Learn why non-bank financial institutions must comply with the FTC Safeguards Rule and how passkeys can achieve secure, long-term MFA compliance.
Alex
Created: October 18, 2025
Updated: October 18, 2025
The Federal Trade Commission (FTC) is an independent U.S. government agency responsible for protecting consumers and ensuring fair competition. Beyond its well-known work in antitrust and advertising oversight, the FTC also plays a central role in data security regulation, especially for non-bank financial institutions.
As cyber threats and credential-based attacks continue to rise in the USA, the FTC has strengthened its enforcement of secure authentication practices. Through its Safeguards Rule, the Commission now requires financial institutions to adopt Multi-Factor Authentication (MFA) and other technical safeguards to protect sensitive customer information. These requirements mark a clear shift from flexible, "reasonable security" expectations toward specific, mandatory security standards. In this blog we will be covering the following questions associated with this topic:
What are the FTC's new rules around Multi-Factor Authentication (MFA)?
How can financial institutions meet the FTC's MFA and data protection requirements?
Who needs to implement MFA under the new FTC Safeguards Rule and what roles are responsible?
The FTC enforces data-protection requirements under the Gramm-Leach-Bliley Act (GLBA) through the Standards for Safeguarding Customer Information, commonly known as the Safeguards Rule (16 CFR Part 314). This rule requires organizations under FTC jurisdiction to maintain appropriate administrative, technical, and physical safeguards to protect customer data against unauthorized access or misuse.
Banks are supervised by the federal banking agencies; the FTC's authority instead covers a wide range of non-bank financial institutions, including:
Mortgage lenders and brokers
Payday and finance companies
Tax preparation firms
Collection agencies
Investment advisers not registered with the SEC
Originally introduced in 2003, the Safeguards Rule gave organizations broad discretion in how to protect customer data. However, with the rapid evolution of cyber threats, the FTC updated the rule in 2021 to include explicit technical requirements, turning earlier recommendations into mandatory controls.
These amendments, effective January 10, 2022, defined a stronger baseline for data protection by requiring safeguards such as MFA and encryption. For several of the new provisions, including MFA, the FTC initially set a compliance deadline of December 9, 2022, later extended to June 9, 2023, to give organizations time to adapt.
By specifying technologies like MFA, the FTC made clear that relying solely on passwords is no longer acceptable. The absence of strong authentication measures is now considered an unreasonable security failure, reflecting the agency's move toward a stricter, enforcement-driven approach to cybersecurity.
The most significant change introduced by the 2021 amendments to the FTC Safeguards Rule is the mandatory use of Multi-Factor Authentication (MFA). This requirement makes MFA a fundamental security control for protecting customer information and preventing unauthorized access.
The Safeguards Rule requires covered financial institutions to implement MFA for any individual accessing any information system that holds customer information, unless the Qualified Individual has approved in writing reasonably equivalent or more secure access controls. This applies to employees, contractors, service providers, and customers alike.
The rule aims to protect against one of the most common causes of data breaches, compromised credentials. Compliance therefore requires not only MFA for initial system logins but also for internal access to sensitive data and administrative functions.
In practice, this pushes organizations toward a Zero Trust posture: MFA should be enforced for privileged accounts, remote and administrative access paths, and every system storing or processing customer information, such as names, Social Security numbers, or loan data.
The FTC defines MFA as a verification process that requires at least two of the following three types of authentication factors. This ensures that even if one factor is compromised, another independent factor prevents unauthorized access.
Authentication Factor Type | Definition | Examples | Security Context |
---|---|---|---|
Knowledge | Something the user knows. | Password, PIN, security question answer. | Vulnerable to phishing, keylogging, and credential stuffing (reuse across sites). |
Possession | Something the user has. | Hardware token, mobile app code (TOTP/HOTP), security key (FIDO). | Strong protection against remote credential theft; OTP codes can still be relayed by a real-time phishing proxy, whereas a FIDO key's response is bound to the site origin. |
Inherence | Something the user is. | Fingerprint, facial recognition, other biometric characteristics. | Cannot be shared or reused like a password; normally verified locally on the device rather than transmitted. |
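The two-of-three definition is easy to get wrong in practice: a password plus a security question is two credentials of the same type and does not qualify, while a single passkey ceremony with user verification proves possession of the private key and, through the device's biometric or PIN, a second factor type. The following Python helper is an added illustration, not code from this article or from Corbado; the catalogue of methods and the assumptions about how each is deployed are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something the user has
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Method:
    name: str
    factors: frozenset          # factor types the method actually demonstrates
    phishing_resistant: bool    # bound to the site origin, so a look-alike page cannot relay it


# Constructed catalogue (assumption: how each method is typically deployed).
# A one-time code only proves possession of the phone or app that produced it.
PASSWORD = Method("password", frozenset({Factor.KNOWLEDGE}), False)
SECURITY_QUESTION = Method("security question", frozenset({Factor.KNOWLEDGE}), False)
SMS_OTP = Method("SMS OTP", frozenset({Factor.POSSESSION}), False)
TOTP_APP = Method("TOTP app", frozenset({Factor.POSSESSION}), False)
FIDO2_KEY_UP_ONLY = Method("FIDO2 key, presence only", frozenset({Factor.POSSESSION}), True)


def passkey(user_verification: str = "") -> Method:
    """A passkey ceremony proves possession of the private key. If the authenticator
    also performed user verification, the biometric (inherence) or device PIN
    (knowledge) is a second, independent factor type within the same ceremony."""
    factors = {Factor.POSSESSION}
    if user_verification == "biometric":
        factors.add(Factor.INHERENCE)
    elif user_verification == "pin":
        factors.add(Factor.KNOWLEDGE)
    label = f"passkey ({user_verification or 'presence only'})"
    return Method(label, frozenset(factors), True)


def evaluate(methods: Iterable[Method]) -> dict:
    """Apply the Safeguards Rule definition (16 CFR 314.2): at least two *distinct*
    factor types. Two methods of the same type, e.g. password + security question,
    do not qualify. A login that requires all listed methods is phishing-resistant
    as soon as one of them is origin-bound, because a relayed session cannot be
    completed without it."""
    methods = list(methods)
    types = frozenset().union(*(m.factors for m in methods))
    return {
        "methods": [m.name for m in methods],
        "factor_types": sorted(f.value for f in types),
        "is_mfa": len(types) >= 2,
        "phishing_resistant": any(m.phishing_resistant for m in methods),
    }


if __name__ == "__main__":
    for combo in ([PASSWORD, SECURITY_QUESTION], [PASSWORD, SMS_OTP],
                  [passkey("biometric")], [passkey()], [PASSWORD, FIDO2_KEY_UP_ONLY]):
        print(evaluate(combo))
```

Note that a passkey used with user presence only (no biometric or PIN) is still a single factor type; if the relying party wants the ceremony to count as MFA on its own, it must request and verify user verification.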
Past enforcement actions have shown that weak password-only systems are considered unreasonable security practices.
The FTC made MFA mandatory because it is one of the most effective and affordable ways to prevent unauthorized access to financial systems. MFA protects against common attack methods such as phishing, social engineering, brute-force attempts, and stolen credentials.
The Commission also addressed concerns about cost and complexity, noting that many low-cost MFA solutions are readily available and easy to implement. However, not all MFA methods are equally secure or economical. For instance, SMS one-time passwords (OTPs) introduce ongoing operational costs, as every login or verification triggers a paid message (this is one of the reasons the UAE is already phasing out SMS OTP).
In contrast, passkeys offer a modern alternative that is both cost-effective and secure. They eliminate per-login fees, provide phishing-resistant protection by design, and significantly enhance user experience through seamless biometric authentication, offering users the security of MFA with the simplicity of a passwordless login.
The FTC's Safeguards Rule is backed by strong enforcement powers and new mandatory breach notification requirements. Together, these measures ensure that financial institutions not only implement proper safeguards like MFA but also remain accountable if a security incident occurs.
The FTC enforces the Safeguards Rule under its authority from the Gramm-Leach-Bliley Act (GLBA) and Section 5(a) of the FTC Act, which prohibits unfair or deceptive practices, including inadequate data security.
In practice, this means the FTC can bring enforcement actions against companies that fail to implement reasonable protections for customer information, even if no breach has yet occurred.
Past enforcement cases show where institutions commonly fail:
Weak password policies or allowing easily guessed credentials.
Failure to patch critical vulnerabilities, leaving systems exposed.
Lack of access controls leading to unauthorized account takeovers.
Inadequate oversight of service providers, resulting in data exposure.
High-profile cases such as Wyndham and CafePress, both brought under Section 5 of the FTC Act rather than the GLBA, show how the FTC treats such failures as unreasonable security practices; the same reasoning applies to financial institutions under the Safeguards Rule. Weak or guessable credentials and unchecked account access are precisely the deficiencies MFA is designed to prevent, while unpatched systems and weak vendor oversight require controls of their own.
Implementing MFA is therefore not only a compliance requirement, it is a practical safeguard against enforcement risk. If a breach occurs and MFA was not in place, the FTC can readily conclude that the institution's security program was "unreasonable", even if other controls existed.
The FTC further amended the Safeguards Rule in October 2023 to add mandatory data breach reporting for covered financial institutions; the requirement took effect on May 13, 2024. This change aligns the FTC's framework with broader U.S. and international incident reporting trends, adding transparency and urgency to breach response obligations.
Institutions must report a "notification event", defined as the unauthorized acquisition of unencrypted customer information involving at least 500 consumers.
Key requirements include:
Timeline: Notification must be made to the FTC as soon as possible, and no later than 30 days after discovery of the event; an event counts as discovered on the first day it becomes known to the institution.
Method: Reports must be submitted through the FTC's online reporting form.
Required details: Company name and contact information, the types of information involved, event start and end dates, number of affected consumers, a short description of what occurred, and whether a law enforcement official has asked for public disclosure to be delayed.
Public disclosure: The FTC may publish submitted reports, increasing reputational and regulatory consequences for non-compliance.
The rule also clarifies how encrypted data is treated in breach reporting. Encrypted customer information is considered "unencrypted" if the associated encryption key was also accessed or compromised by an unauthorized party.
This definition highlights the critical importance of key management system (KMS) security. Losing control of encryption keys is treated as equivalent to exposing raw, unencrypted customer data, so a breach that also exposes the keys protecting records of 500 or more consumers triggers the 30-day reporting requirement.
To prevent this, institutions should ensure that every system managing encryption keys is protected by MFA, strict access controls, and continuous monitoring, and that key access is logged, so that whether a key was touched can actually be established during an investigation.
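As an added example (not from the original article), the triage helper below encodes the rule's logic for an incident that touches several data stores: records from a store whose key stayed under control do not count toward the 500-consumer threshold, records from a store whose key was also taken do, consumers are de-duplicated across stores, and the FTC deadline is 30 days from the discovery date. The store names, consumer identifiers and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable

NOTIFICATION_THRESHOLD = 500          # consumers, 16 CFR 314.4(j)
REPORTING_WINDOW = timedelta(days=30)  # "no later than 30 days after discovery"


@dataclass(frozen=True)
class ExposedStore:
    """One data store touched by the intruder (constructed model for the example)."""
    name: str
    consumers: FrozenSet[str]   # identifiers of consumers whose records were acquired
    encrypted_at_rest: bool
    key_compromised: bool       # the store's encryption key was also accessed by the intruder


def counts_as_unencrypted(store: ExposedStore) -> bool:
    # 16 CFR 314.2: encrypted customer information is treated as unencrypted
    # when the encryption key was accessed by an unauthorized person.
    return (not store.encrypted_at_rest) or store.key_compromised


def assess(discovered: date, stores: Iterable[ExposedStore]) -> dict:
    """Decide whether the incident is a notification event and compute the FTC deadline.
    Only stores that count as unencrypted contribute to the threshold, and a consumer
    present in several stores is counted once."""
    counted = [s for s in stores if counts_as_unencrypted(s)]
    exposed = frozenset().union(*(s.consumers for s in counted))
    is_event = len(exposed) >= NOTIFICATION_THRESHOLD
    return {
        "stores_counted": [s.name for s in counted],
        "consumers_exposed": len(exposed),
        "notification_event": is_event,
        "ftc_deadline": discovered + REPORTING_WINDOW if is_event else None,
    }


# Constructed incident: three stores with overlapping consumer populations.
SAMPLE_DISCOVERED = date(2025, 1, 10)
SAMPLE_STORES = [
    ExposedStore("loan-applications (plaintext)",
                 frozenset(f"c{i}" for i in range(0, 300)), False, False),
    ExposedStore("kyc-documents (encrypted, key intact)",
                 frozenset(f"c{i}" for i in range(200, 900)), True, False),
    ExposedStore("payment-history (encrypted, KMS key exfiltrated)",
                 frozenset(f"c{i}" for i in range(250, 600)), True, True),
]

if __name__ == "__main__":
    print(assess(SAMPLE_DISCOVERED, SAMPLE_STORES))
```

In the constructed incident the plaintext store alone exposes 300 consumers, below the threshold; adding the store whose KMS key was exfiltrated brings the distinct count to 600 and makes the incident reportable, while the 700 records in the store whose key was never touched do not count at all. The whole decision therefore hinges on the KMS audit trail.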
The FTC's approach is clear: failing to implement mandatory safeguards such as MFA, encryption, or secure key management will likely be viewed as unreasonable data security under the GLBA.
Strong authentication, rigorous vendor oversight, and timely breach reporting are now essential not only for compliance but also for maintaining customer trust and demonstrating due diligence in the event of a cyber incident.
Compliance professionals operating across multiple regulatory domains must recognize where the FTC's explicit, prescriptive mandate for MFA diverges from the flexible, risk-based approaches found in other major frameworks, such as HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes standards to protect electronically protected health information (ePHI). Under the Technical Safeguards section, the "Person or Entity Authentication" standard (§ 164.312(d)) requires covered entities to implement procedures to verify identity.
However, HIPAA does not mandate MFA. The authentication standard itself is required, but it prescribes no particular mechanism, and several of the Security Rule's technical implementation specifications (encryption and automatic logoff, for example) are categorized as addressable. An addressable safeguard requires the covered entity to implement it if a risk analysis deems it reasonable and appropriate; otherwise, the entity must document why it is not reasonable and appropriate or why an equivalent alternative measure was chosen.
The fundamental difference is one of prescription versus assessment:
FTC Safeguards Rule: MFA is a mandatory requirement for access to customer information systems (absent specific, documented QI exception).
HIPAA Security Rule: MFA is an addressable safeguard whose implementation is required only if justified by the entity's risk analysis.
The FTC, therefore, removes the risk-based ambiguity for this specific control, establishing MFA as a regulatory prerequisite for financial data protection.
New York's Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) also targets financial institutions and, similarly to the FTC, includes an explicit, mandatory requirement for Multi-Factor Authentication for non-exempt entities accessing internal networks and specific information systems.
A difference exists in incident reporting timelines, however. While the FTC's amended Safeguards Rule requires breach notification within 30 days of discovery of a qualifying event, NYDFS requires notice within a far more stringent 72 hours of determining that a qualifying cybersecurity event has occurred. Institutions subject to both rules must therefore build their incident response and reporting procedures around the shorter 72-hour window, since meeting the less rigorous FTC deadline does not satisfy the state requirement.
Regulatory Framework | Covered Entities | MFA Requirement Status | Breach Notification Timeline |
---|---|---|---|
FTC Safeguards Rule (GLBA) | Non-banking Financial Institutions | Mandatory (with narrow QI exception). | 30 days after discovery (for 500+ consumers). |
HIPAA Security Rule | Covered Entities and Business Associates (handling ePHI) | Addressable (Risk-based implementation). | 60 days after discovery (for 500+ individuals, to HHS). |
NYDFS 23 NYCRR Part 500 | DFS-Regulated Financial Service Companies | Mandatory for non-exempt entities. | 72 hours of determination of qualifying event. |
The mandatory MFA requirement exists within a broader compliance framework under the FTC's Safeguards Rule. Every covered financial institution must develop, implement, and maintain a comprehensive Information Security Program (ISP) to protect customer information from unauthorized access, misuse, or loss.
The ISP is designed to meet three fundamental objectives:
Protect the security and confidentiality of customer information.
Prevent anticipated threats or hazards to data integrity.
Guard against unauthorized access or misuse that could harm customers.
A key feature of this framework is the appointment of a Qualified Individual (QI) responsible for designing, implementing, and enforcing the ISP. The QI must also report at least annually in writing to the organization's Board of Directors or governing body, summarizing the program's effectiveness, compliance status, and any material issues that need executive attention.
This governance model establishes accountability at the highest level, ensuring that cybersecurity is treated as a core business priority rather than an isolated IT task.
At the heart of every ISP lies a risk assessment process. Financial institutions must identify and evaluate both internal and external risks that could compromise the security, confidentiality, or integrity of customer data.
The purpose of this assessment is twofold:
To understand where vulnerabilities exist, for example, weak authentication, outdated software, or insufficient encryption.
To determine whether existing safeguards are adequate to manage those risks.
Importantly, the risk assessment is not a one-time exercise. Institutions are required to regularly reassess risks and adjust their safeguards as technologies, threats, and business processes evolve. This continuous cycle involves:
Designing and implementing appropriate safeguards,
Regularly testing or monitoring their effectiveness, and
Using results to strengthen future controls.
Through this iterative process, the ISP remains a living framework that adapts to new cyber risks and organizational changes.
Regardless of size or complexity, every covered financial institution must include several baseline controls in its ISP. These serve as the foundation for compliance with the FTC's Safeguards Rule:
Access Controls: Restrict access to customer data to only authorized individuals.
Data Inventory: Maintain a current record of what customer information exists and where it is stored.
Encryption: Encrypt customer information both in transit over external networks and at rest. If encryption is not feasible, the QI must review and approve in writing an effective alternative compensating control.
Secure Disposal: Establish procedures to securely dispose of customer information no later than two years after its last use, unless retention is required by law.
Activity Monitoring: Maintain and monitor logs of authorized user activity to detect unauthorized access attempts.
Testing and Evaluation: Regularly monitor and test the effectiveness of safeguards, either through continuous monitoring or through annual penetration testing plus vulnerability assessments at least every six months (institutions holding information on fewer than 5,000 consumers are exempt from this and a few other requirements).
These safeguards provide a structured baseline for building a secure and compliant information environment.
Meeting the FTC Safeguards Rule is not just about deploying any form of Multi-Factor Authentication (MFA) but rather about adopting authentication methods that will stand the test of time. While traditional MFA meets today's compliance checklist, passkey-based authentication delivers the level of security, resilience, and user experience that future regulations and users will demand.
Passkeys represent the natural evolution of MFA. They eliminate passwords entirely, removing the weakest link in digital identity systems, and combine best-in-class phishing resistance with frictionless login experiences. In other words: where MFA is compliance, passkeys are a competitive advantage.
Financial institutions should take a strategic approach when implementing authentication controls. MFA deployment should begin with administrative and privileged accounts, encryption key management systems, and remote access points, and then expand to all employee and customer-facing systems that handle Nonpublic Personal Information (NPI).
The choice of technology matters. Legacy MFA solutions such as SMS codes or authenticator apps may fulfill the rule's minimum requirements, but they remain vulnerable to phishing, SIM swapping, and social engineering. Modern authentication methods (including FIDO2 security keys, device-bound biometrics, and passkeys) provide true phishing resistance and a seamless user experience across devices and platforms.
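What makes passkeys phishing-resistant is not the biometric but the binding of each assertion to the relying party's origin and RP ID, something an OTP has no equivalent of. The Python sketch below is an added example of the relying-party-side checks, not code from this article or from Corbado: the browser writes the origin it is actually talking to into clientDataJSON, and the authenticator hashes the RP ID into authenticatorData, so an assertion collected on a look-alike domain fails even when the user cooperated. Signature verification with the stored public key is left out (it needs an ECDSA library), and the sample messages, challenge and domain names are constructed.

```python
import base64
import hashlib
import json

FLAG_UP = 0x01  # user present (touch / tap)
FLAG_UV = 0x04  # user verified (biometric or PIN checked by the authenticator)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                     expected_origin: str, rp_id: str, last_sign_count: int = 0,
                     require_uv: bool = True) -> dict:
    """Relying-party checks on a WebAuthn assertion (signature check omitted, see lead-in).
    Raises ValueError on any mismatch; returns what the ceremony demonstrated."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if cd.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch: replayed or cross-session assertion")
    # The browser, not the user, records the origin it is talking to, so a
    # look-alike domain yields an origin the RP refuses. An OTP has no such binding.
    if cd.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential is scoped to a different RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    # Counters are optional (synced passkeys usually report 0); when either side is
    # non-zero the new value must increase, otherwise a cloned authenticator may be in use.
    if (sign_count or last_sign_count) and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    factors = ["possession"] + (["knowledge or inherence (UV)"] if flags & FLAG_UV else [])
    return {"user_verified": bool(flags & FLAG_UV), "sign_count": sign_count, "factors": factors}


def check(*args, **kwargs):
    """Non-raising wrapper: (True, result) or (False, reason)."""
    try:
        return True, verify_assertion(*args, **kwargs)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample messages standing in for what a browser and authenticator return.
def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


RP_ID, ORIGIN = "bank.example", "https://bank.example"   # assumed relying party
CHALLENGE = bytes(range(32))  # constructed; a real RP draws a fresh os.urandom(32) per login
GOOD_AD = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7)

if __name__ == "__main__":
    print(check(make_client_data(CHALLENGE, ORIGIN), GOOD_AD, CHALLENGE, ORIGIN, RP_ID))
    # Same user, same authenticator, but tricked onto a look-alike site: rejected.
    print(check(make_client_data(CHALLENGE, "https://bank-example.com"), GOOD_AD, CHALLENGE, ORIGIN, RP_ID))
```

The UV flag is also what lets a single passkey login count toward the rule's two-factor definition: with it set, the ceremony demonstrated possession of the key plus a locally verified PIN or biometric; without it, the relying party has only evidence of possession and should treat the login accordingly.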
For rare situations where MFA cannot be implemented, institutions may use equivalent controls, but only if the Qualified Individual (QI) documents:
The specific technical or operational reason preventing MFA or passkey deployment.
The residual risks identified through the risk assessment.
A clear justification that the alternative provides equal or stronger protection against unauthorized access.
However, relying on alternatives should be the exception, not the norm. The direction of both technology and regulation is clear: passkeys are quickly becoming the new standard for secure authentication. Organizations that act early will not only meet compliance expectations more easily, they will also position themselves ahead of the curve as the rest of the market transitions to passwordless authentication.
Those that delay this shift will face increasing integration costs, user resistance, and competitive disadvantage as customers come to expect passkey-level security and convenience by default, especially when it comes to finances.
The FTC's Safeguards Rule also places strong emphasis on vendor oversight. This means MFA and passkey controls must extend into the Third-Party Risk Management (TPRM) process.
All service provider contracts should explicitly require MFA or passkey-based authentication whenever vendors access systems containing customer information. Institutions must also regularly assess and monitor vendor compliance to ensure that these controls remain in place.
Passkeys create a distinct advantage in managing third-party risk: because they rely on cryptographic key pairs instead of shared secrets, they reduce attack surfaces, eliminate credential reuse, and simplify vendor onboarding and verification. In a distributed ecosystem where multiple vendors handle sensitive data, passkeys create uniformity and control that legacy MFA methods cannot.
Maintaining compliance with the Safeguards Rule is an ongoing responsibility, not a one-time project. The Qualified Individual must have the authority, expertise, and resources to enforce controls, maintain documentation, and continuously improve the organization's security posture.
Regular penetration tests and vulnerability assessments are critical to ensuring authentication systems remain secure and resistant to emerging attack techniques. In addition, continuous security awareness training should equip employees to recognize social engineering, MFA fatigue, and other human-driven threats.
Financial institutions that move early toward phishing-resistant, passwordless authentication will be better prepared not just for compliance, but for what comes next.
Corbado enables financial institutions to meet the FTC's MFA requirements and move beyond them by adopting phishing-resistant, passwordless authentication based on passkeys.
Secure and compliant by design: Corbado's FIDO2-based platform fulfills and exceeds the Safeguards Rule's expectations for strong authentication, encryption, and access control, without the friction of legacy MFA methods.
Cost-efficient: Replacing SMS OTPs with passkeys eliminates ongoing message fees and reduces operational overhead, cutting MFA costs drastically.
Proven at scale: For VicRoads, Corbado helped nearly five million Australians switch to passkey login for government services, achieving high activation rates and reducing authentication-related support calls.
Continuous assurance: With Corbado's Passkey Intelligence layer, institutions can track adoption, authentication success, and anomalies in real time, turning compliance into a measurable, continuously improving process.
By combining compliance, usability, and long-term resilience, Corbado helps organizations implement the FTC's MFA mandate today while preparing for a fully passwordless future.
Igor Gjorgjioski
Head of Digital Channels & Platform Enablement, VicRoads
Corbado proved to be a trusted partner. Their hands-on, 24/7 support and on-site assistance enabled a seamless integration into VicRoads' complex systems, offering passkeys to 5 million users.
The FTC's Safeguards Rule marks a turning point in how financial institutions are expected to protect customer data. By making Multi-Factor Authentication (MFA) mandatory, the FTC has raised the baseline for what counts as reasonable security.
But meeting the rule is only the first step. The direction of both technology and regulation is unmistakable, passkeys are becoming the new standard. They combine phishing-resistant security with a seamless user experience, solving the long-standing trade-off between compliance and usability.
Organizations that adopt passkeys early will not only ensure long-term compliance but also gain a strategic edge in trust, security, and customer satisfaction. Those that delay will find themselves catching up to a security landscape that has already moved on.
To recap the questions posed at the outset:
1. What are the FTC's new rules around Multi-Factor Authentication (MFA)? The FTC now mandates MFA under its updated Safeguards Rule, requiring financial institutions to use multiple verification factors to protect customer data from unauthorized access.
2. How can financial institutions meet the FTC's MFA and data protection requirements? They must implement a comprehensive Information Security Program that includes MFA, encryption, risk assessments, and continuous monitoring to ensure ongoing compliance.
3. Who needs to implement MFA under the new FTC Safeguards Rule and what roles are responsible? All covered financial institutions (such as lenders, brokers, and tax preparers) must enforce MFA, overseen by a designated Qualified Individual responsible for data security governance.