AI Strategy, Cybersecurity, Compliance Automation & Microsoft 365 Managed IT for Security-First Financial Institutions | ABT Blog

FTC Safeguards Rule & Microsoft 365 for Mortgage Lenders

Written by Justin Kirsch | Thu, Jun 18, 2026

Your loan business already runs on Microsoft 365. Originators email borrowers, processors move documents through SharePoint and Teams, and loan files full of Social Security numbers, bank statements, and pay stubs live in mailboxes and shared drives. That is exactly the customer information the federal government now requires you to protect under a specific written program, and the agency holding you to it is probably not the one you think.

Mortgage lenders, mortgage brokers, and most other non-bank lenders answer to the Federal Trade Commission, not to the FFIEC, the OCC, or the NCUA. The FTC's Safeguards Rule, as amended in 2021, has required a formal written information security program in full since June 9, 2023, and since May 13, 2024 it has required you to report to the FTC, within 30 days of discovery, any breach in which the unencrypted information of 500 or more consumers is acquired. The good news for a Microsoft shop is that the rule reads almost like a configuration checklist for the tools you are already paying for.

This guide walks through who the rule covers, the nine elements it requires, how each one maps to a Microsoft 365 control you can turn on, and what it takes to run the program well enough to survive both an examiner and a real incident. The work is real, but it is not mysterious, and it does not have to slow your closings down.

$6.08M
Average cost of a data breach in the financial services sector, the second-highest of any industry. A single lost laptop or phished loan officer can put a mid-sized lender on the wrong side of that number.
Source: IBM, Cost of a Data Breach Report 2024

Who the FTC Safeguards Rule Actually Covers

The FTC Safeguards Rule, codified at 16 CFR Part 314, implements the security provisions of the Gramm-Leach-Bliley Act. It applies to "financial institutions" that fall under the FTC's jurisdiction and are not already supervised by a federal banking regulator. In plain terms: if you are a bank or a federally insured credit union, your prudential regulator (the OCC, FDIC, Federal Reserve, or NCUA) enforces GLBA security against you. If you are a non-bank lender, the FTC does.

Section 314.2(h) of the rule lists 13 example businesses that count as financial institutions, and the list is broad. It includes mortgage lenders, mortgage brokers, finance companies, payday lenders, account servicers, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and, since the 2021 amendments, "finders" who simply bring buyers and sellers together. If your business touches consumer loan data, assume you are covered until a lawyer tells you otherwise.

The Regulator Mix-Up That Trips Up Lenders

Plenty of mortgage operators assume the rules that bind their bank counterparties also bind them, or that no one is really watching a privately held lender. Both assumptions are wrong. The FTC writes and enforces your information security standard, the requirements are specific and written, and your security program has to exist on paper before an incident, not after.

This matters because the FTC's expectations are not vague "reasonable security" language anymore. The amended rule spells out concrete controls, names a person who has to own the program, and requires evidence that you actually run it. The same Microsoft 365 platform that handles your email and documents can satisfy most of those controls, but only once it is configured for regulated data rather than left on its general-business defaults. For the banking side of this question, our companion guide on Microsoft 365 compliance for GLBA and OCC requirements covers how the prudential regulators approach the same statute.

The Nine Elements of a Safeguards Program

Here the FTC is refreshingly direct. Its own plain-language guidance states that "Section 314.4 of the Safeguards Rule identifies nine elements that your company's information security program must include." That sentence is your scope. A compliant program is not a firewall and a hope. It is a written, supervised, regularly tested system built around these nine pillars.

1. Designate a Qualified Individual

One named person who owns and supervises the program. They can be an employee or work for a service provider, but accountability stays with your company.

2. Conduct a written risk assessment

Inventory what customer information you hold and where, then document the foreseeable threats and the criteria you use to judge them. Reassess periodically.

3. Implement safeguards

Access controls and least privilege, an inventory of the data and systems that hold customer information, encryption of customer information at rest and in transit, secure development practices for in-house applications and security evaluation of third-party ones, multifactor authentication for anyone accessing customer information, secure disposal no later than two years after the information was last used unless you must keep it, change management, and logging and monitoring of authorized users' activity.

4. Monitor and test

Use continuous monitoring, or run annual penetration tests plus vulnerability scans every six months. Test again after any material change.

5. Train your staff

Security awareness training for everyone, with specialized training for the people responsible for running the program.

6. Oversee service providers

Select vendors that can protect your data, require safeguards by contract, and reassess them over time. Your cloud provider is one of them.

7. Keep the program current

Update the program as your operations, threats, and people change. A static program is a non-compliant program.

8. Write an incident response plan

A documented plan covering goals, roles, communications, remediation, and a post-incident review the rule spells out in detail.

9. Report to your board

The Qualified Individual reports in writing, at least annually, to the board or a senior officer on the state of the program.

Read that list as an examiner would. Notice how much of it is not really about buying a product. It is about ownership, documentation, and proof. The encryption and multifactor pieces are table stakes; the harder parts are the written risk assessment, the tested incident response plan, and the annual board report that demonstrate you are running a program rather than owning some tools.

The nine elements every Safeguards Rule program must include under 16 CFR 314.4, each aligned to a Microsoft 365 control.

How Microsoft 365 Maps to the Nine Elements

Here is where being a Microsoft 365 shop pays off. Most of the technical safeguards in Section 314.4 correspond directly to a Microsoft control you already license or can add. The platform was not built for the Safeguards Rule, but Microsoft's security and compliance stack lines up with it cleanly once you turn the right features on and document them. As a Tier-1 Microsoft Cloud Solution Provider that manages Microsoft 365 for more than 750 financial institutions, we see the same gap on nearly every tenant we assess: the controls are licensed and idle.

Safeguards Rule requirement         | Microsoft 365 control                                                         | Default state
Access controls, least privilege    | Microsoft Entra ID roles, Conditional Access, Privileged Identity Management  | Off by default (Conditional Access needs Entra ID P1, PIM needs P2)
Multifactor authentication          | Microsoft Entra ID multifactor and phishing-resistant authentication          | Partial (Security Defaults enforce basic MFA on newer tenants; nothing requires phishing-resistant methods)
Encryption at rest and in transit   | Microsoft Purview encryption, sensitivity labels, BitLocker via Intune, TLS   | Partial (service-side encryption and TLS are on; labels and BitLocker need configuration)
Data inventory and classification   | Microsoft Purview data classification and Data Map                            | Off by default
Secure disposal and retention       | Microsoft Purview retention and disposal policies                             | Off by default
Logging of authorized-user activity | Microsoft Purview Audit and Microsoft Sentinel                                | Partial (Audit is on with 180-day retention; Sentinel is not)
Monitoring and testing              | Microsoft Defender XDR, Secure Score, plus third-party penetration testing    | Partial
Incident response                   | Microsoft Sentinel and Defender XDR playbooks                                 | Off by default
Service-provider evidence           | Microsoft Service Trust Portal compliance reports                             | Available

That "default state" column tells the whole story. Microsoft 365 ships configured for a general business that wants its email to just work, not for a regulated lender that has to prove control over nonpublic personal information. Almost every safeguard the FTC requires is available, and little of it is on out of the box in the form the rule needs. Closing that gap is configuration work, and it is the work most lenders have never formally done.

Take the controls one at a time. The access-controls requirement is satisfied by Conditional Access policies in Microsoft Entra ID (an Entra ID P1 feature; Privileged Identity Management needs P2) that limit who can reach loan data, from which devices, and from where. The multifactor requirement maps to Entra ID multifactor authentication, and examiners increasingly expect phishing-resistant methods such as FIDO2 security keys, passkeys, and Windows Hello for Business, enforced through a Conditional Access authentication strength, rather than text-message or voice codes. The encryption and data-handling requirements lean on Microsoft Purview, which is also the engine behind data loss prevention for AI and Copilot. And the logging and monitoring requirements run through Microsoft Purview Audit (180 days of retention on the standard tier; longer retention needs Audit (Premium) or export to a SIEM), Microsoft Defender, and Microsoft Sentinel, the same stack behind a properly tuned Defender for Office 365 anti-phishing configuration.
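As an added example (not code from the article, from ABT, or from Microsoft), here is a Python check that reads Conditional Access policies in the shape Microsoft Graph returns them and flags the gaps an examiner would notice: a generic "mfa" grant that SMS satisfies, a phishing-resistant policy left in report-only mode, and a missing break-glass exclusion. The sample policies are constructed; the phishing-resistant authentication-strength ID and the break-glass account ID are assumptions, not values from the page.

```python
"""Assess exported Entra ID Conditional Access policies against the Safeguards
Rule's access-control and MFA expectations (16 CFR 314.4(c)(1) and (c)(5)).

Added example; not code from the article, from ABT, or from Microsoft.
SAMPLE_POLICIES is constructed to follow the Microsoft Graph
conditionalAccessPolicy schema (displayName, state, conditions.users,
conditions.applications, grantControls) as returned by
GET /identity/conditionalAccess/policies; it is sample data, not a tenant
export. Assumptions: the built-in authentication-strength ID for
"Phishing-resistant MFA" is 00000000-0000-0000-0000-000000000004, and the
break-glass account object ID below is hypothetical.
"""
import copy
from dataclasses import dataclass

PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
# Emergency-access ("break-glass") account object ID; hypothetical value.
BREAK_GLASS_ACCOUNTS = {"1b2c3d4e-0000-4000-8000-000000000001"}
BREAK_GLASS = sorted(BREAK_GLASS_ACCOUNTS)

SAMPLE_POLICIES = [
    {   # Typical "MFA for everyone": any registered method, SMS included, satisfies it.
        "displayName": "CA001 Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                          "authenticationStrength": None},
    },
    {   # The policy the rule wants, left in report-only mode with no break-glass exclusion.
        "displayName": "CA002 Require phishing-resistant MFA",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": [],
                          "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}},
    },
    {   # Legacy-auth block: correctly enforced, so it should produce no findings.
        "displayName": "CA003 Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": BREAK_GLASS},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"],
                          "authenticationStrength": None},
    },
]


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str
    message: str


def _strength_id(policy):
    grant = policy.get("grantControls") or {}
    return (grant.get("authenticationStrength") or {}).get("id")


def _covers_all_users_and_apps(policy):
    cond = policy["conditions"]
    return ("All" in cond["users"].get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))


def assess_policies(policies):
    """Return findings for a list of Graph conditionalAccessPolicy objects."""
    findings = []
    phishing_resistant_enforced = False
    for p in policies:
        name = p["displayName"]
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        if not (excluded & BREAK_GLASS_ACCOUNTS):
            findings.append(Finding(name, "medium",
                "no break-glass account excluded; a bad policy change could lock out every admin"))
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(Finding(name, "low",
                "report-only: writes sign-in log evidence but enforces nothing"))
        elif p["state"] == "disabled":
            findings.append(Finding(name, "medium", "policy is disabled"))
        if "mfa" in controls and _strength_id(p) is None:
            findings.append(Finding(name, "medium",
                "generic 'mfa' grant: SMS and voice satisfy it; require an authentication strength"))
        if (p["state"] == "enabled" and _strength_id(p) == PHISHING_RESISTANT_STRENGTH_ID
                and _covers_all_users_and_apps(p)):
            phishing_resistant_enforced = True
    if not phishing_resistant_enforced:
        findings.append(Finding("(tenant)", "high",
            "no enabled policy requires phishing-resistant MFA for all users and all apps"))
    return findings


def harden(policy):
    """Copy of a policy switched to enforced, with the break-glass exclusion added.
    This is the change you would PATCH to Graph after reviewing report-only results."""
    fixed = copy.deepcopy(policy)
    fixed["state"] = "enabled"
    users = fixed["conditions"]["users"]
    users["excludeUsers"] = sorted(set(users.get("excludeUsers", [])) | BREAK_GLASS_ACCOUNTS)
    return fixed


if __name__ == "__main__":
    for f in assess_policies(SAMPLE_POLICIES):
        print(f"[{f.severity}] {f.policy}: {f.message}")
    fixed = [SAMPLE_POLICIES[0], harden(SAMPLE_POLICIES[1]), SAMPLE_POLICIES[2]]
    print("after hardening:", [f.message for f in assess_policies(fixed)])
```

Run against a real tenant by feeding the `value` array from a Graph `GET /identity/conditionalAccess/policies` response (or `Get-MgIdentityConditionalAccessPolicy` output) in place of SAMPLE_POLICIES. The "after hardening" run shows the point of the report-only stage: the only finding left is CA001's generic MFA grant, which you retire once the phishing-resistant policy is enforced.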

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

The Safeguards Rule's emphasis on multifactor authentication is not bureaucratic box-checking. Microsoft blocks roughly 7,000 password attacks every second across its cloud, and its own research found that enabling multifactor authentication reduces the risk of account compromise by 99.2 percent. Identity is the front door to your loan data, and it is the single most powerful control in the entire rule.

Source: Microsoft Digital Defense Report 2024; Microsoft research, 2023
How each Safeguards Rule requirement maps to a specific Microsoft 365 control.

Configuration is only half the job. The rule wants evidence, and Microsoft 365 generates it. Microsoft Secure Score gives you a documented baseline and trend line, Purview Audit retains the activity logs an investigator will ask for, and the Microsoft Service Trust Portal supplies the third-party attestations that help satisfy the service-provider element. The platform can produce the paper trail that turns "we have controls" into "here is proof we run them."

The Safeguards Rule does not ask whether you own Microsoft 365. It asks whether you have configured it, documented it, and can prove you run it. Those are three different things.

The 30-Day Clock: Breach Notification

The part of the rule that changes the math is the breach-notification requirement that took effect on May 13, 2024. It is the reason security is no longer a private matter you can quietly manage in-house. Under Section 314.4(j), if you discover that an unauthorized party acquired the unencrypted information of at least 500 consumers, you have to tell the FTC through its online reporting form as soon as possible, and no later than 30 days after discovery.

FTC Safeguards Rule, 16 CFR 314.4(j)

A covered financial institution must notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving the unencrypted customer information of at least 500 consumers.

Effective May 13, 2024. Filed via the FTC online reporting form.

Two details in that requirement do most of the damage if you are unprepared. First, the FTC makes these reports publicly available, which means a breach you would once have handled quietly can become a matter of record that borrowers, partners, and competitors can find. Second, the 30-day clock starts at discovery, and the rule deems an event discovered on the first day any of your employees, officers, or agents (other than the person committing the breach) knows of it, so the clock does not wait for the investigation to finish. The threshold is counted in consumers, not records or files. To know whether you crossed 500 consumers, you have to be able to reconstruct exactly whose data was touched, fast. That forensic capability is not a nice-to-have; it is what lets you answer the only question the deadline cares about.

Why "Unencrypted" Is the Word That Matters

The notification trigger is the unauthorized acquisition of unencrypted customer information. Encrypted data acquired without the key is outside the trigger, with two caveats the rule adds in its own definition of a notification event (Section 314.2): information is treated as unencrypted if the encryption key was also accessed by an unauthorized person, and unauthorized access is presumed to be acquisition unless you have reliable evidence that acquisition did not, or could not, occur. That single word still turns encryption from a checkbox into a financial decision: loan data that is properly encrypted, with keys the attacker never reached, may not start the public 30-day clock at all, while the same data left in the clear almost certainly does.

This is where your detection and logging investments earn their keep. Microsoft Sentinel and Microsoft Defender are what let you scope an incident quickly enough to count affected consumers and decide whether the 30-day obligation has been triggered. Without that telemetry, you are guessing under a federal deadline, and guessing low is how a manageable incident becomes an enforcement problem.
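The scoping decision above is mechanical once you have the telemetry, so here is an added example (not the article's, ABT's, or Microsoft's code) in Python that runs it over constructed Purview audit records: it keeps only the compromised account's acquisition events inside the intrusion window, joins them to a loan-file index to collect distinct consumers, drops encrypted files unless the key was also compromised, and computes the 30-day deadline from discovery. The audit records, file index, consumer IDs, account names, and timestamps are all constructed for the example.

```python
"""Scope a suspected notification event under 16 CFR 314.4(j): count the
distinct consumers whose unencrypted customer information a compromised
account could have acquired, and compute the 30-day deadline from discovery.

Added example; not code from the article, from ABT, or from Microsoft.
AUDIT_LOG is constructed in the shape of a Microsoft Purview unified audit log
export (CreationTime in UTC, Operation, UserId, ObjectId, Workload).
LOAN_FILE_INDEX, which maps each document to the consumers whose data it holds
and whether it is encrypted, is invented for the example; in a real tenant you
would build it from Purview classification results and your loan origination
system. Two points from the rule are modelled: encrypted information counts as
unencrypted if the key was also accessed, and unauthorized access is presumed
to be acquisition unless you have reliable evidence otherwise, so a
FileAccessed event counts exactly like a FileDownloaded one.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOTIFICATION_THRESHOLD = 500              # consumers, 16 CFR 314.4(j)(1)
NOTIFICATION_WINDOW = timedelta(days=30)  # from discovery, 16 CFR 314.4(j)(1)

# Audit operations after which the content must be presumed acquired.
ACQUISITION_OPERATIONS = {"FileAccessed", "FileDownloaded",
                          "FileSyncDownloadedFull", "MailItemsAccessed"}

SITE = "https://contoso.sharepoint.com/sites/Loans/"
COMPROMISED_USER = "lo.smith@contoso.com"

# Constructed loan-file index. The pipeline export alone names 480 consumers.
LOAN_FILE_INDEX = {
    SITE + "Reports/Pipeline-Export-2024Q1.xlsx":
        {"consumers": {f"C-{i:04d}" for i in range(1, 481)}, "encrypted": False},
    SITE + "2024/L-2024-1187/Application.pdf":
        {"consumers": {"C-0481", "C-0482"}, "encrypted": False},
    SITE + "2024/L-2024-0042/Application.pdf":
        {"consumers": {"C-0005", "C-0483"}, "encrypted": False},  # C-0005 is also in the export
    SITE + "Closings/March-Closing-Disclosures.pdf":
        {"consumers": {f"C-{i:04d}" for i in range(600, 630)}, "encrypted": True},  # label-encrypted
    SITE + "2023/Archive-2023.zip":
        {"consumers": {f"C-{i:04d}" for i in range(700, 800)}, "encrypted": False},
}

# Constructed audit records. Only events by the compromised account inside the
# intrusion window count; the 20 February access is the user's normal work.
AUDIT_LOG = [
    {"CreationTime": "2024-02-20T16:02:11", "Operation": "FileAccessed", "UserId": COMPROMISED_USER,
     "ObjectId": SITE + "2023/Archive-2023.zip", "Workload": "SharePoint"},
    {"CreationTime": "2024-03-03T09:15:42", "Operation": "FileDownloaded", "UserId": COMPROMISED_USER,
     "ObjectId": SITE + "Reports/Pipeline-Export-2024Q1.xlsx", "Workload": "SharePoint"},
    {"CreationTime": "2024-03-03T09:20:07", "Operation": "FileAccessed", "UserId": COMPROMISED_USER,
     "ObjectId": SITE + "2024/L-2024-1187/Application.pdf", "Workload": "SharePoint"},
    {"CreationTime": "2024-03-03T09:22:35", "Operation": "FileAccessed", "UserId": COMPROMISED_USER,
     "ObjectId": SITE + "2024/L-2024-0042/Application.pdf", "Workload": "SharePoint"},
    {"CreationTime": "2024-03-03T09:30:00", "Operation": "FileAccessed", "UserId": "processor.jones@contoso.com",
     "ObjectId": SITE + "2023/Archive-2023.zip", "Workload": "SharePoint"},
    {"CreationTime": "2024-03-03T10:05:19", "Operation": "FileDownloaded", "UserId": COMPROMISED_USER,
     "ObjectId": SITE + "Closings/March-Closing-Disclosures.pdf", "Workload": "SharePoint"},
]

# Intrusion window from the sign-in logs (first foreign sign-in to account disable)
# and discovery time: the first day any employee, officer or agent knew of the event.
WINDOW_START = datetime(2024, 3, 3, 8, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
DISCOVERED_AT = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ScopeResult:
    affected_consumers: frozenset
    reportable: bool
    deadline: datetime
    evidence: tuple  # (timestamp, operation, object) rows to attach to the report


def scope_incident(audit_log, file_index, user, window_start, window_end,
                   discovered_at, key_compromised=False):
    affected, evidence = set(), []
    for rec in audit_log:
        # Purview exports CreationTime as UTC without a zone designator.
        ts = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        if rec["UserId"].lower() != user.lower() or not window_start <= ts <= window_end:
            continue
        if rec["Operation"] not in ACQUISITION_OPERATIONS:
            continue
        entry = file_index.get(rec["ObjectId"])
        if entry is None:
            continue  # unindexed object: classify it before closing the scope
        if entry["encrypted"] and not key_compromised:
            continue  # encrypted and key not accessed: outside the trigger
        affected |= entry["consumers"]
        evidence.append((rec["CreationTime"], rec["Operation"], rec["ObjectId"]))
    return ScopeResult(frozenset(affected), len(affected) >= NOTIFICATION_THRESHOLD,
                       discovered_at + NOTIFICATION_WINDOW, tuple(evidence))


if __name__ == "__main__":
    for key_compromised in (False, True):
        r = scope_incident(AUDIT_LOG, LOAN_FILE_INDEX, COMPROMISED_USER,
                           WINDOW_START, WINDOW_END, DISCOVERED_AT, key_compromised)
        print(f"key compromised={key_compromised}: {len(r.affected_consumers)} consumers, "
              f"reportable={r.reportable}, FTC deadline {r.deadline:%Y-%m-%d}")
```

The two runs make the article's point concrete: the same four files touched by the same account come to 483 consumers when the closing-disclosure file's label encryption holds, and 513 when the key was also exposed, which is the difference between no FTC filing and a public report due 4 April. Keep the `evidence` rows; they are what you hand the examiner when asked how you arrived at the count.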

Do Small Lenders Get a Pass?

There is a narrow exception, and it is worth understanding precisely because it almost never applies to a working lender. Section 314.6 exempts the smallest institutions from four specific requirements. Here is the actual text.

FTC Safeguards Rule, 16 CFR 314.6 (Exceptions)

Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.

86 FR 70308, December 9, 2021

Translated, an institution holding information on fewer than 5,000 consumers is excused from the written risk assessment, the continuous-monitoring-or-penetration-testing requirement, the written incident response plan, and the annual board report. Everything else, including encryption, multifactor authentication, access controls, and staff training, still applies in full.

Now apply that to reality. A mortgage lender accumulates consumer records with every application, every co-borrower, and every prior-year file it retains for compliance. Five thousand consumers is a threshold most active originators blew past years ago, often without realizing it counts cumulative records, not current pipeline. For all practical purposes, if you are running a real lending operation, assume the full nine-element program applies to you and that the small-institution exception is not your escape hatch.

From Checklist to a Running Program

Reading the nine elements is easy. The hard part is that the Safeguards Rule does not want a one-time project. It wants a living program with a named owner, regular testing, current documentation, and an annual report to leadership. That is operational work that continues long after the initial configuration is done, and it is where a lot of lenders stall, because their IT generalist or outside helpdesk was never set up to run a regulated security program.

This is the gap Access Business Technologies was built to close. A capable generalist MSP can keep your email flowing and your laptops patched, but the Safeguards Rule asks for something most help desks were never structured to deliver: a named, security-literate program owner, controls tuned for regulated loan data, and examiner-ready evidence on demand. Our M365 Guardian operating model is that program. We configure the Microsoft Entra ID, Microsoft Purview, Microsoft Defender, and Microsoft Sentinel controls to the rule's requirements, manage them day to day, and produce the reporting an examiner or an incident will demand. For lenders already running their loan platform with us, that program sits on the same dedicated Azure environment where we host MortgageExchange and MortgageWorkSpace, so security is not bolted on later; it is part of how the operation runs.

A named program owner

A managed operating model gives you the senior, security-literate ownership the Qualified Individual role demands, with the accountability staying inside your company.

Controls configured for regulated data

Entra ID, Purview, Defender, and Intune set to the rule's requirements instead of general-business defaults, and kept current as Microsoft changes the platform.

Evidence on demand

Secure Score baselines, Purview audit logs, and documented policies that turn a stressful exam or breach response into a matter of pulling existing records.

Detection that beats the clock

Sentinel and Defender monitoring that scopes an incident fast enough to count affected consumers and make the 30-day notification decision with facts, not guesses.

Put those four pieces together and the Safeguards Rule stops being a periodic fire drill and becomes a standing capability. That is the real difference between owning Microsoft 365 and running a documented program on it.

The Bottom Line

If you originate or service consumer loans, the FTC Safeguards Rule already applies to you, and Microsoft 365 can satisfy almost every requirement once it is configured for regulated data and run as a documented program. The lenders who get caught short are not the ones without tools. They are the ones who never turned a powerful platform into a proven program.

There is one more reason to get this right now. The same access controls and Microsoft Purview data classification that satisfy the Safeguards Rule are exactly what makes Microsoft 365 Copilot safe to turn on, because Copilot only surfaces what a user is already permitted to see. Doing the Safeguards work is also doing your Copilot readiness work. Compliance and productivity point in the same direction.

See where your Microsoft 365 tenant stands against the Safeguards Rule

ABT will assess your current Microsoft 365 configuration against the nine elements of 16 CFR Part 314, show you the gaps, and map the path to a documented, examiner-ready program built on the tools you already own.

Key Takeaway

The FTC Safeguards Rule turns Microsoft 365's optional security features into legal obligations for mortgage lenders, and the platform can meet nearly all of them. The differentiator is not whether you own the controls but whether you have configured them for regulated data, documented them, and can prove you run them on the day an examiner or an attacker asks.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to mortgage lenders and mortgage brokers?

Yes. Mortgage lenders and mortgage brokers are explicitly listed as covered financial institutions in Section 314.2(h) of the FTC Safeguards Rule. Because they are not supervised by a federal banking regulator, the FTC enforces the Gramm-Leach-Bliley Act security requirements against them directly under 16 CFR Part 314.

What does a Safeguards Rule information security program have to include?

Section 314.4 requires a written information security program built on nine elements: designate a Qualified Individual, conduct a written risk assessment, implement safeguards such as access controls, encryption, and multifactor authentication, regularly monitor and test, train staff, oversee service providers, keep the program current, maintain a written incident response plan, and have the Qualified Individual report to the board at least annually.

Does Microsoft 365 cover the Safeguards Rule's technical requirements?

Microsoft 365 provides a direct control for most technical requirements: Microsoft Entra ID for access controls and multifactor authentication, Microsoft Purview for encryption, data classification, retention, and audit logging, and Microsoft Defender and Sentinel for monitoring and incident response. The catch is that these controls are largely off, or not configured for regulated data, under their general-business defaults, and they must be configured and documented to satisfy the rule.

What is the Safeguards Rule breach notification requirement?

Under Section 314.4(j), effective May 13, 2024, a covered financial institution must notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving the unencrypted customer information of at least 500 consumers. The report is filed through the FTC online reporting form and is made publicly available.

Are small lenders exempt from the Safeguards Rule?

Only partially, and rarely in practice. Section 314.6 exempts institutions that maintain customer information on fewer than 5,000 consumers from four requirements: the written risk assessment, the monitoring-and-testing requirement, the written incident response plan, and the annual board report. Encryption, multifactor authentication, access controls, and training still apply, and most active lenders hold records on far more than 5,000 consumers, so the full program usually applies.

Who is the Qualified Individual?

The Qualified Individual is the single person responsible for implementing and supervising your information security program. They do not need a specific title or degree, and they can work for an affiliate or a service provider, but your company stays accountable for the program and must designate a senior employee to direct and oversee that person. Many lenders meet this requirement through a managed security partner while keeping internal ownership.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has built secure Microsoft cloud environments for mortgage lenders and other financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider primarily dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies turn Microsoft 365 into a documented, examiner-ready security program.