The Federal Trade Commission’s updated Safeguards Rule, finalized in 2021 with key provisions taking effect in 2023, significantly expanded the scope of businesses required to implement formal information security programs, including specific requirements for the physical disposal of customer financial records. For New York’s vast ecosystem of financial services businesses (mortgage brokers, auto dealerships, tax preparers, payday lenders, financial advisors, insurance companies, and more), complying with the Safeguards Rule’s document disposal requirements is now a legal imperative, not an option. If your business handles non-public financial information about customers, you need to understand exactly what the Safeguards Rule requires and how document shredding fits into your compliance program.
The 2023 updates dramatically extended the rule’s reach beyond traditional banks and financial institutions to include a much broader class of “non-bank financial institutions.” This guide explains the key changes, who is now covered, and what specific document disposal requirements apply to your New York business.

What Is the FTC Safeguards Rule and What Changed in 2023?
The FTC Safeguards Rule was originally enacted in 2003 under the Gramm-Leach-Bliley Act (GLBA) to require non-bank financial institutions to protect customer financial information. The 2021 amendments (phased in through 2023) made sweeping changes that significantly strengthened the rule’s requirements:
- Expanded definition of “financial institution”: The updated rule explicitly covers mortgage brokers, auto dealerships, tax preparation services, payday lenders, check cashing businesses, financial planners, and many others who were previously in a gray area.
- New specific security program requirements: The updated rule specifies detailed technical and operational requirements for information security programs, replacing the previous “flexible principles” approach with more concrete obligations.
- Specific disposal requirements: The rule now explicitly requires covered businesses to implement policies for the secure disposal of customer information, including physical records.
- Encryption requirements: Data in transit and at rest must be encrypted — but the physical document disposal requirements apply separately to paper records.
Who Must Comply with the FTC Safeguards Rule?
The Safeguards Rule applies to any “financial institution” under GLBA — and the definition is broader than most people expect. Covered businesses include any entity that is “significantly engaged in financial activities,” which encompasses:
- Mortgage companies, brokers, and lenders
- Auto dealerships that arrange financing
- Tax preparation services and tax planning advisors
- Payday lenders and check cashing services
- Credit unions and savings associations (some of which were previously regulated by other agencies)
- Investment advisors (RIAs) with less than $25 million in AUM (regulated by FTC rather than SEC)
- Financial planners and wealth managers
- Insurance companies and brokers
- Debt collection agencies
- Certain real estate settlement service providers
Many New York businesses in these categories were caught off guard by the 2023 changes. If your business handles any non-public personal financial information — names combined with account numbers, credit scores, loan amounts, tax information, or similar data — the Safeguards Rule almost certainly applies to you.
FTC Safeguards Rule Document Disposal Requirements
Section 314.4(f)(2)(iii) of the updated Safeguards Rule specifically addresses the disposal of customer information, requiring covered businesses to implement “policies and procedures for the secure disposal of customer information in any format, including paper.” The rule requires that disposal be done in a manner that protects against unauthorized access, which in practice means:
- Paper records containing customer financial information must be shredded or destroyed before disposal
- The disposal method must render information unreadable and irrecoverable
- Disposal must occur when records are no longer needed for business or legal purposes
- Third-party disposal vendors must be monitored to ensure compliance
Throwing financial records in the trash or recycling — even in a secure facility — does not meet the Safeguards Rule standard. Only physical destruction through certified shredding provides the level of security the rule demands. Our Safeguards Rule-compliant shredding services ensure your business meets these requirements.
Penalties for Non-Compliance
The FTC actively enforces the Safeguards Rule, and the consequences of non-compliance can be severe for New York financial businesses:
- Civil penalties: The FTC can seek civil penalties of up to $50,120 per violation, per day, for companies found in violation of a final FTC order
- Injunctive relief: Courts can order businesses to cease non-compliant practices and implement specific compliance measures
- Mandatory compliance programs: Businesses found in violation may be required to implement FTC-supervised compliance programs for years
- Reputational damage: FTC enforcement actions are public, potentially damaging your business’s reputation with customers and partners
- Class action litigation: Customers whose data is improperly disposed of may have private rights of action
Building a Safeguards Rule-Compliant Document Disposal Program
Complying with the Safeguards Rule’s document disposal requirements takes both a written policy and operational implementation. Here’s what a compliant program looks like:
- Written disposal policy: Document what types of customer information you maintain, how long it must be retained, and how it must be disposed of at end of retention.
- Employee training: All employees who handle customer financial information must know the disposal requirements and follow them consistently.
- Locked secure consoles: Deploy locked document shredding consoles throughout your office for secure, convenient disposal.
- Certified vendor: Partner with a certified shredding company — the Safeguards Rule requires you to monitor your service providers to ensure they’re adequately protecting your customers’ information.
- Certificate of Destruction: Obtain and retain Certificates of Destruction for all shredding events as your audit documentation.
Check our service pricing and contact us for a compliant shredding program tailored to your financial business.
Why New York Businesses Choose New York Shredding
For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.
Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.
Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.

