// NOTE · MAY 13, 2026
GLBA Safeguards Rule for collection agencies, in plain English
// Draft
This article is in progress. The opening section below is the published portion; the remaining sections are outlined to give you a sense of what's coming. Have a question that can't wait? Send a message.
The Safeguards Rule is one of those regulations that everyone has heard of, half of the covered businesses think doesn't apply to them, and the FTC's 2023 amendments quietly turned into something with teeth. Collection agencies are squarely in scope — you handle consumer financial information, you have ongoing relationships with financial institutions, you are a covered financial institution yourself for the purposes of GLBA. That's the part that surprises people.
The good news is that the 2023 amendments, while stricter than what came before, are written in a way that small and mid-size agencies can actually comply with. The rule expects a risk-based program that's proportional to your size and complexity. A twelve-person agency with a hosted collection platform and Microsoft 365 does not need an enterprise security operations center. It does need a written information security program, a Qualified Individual, encryption in transit and at rest for nonpublic personal information, MFA on every system that touches NPI, and a documented incident response plan. Those are the load-bearing pieces.
This piece walks through what each of those means in practice, what I've seen auditors and security questionnaires actually ask about, and where most agencies have the biggest gaps. If you're getting a client questionnaire next week and trying to figure out what's real and what's posturing, start here.
What this article covers
- 01 Who's actually covered (and the common misconception)
  The misconception: 'we don't originate credit so GLBA doesn't apply.' The reality: third-party collection agencies are financial institutions under the rule. If you collect on consumer debt, you're in scope. Most B2B agencies are out of scope, but read the definitions carefully — a 'consumer' for GLBA purposes is broader than you'd think.
- 02 The Qualified Individual — what it really means
  A single named person responsible for the information security program. Doesn't need to be a CISO with twenty years of experience; doesn't need to be a full-time role. Does need to be someone with the authority to make security decisions and report to leadership. This can be outsourced to a consultant, but the agency still owns the accountability.
- 03 The 9 elements your written program must include
  Risk assessment, access controls, encryption, MFA, secure development practices for any custom systems, monitoring/logging, change management, security awareness training, and incident response. Each one has a specific expectation in the rule — but for a small agency, each can be addressed in a few paragraphs of a document plus pointers to the technical implementations.
- 04 MFA, encryption, and incident response — the new teeth
  The 2023 amendments are explicit: MFA for everyone accessing NPI, encryption at rest and in transit, and a written incident response plan. These three are non-negotiable. They're also the three things I see most commonly missing or implemented inconsistently.
- 05 Vendor oversight without losing your mind
  You're responsible for ensuring service providers handling NPI are also implementing safeguards. For a small agency, this doesn't mean SOC 2 audits of every vendor. It means a vendor inventory, a basic due-diligence template, contract clauses requiring safeguards, and periodic review. We have a starter template that takes about a day to populate for a typical agency's vendor list.
- 06 What auditors and security questionnaires actually look at
  In order of frequency: (1) Do you have a written program? Can you produce it? (2) Who is your Qualified Individual? (3) Is MFA enforced on email and collection-platform access? (4) Is data encrypted? (5) What's your incident response plan? (6) How do you oversee vendors? The first three are the ones most agencies trip over.
- 07 The 60-day plan to actually get compliant
  Week 1–2: data flow inventory, designate the Qualified Individual, enable MFA where missing. Week 3–4: encryption review, vendor inventory. Week 5–6: write the program document, write the IR plan. Week 7–8: train staff, run a tabletop exercise. You don't need a year. You need a focused two-month sprint.