The FTC Safeguards Rule: What San Antonio Financial and Professional Services Firms Need to Know
TechSage Solutions · San Antonio, TX
Most CPA firms and financial services businesses have heard of the FTC Safeguards Rule. Most assume it applies to banks. It doesn't — not exclusively. And the businesses most likely to have that assumption are often exactly the ones the rule is designed to cover.
If your firm handles consumer financial data in any capacity — tax preparation, bookkeeping, mortgage origination, financial planning, insurance — there's a meaningful chance you're covered. And if you're not yet compliant, the consequences are no longer theoretical.
This is what you need to know.

What the FTC Safeguards Rule Is
The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA), a federal law that governs how financial institutions collect, store, and protect customer financial information. The FTC enforces the rule for non-bank financial institutions — a category that's broader than most people realize.
The rule was significantly updated in 2023, adding specific technical requirements that were absent from the original version. Where the old rule was largely principles-based ("implement a security program"), the updated rule specifies what that program must include — encryption, multi-factor authentication, access controls, incident response plans, and more.
That shift matters because vague obligations are easier to ignore. Specific requirements with defined elements are not.
Who It Actually Applies To
The FTC defines "financial institution" broadly under the Safeguards Rule. It includes any business that is "significantly engaged" in providing financial products or services to consumers. In practice, that means:
CPA firms and accounting practices that prepare tax returns or provide financial planning advice.
Bookkeepers and tax preparers who handle consumer financial records on behalf of clients.
Mortgage lenders and brokers outside the bank system.
Insurance agencies that act as brokers for products affecting consumer financial information.
Investment advisors not covered by the SEC.
Debt collectors and finance companies operating in the non-bank space.
If your CPA firm prepares personal tax returns, you almost certainly qualify as a financial institution under the Safeguards Rule. "We're an accounting firm, not a bank" is not a compliance defense.
There is a limited exception for businesses with fewer than 5,000 consumer records, which exempts them from some of the more detailed requirements — but not from the obligation to have a written security program at all.
What the Updated Rule Requires
The 2023 updates require covered businesses to implement a written information security program built around nine specific elements:
A risk assessment: a documented evaluation of the risks to customer information across your environment.
Access controls that limit who can reach customer data, with the basis for that access documented.
Encryption of customer financial data both at rest and in transit.
Multi-factor authentication for any system containing customer financial information.
Ongoing security awareness training for staff who handle covered data.
Written contracts with service providers who access your customer data, with security requirements spelled out.
A written incident response plan for security events, including notification obligations.
A designated Qualified Individual responsible for overseeing the program, who can be an employee or an outside provider.
A written annual report from the Qualified Individual to the board or senior leadership.
Taken together, this is a substantive program — not a checkbox exercise. Most small CPA firms and professional services businesses don't have all of these in place, which is the point of this post.
What Happens If You're Not Compliant
FTC enforcement under the Safeguards Rule has teeth. The FTC has brought formal actions against covered businesses for inadequate security practices, with outcomes including consent orders, required third-party audits, and civil penalties. State attorneys general can also bring actions under GLBA.
Beyond regulatory exposure, consider the insurance angle: cyber insurers are increasingly asking whether covered businesses have implemented the Safeguards Rule's requirements as part of the underwriting process. Non-compliance can affect both your eligibility for coverage and what a claim payout looks like after an incident. Here's what cyber insurance for small businesses actually requires — and how the two are increasingly connected.
The compounding risk is a breach that occurs while you're out of compliance. At that point you're dealing with the breach itself plus the exposure from the compliance failure — two separate liability problems instead of one.
How to Get Started
The rule requires a risk assessment as its foundation — and that's genuinely the right place to start. You can't design a security program without knowing what your risks actually are. A proper risk assessment looks at your current environment, identifies where customer data lives and how it's protected, and maps that against the rule's requirements.
For most small CPA firms and professional services businesses, the risk assessment will surface gaps that are fixable — many of them not particularly expensive. The harder part is the documentation and the program structure: having written policies, a designated Qualified Individual, an incident response plan, and vendor contracts that meet the standard.
This is the kind of work that benefits from a partner who has done it before. TechSage has worked with CPA firms and financial services businesses on FTC Safeguards compliance specifically — it's one of the areas covered in our compliance services, alongside CMMC, NIST CSF, and PCI-DSS.
The practical path forward is straightforward: get the risk assessment done, understand your gaps, and build the program from there. The rule doesn't require perfection on day one. It requires a genuine, documented effort — and a credible program that improves over time.
What it doesn't accommodate is not starting.
Is Your Firm FTC Safeguards Compliant?
TechSage works with CPA firms and professional services businesses across San Antonio on compliance readiness. Our cybersecurity services in San Antonio include the risk assessment, documentation, and technical controls the Safeguards Rule requires.