, and periodically assess service providers based on risk and the continued adequacy of their safeguards.

What happens if a vendor causes a data breach and we do not have a vendor security contract?

The absence of contractual security requirements is a significant compliance gap under the Safeguards Rule. In the Ascension matter, the FTC alleged that the company’s service-provider contracts failed to specify safeguards or otherwise require service providers to take reasonable steps to secure personal information.

How often should we reassess vendors under the Safeguards Rule?

The rule does not specify a single reassessment frequency. Instead, it requires periodic assessment of service providers based on the risk they present and the continued adequacy of their safeguards. High-risk vendors should therefore be assessed more frequently and with greater depth than low-risk vendors.

Does the FTC Safeguards Rule apply to all vendors, or only those handling customer financial data?

The Safeguards Rule’s service-provider requirements focus on service providers that have access to customer information. However, as a practical matter, institutions should maintain a complete vendor inventory and apply risk-based tiering so they can identify which vendors access customer information, critical systems, or sensitive business processes.

This article is intended for informational purposes and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific compliance obligations under the FTC Safeguards Rule.


お問い合わせ

Slingがどのように役立つか、一緒に見ていきましょう。