ScalePad
ControlMap

FTC Safeguards Field Guide

FTC Safeguards compliance, made operational — the MSP's tactical playbook

A tactical playbook for managed service providers guiding GLBA "financial institutions" (auto dealers, tax and accounting firms, mortgage and finance shops) through the nine required elements and the eight technical safeguards, through running the written program, and through a step-by-step ControlMap workflow.

The Rule, Decoded

The FTC Safeguards Rule at a glance — and why it lands on the MSP's desk

The Gramm-Leach-Bliley Act requires financial institutions to protect consumers' financial information. Two rules do the work: the Privacy Rule (notices and information-sharing limits) and the Safeguards Rule (16 CFR Part 314) — the security program. The FTC's amended Safeguards Rule, fully in force since June 2023, reads like a checklist written for an MSP: MFA, encryption, monitoring, testing, vendor oversight. The catch most clients miss: they don't think they're a financial institution.

"Financial institution" is broader than anyone expects. FTC-jurisdiction examples: auto dealerships with financing or leasing, tax preparers and accounting firms, mortgage brokers and lenders, payday and consumer lenders, collection agencies, non-SEC investment advisors, check cashers and money transmitters, real-estate settlement and title services, higher-ed institutions handling Title IV aid, retailers issuing their own credit, and "finders" who connect borrowers and lenders. Banks, credit unions, and SEC-registered firms answer to parallel regulators — the FTC covers everyone else "significantly engaged" in financial activities. Assume the rule applies until proven otherwise.

Scope in Two Definitions

What you're protecting

"Customer information" is any record containing nonpublic personal information (NPI) about a customer of a financial institution — SSNs, income and credit data, account numbers, loan applications, tax returns, payment histories — in paper or electronic form, whether it's the client's own customer or another institution's. Deal jackets, tax workpapers, and DMS/CRM records are all in scope.

Service providers — that's you

The rule defines a service provider as anyone permitted access to customer information through its services — your MSP, the DMS vendor, the cloud host. Clients must select you for capability, bind you by contract to safeguards, and periodically reassess you. Expect security questionnaires; better yet, arrive with answers.

Why it matters: the FTC enforces through multi-year consent orders with mandated independent assessments, and violating an order carries civil penalties that run to tens of thousands of dollars per violation, with each day of a continuing violation counted separately. It has pursued dealers, lenders, and tax businesses by name. Since May 2024, qualifying breaches must also be reported to the FTC and land in a public FTC database. Add state AGs, private suits, and (for tax pros) IRS data-security obligations that point straight back to this rule: "we're just a dealership" is no defense at all.

The Operating Model

Shared responsibility — and the seat the MSP can formally hold

The Safeguards Rule has a feature no other framework in this series offers: the Qualified Individual who oversees the program may be an employee, an affiliate, or a service provider. An MSP can formally hold the role — provided the client retains a senior employee directing and overseeing the QI, and the MSP maintains its own information security program. That makes "Safeguards-as-a-Service" a first-class offering, not a workaround.

MSP × financial institution — who runs what

The QI duties row applies when the MSP is contracted as the Qualified Individual — always with a named senior client employee directing oversight.

MSP operates

  • Qualified Individual duties (if contracted)
  • MFA & access administration
  • Encryption at rest & in transit
  • Monitoring, logging & EDR
  • Vulnerability mgmt & testing
  • Change management
  • Incident detection & response

Shared

  • Risk assessment
  • Data & system inventory
  • Policies & procedures
  • Security training
  • Vendor oversight
  • Incident response plan
  • Evidence & reporting

Client owns

  • Senior oversight of the QI
  • Business data practices
  • Staff conduct & paper NPI
  • GLBA Privacy Rule notices
  • Vendor business decisions
  • Final risk acceptance
  • Receiving the annual report

Decide the QI model

Client-employee QI with MSP execution, or MSP-as-QI with a named client executive overseeing. Either works — but write the choice, the oversight line, and the reporting duty into the MSA before the program starts.

Map every element

For each of the nine elements and eight safeguards: who performs it, who approves it, where the evidence lives. The responsibility splits in this guide are the starting template — the written program makes them official.

Prove it continuously

The rule demands a written program, a written risk assessment, a written IR plan, and a written annual report. Centralize them with the evidence in a GRC platform so the paper trail writes itself.

The Safeguards Rule is a program, not a project — risk-based, written, tested, and reported on a cycle. The client can delegate the work — even the QI title — but never the accountability: a senior client officer must direct, oversee, and receive the annual report. Set that governance line on day one and every later conversation gets easier.

01

§314.4(a)–(i)

The nine required elements — anatomy of the rule

Section 314.4 requires every covered institution to develop, implement, and maintain a comprehensive, written information security program appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it holds. It spells out nine elements the program must contain: governance, assessment, safeguards, testing, people, vendors, currency, response, and reporting.

Effort and Ownership

The nine elements in practice

  • a · Qualified Individual
    What "done" looks like: A named, accountable person overseeing the program (employee, affiliate, or service provider), documented in the written program, with a senior client officer directing oversight if the QI is a service provider.
    MSP translation: QI-as-a-service or vCISO offering; designation letter on file.
    Effort: Light

  • b · Risk assessment
    What "done" looks like: Written, criteria-based assessment of internal and external risks to customer information and how the safeguards address them; revisited periodically and on material change.
    MSP translation: Annual risk assessment engagement; risk register with treatment decisions.
    Effort: Moderate

  • c · Implement the 8 safeguards
    What "done" looks like: The technical core of §314.4(c): access control, data inventory, encryption, secure development, MFA, disposal, change management, monitoring. Unpacked in the next section.
    MSP translation: The MSP security stack, formally mapped and evidenced.
    Effort: Heavy

  • d · Test & monitor
    What "done" looks like: Continuous monitoring of systems, or annual penetration testing plus vulnerability assessments at least every six months and after material changes.
    MSP translation: EDR/SIEM continuous-monitoring path, or a scheduled pen-test and scan calendar.
    Effort: Heavy

  • e · Train & staff
    What "done" looks like: Security awareness training for all relevant staff; qualified information-security personnel (in-house or provider) who maintain current threat knowledge.
    MSP translation: Awareness platform campaigns with completion exports; your SOC/security team credentials.
    Effort: Light

  • f · Oversee service providers
    What "done" looks like: Due diligence at selection, contract clauses requiring safeguards, and periodic reassessment of each vendor that touches customer information.
    MSP translation: Vendor register with questionnaires, contract checks, and review cadence.
    Effort: Moderate

  • g · Keep it current
    What "done" looks like: Program evaluated and adjusted for test results, threat changes, new systems, M&A, and incidents, with the changes documented.
    MSP translation: Quarterly program review tied to change management and QBRs.
    Effort: Light

  • h · Incident response plan
    What "done" looks like: A written plan addressing goals, internal processes, roles and decision authority, communications, remediation, documentation, and post-incident revision.
    MSP translation: IR plan from template, tailored, tabletop-tested annually.
    Effort: Moderate

  • i · Annual written report
    What "done" looks like: The QI's written report to the board or senior officer: program status, risk assessment results, testing outcomes, incidents, and recommendations.
    MSP translation: Generated from the GRC dashboard; the natural QBR centerpiece.
    Effort: Light

The small-institution carve-out

Institutions holding information on fewer than 5,000 consumers are exempt from four items: the written risk assessment, the continuous-monitoring/pen-test regime, the written IR plan, and the annual report. Everything else — QI, the eight safeguards, training, vendor oversight — still applies in full.

Don't build to the carve-out

Counting "consumers" includes past customers whose records remain, so clients outgrow 5,000 silently — and the exempted documents are exactly what insurers, lenders, and the FTC ask for after an incident. Run every client on the full program; treat the exemption as margin, not architecture.

The pattern to notice: most of the nine elements are paperwork. Three are documents in their own right (the written risk assessment, the IR plan, the annual report), all of them living inside the written program itself, and two are cadences (testing, currency). Only element (c) is heavy engineering, and for most MSP clients the technology already exists in the stack. FTC Safeguards is won or lost on paperwork discipline, which is exactly what a GRC platform automates.

02

§314.4(c)(1)–(8)

The eight safeguards — named controls, not suggestions

Section 314.4(c) names eight specific safeguards every program must implement, based on the risk assessment. Unlike the older "reasonable measures" language, these are concrete: MFA is named. Encryption is named. Where an exact control is genuinely infeasible, the Qualified Individual may approve an equivalent — in writing.

The Technical Core

Translating the safeguards to the MSP stack

  • 1 · Access controls
    Requires: Authenticate and permit access only to authorized users; limit each user to the customer information their role needs; review access periodically.
    Deploy: Identity platform with RBAC and conditional access; least-privilege admin; documented joiner/mover/leaver workflow.
    Evidence to bank: RBAC matrix · access-review sign-offs · offboarding tickets

  • 2 · Data & system inventory
    Requires: Know where customer information sits: the data, the systems holding it, and how it flows. This is the map everything else depends on.
    Deploy: Asset inventory from the RMM plus a data map: where NPI lives (DMS, tax software, shares, email, paper) and how it flows in and out.
    Evidence to bank: Asset list · data-flow diagram · annual refresh record

  • 3 · Encryption
    Requires: Encrypt customer information at rest and in transit over external networks; if truly infeasible, QI-approved compensating controls, documented.
    Deploy: Full-disk encryption on endpoints, encrypted servers/SaaS at rest, TLS enforcement, secure email/portal for sending customer documents.
    Evidence to bank: Encryption status reports · TLS policy · secure-portal configuration

  • 4 · Secure development
    Requires: Secure practices for in-house applications touching customer information, and procedures to evaluate the security of third-party apps (DMS, tax software, CRMs).
    Deploy: For SMB clients this is mostly vendor diligence: security review of the DMS/CRM/tax platforms, patch posture, and SSO/MFA support before adoption.
    Evidence to bank: App security questionnaires · vendor SOC 2/attestations on file

  • 5 · Multi-factor authentication
    Requires: MFA for any individual accessing any information system holding customer information (staff, remote, vendor, and cloud logins alike) unless the QI approves an equivalent in writing.
    Deploy: MFA on email, VPN/remote access, DMS/LOB apps, cloud consoles, and the MSP's own tooling; phishing-resistant methods where available.
    Evidence to bank: MFA enrollment reports · conditional-access policies · QI memos for any equivalents

  • 6 · Secure disposal
    Requires: Dispose of customer information no later than two years after last use unless retention is required or serves a legitimate purpose, with periodic review of retention practices.
    Deploy: Retention schedule (2-year default for NPI past last use), automated purge jobs where possible, shredding and certified media destruction.
    Evidence to bank: Retention policy · purge logs · destruction certificates

  • 7 · Change management
    Requires: Procedures to evaluate the security impact of changes to systems, networks, and applications before they land.
    Deploy: Ticketed changes with security-impact notes; maintenance windows; rollback plans. Your existing RMM change process, formalized.
    Evidence to bank: Change tickets with approvals · post-change review notes

  • 8 · Monitor & log
    Requires: Monitor and log authorized-user activity, and detect unauthorized access to, or use of, customer information.
    Deploy: EDR on all endpoints, log collection/SIEM for systems holding NPI, alerting on anomalous access, defined triage runbook.
    Evidence to bank: SIEM retention settings · alert triage records · monthly monitoring summaries

The two named controls are the two named findings. Enforcement actions and breach post-mortems in this space orbit the same gaps: MFA missing on one system (the DMS, the remote desktop, the tax portal) and unencrypted customer files on shares, laptops, and email. Sweep for both in week one — they're also where a QI's written "equivalent control" memos get abused. If the memo is doing heavy lifting, the control is missing.
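Two of the items above are counting exercises that clients get wrong quietly: the consumer count behind the small-institution carve-out (past customers stay in the count while their records exist) and the two-year disposal clock of safeguard 6. The following is an added example, not code from the guide or from ControlMap, that runs both over a constructed record inventory. The record layout, the meaning of the hold field, the sample rows and the dates are all assumptions made for this illustration.

```python
"""Added example, not from the guide or ControlMap: a consumer count against the
5,000-consumer carve-out and a two-year disposal sweep (safeguard 6) over a
constructed inventory. Field names, the hold semantics and all records are assumptions."""
from collections import namedtuple
from datetime import date

# Assumed inventory row: one record containing customer information.
#   consumer_id  who the record is about (past customers still count while the record exists)
#   last_used    last date the record was used to provide a product or service
#   hold         documented reason to keep it past two years (law, litigation, business need), or None
Record = namedtuple("Record", "record_id consumer_id system last_used hold")

# Constructed sample: a small dealership-style inventory spanning the DMS, a file share and email.
SAMPLE_INVENTORY = [
    Record("DJ-1001", "C-1", "DMS",   date(2021, 3, 14), None),
    Record("DJ-1002", "C-2", "DMS",   date(2024, 8, 2),  None),
    Record("DJ-1003", "C-1", "share", date(2020, 11, 5), None),   # second record, same consumer
    Record("DJ-1004", "C-3", "DMS",   date(2019, 6, 30), "state lending law: 7-year retention"),
    Record("DJ-1005", "C-4", "email", date(2023, 2, 1),  None),   # inside the window until 2025-02-01
]

CARVE_OUT_LIMIT = 5000   # exemption applies to fewer than 5,000 consumers


def count_consumers(inventory):
    """Distinct consumers about whom any customer information is still held."""
    return len({r.consumer_id for r in inventory})


def carve_out_applies(inventory, limit=CARVE_OUT_LIMIT):
    """True only while the count stays under the limit; re-run on every inventory refresh."""
    return count_consumers(inventory) < limit


def disposal_deadline(last_used):
    """Two calendar years after last use (a Feb 29 last-use date rolls to Feb 28)."""
    try:
        return last_used.replace(year=last_used.year + 2)
    except ValueError:
        return last_used.replace(year=last_used.year + 2, day=28)


def sweep(inventory, as_of):
    """Split records past their deadline into dispose-now and documented-hold lists."""
    dispose, hold = [], []
    for r in inventory:
        if as_of <= disposal_deadline(r.last_used):
            continue                      # still inside the two-year window
        (hold if r.hold else dispose).append(r)
    return dispose, hold


def sweep_report(inventory, as_of_iso):
    """Evidence-ready summary for the QI: counts, carve-out status, purge list, holds to review."""
    as_of = date.fromisoformat(as_of_iso)
    dispose, hold = sweep(inventory, as_of)
    return {
        "as_of": as_of_iso,
        "consumers": count_consumers(inventory),
        "carve_out_applies": carve_out_applies(inventory),
        "dispose": sorted(r.record_id for r in dispose),
        "hold_review": sorted(f"{r.record_id}: {r.hold}" for r in hold),
    }


if __name__ == "__main__":
    print(sweep_report(SAMPLE_INVENTORY, "2025-01-15"))
```

Two design points carry over to a real purge job: the deadline is computed in calendar years rather than a fixed 730 days, so the sweep does not fire a day early across a leap year; and anything kept past the window must carry a written reason, which is what "periodic review of retention practices" means in practice. The hold list is the review queue.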

Who Does What

Safeguards responsibility split

Typical allocation across the eight safeguards for an MSP-supported financial institution — the written program records the real split per client.

  • Access, MFA, encryption, monitoring (safeguards 1, 3, 5, 8): MSP leads
  • Data inventory & flows (safeguard 2): shared
  • LOB app evaluation & vendor diligence (safeguard 4): shared
  • Retention decisions & paper disposal (safeguard 6): client leads
  • Change management (safeguard 7): MSP leads

Legend: MSP leads · Shared · Client leads (bar proportions from the source guide).

Dealerships

Deal jackets in unlocked file rooms, shared DMS logins, finance-office PCs on the showroom network — the physical and identity gaps arrive before the technical ones. Sweep them early.

Tax & CPA firms

Client returns in unencrypted email, prior-year archives kept forever (versus the 2-year disposal default), seasonal staff on shared accounts — retention and identity discipline come first.

Mortgage & title

Wire-fraud exposure makes MFA plus email security the first move, not the tenth — the highest-consequence vertical in the rule's scope.

The testing regime — pick a lane and prove it

Lane A — Continuous monitoring

Ongoing, real-time visibility into the systems holding customer information — detecting changes, vulnerabilities, and unauthorized access as they happen. What it takes: EDR everywhere, SIEM/log analytics with alerting, continuous vulnerability scanning, configuration-drift detection, and someone watching (SOC/MDR). Best for clients already on a managed security stack — the natural MSP lane, converting your existing MDR service into a named compliance deliverable.

Lane B — Scheduled testing

If continuous monitoring isn't in place, the rule prescribes the calendar itself: annual penetration testing based on the risk assessment, and vulnerability assessments at least every six months, plus additional testing whenever operations change materially or new risks emerge. Evidence: test reports, remediation tickets closing the findings, and re-test confirmations. The finding-to-fix loop is what reviewers check.

Either lane is compliant — what's non-compliant is drifting between them with neither fully implemented. Lane A is recurring revenue (MDR plus reporting); Lane B is two predictable projects a year plus remediation. Quote both and let the risk assessment pick — material changes (a new DMS, an office move, an acquisition) trigger out-of-cycle testing in either lane.
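What Lane A actually runs against the logs is the part most proposals leave vague. The following is an added example, not code from the guide or from ControlMap, showing safeguard 8 detection logic applied to constructed audit-log lines from a hypothetical DMS: missing MFA on a record access (safeguard 5), an action outside the role's least-privilege matrix (safeguard 1), after-hours access from outside the office ranges, and bulk access to many distinct customer records in a short window. The log format, the role policy, the network ranges, the thresholds and every sample line are assumptions made for this illustration.

```python
"""Added example, not from the guide or ControlMap: detection logic for safeguard 8
(monitor and log access to customer information) run over constructed audit-log lines
from a hypothetical DMS. The log format, role policy, network ranges, thresholds and
every sample line are assumptions for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: <ISO timestamp> user= role= action= record= src= mfa=yes|no
LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample. kpatel (sales) bulk-exports deal jackets after hours, from outside, without MFA.
SAMPLE_LOG = """\
2025-03-03T09:02:11 user=jsmith role=finance action=view record=DJ-2001 src=10.0.5.21 mfa=yes
2025-03-03T09:04:40 user=jsmith role=finance action=export record=DJ-2002 src=10.0.5.21 mfa=yes
2025-03-03T09:05:02 user=kpatel role=sales action=view record=DJ-2001 src=10.0.7.8 mfa=yes
2025-03-03T21:30:45 user=jsmith role=finance action=export record=DJ-2005 src=10.0.5.21 mfa=yes
2025-03-03T23:41:09 user=kpatel role=sales action=export record=DJ-2003 src=203.0.113.4 mfa=no
2025-03-03T23:41:15 user=kpatel role=sales action=export record=DJ-2004 src=203.0.113.4 mfa=no
2025-03-03T23:41:22 user=kpatel role=sales action=export record=DJ-2006 src=203.0.113.4 mfa=no
2025-03-03T23:41:30 user=kpatel role=sales action=export record=DJ-2007 src=203.0.113.4 mfa=no
2025-03-03T23:41:41 user=kpatel role=sales action=export record=DJ-2008 src=203.0.113.4 mfa=no
this line is deliberately malformed and must not stop the parser
2025-03-04T08:15:00 user=svc-backup role=service action=read record=DJ-2010 src=10.0.5.2 mfa=yes
"""

# Assumed least-privilege matrix for the DMS (safeguard 1): which actions each role may take.
ALLOWED_ACTIONS = {"finance": {"view", "edit", "export"}, "sales": {"view"}, "service": {"read"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed office/VPN ranges
BUSINESS_HOURS = (7, 20)                                  # assumed local hours, [start, end)
BULK_THRESHOLD, BULK_WINDOW = 5, timedelta(minutes=10)    # set low so the sample trips it


def parse(log_text):
    """Parse matching lines into dicts; skip lines that do not fit (count them in a real pipeline)."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def is_internal(src):
    return any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)


def detect(events):
    """Return (rule, user, detail) findings; each rule maps to a safeguard named in the guide."""
    findings, by_user = [], defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        if e["mfa"] == "no":                                           # safeguard 5
            findings.append(("no_mfa", e["user"], f"{e['action']} {e['record']} from {e['src']}"))
        if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set()):   # safeguard 1
            findings.append(("role_violation", e["user"], f"{e['role']} did {e['action']} on {e['record']}"))
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if not in_hours and not is_internal(e["src"]):                 # safeguard 8
            findings.append(("after_hours_external", e["user"], f"{e['ts'].isoformat()} from {e['src']}"))
    for user, evs in by_user.items():                                  # safeguard 8: bulk access
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            window = {x["record"] for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, f"{len(window)} records within {BULK_WINDOW}"))
                break
    return findings


def summarize(findings):
    """Collapse per-event findings to rule -> set of users, the shape a triage ticket needs."""
    out = defaultdict(set)
    for rule, user, _ in findings:
        out[rule].add(user)
    return dict(out)


if __name__ == "__main__":
    for rule, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:22} {user:12} {detail}")
```

On the sample, only kpatel trips the rules; the finance user's late export from an internal address is allowed by the role matrix and never surfaces. The bulk rule counts distinct records, not events, so re-opening the same deal jacket does not look like an export run. The monthly monitoring summary the safeguards table asks for is the summarize() output plus the triage outcome for each user it names.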

03

QI, Cadence & Breach Clock

Run the program — the QI, the year, the 30-day clock

Turn the safeguards into a governed, documented, reportable program. The Qualified Individual is the engine: they oversee implementation, own the written deliverables, and report annually to leadership — and since May 2024, the program also carries a federal breach-reporting duty with a 30-day clock.

The Role, and the MSP Opportunity

The Qualified Individual

What the QI does

Oversees and enforces the whole program: drives the risk assessment, approves safeguard decisions — including any written "equivalent control" memos — owns the IR plan, and delivers the written annual report to the board or a senior officer.

Who can hold it

An employee, an affiliate, or a service provider — no certification is mandated; "qualified" is relative to the institution's complexity. A dealership's QI looks different from a lender's.

If the MSP holds it

Two conditions: the client retains a senior employee directing and overseeing the QI, and the MSP maintains its own information security program. Name the role, the oversight line, and the reporting duty in the MSA.

One Compliant Cadence to Run Per Client

The Safeguards year

  1. Q1

    Assess & review

    Risk assessment refresh · access review · vulnerability assessment #1.

  2. Q2

    Train & reassess

    Staff training campaign · vendor reassessments · retention and disposal purge check.

  3. Q3

    Test & rehearse

    Penetration test (Lane B) or monitoring review (Lane A) · vulnerability assessment #2 · IR tabletop.

  4. Q4

    Review & report

    Program-currency review · the QI's written annual report delivered to the board or senior officer.

In Force Since May 2024

The notification event clock

  1. Trigger

    Unauthorized acquisition of unencrypted customer information involving 500 or more consumers. Acquisition is presumed where there was unauthorized access, unless reliable evidence shows there was not, or could not reasonably have been, acquisition.

  2. Report to the FTC

    As soon as possible and no later than 30 days after discovery, via the FTC's online form. The submission lands in a public database.

  3. Layer the rest

    State breach laws (often consumer and AG notice), contractual duties to lenders and partners, cyber-insurer notice: run them in parallel, not after.

  4. Feed the program

    Post-incident: document, remediate the root cause, revise the IR plan and risk assessment. Element (g) in action.

The encryption dividend: the notification trigger is unencrypted customer information — or encrypted information where the key was also compromised. Safeguard #3, done properly, is what keeps an incident from becoming a public federal filing.

The Paper Trail

The document pack — what a regulator or insurer asks for first

The rule runs on paper: nine documents that prove the program exists and operated. Assessors, insurers, lenders, and the FTC ask for these in roughly this order — and the annual report only holds up if everything above it in the stack is real.

Nine Documents, One Program

The document pack

  • WISP (Written Information Security Program)
    What it is: The master document tying all nine elements together: scope, the QI designation, the safeguards and how each is implemented, testing lane, training, vendor oversight, and review cycle. For tax pros, this doubles as the WISP the IRS expects per Publications 4557/5708.
    Owner / cadence: QI owns, client approves · reviewed annually

  • Written risk assessment
    What it is: Criteria-based: what customer information exists, the threats to it, likelihood and impact, and how the safeguards (or accepted risks) address each. The document the rest of the program must trace back to.
    Owner / cadence: Shared · annual + on material change

  • Data & system inventory
    What it is: Where NPI lives and flows: systems, apps, shares, paper, vendors. Feeds scoping, encryption coverage, and disposal.
    Owner / cadence: MSP-heavy · refreshed on change

  • QI designation & oversight memo
    What it is: Who the Qualified Individual is, their authority, and (if a service provider) the named senior client employee providing direction and oversight.
    Owner / cadence: Client signs · reviewed annually

  • Incident response plan
    What it is: The seven required topics (goals, processes, roles, communications, remediation, documentation, revision) plus the FTC 30-day reporting step and a state-law matrix with contacts pre-filled.
    Owner / cadence: Shared · tabletop-tested annually

  • Vendor oversight file
    What it is: The service-provider register: due-diligence questionnaires, contract safeguard clauses, and periodic reassessment records, including the MSP's own entry.
    Owner / cadence: Shared · reassessed on cycle

  • Training records
    What it is: Awareness campaign completion for all relevant staff, plus evidence security personnel stay current: certs, threat briefings.
    Owner / cadence: MSP runs · per campaign

  • Annual written report
    What it is: The QI's report to the board or senior officer: program status, risk assessment results, testing outcomes, incidents and responses, and recommendations. Keep every year's copy; it proves the program operated.
    Owner / cadence: QI delivers · annually

  • Equivalent-control memos
    What it is: Any QI-approved alternatives to encryption or MFA, with the reasoning and compensating controls. Should be rare; review at every cycle for retirement.
    Owner / cadence: QI approves · reviewed annually

The annual report test

Could the client's owner hand this year's report to their lender, insurer, or an FTC investigator without flinching? If it shows the risk assessment ran, the tests happened, the findings closed, and the incidents were handled — the program is real. If it's a one-page reassurance, it's a liability with a signature on it.

Stack the verticals

Most Safeguards clients carry sibling obligations on the same evidence: IRS Pub 4557 / Form W-12 WISP attestation for tax pros, PCI DSS wherever cards are taken (see this series' PCI guide), state privacy laws, and lender/OEM security addenda for dealers. Build the program once and let cross-mapping serve them all.

ControlMap by ScalePad

From "are we even covered?" to a reportable program

ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Everything the Safeguards Rule demands in writing — the risk assessment, the WISP, the eight safeguards with evidence, vendor oversight, training attestations, and the QI's annual report — lives in one workspace per client, on the cadence the rule prescribes.

The Five-Step ControlMap Workflow for FTC Safeguards

  1. Onboard & adopt the framework

    Create a dedicated client workspace and load the Safeguards control set mapped to the nine elements. Record the coverage determination, QI designation and oversight memo, and data/system inventory as foundation documents. Cross-mapping lets the same work feed IRS WISP, PCI DSS, or CIS later.

  2. Run the written risk assessment

    Use built-in questionnaires to baseline the client against every element and safeguard, then build the risk register: customer-information assets, threats, likelihood × impact, treatment decisions. The export is the written, criteria-based risk assessment element (b) requires.

  3. Implement the eight safeguards

    Each control card explains the safeguard, what "implemented" looks like, and what evidence satisfies it. Assign owners (your engineers for MFA, encryption, and monitoring; client staff for paper handling and disposal), set due dates, and track gap → in progress → implemented on the dashboard the QI reports from.

  4. Build the WISP & policies

    Draft the written program, incident response plan, retention/disposal policy, and acceptable-use set from the template library; tailor to the institution; version-control approvals; and push to staff for electronic acknowledgment, turning element (e)'s training and the written-program mandate into stored attestations.

  5. Evidence on cadence, report annually

    Attach evidence to every control (MFA enrollment, encryption status, scan and pen-test reports, vendor reassessments, training exports), automating what integrations allow. Recurring tasks enforce the semi-annual and annual clocks, and the dashboard rolls it all into the QI's written annual report for the board.

Package it as a service

Productize the program: Assess (coverage check, inventory, risk assessment) → Remediate (MFA, encryption, monitoring gaps) → Manage (monthly compliance-as-a-service with the testing cadence, vendor oversight, and the annual report). Add QI-as-a-Service as the premium tier — it's the stickiest seat at the client's table.

Make the QBR land

For Safeguards clients the QBR is a compliance instrument: walk the owner through the dashboard, and once a year that walkthrough becomes the QI's written report. "Your dealership stays off the FTC's public breach list, and here's the paper that proves the program ran" closes renewals by itself.

Keep it alive

Coverage drifts: a new finance product, a consumer-record count crossing 5,000, a new DMS or tax platform, an acquisition. Make "anything new in how you handle customer financial data?" a standing QBR question — and re-run the risk assessment whenever the answer is yes.

Take Action

Map the platform, run the first 90 days, work the checklist

Where each part of the Safeguards program lives in ControlMap and the records the FTC expects; a realistic first-90-days arc per client; and the ten-point quick-start checklist to put the whole guide in motion.

ControlMap in Action

Mapping ControlMap to the Safeguards program

  • The 9 elements
    In ControlMap: Run each element as a tracked control with an owner; store the QI designation and oversight memo; schedule the annual risk-assessment refresh and program-currency reviews; archive each year's annual report.
    Records you'll bank: QI designation · written risk assessments by year · annual reports archive · program-review records

  • The 8 safeguards
    In ControlMap: Map MFA, encryption, access, inventory, disposal, change, monitoring, and app-evaluation controls to your stack; track any QI-approved equivalent-control memos with review dates; run the access-review and purge cadences as recurring tasks.
    Records you'll bank: MFA & encryption coverage reports · access-review sign-offs · disposal logs · equivalent-control memos under review

  • Testing & response
    In ControlMap: Pick the lane (continuous monitoring or scheduled testing) and calendar it: vulnerability assessments every six months, annual pen test or monitoring review, annual IR tabletop; log incidents with the 30-day FTC clock and state-law steps built into the workflow.
    Records you'll bank: Scan & pen-test reports with remediation closure · tabletop minutes · incident log with notification decisions

  • Your own MSP
    In ControlMap: Stand up a workspace for your own firm. You're a service provider under element (f) of every client's program, and a prerequisite of holding the QI role is maintaining your own information security program. Document it once, answer every client questionnaire from it.
    Records you'll bank: Your own WISP & risk assessment · questionnaire-ready security package · proof for cyber insurance and client due diligence

Per Client

A realistic first-90-days arc

  1. W1-2

    Confirm & designate

    Coverage confirmed · QI model chosen and designated · workspace created · data/system inventory started.

  2. W3-6

    Assess & sweep

    Written risk assessment complete · MFA and encryption sweep done · remediation plan priced and approved.

  3. W7-10

    Document & train

    Safeguard gaps closed · WISP and IR plan approved · staff training launched with attestations.

  4. W11-13

    Operate & report

    Testing lane running · vendor oversight file built · evidence flowing · first program report delivered at QBR.

Take Action

Your 10-point FTC Safeguards quick-start checklist

  1. Sweep for hidden financial institutions

    Dealers, tax and CPA firms, lenders, collectors, title shops across your client list, and document the coverage call for each.

  2. Choose the QI model per client

    Client-employee QI or MSP-as-QI, and put the designation, oversight line, and reporting duty in writing.

  3. Build the data & system inventory

    Every place customer NPI lives (DMS, tax software, shares, email, paper) and how it flows in and out.

  4. Complete the written risk assessment

    In ControlMap: the criteria-based document the rest of the program traces back to.

  5. Close the two named gaps first

    MFA on every system holding customer information, and encryption at rest and in transit.

  6. Set the retention clock

    Dispose of customer information within two years of last use unless retention is justified, and log the purges.

  7. Pick the testing lane

    Continuous monitoring, or annual pen test plus semi-annual vulnerability assessments, and calendar it.

  8. Publish the WISP and IR plan

    From templates, with the FTC 30-day notification step and state-law contacts pre-filled, and train staff with attestations.

  9. Stand up the vendor oversight file

    Questionnaires, contract clauses, reassessment cadence, with your own MSP as the first entry.

  10. Deliver the QI's annual report

    To the board or senior officer, generated from ControlMap and archived every year as proof the program operated.

This guide is provided for general educational purposes and reflects the FTC Safeguards Rule (16 CFR Part 314) and related GLBA provisions as commonly understood at time of publication. It is not legal advice; coverage determinations, the small-institution exemption, breach-notification duties, and parallel obligations (state law, IRS guidance, the GLBA Privacy Rule) vary by circumstance — confirm specifics with qualified counsel and the FTC's current business guidance.

Turn FTC Safeguards into your next managed service

See how MSPs run multi-client Safeguards programs — risk assessments, the eight safeguards, WISPs, and the QI's annual report — in ControlMap.