Skip to main content

FAQ: FTC Safeguards Rule

September 18, 2023
Data Privacy & Security

Download (PDF: 125 KB)

In October 2021, the Federal Trade Commission (FTC) updated the Safeguards Rule (the “Rule”) for financial institutions to protect consumer information.  Here are answers to frequently asked questions by real estate professionals, brokerages, and associations.

Is a real estate brokerage subject to the Rule?

It depends. As further explained below, a real estate brokerage that engages only in traditional real estate activities should not be subject to the FTC’s Safeguards Rule. Traditional real estate activities include acting as an agent for a party in a real estate transaction; listing or advertising for the party; providing advice or negotiating a sales price; or administering a closing. 

However, if the brokerage provides ancillary services that are financial in nature or incidental to a financial activity, the brokerage may likely be subject to the Rule and should consult an attorney for legal advice on these federal regulations, as well as any state requirements. Please check out NAR’s Washington Report, including details on exemptions for entities that maintain customer information of fewer than 5,000 consumers.

What is the FTC Safeguards Rule?

In 2003, the FTC issued regulations to protect the privacy of consumers' personal information. The Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program designed to safeguard customer information.

In 2021, the Rule was updated to:

  1. Offer guidance on information security program components (e.g., authentication);
  2. Introduce more accountability measures (e.g., periodic reports to the Board);
  3. Exempt financial institutions that collect customer information of fewer than 5,000 consumers;
  4. Expand the definition of “financial institution” to include “finders,” which are defined as companies that bring together buyers and sellers of a service or product; and
  5. Define regulatory terms and provide related examples of financial activities that are covered.

See NAR’s Washington Report for more general information and consult an attorney for compliance support in your jurisdiction.

What is a “financial institution” under the Rule?

A “financial institution” is generally an institution the business of which is significantly engaging in an activity that is financial in nature or incidental to such financial activity. These terms come from the Bank Holding Company Act (the “Act”) and are defined by the Act and regulations issued thereunder by the Board of Governors of the Federal Reserve System (“FRB”).  Bank holding companies, including financial holding companies, are generally precluded from engaging in real estate brokerage activities under the Act.

What does a financial institution have to do to comply with the Rule?

Under the Rule, financial institutions must take steps to secure customer information from unauthorized access, use, or disclosure. To do this, they must conduct a risk assessment and put in place physical, technical, and administrative safeguards appropriate to their size and complexity and the sensitivity of the customer information they hold. The Rule also requires firms to train their employees on their information security programs and practices. Financial institutions must review their information security programs periodically to ensure that they are effective in safeguarding customer information. They must also update their programs in response to changes in their business or technology.

Is a real estate broker who engages only in traditional real estate activities a “finder” subject to the Rule?

Not according to long-existing FRB rules issued in 2001.  In its revisions to the Safeguards Rule, the FTC amended the definition of “financial institution” by incorporating FRB regulations that treat the activity of “acting as a finder” as financial in nature.  The FRB regulations define “finder” as “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate,” but specifically carve out real estate agents and brokers.  See 12 CFR § 225.86(d)(1)(iii)(D).  This carve out reflects the FRB’s considered position that traditional real estate brokerage activities should not be interpreted as financial in nature.  See 66 Fed. Reg. 307, 309 & n. 15 (Jan. 3, 2001).

In the preamble to the Safeguards Rule, the FTC stated that amending the definition of “financial institution” to include “finder” activities was intended to harmonize treatment of financial institutions across the agencies responsible for federal privacy requirements and would not lead to a significant expansion of the Rule’s coverage.  Moreover, neither the Rule nor its preamble states that the FTC intends to treat real estate brokerage in a manner different from the FRB.  For these reasons, real estate brokers engaged in traditional real estate activities should not be subject to the Safeguards Rule.  Please consult with an attorney for further guidance.

Disclaimer:  This information is intended for informational and educational purposes and does not constitute any form of legal advice. This should not be relied on or treated as a substitute for specific advice relevant to specific circumstances and is not intended to create, modify, or replace your company’s policies or procedures. NAR urges all members who have questions about their legal compliance to have their attorneys review the Rule’s technical language at: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314.

Advertisement