FTC Safeguards Rule
Source identity:
ddx:
id: resource.ftc-safeguards-rule
Source
- URL: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
- Accessed: 2026-05-12
Summary
The Federal Trade Commission explains that covered financial institutions must develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards for customer information. The guidance says the program should fit the organization’s size, complexity, activities, and the sensitivity of the information involved.
Relevant Findings
- Covered organizations need a written information security program.
- Safeguards must protect customer information, including information handled on behalf of another covered financial institution.
- The program should be risk-based and proportionate to the business and data.
- The rule creates expectations for access control, safeguards, service provider oversight, and ongoing security program management.
- Applicability depends on the business activity and data context, so legal review is required before treating it as binding for a specific project.
HELIX Usage
This resource informs Compliance Requirements, Security Requirements, and Security Architecture when a project handles financial customer information or supports businesses that may be covered by the Safeguards Rule.
Authority Boundary
This resource summarizes FTC guidance. It is not legal advice and does not determine whether a specific project is a covered financial institution, service provider, or exempt entity.