---
url: 'https://www.corbado.com/blog/ftc-safeguards-rule-mfa-compliance'
title: 'FTC Safeguards Rule: MFA for non-bank Financial Institutions'
description: 'Learn why non-bank financial institutions must comply with the FTC Safeguards Rule for MFA and how passkeys can achieve secure, long-term MFA compliance.'
lang: 'en'
author: 'Alex'
date: '2025-10-18T02:36:24.166Z'
lastModified: '2026-03-27T07:01:49.606Z'
keywords: 'ftc safeguards rule, mfa compliance ftc, finance mfa compliance, mfa for financial institutions, phishing resistant mfa under ftc, passwordless mfa ftc, financial institutions mfa, mfa for non-bank institutions'
category: 'Authentication'
---

# FTC Safeguards Rule: MFA for non-bank Financial Institutions

## Key Facts

- The **FTC Safeguards Rule** makes MFA mandatory for all non-bank financial institutions
  accessing systems containing customer information, with compliance required since June
  9, 2023.
- **Covered entities** include mortgage lenders, payday companies, tax preparation firms,
  collection agencies and investment advisers not registered with the SEC.
- The **2021 amendments** to the Safeguards Rule converted earlier flexible security
  recommendations into mandatory controls, requiring MFA and encryption as baseline
  requirements effective January 10, 2022.
- **Breach notification** is required within 30 days of discovering unauthorized
  acquisition of unencrypted data belonging to 500 or more consumers, with reports
  submitted via the FTC's online form.
- **Passkeys** satisfy the MFA mandate with phishing-resistant, cryptographic
  authentication, eliminating per-login SMS fees and the SIM-swapping vulnerabilities that
  legacy OTP methods carry.

## 1. Introduction: The FTC's Role in Data Protection and Security

The **Federal Trade Commission (FTC)** is an independent U.S.
[government](https://www.corbado.com/passkeys-for-public-sector) agency responsible for protecting consumers and
ensuring fair competition. Beyond its well-known work in antitrust and advertising
oversight, the FTC also plays a central role in **data security regulation**, especially
for non-bank financial institutions.

As cyber threats and credential-based attacks continue to rise in the USA, the FTC has
strengthened its enforcement of **secure authentication practices**. Through its
_Safeguards Rule_, the Commission now requires financial institutions to adopt
Multi-Factor Authentication (MFA) and other technical safeguards to protect sensitive
customer information. These requirements mark a clear shift from flexible, "reasonable
security" expectations toward specific, mandatory security standards. This blog post
addresses the following questions:

1. What are the FTC's new rules around Multi-Factor Authentication (MFA)?

2. How can financial institutions meet the FTC's MFA and data protection requirements?

3. Who needs to implement MFA under the new FTC Safeguards Rule and what roles are
   responsible?

### 1.1 The Gramm-Leach-Bliley Act and the FTC Safeguards Rule

![gramm-leach-bliley-act-banner.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/gramm_leach_bliley_act_banner_e9d289c835.png)

The FTC enforces data-protection requirements under the **Gramm-Leach-Bliley Act (GLBA)**
through the _Standards for Safeguarding Customer Information_, commonly known as the
**Safeguards Rule (16 CFR Part 314)**. This rule requires organizations under FTC
jurisdiction to maintain appropriate **administrative, technical, and physical
safeguards** to protect customer data against unauthorized access or misuse.

Unlike [banking](https://www.corbado.com/passkeys-for-banking) institutions regulated by federal
[banking](https://www.corbado.com/passkeys-for-banking) agencies, the FTC's authority applies to a wide range of
**non-bank financial institutions**, including:

1. Mortgage lenders and brokers

2. Payday and finance companies

3. Tax preparation firms

4. Collection agencies

5. Investment advisers not registered with the SEC

### 1.2 The 2021 Amendments and Their Enforcement

Originally introduced in **2003**, the Safeguards Rule gave organizations broad discretion
in how to protect customer data. However, with the rapid evolution of cyber threats, the
FTC updated the rule in **2021** to include **explicit technical requirements**, turning
earlier recommendations into **mandatory controls**.

These amendments, effective **January 10, 2022**, defined a stronger baseline for data
protection by requiring safeguards such as **MFA** and **encryption**. The FTC initially
set a compliance deadline of **December 2022**, later extended to **June 9, 2023**, to
give organizations time to adapt.

By specifying technologies like MFA, the FTC made clear that relying solely on passwords
is no longer acceptable. The absence of strong authentication measures is now considered
an **unreasonable security failure**, reflecting the agency's move toward a stricter,
enforcement-driven approach to cybersecurity.

## 2. The Mandatory MFA Requirement for non-bank financial institutions: Technical Specifications and Implementation

The most significant change introduced by the **2021 amendments** to the FTC Safeguards
Rule is the **mandatory use of Multi-Factor Authentication (MFA)**. This requirement makes
MFA a fundamental security control for protecting customer information and preventing
unauthorized access.

### 2.1 The Requirement to Use Multi-Factor Authentication

The Safeguards Rule clearly states that all covered financial institutions must use MFA
for anyone accessing systems that contain customer information. This applies to
**employees, contractors, service providers, and customers** alike.

The rule aims to protect against one of the most common causes of data breaches:
**compromised credentials**. Compliance therefore requires MFA not only for initial system
logins but also for **internal access** to sensitive data and administrative functions.

In practice, this means organizations must adopt a [Zero Trust](https://www.corbado.com/glossary/zero-trust)
approach: MFA should be enforced for privileged accounts, for access between internal
systems (limiting lateral movement within networks), and for all systems storing or
processing customer information, such as names, Social Security numbers, or loan data.

### 2.2 Definition of Multi-Factor Authentication

The FTC defines MFA as a verification process that requires at least **two of the
following three types of authentication factors**. This ensures that even if one factor is
compromised, another independent factor prevents unauthorized access.

| **Authentication Factor Type** | **Definition**            | **Examples**                                                       | **Security Context**                               |
| ------------------------------ | ------------------------- | ------------------------------------------------------------------ | -------------------------------------------------- |
| **Knowledge**                  | Something the user knows. | Password, PIN, Security Question Answer.                           | Vulnerable to phishing or keylogging.              |
| **Possession**                 | Something the user has.   | Hardware token, Mobile App token (TOTP/HOTP), Security Key (FIDO). | Strong protection against remote credential theft. |
| **Inherence**                  | Something the user is.    | Fingerprint, Facial recognition, Biometric characteristics.        | Reduces risk of credential reuse or sharing.       |

Past enforcement actions have shown that weak password-only systems are considered
_unreasonable security practices_.

![regulation-mfa.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/regulation_mfa_e97250bbd9.png)

### 2.3 Why the FTC made MFA Mandatory for non-bank financial institutions

The FTC made MFA mandatory because it is one of the most effective and affordable ways to
prevent unauthorized access to financial systems. MFA protects against common attack
methods such as [phishing](https://www.corbado.com/glossary/phishing), social engineering, brute-force attempts,
and stolen credentials.

The Commission also addressed concerns about cost and complexity, stating that many
low-cost MFA solutions are readily available and easy to implement. However, not all MFA
methods are equally efficient or economical. For instance, SMS one-time passwords (OTPs)
introduce ongoing operational costs, as every login or verification triggers a paid
message (this is one of the reasons the UAE is already phasing out SMS OTP).

In contrast, passkeys offer a modern alternative that is both
[**cost-effective**](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview/how-do-passkeys-reduce-operational-costs)
**and secure**. They eliminate per-login fees, provide **phishing-resistant protection by
design**, and significantly
[**enhance user experience**](https://www.corbado.com/blog/passkey-creation-best-practices/passkey-user-experience-benefits-non-technical-audience)
through seamless [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication),
offering users the security of MFA with the simplicity of a passwordless login.

## 3. Regulatory Enforcement and Breach Notification

The FTC's Safeguards Rule is backed by strong enforcement powers and new mandatory breach
notification requirements. Together, these measures ensure that financial institutions not
only implement proper safeguards like MFA but also remain accountable if a security
incident occurs.

### 3.1 Enforcement Priorities Under the GLBA and FTC Act

The FTC enforces the Safeguards Rule under its authority from the **Gramm-Leach-Bliley Act
(GLBA)** and **Section 5(a) of the FTC Act**, which prohibits _unfair or deceptive
practices_, including inadequate data security.

In practice, this means the FTC can bring enforcement actions against companies that fail
to implement reasonable protections for customer information, even if no breach has yet
occurred.

Past enforcement cases show where institutions commonly fail:

1. **Weak password policies** or allowing easily guessed credentials.

2. **Failure to patch critical vulnerabilities**, leaving systems exposed.

3. **Lack of access controls** leading to unauthorized account takeovers.

4. **Inadequate oversight of service providers**, resulting in data exposure.

High-profile cases such as _Wyndham_ and _CafePress_ demonstrate that the FTC views these
failures as violations of both the GLBA and the FTC Act. Each reflects precisely the kind
of deficiencies that **MFA is designed to prevent**.

Implementing MFA is therefore not only a compliance requirement but also a practical
safeguard against enforcement risk. If a breach occurs and MFA was not in place, the FTC
can readily conclude that the institution's security program was **"unreasonable"**, even
if other controls existed.

### 3.2 New Mandatory Breach Notification Requirements

In **May 2024**, the FTC expanded the Safeguards Rule to include **mandatory data breach
reporting** for covered financial institutions. This change aligns the FTC's framework
with broader U.S. and international incident reporting trends, adding transparency and
urgency to breach response obligations.

#### 3.2.1 When and How to Notify

Institutions must report a **"notification event"**, defined as a security breach involving
the unauthorized acquisition of **unencrypted information** belonging to **500 or more
consumers**.

Key requirements include:

1. **Timeline:** Notification must be made to the FTC **as soon as possible**, and no
   later than **30 days after discovery** of the event.

2. **Method:** Reports must be submitted through the FTC's **online reporting form**.

3. **Required details:** Company name, event start and end dates, number of affected
   consumers, and a short description of what occurred.

4. **Public disclosure:** The FTC may publish submitted reports, increasing reputational
   and regulatory consequences for non-compliance.

#### 3.2.2 The Role of Encryption and Key Protection

The rule also clarifies how encrypted data is treated in breach reporting. **Encrypted
customer information is considered "unencrypted"** if the associated **encryption key**
was also accessed or compromised by an unauthorized party.

This definition highlights the critical importance of **Key Management System (KMS)**
security. Losing control of encryption keys is treated as equivalent to exposing raw,
unencrypted customer data, automatically triggering the 30-day reporting requirement.

To prevent this, institutions must ensure that all systems managing encryption keys are
protected by **MFA**, strong **access controls**, and **continuous monitoring**.

### 3.3 Enforcement Takeaway

The FTC's approach is clear: failing to implement mandatory safeguards such as MFA,
encryption, or secure key management will likely be viewed as **unreasonable data
security** under the GLBA.

Strong authentication, rigorous vendor oversight, and timely breach reporting are now
essential not only for compliance but also for maintaining customer trust and
demonstrating due diligence in the event of a cyber incident.

## 4. Inter-Regulatory Comparison: FTC MFA Mandate vs. Industry Standards

Compliance professionals operating across multiple regulatory domains must recognize where
the FTC's explicit, prescriptive mandate for MFA diverges from the flexible, risk-based
approaches found in other major frameworks, such as HIPAA.

### 4.1 FTC Safeguards Rule vs. HIPAA Security Rule

The Health [Insurance](https://www.corbado.com/passkeys-for-insurance) Portability and Accountability Act (HIPAA)
Security Rule establishes standards to protect electronic protected health information
(ePHI). Under the Technical Safeguards section, the "Person or Entity Authentication"
standard (§ 164.312(d)) requires covered entities to implement procedures to verify
identity.

However, HIPAA does not [mandate MFA](https://www.corbado.com/blog/mandating-mfa). Instead, access control
implementation specifications under HIPAA are often categorized as **addressable**. An
addressable safeguard requires the covered entity to implement it if a risk analysis deems
it reasonable and appropriate; otherwise, the entity must document why it is not
reasonable and appropriate or why an equivalent alternative measure was chosen.

The fundamental difference is one of prescription versus assessment:

1. **FTC Safeguards Rule:** MFA is a **mandatory requirement** for access to customer
   information systems (absent a specific, documented exception approved by the QI).

2. **HIPAA Security Rule:** MFA is an **addressable safeguard** whose implementation is
   required only if justified by the entity's risk analysis.

The FTC, therefore, removes the risk-based ambiguity for this specific control,
establishing MFA as a regulatory prerequisite for financial data protection.

### 4.2 Comparison with NYDFS 23 NYCRR Part 500

New York's Department of [Financial Services](https://www.corbado.com/passkeys-for-banking) (NYDFS) Cybersecurity
Regulation (23 NYCRR Part 500) also targets financial institutions and, similarly to the
FTC, includes an explicit, mandatory requirement for Multi-Factor Authentication for
non-exempt entities accessing internal networks and specific information systems.

However, a difference exists in incident reporting timelines. While the FTC's amended
Safeguards Rule requires breach notification within **30 days** of discovery of a
qualifying event, NYDFS requires notice within a far more stringent **72 hours** of
determining that a qualifying cybersecurity event has occurred. This discrepancy forces
institutions subject to both rules to adopt the shorter, more demanding 72-hour timeline
for their incident response and reporting procedures, as compliance with the less rigorous
FTC standard does not guarantee compliance with state requirements.

| **Regulatory Framework**       | **Covered Entities**                                     | **MFA Requirement Status**                   | **Breach Notification Timeline**                        |
| ------------------------------ | -------------------------------------------------------- | -------------------------------------------- | ------------------------------------------------------- |
| **FTC Safeguards Rule (GLBA)** | Non-banking Financial Institutions                       | **Mandatory** (with narrow QI exception).    | 30 days after discovery (for 500+ consumers).           |
| **HIPAA Security Rule**        | Covered Entities and Business Associates (handling ePHI) | **Addressable** (Risk-based implementation). | 60 days after discovery (for 500+ individuals, to HHS). |
| **NYDFS 23 NYCRR Part 500**    | DFS-Regulated Financial Service Companies                | **Mandatory** for non-exempt entities.       | 72 hours of determination of qualifying event.          |
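As an added example (not code from the original post or from Corbado), the notification-event definition from section 3.2 (including the "compromised key means unencrypted" clause) and the FTC versus NYDFS timelines from section 4.2, encoded as a small decision helper an incident-response team could keep in its playbook. The record fields, function names and sample incidents are constructed for this example; the NYDFS determination timestamp is assumed to be supplied by the institution's own qualifying-event assessment.

```python
# Added example (not from the original post): encodes the reporting thresholds and
# timelines the post describes. Field and function names are this example's own.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

FTC_CONSUMER_THRESHOLD = 500
FTC_DEADLINE = timedelta(days=30)     # counted from discovery of the event
NYDFS_DEADLINE = timedelta(hours=72)  # counted from determination of a qualifying event


@dataclass
class BreachRecord:
    """Constructed incident record; the field names are assumptions of this example."""
    affected_consumers: int
    data_encrypted: bool      # was the acquired customer information encrypted?
    key_compromised: bool     # did the unauthorized party also access the encryption key?
    discovered_at: datetime   # when the institution discovered the event
    # Only for institutions also regulated by NYDFS: when they determined that a
    # qualifying cybersecurity event occurred (None = not NYDFS-regulated).
    nydfs_determined_at: Optional[datetime] = None


def effectively_unencrypted(rec: BreachRecord) -> bool:
    """Encrypted data counts as unencrypted when the key was compromised as well."""
    return (not rec.data_encrypted) or rec.key_compromised


def is_ftc_notification_event(rec: BreachRecord) -> bool:
    """Unauthorized acquisition of (effectively) unencrypted data of 500+ consumers."""
    return effectively_unencrypted(rec) and rec.affected_consumers >= FTC_CONSUMER_THRESHOLD


def ftc_deadline(rec: BreachRecord) -> Optional[datetime]:
    """30 days after discovery, or None when the FTC threshold is not met."""
    return rec.discovered_at + FTC_DEADLINE if is_ftc_notification_event(rec) else None


def nydfs_deadline(rec: BreachRecord) -> Optional[datetime]:
    """72 hours after determination, or None when NYDFS does not apply."""
    if rec.nydfs_determined_at is None:
        return None
    return rec.nydfs_determined_at + NYDFS_DEADLINE


def reporting_obligations(rec: BreachRecord) -> dict:
    """Each regulator's deadline plus the earliest one the IR team must plan around."""
    deadlines = {"ftc": ftc_deadline(rec), "nydfs": nydfs_deadline(rec)}
    due = [d for d in deadlines.values() if d is not None]
    deadlines["earliest"] = min(due) if due else None
    return deadlines


# Constructed sample incidents (not real cases).
T0 = datetime(2025, 3, 1, 9, 0)

# 1) Data was encrypted, but the key management system was accessed too:
#    treated as unencrypted, so the 30-day FTC clock starts at discovery.
KEY_LOSS = BreachRecord(affected_consumers=12_000, data_encrypted=True,
                        key_compromised=True, discovered_at=T0)

# 2) Same incident with the key intact: not an FTC notification event.
KEY_SAFE = BreachRecord(affected_consumers=12_000, data_encrypted=True,
                        key_compromised=False, discovered_at=T0)

# 3) Plaintext data but below the 500-consumer threshold: not reportable to the FTC.
SMALL = BreachRecord(affected_consumers=499, data_encrypted=False,
                     key_compromised=False, discovered_at=T0)

# 4) Institution subject to both FTC and NYDFS: the 72-hour NYDFS clock is earliest.
DUAL = BreachRecord(affected_consumers=800, data_encrypted=False,
                    key_compromised=False, discovered_at=T0,
                    nydfs_determined_at=T0 + timedelta(days=1))

if __name__ == "__main__":
    for name, rec in [("key_loss", KEY_LOSS), ("key_safe", KEY_SAFE),
                      ("small", SMALL), ("dual", DUAL)]:
        print(name, reporting_obligations(rec))
```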

## 5. Implementing Compliance: Information Security Programs, Risk Assessments, and Exemptions

The mandatory MFA requirement exists within a broader compliance framework under the FTC's
**Safeguards Rule**. Every covered financial institution must develop, implement, and
maintain a **comprehensive Information Security Program (ISP)** to protect customer
information from unauthorized access, misuse, or loss.

### 5.1 The Information Security Program (ISP)

The ISP is designed to meet three fundamental objectives:

1. Protect the **security and confidentiality** of customer information.

2. Prevent **anticipated threats or hazards** to data integrity.

3. Guard against **unauthorized access or misuse** that could harm customers.

A key feature of this framework is the appointment of a **Qualified Individual (QI)**
responsible for designing, implementing, and enforcing the ISP. The QI must also report
**at least annually** in writing to the organization's **Board of Directors or governing
body**, summarizing the program's effectiveness, compliance status, and any material
issues that need executive attention.

This governance model establishes accountability at the highest level, ensuring that
cybersecurity is treated as a core business priority rather than an isolated IT task.

### 5.2 The Central Role of the Risk Assessment

At the heart of every ISP lies a **risk assessment process**. Financial institutions must
identify and evaluate both internal and external risks that could compromise the security,
confidentiality, or integrity of customer data.

The purpose of this assessment is twofold:

1. To **understand where vulnerabilities exist**, for example, weak authentication,
   outdated software, or insufficient encryption.

2. To **determine whether existing safeguards** are adequate to manage those risks.

Importantly, the risk assessment is **not a one-time exercise**. Institutions are required
to regularly reassess risks and adjust their safeguards as technologies, threats, and
business processes evolve. This continuous cycle involves:

1. Designing and implementing appropriate safeguards,

2. Regularly testing or monitoring their effectiveness, and

3. Using results to strengthen future controls.

Through this iterative process, the ISP remains a living framework that adapts to new
cyber risks and organizational changes.

### 5.3 Core Technical and Operational Safeguards

Regardless of size or complexity, every covered financial institution must include several
baseline controls in its ISP. These serve as the foundation for compliance with the FTC's
Safeguards Rule:

1. **Access Controls:** Restrict access to customer data to only authorized individuals.

2. **Data Inventory:** Maintain a current record of what customer information exists and
   where it is stored.

3. **Encryption:** Encrypt customer information both in transit and at rest. If encryption
   is not feasible, the QI must document and approve an equivalent alternative control in
   writing.

4. **Secure Disposal:** Establish procedures to securely dispose of customer information
   no later than two years after its last use, unless retention is required by law.

5. **Activity Monitoring:** Maintain and monitor logs of authorized user activity to
   detect unauthorized access attempts.

6. **Testing and Evaluation:** Regularly monitor and test the effectiveness of safeguards,
   including **annual penetration testing** and **twice-yearly vulnerability assessments**
   for larger entities.

These safeguards provide a structured baseline for building a secure and compliant
information environment.

## 6. Corbado's Future-Proofing Compliance Assessment: From MFA to Passkey-Based Authentication

Meeting the FTC Safeguards Rule is not just about deploying any form of Multi-Factor
Authentication (MFA) but rather about adopting authentication methods that will **stand
the test of time**. While traditional MFA meets today's compliance checklist,
**passkey-based authentication** delivers the level of **security, resilience, and user
experience** that future regulations and users will demand.

Passkeys represent the natural evolution of MFA. They
[eliminate passwords](https://www.corbado.com/faq/boost-passkey-enrollment-reduce-password-otp) entirely,
removing the weakest link in [digital identity](https://www.corbado.com/blog/digital-identity-guide) systems, and
combine **best-in-class phishing resistance** with **frictionless login experiences**. In
other words: where MFA is compliance, **passkeys are a competitive advantage**.

### 6.1 Operationalizing the MFA Mandate

Financial institutions should take a strategic approach when implementing authentication
controls. MFA deployment should begin with **administrative and privileged accounts**,
**encryption key management systems**, and **remote access points**, and then expand to
all employee and customer-facing systems that handle Nonpublic Personal Information (NPI).

The choice of technology matters. Legacy MFA solutions such as **SMS codes** or
**authenticator apps** may fulfill the rule's minimum requirements, but they remain
vulnerable to [phishing](https://www.corbado.com/glossary/phishing),
[SIM swapping](https://www.corbado.com/faq/sim-swapping-sms-authentication-risk), and social engineering. Modern
authentication methods (including **FIDO2 security keys, device-bound biometrics, and
passkeys**) provide **true phishing resistance** and a **seamless user experience** across
devices and platforms.

For rare situations where MFA cannot be implemented, institutions may use equivalent
controls, but only if the Qualified Individual (QI) documents:

1. The specific technical or operational reason preventing MFA or passkey deployment.

2. The **residual risks** identified through the risk assessment.

3. A clear justification that the alternative provides **equal or stronger protection**
   against unauthorized access.

However, relying on alternatives should be the exception, not the norm. The direction of
both technology and regulation is clear: **passkeys are quickly becoming the new standard
for secure authentication**. Organizations that act early will not only meet compliance
expectations more easily, they will also position themselves ahead of the curve as the
rest of the market transitions to
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication).

Those that delay this shift will face increasing integration costs, user resistance, and
competitive disadvantage as **customers come to expect passkey-level security and
convenience by default, especially when it comes to finances**.

### 6.2 Integrating Authentication into Third-Party Risk Management

The FTC's Safeguards Rule also places strong emphasis on **vendor oversight**. This means
MFA and passkey controls must extend into the **Third-Party Risk Management (TPRM)**
process.

All service provider contracts should explicitly require MFA or passkey-based
authentication whenever vendors access systems containing customer information.
Institutions must also **regularly assess and monitor** vendor compliance to ensure that
these controls remain in place.

Passkeys create a distinct advantage in managing third-party risk: because they rely on
**cryptographic key pairs instead of shared secrets**, they **reduce attack surfaces,
eliminate credential reuse**, and **simplify vendor onboarding and verification**. In a
distributed ecosystem where multiple vendors handle sensitive data, passkeys create
uniformity and control that legacy MFA methods cannot.

### 6.3 Sustaining Compliance Through Governance and Continuous Improvement

Maintaining compliance with the Safeguards Rule is an **ongoing responsibility**, not a
one-time project. The Qualified Individual must have the authority, expertise, and
resources to enforce controls, maintain documentation, and continuously improve the
organization's security posture.

Regular **penetration tests** and **vulnerability assessments** are critical to ensuring
authentication systems remain secure and resistant to emerging attack techniques. In
addition, **continuous security awareness training** should equip employees to recognize
social engineering, MFA fatigue, and other human-driven threats.

Financial institutions that move early toward **phishing-resistant, passwordless
authentication** will be better prepared not just for compliance, but for what comes next.

## 7. How Corbado Can Help

Corbado enables financial institutions to meet the FTC's MFA requirements and move beyond
them by adopting [phishing](https://www.corbado.com/glossary/phishing)-resistant,
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) based on passkeys.

- **Secure and compliant by design:** Corbado's [FIDO2](https://www.corbado.com/glossary/fido2)-based platform
  fulfills and exceeds the Safeguards Rule's expectations for strong authentication,
  encryption, and access control, without the friction of legacy MFA methods.

- **Cost-efficient:** Replacing SMS OTPs with passkeys eliminates ongoing message fees and
  reduces operational overhead, cutting MFA costs drastically.

- **Proven at scale:** For **VicRoads**, Corbado helped nearly five million Australians
  [switch to passkey login for government services](https://www.corbado.com/blog/vicroads-passkeys),
  achieving high activation rates and reducing authentication-related support calls.

- **Continuous assurance:** With Corbado's **Passkey Intelligence** layer, institutions
  can track adoption, authentication success, and anomalies in real time, turning
  compliance into a measurable, continuously improving process.

By combining compliance, usability, and long-term resilience, Corbado helps organizations
implement the FTC's [MFA mandate](https://www.corbado.com/blog/mandating-mfa) today while preparing for a fully
passwordless future.

## 8. Conclusion

The FTC's Safeguards Rule marks a turning point in how financial institutions are expected
to protect customer data. By making Multi-Factor Authentication (MFA) mandatory, the FTC
has raised the baseline for what counts as reasonable security.

But meeting the rule is only the first step. The direction of both technology and
regulation is unmistakable: **passkeys are becoming the new standard**. They combine
**phishing-resistant security** with a **seamless user experience**, solving the
long-standing trade-off between compliance and usability.

Organizations that adopt passkeys early will not only ensure long-term compliance but also
gain a strategic edge in trust, security, and customer satisfaction. Those that delay will
find themselves catching up to a security landscape that has already moved on.

This blog post also answered the questions posed in the introduction:

**1. What are the FTC's new rules around Multi-Factor Authentication (MFA)?** The FTC now
mandates MFA under its updated Safeguards Rule, requiring financial institutions to use
multiple verification factors to protect customer data from unauthorized access.

**2. How can financial institutions meet the FTC's MFA and data protection requirements?**
They must implement a comprehensive Information Security Program that includes MFA,
encryption, risk assessments, and continuous monitoring to ensure ongoing compliance.

**3. Who needs to implement MFA under the new FTC Safeguards Rule and what roles are
responsible?** All covered financial institutions (such as lenders, brokers, and tax
preparers) must enforce MFA, overseen by a designated Qualified Individual responsible for
data security governance.

## Frequently Asked Questions

### Which non-bank financial institutions are required to implement MFA under the FTC Safeguards Rule?

Non-bank financial institutions covered include mortgage lenders and brokers, payday and
finance companies, tax preparation firms, collection agencies and investment advisers not
registered with the SEC. Unlike banking institutions regulated by federal banking
agencies, these entities fall under FTC jurisdiction and must comply with the Safeguards
Rule (16 CFR Part 314).

### How does the FTC Safeguards Rule MFA requirement differ from HIPAA's authentication requirements?

The FTC Safeguards Rule makes MFA a mandatory requirement, removing risk-based discretion
for this specific control. HIPAA classifies MFA as an addressable safeguard, meaning
covered entities implement it only if their risk analysis deems it reasonable and
appropriate. The FTC establishes MFA as a regulatory prerequisite, while HIPAA permits
documented alternatives.

### What are the legal consequences for a financial institution that experiences a breach without MFA in place under the FTC Safeguards Rule?

If a breach occurs without MFA in place, the FTC can conclude the institution's security
program was unreasonable under the GLBA. Enforcement cases involving Wyndham and CafePress
show the FTC treats weak authentication and insufficient access controls as violations of
both the GLBA and Section 5(a) of the FTC Act, even when other controls existed.

### How do passkeys compare to SMS OTPs for meeting the FTC Safeguards Rule MFA requirement?

Both passkeys and SMS OTPs satisfy the FTC's MFA definition, but they differ significantly
in security and cost. SMS OTPs generate a paid message per login and remain vulnerable to
phishing and SIM swapping. Passkeys use cryptographic key pairs, provide phishing
resistance by design and eliminate per-login fees, making them a more durable compliance
solution.

### How do the FTC Safeguards Rule and NYDFS breach notification timelines interact for institutions subject to both?

The FTC Safeguards Rule requires breach notification within 30 days of discovering the
unauthorized acquisition of unencrypted information affecting 500 or more consumers. NYDFS 23 NYCRR Part 500 requires
notification within 72 hours of determining a qualifying cybersecurity event has occurred.
Institutions subject to both must adopt the stricter 72-hour NYDFS timeline, as meeting
the FTC standard alone does not satisfy state requirements.
