If you prepare taxes, arrange financing, or lend money, there's a federal rule you're expected to follow — and in 2026, regulators are actively enforcing it. The FTC Safeguards Rule requires a broad set of businesses to protect their customers' financial information, and many owners still assume it doesn't apply to them. It very likely does. Here's what it requires and how to know if you're covered.
The Safeguards Rule applies to "financial institutions" under the FTC's jurisdiction — and that phrase is far broader than banks. The FTC's own examples include tax preparation firms, mortgage lenders and brokers, finance companies, payday and check-cashing services, collection agencies, credit counselors, and investment advisors not registered with the SEC. For many Utah businesses, the surprise is that arranging or facilitating customer financing pulls you in. Auto dealerships that help buyers secure loans, and accounting firms handling sensitive financial records, are common examples of businesses that are covered but don't realize it.
At its core, the Safeguards Rule asks you to build and maintain a written information security program. Several specific elements stand out:
You must designate a "Qualified Individual" responsible for your information security program, and that person must report in writing — at least annually — to your board or a senior officer. For many small firms, this responsibility is handled in partnership with an outside IT provider.
You need to identify where customer information lives, how it flows, and what the reasonably foreseeable risks are — documented, not just understood informally.
The rule points to concrete controls: multi-factor authentication for anyone accessing customer information, encryption of that data at rest and in transit, and access controls that limit who can reach it. These aren't optional niceties — they're expected.
You must either continuously monitor your systems or conduct annual penetration testing plus twice-yearly vulnerability assessments. This is where a lot of smaller firms fall short simply because they don't have the tooling.
Since May 2024, covered businesses must notify the FTC as soon as possible — and no later than 30 days — after discovering a security breach involving the information of at least 500 consumers.
If a third party — a payroll processor, cloud provider, or IT support firm — can access your customer data, you're required to have a contract with security requirements and to monitor their compliance. Your service providers are part of your compliance picture, not outside it.
The two hardest pieces for most small and mid-size firms are the technical controls (MFA, encryption, monitoring, penetration testing) and the documentation that proves you're doing them. That's precisely the work we do for the industries we serve — accounting and CPA firms, financial services and lenders, and auto dealerships. We can implement the required safeguards, stand behind the Qualified Individual role, and produce the documentation that keeps you audit-ready. If you're not sure whether the Safeguards Rule applies to you — or whether you'd pass scrutiny today — a quick assessment will tell you where you stand.
This article is general information, not legal advice. For a definitive read on whether and how the Safeguards Rule applies to your business, consult a qualified attorney — and we'll handle the technical safeguards.
Get a free assessment and we'll tell you whether the Safeguards Rule applies to you and where your gaps are.