The FTC Safeguards Rule: The Law Nobody Told Your Bookkeeper About

I need to tell you about a federal law whose major requirements took effect June 9, 2023 — with a separate breach notification requirement added in 2024. A law that applies to bookkeepers, tax preparers, accountants, financial advisors, mortgage brokers, and anyone else who handles other people's financial data for a living. A law that carries real enforcement consequences — consent orders, mandatory remediation, breach reporting obligations, litigation exposure, and serious reputational damage.

And there's a decent chance nobody ever told you about it.

What Is the FTC Safeguards Rule?

The FTC Safeguards Rule — formally 16 CFR Part 314 — requires any business that qualifies as a "financial institution" under the Gramm-Leach-Bliley Act to develop, implement, and maintain an information security program that protects customer data.

When most people hear "financial institution," they think banks. That's not what the law means.

The FTC defines "financial institution" through the Bank Holding Company Act, which lists activities that are "financial in nature." Those activities include transferring or safeguarding money, providing financial or economic advisory services, and arranging or facilitating financial transactions for third parties.

The rule expressly names accountants and tax preparation services, investment advisory companies, credit counseling services, mortgage brokers, and wire transfer businesses among its covered entities. If your business activities fall into the categories the law defines as "financial in nature" — and handling client payroll, filing tax returns, and managing client financial accounts very likely qualify — then the Safeguards Rule applies to you.

The FTC's own plain-language guide on its website explicitly lists these types of businesses as covered entities. Section 314.2(h) lists 13 examples of businesses the rule treats as financial institutions. If you're unsure whether your specific business activities qualify, that's a question worth getting a definitive answer to — because the cost of assuming you're not covered and being wrong is much higher than the cost of finding out.

What the Rule Requires

The Safeguards Rule lays out nine specific elements your information security program must include. Not "should" include. Must.

1. Designate a Qualified Individual. Someone has to be named as responsible for your security program. This can be an employee or an outside provider — but someone's name has to be on it.

2. Conduct a Risk Assessment. You must identify where your sensitive data is, what the risks to that data are, and document the findings. Not in your head. On paper.

3. Design and Implement Safeguards. This is the big one. Access controls, encryption, multi-factor authentication, email security, endpoint protection, network security. The technical controls that actually protect client data. The rule specifically requires MFA for anyone accessing information systems, unless the Qualified Individual approves in writing an equivalent or more secure control. It also requires encryption of customer information in transit over external networks and at rest, unless encryption is infeasible and approved compensating controls are documented in writing.

4. Monitor and Test Your Safeguards. You can't set it and forget it. Continuous monitoring or periodic testing is required. In practice, this often means audit logs that show who accessed what and when — the kind of evidence you need if something goes wrong.

5. Train Your Staff. Security awareness training for all personnel, updated as necessary to reflect risks identified in your risk assessment. If your staff can't recognize a phishing email, all the technology in the world won't save you.

6. Monitor Your Service Providers. You must take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards, and require them by contract to implement and maintain those safeguards.

7. Keep the Program Current. Regular patching, updates, and adjustments as threats evolve. Your security program isn't a document you write once and file away — it needs to adapt as your business and the threat landscape change.

8. Create a Written Incident Response Plan. What happens when something goes wrong? Who does what? What are the internal processes? How do you contain the damage? How do you document what happened? This needs to be written down before the incident, not made up during it. Separately, the rule now requires FTC notification as soon as possible — and no later than 30 days after discovery — of certain security breaches involving the unauthorized acquisition of at least 500 consumers' unencrypted customer information.

9. Require Your Qualified Individual to Report. The person running your security program must report to firm leadership at least annually on the status of the program, security events, and recommendations.

That's not a wish list. That's federal law. Every one of those nine elements is a requirement with the force of the FTC behind it.

"But We're Small. We're Exempt."

This is the most common pushback I hear, and it's based on a misunderstanding.

There is a limited exemption in the Safeguards Rule for businesses that maintain information on fewer than 5,000 consumers. But it doesn't mean what most people think it means.

The exemption only applies to four specific provisions: the written risk assessment requirement, continuous monitoring and penetration testing, the written incident response plan, and the annual written report to leadership. You still need a Qualified Individual. You still need an information security program with appropriate safeguards. The core obligation doesn't go away.

And here's the part that catches people: the 5,000-consumer threshold counts every consumer record you handle. Not just your clients. Your clients' employees if you run payroll. Your clients' customers if you process their transactions. Vendors whose bank account numbers or Social Security numbers you have on file.

A bookkeeping firm with 30 clients, each with an average of 50 employees and 100 customers, is looking at 4,500+ consumer records before you even count the vendors. You're probably closer to the 5,000 threshold than you think. And even if you're under it, you still need safeguards.

The Consequences

Let's talk about what happens if you don't comply and something goes wrong.

Noncompliance can lead to FTC enforcement actions, consent orders, mandatory remediation programs, breach reporting obligations, litigation exposure, and serious reputational damage. If the FTC issues a consent order and you later violate it, civil penalties currently exceed $50,000 per violation. The exact penalties and remedies depend on the facts, the legal theory, and whether an order is later violated.

But the regulatory consequences are only part of the picture. On the practical side, your cyber insurance carrier may deny your claim if you can't demonstrate that reasonable safeguards were in place at the time of the incident. Your clients may sue — especially if their Social Security numbers, bank accounts, or tax records are exposed and you had no documented security program. And the reputational damage to a bookkeeping or accounting firm that loses client financial data — that's the kind of thing that closes businesses.

The absence of a documented security program doesn't just create regulatory risk. It creates legal risk, insurance risk, and business survival risk — all at the same time.

The Irony Nobody Talks About

Here's what gets me about this. I work with a lot of CPAs, bookkeepers, and financial professionals. These are people whose entire career is built on regulatory compliance. They know tax code. They know GAAP. They know state licensing requirements. They advise their own clients on compliance with financial regulations.

And yet a significant number of them are out of compliance with a federal law that applies directly to their own business.

It's not because they don't care. It's because nobody told them. The FTC Safeguards Rule didn't get the press coverage that HIPAA gets in healthcare. There was no industry-wide panic. The compliance deadline came and went in June 2023, with additional requirements added in 2024, and most small financial services firms didn't even notice.

But the law doesn't care whether you noticed. It cares whether you complied.

What Compliance Actually Looks Like

I'm not going to pretend this is simple. But I also don't want you to think it's impossible. For a small bookkeeping or accounting firm, here's what a compliant security program actually looks like in practice.

The foundation — what most firms are missing entirely:

- Someone is named as the Qualified Individual responsible for the program.
- A risk assessment has been conducted and documented — where is sensitive data stored, what are the risks, what controls are in place.
- An incident response plan is written down before anything goes wrong.
- Staff have completed security awareness training, the training is updated as risks change, and you have the records to prove it.

The technical controls — some of which you may already have pieces of:

- Multi-factor authentication is enforced on every account — the rule requires this for anyone accessing information systems, with very limited exceptions that must be approved in writing by the Qualified Individual.
- Encryption for customer information in transit over external networks and at rest.
- Full disk encryption on every laptop and workstation — because a lost laptop with unencrypted client tax returns is a breach.
- Email security beyond the basic spam filter — phishing protection, attachment scanning, business email compromise detection.
- Endpoint detection and response on every device — not antivirus, actual EDR that catches threats based on behavior.
- Password management — unique, complex passwords for every system, managed through an enterprise password vault.

The monitoring layer — what makes it a program instead of a checkbox:

- A SIEM that provides audit logging and compliance reporting.
- 24/7 security monitoring — someone watching your environment even when you're not.
- Regular vulnerability scanning.
- Backup and disaster recovery with defined recovery objectives and immutable storage that ransomware can't touch.

The documentation — what you show the auditor:

- Written security policies and procedures.
- The risk assessment report.
- Training completion records.
- Incident response plan.
- Annual report from the Qualified Individual to firm leadership.
- Evidence that all of the above is being maintained and updated.

That's the program. It's not a single product you buy. It's not a checkbox on a form. It's a living, documented, managed system that protects your clients' data and proves it if anyone asks.

The Phased Approach

Nobody builds this overnight. And nobody expects you to. The Safeguards Rule requires you to have a program — it acknowledges that the program should be appropriate to the size and complexity of your business.

For most small firms, this is a three-phase process over about four to six months.

Phase one is closing the doors that are wide open. Turn on MFA everywhere. Deploy email security. Get a password manager in place. Encrypt your hard drives. Start security training. Name your Qualified Individual. These are the items that are both high-risk and fast to implement.

Phase two is building the monitoring and documentation layer. Get a SIEM in place for audit logging. Activate 24/7 monitoring. Run a data discovery scan to find where sensitive information lives across your systems. Deploy proper backup. Conduct and document the risk assessment.

Phase three is completing the program. Write the incident response plan. Review your vendor agreements. Build the annual reporting framework. Assemble the full compliance documentation package. Now you have a program that holds up if the FTC, your insurance company, or a client's attorney comes asking questions.

Each phase is tied to specific risk reduction. Each phase has a specific cost. There's no sticker shock because you're not looking at one big number — you're looking at a ladder.

Why Starting Now Matters

There's a practical reason to start building your security program today instead of waiting.

If a breach happens six months from now and you have nothing in place — no documentation, no risk assessment, no written policies, no evidence of safeguards — you're starting from zero in the worst possible moment. You're trying to prove something you never built.

But if you start today, six months from now you have a documented program, a track record of security practices, training records, audit logs, and evidence that you took this seriously. That doesn't just protect your clients' data. It protects your business if anyone — the FTC, an insurance adjuster, a client's attorney — comes asking what you had in place when the incident occurred.

The difference between "we had a program" and "we had nothing" isn't subtle. It's the difference between a defensible position and an indefensible one. And that program takes time to build, which is exactly why starting later is always worse than starting now.

The Question You Need to Ask Yourself

I'm not going to tell you what to do. That's not my job in a blog post. My job is to tell you the truth and let you decide.

So here's the truth: for many bookkeeping, tax, payroll, and advisory firms, the FTC Safeguards Rule likely applies. It has been in effect since 2023. It requires nine specific elements in your security program. And if you can't demonstrate compliance when it matters, the consequences are real — regulatory, legal, financial, and reputational.

If your activities fall within the law's definition of "financial in nature," assuming you're exempt can be an expensive mistake. The question isn't whether to find out. It's whether you find out now, on your terms — or later, on someone else's.

You can keep doing what you've been doing and hope nobody notices. That's what most firms are doing right now. And for most of them, that bet will probably work — right up until the day it doesn't.

Or you can start building the program. Not because I told you to. Because it's the right thing to do for the clients who trusted you with their most sensitive financial information.

They trusted you to keep it safe. That trust deserves a plan.

Matt is the founder of DirectLine-IT Wayfinder Technology Partners, a managed IT security provider based in Hood River, Oregon. DirectLine-IT specializes in cybersecurity and compliance for bookkeeping firms, financial advisors, CPAs, healthcare practices, and businesses in regulated industries. If you have questions about how the FTC Safeguards Rule applies to your business, the conversation is always free.
