Announced earlier this month, the FTC has extended the deadline for compliance with the Safeguards Rule to June 9, 2023. According to the FTC, this six-month extension is largely due to a shortage of personnel and ongoing supply chain issues.


In October of last year, the Federal Trade Commission (FTC) announced amendments to the Standards for Safeguarding Customer Information, or “Safeguards Rule,” for short. With changes in technology, the FTC saw opportunities for an update to protect the security and integrity of consumer’s personal information.

The Safeguards Rule requires non-banking financial institutions to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. Non-banking financial institutions are anyone who acts as a “finder,” bringing together buyers and sellers while the parties themselves negotiate and complete the transaction. This includes businesses such as car dealerships, furniture companies, big box electronic retailers, home builders, and construction companies, who put customers in touch with lenders in order to pay for their services.

Previously, qualifying organizations were told they had until December 9th, 2022 to comply with the data security provisions. However, the FTC is extending the deadline to June 9, 2023 due to petitions from those affected by the new rules. Many are reporting there is both a shortage of qualified personnel able to implement the information security programs and supply chain issues have created delays in obtaining necessary equipment for security system upgrades. This largely affects small businesses, who lack the same resources as the larger corporations in their field.


If you are one of the financial institutions identified by the FTC and have not yet started your search for qualified personnel to implement your information security programs, we urge you to do so immediately. At Xamin, we’ve identified the average time needed for a business to become compliant is 90 days. Because of this, we strongly recommend allowing yourself at least three months (90 days) after finding an IT compliance expert to create, fortify, or maintain your information security program.

In order to meet the requirements of the Safeguards Rule, you need:

  • Annual penetration tests and biannual vulnerability assessments
  • Comprehensive data and systems inventory
  • Employee training
  • Risk assessments that test your physical, electronic, technical, and administrative safeguards

In selecting an IT partner, it’s important to find cybersecurity experts with high efficiency and accuracy, including a full understanding of compliance. Non-compliance has severe penalties, including fines up to $100,000 per incident for institutions and up to $10,000 for individuals with potential prison time of up to five years for egregious and/or repetitive violation.

To understand more about the Safeguards Rule, you can watch our webinar below or read the recap on our blog: