Since June 2023, the FTC Safeguards Rule (16 CFR Part 314) has required security awareness training for ALL personnel who handle customer financial information. Non-compliance exposes you to penalties up to $50,120 per violation. One live session gives you the documented training evidence your QI and auditors need.
Our Team session ($390) delivers §314.4(j) training for all personnel in a single 90-minute live session. Attendance records with individual timestamps are provided for every participant — the primary evidence your QI can produce on request. We also provide an evidence packet with the session summary, curriculum outline, and attendance log for direct use in FTC investigations or state AG actions.
Book Team Session — $390 →
Every FTC Safeguards Rule training engagement includes these artefacts for your QI documentation file:
Employee name, session date, session ID, and timestamp per participant — primary evidence for §314.4(j) QI documentation.
Date, duration, topics covered, instructor name — maps to your Written Information Security Programme (WISP) documentation.
Overview of threats covered, role-specific content — satisfies the §314.4(j) personnel training requirement appropriate to function.
Versioned curriculum with date, suitable for QI oversight documentation and FTC investigation evidence package.
§314.4(j) — The Training Mandate. The FTC Safeguards Rule requires every covered financial institution to develop, implement, and maintain a comprehensive information security programme. Section 314.4(j) specifically requires security awareness training for all personnel whose responsibilities involve handling customer information — not just the IT team, not just the QI, but everyone with access to financial customer data.
Who's Covered — Broader Than Most People Realise. Section 314.2(h) lists 13 categories of financial institutions the FTC covers. These include: tax preparation firms, certified public accountants, mortgage brokers, mortgage lenders, auto dealers that offer or arrange financing, payday lenders, finance companies, debt collectors, credit counselors, check cashers, wire transferors, finders, and non-federally-insured credit unions. If you handle customer financial data as part of any of these activities, you're likely covered.
The June 2023 Deadline Passed. The amended Safeguards Rule became enforceable on 9 June 2023. The FTC has been actively enforcing the rule — including actions against auto dealers, tax professionals, and other financial services firms. State attorneys general can also bring actions under the FTC Act, adding a second enforcement vector. The additional breach notification requirement (§314.5) became effective 13 May 2024.
An employee receives an email that looks like a client portal update from a major accounting software vendor. They enter their credentials. Within 24 hours, tax return data, SSNs, and financial statements for hundreds of clients are exfiltrated. The breach triggers mandatory FTC notification under §314.5 if 500+ consumers are affected.
The Complete BEC Guide →
A mortgage broker's processing team receives a spoofed email from the title company with updated wire instructions for a closing. The funds are sent to the wrong account. Loan origination systems containing applicant financial data are also a target for ransomware — a locked CRM means no new loans close.
Ransomware Response Checklist 2025 →
A finance company's CRM containing customer financial histories, credit applications, and payment records is encrypted by ransomware. Recovery takes 2 weeks. The incident is reportable to the FTC under §314.5, and the failure to prevent it — including the lack of documented staff training — becomes part of the regulatory record.
IRS WISP Training Requirements →
Who is the Qualified Individual? The Safeguards Rule requires every covered financial institution to designate a Qualified Individual (QI) responsible for overseeing the information security programme. For most small and mid-sized firms, this is the owner, office manager, or compliance officer — not necessarily an IT specialist.
QI Responsibilities Under §314.3. The QI must implement and oversee the security programme, report to the board or management body, and ensure the programme is maintained in accordance with the Rule. Critically, the QI must be able to demonstrate that personnel have been trained — not just that training exists on paper, but that it was delivered, completed, and documented.
How Training Documentation Supports the QI. Your training programme is the primary evidence that the QI has addressed the human-element risk in your organisation. Individual attendance records, session summaries, and completion timestamps are the artefacts that demonstrate to an FTC investigator (or a state AG in a parallel action) that the QI took the training obligation seriously. Without documented training, the QI has no defence when the question is asked.
FTC Act Civil Penalties — Up to $50,120 Per Violation. Under the FTC Act §5(m), civil penalties for violations of FTC rules can reach $50,120 per day of ongoing violation. For a firm that failed to implement the required training programme and suffered a breach as a result, the penalty exposure is not theoretical.
State AG Actions. State attorneys general can bring separate actions under the FTC Act for the same conduct. Multiple state AGs have coordinated on data security enforcement in recent years, meaning a single breach could trigger simultaneous investigations from multiple states.
Breach Notification Costs. §314.5 requires notification to the FTC for security events affecting 500+ consumers within 30 days of discovery. The breach notification itself triggers reputational damage, legal costs, and cyber insurer scrutiny — particularly if training documentation is absent.
What underwriters actually require from tax preparers, lenders, and auto dealers for cyber insurance approval. Covers training documentation, incident response plans, and QI designation evidence.
Download the Cyber Insurance Checklist →
Yes, almost certainly. Tax preparation firms are specifically listed as financial institutions under §314.2(h) of the Safeguards Rule. If your firm prepares tax returns or provides accounting services involving customer financial data, you are required to implement a written information security programme including security awareness training under §314.4(j). The IRS also requires a Written Information Security Plan (WISP) under Publication 4557 — our IRS WISP compliance page covers both requirements together.
No. Cyber insurance covers financial losses after a breach; the Safeguards Rule requires you to prevent the breach in the first place. Insurance may actually increase scrutiny — if you file a claim and the insurer finds no documented training programme, they may contest coverage. Training documentation and a written security programme are required regardless of insurance status.
The Rule requires ongoing, documented training — not a single one-time event. §314.4(j) requires training for all personnel whose responsibilities involve handling customer information, with the content appropriate to the individual's role. Regulators and courts interpret this as requiring recurring training, not a one-time onboarding event. Annual training with documented attendance records is the standard expectation.
Yes, if you offer or arrange financing for vehicle purchases. The FTC's own guidance on auto dealers explicitly confirms this: dealers that extend credit or arrange financing are financial institutions under §314.2(h) and must comply with the Safeguards Rule. The training obligation applies to all personnel who access customer financial data — sales staff, finance managers, and back-office personnel alike.
Without documented training records, the QI has no evidence that the training obligation under §314.4(j) was met. In an FTC investigation or state AG action, this creates direct exposure for civil penalties under the FTC Act. Additionally, a breach without training records suggests the QI failed in their oversight duty — which can expose the individual to personal liability. Documented training is the single most important risk-reduction artefact for covered financial institutions.
One Business tier session satisfies your §314.4(j) training obligation with individual attendance records your QI can produce on request. $900 flat, unlimited participants.