16 CFR Part 314

FTC Safeguards Rule scan-to-email compliance, mapped section by section.

The 2021 amended FTC Safeguards Rule requires every covered financial institution to encrypt customer information in transit. Multifunction printer scan-to-email is the largest unaddressed transmission path in most programs. SecureMFP closes the 314.4(c)(3) obligation on every device in the fleet without firmware changes or copier replacements.

The regulation

What the FTC Safeguards Rule actually requires

The FTC Safeguards Rule is codified at 16 CFR Part 314 and was substantially amended in 2021 with phased compliance dates running through June 9, 2023. The rule sits under section 501(b) of the Gramm-Leach-Bliley Act and applies to non-bank financial institutions outside the jurisdiction of the federal banking regulators. Covered institutions include auto dealers offering financing, mortgage brokers, payday lenders, tax preparers, collection agencies, finders, and check cashers. The amended rule introduced nine specific elements at 314.4(a) through 314.4(i) including a qualified individual, a written risk assessment, encryption of customer information in transit and at rest, multi-factor authentication, continuous monitoring, secure development practices, qualified personnel, written incident response, and annual board reporting. Multifunction printer scan-to-email touches at least four of those nine elements directly and is the single most common transmission path in scope.

The encryption obligation

Section 314.4(c)(3) encryption-in-transit explained for MFP scans

16 CFR 314.4(c)(3) states that a covered institution must protect customer information by encryption of all customer information in transit over external networks. The rule allows compensating controls only when reviewed and approved in writing by the qualified individual. The text does not name multifunction printers, but the language is path-based, not device-based. Every transmission path that carries customer information over an external network triggers the obligation. Scan-to-email is precisely such a path. The MFP packages the scanned image as an SMTP message and relays it through the institution's mail gateway. If the connection to the recipient mail server is not encrypted end to end, or if the SMTP TLS negotiation falls back to plaintext, the customer information has crossed an external network unencrypted. The qualified individual must document the safeguard or the compensating control.

Where the gap lives

Why scan-to-email is the largest unaddressed gap

Information security programs were built around servers, databases, email gateways, and laptops. Multifunction printers were treated as peripherals, not as transmission endpoints. The Quocirca 2024 Print Security Landscape found that just 16 percent of organizations are completely confident in their print security while 67 percent suffered a print-related breach in the past year. The arithmetic difference is the size of the gap. A 200-device fleet processing 30 scans per device per day sends roughly 1.5 million customer-information transmissions per year over a path the qualified individual cannot attest to. The 2021 amendment closed several other gaps, multi-factor authentication, written incident response, qualified personnel, but it did not provide device-class guidance for printers. Assessors are catching up. Scan-to-email is becoming a standard line item in the 314.4 walkthrough that did not exist three years ago.

The assessor checklist

The MFP checklist your assessor expects to see

Assessors working a 16 CFR Part 314 engagement follow a predictable walkthrough on the multifunction printer scope. The checklist below mirrors the questions asked during a 314.4(b) risk-assessment review and a 314.4(d) continuous-monitoring sample. If the program cannot produce evidence for each item, the assessor will record a deficiency in the report or in the management letter that accompanies it.

What the assessor asksWhere it maps
Show me the encryption-in-transit policy for scan-to-email.314.4(c)(3)
Where is scan-to-email in the written risk assessment?314.4(b)
How is the qualified individual notified of scan-to-email exceptions?314.4(a) and 314.4(i)
Show the audit logs from a sample MFP scan over the last 90 days.314.4(d)
Show the incident response plan section that covers an MFP breach.314.4(h)
How are MFP firmware updates tracked across the fleet?314.4(d) and 314.4(f)
Show the board report language for scan-to-email exposure.314.4(i)
Control-by-control mapping

How SecureMFP closes each 314.4 obligation

SecureMFP intercepts the scan-to-email job at a stateless gateway between the multifunction printer and the institution's mail relay. The plaintext SMTP hop is replaced with an encrypted transport channel. The control surfaces below map line by line to the 314.4 elements that scan-to-email touches. The qualified individual signs once.

ElementObligationSecureMFP control surface
314.4(a)Qualified individual designationSingle dashboard the qualified individual signs into for fleet-wide attestation.
314.4(b)Written risk assessmentScan-to-email risk-assessment delta document supplied at deployment.
314.4(c)(3)Encryption in transitEncrypted transport channel replaces plaintext SMTP for every scan.
314.4(c)(6)Multi-factor authenticationRecipient retrieves through authenticated session, not a mailbox copy.
314.4(d)Continuous monitoring and testingPer-document audit log retained for the examination retention window.
314.4(h)Written incident response planBreach-of-transport scenarios pre-mapped to the response runbook.
314.4(i)Annual board reportBoard-report language template for the scan-to-email control line.
Auto-dealer obligations

What the 2021 amendment added for auto dealers

The 2021 amended FTC Safeguards Rule explicitly captured auto dealers offering, arranging, or servicing financing. The phased compliance date for the new nine-element framework was June 9, 2023. Dealers became responsible for the qualified-individual designation, written risk assessment, encryption in transit, multi-factor authentication, continuous monitoring, qualified personnel, written incident response, and annual board reporting. The 30-day breach-notification rule took effect May 13, 2024 for incidents affecting 500 or more consumers. Multifunction printer scan-to-email is the single most common transmission path in a dealership for driver's licenses, credit applications, insurance binders, and trade-in titles. NADA, AICPA, and the major dealer-services compliance firms all flagged scan-to-email as a 314.4(c)(3) line item in their 2024 and 2025 dealer-compliance guidance. The Qualified Service Providers category, dealers who hold customer information for other institutions, faces the same obligation.

Penalties and enforcement

What the FTC has done about Safeguards violations

Civil penalties under the FTC Act can reach 51,744 dollars per violation as of the 2024 adjustment. The FTC has pursued Safeguards Rule cases against mortgage brokers, payday lenders, tax preparers, and an online retailer in recent years. Settlement orders typically include 20 years of compliance monitoring, biennial third-party assessments, named-executive personal certifications, and full payment of the assessment cost. The 2024 amendment that added the 30-day breach-notification requirement at 314.5 also expanded enforcement leverage because notification triggers attorney-general involvement at the state level. The Equifax 700 million dollar consent order and the Drizly chief executive personal-liability order both signaled the FTC's posture: the qualified individual and named executives are accountable. Scan-to-email is the kind of line item that, missed in a risk assessment, becomes the assessor finding that triggers the management letter that triggers the consent decree.

FAQ, scope and applicability

Who is in scope and what the rule covers

The two questions every program owner asks before the 314.4 walkthrough begins are whether the institution is in scope at all and whether the rule names multifunction printers explicitly. The answers below clarify both.

Does the FTC Safeguards Rule explicitly require scan-to-email encryption?

16 CFR 314.4(c)(3) requires encryption of customer information in transit over external networks. The rule does not enumerate device classes, so multifunction printers are not named. The principle applies because scan-to-email transmits customer information over networks. Assessors will ask how the obligation is satisfied for every transmission path, including MFP scans.

Is my dealership a financial institution under the FTC Safeguards Rule?

Yes if the dealership offers, arranges, or services financing. The 2021 amended rule explicitly captured auto dealers, mortgage brokers, payday lenders, check cashers, and tax preparers. Effective June 9, 2023 dealers and other non-bank financial institutions must comply with the expanded 16 CFR 314.4 requirements including the qualified-individual designation.

FAQ, encryption requirements

What 314.4(c)(3) and the qualified individual require

Encryption in transit is the heart of the Safeguards Rule for any transmission path including scan-to-email. The qualified individual carries the personal accountability for the line item.

What does 314.4(c)(3) require for encryption in transit?

Encryption of all customer information in transit over external networks, or compensating controls reviewed and approved in writing by the qualified individual. Compensating controls must provide equivalent protection. For scan-to-email, compensating controls are difficult to justify because the data path traverses external SMTP relays that the institution does not control.

What is the qualified individual requirement?

16 CFR 314.4(a) requires designation of a single qualified individual responsible for the information security program. That individual must report in writing to the board annually. Scan-to-email encryption is one of the line items the qualified individual must verify, sign off on, or document as a compensating control with approval evidence retained for examiner review.

FAQ, penalties and risk assessment

What the FTC enforces and how MFPs enter the risk assessment

The 2024 amendment that added 30-day breach notification expanded enforcement leverage at the federal and state level. The written risk assessment is where multifunction printers enter the program.

What are the penalties under the FTC Safeguards Rule?

Civil penalties under the FTC Act can reach 51,744 dollars per violation as of 2024. The 2024 amendment added a 30-day breach-notification requirement for incidents affecting 500 or more consumers. Settlement orders frequently include 20 years of compliance monitoring, biennial third-party assessments, and personal certifications from named executives.

Does the FTC Safeguards Rule require a risk assessment for MFPs?

16 CFR 314.4(b) requires a written risk assessment of foreseeable internal and external risks to customer information. Multifunction printers process and transmit customer information, so they fall in scope. The risk assessment must identify scan-to-email as a transmission path and document the safeguards selected to mitigate the risk.

FAQ, the SecureMFP control surface

How SecureMFP appears in the program and the assessment

The control surface is the artifact assessors care about. SecureMFP produces the encrypted-transport pattern and the documentation the qualified individual signs to register the control in the written information security program.

How does SecureMFP satisfy the encryption-in-transit obligation?

SecureMFP intercepts the scan-to-email job at a stateless gateway and replaces the plaintext SMTP hop with an encrypted transport channel governed by mutual authentication. The recipient retrieves the document through an authenticated session. The institution retains a per-document audit trail mapped to 16 CFR 314.4(c)(3) and 314.4(d) continuous-monitoring requirements.

Will SecureMFP appear on my next FTC compliance assessment?

The control will appear as the documented method by which the institution satisfies 16 CFR 314.4(c)(3) for multifunction printer transmissions. The deployment package includes WISP control-language drafts, the risk-assessment delta, and the per-section mapping document the qualified individual can submit to the board as part of the annual report.

Related regulations

Related compliance pages on the FTC Safeguards Rule perimeter

The FTC Safeguards Rule sits inside a broader federal framework. The pages below share the encryption-in-transit principle and the scan-to-email gap. GLBA is the parent statute. HIPAA carries the equivalent obligation for health information. HITECH adds breach notification. NIST SP 800-53 covers federal-contractor scope. SOC 2 maps the path under Trust Services Criteria.

Back to compliance overview →

Patents and head-to-head

The patent estate and the alternatives comparison

The patented Secure Digital Transport architecture is the technology layer underneath every regulation on this shelf, and the head-to-head comparison against PaperCut, uniFLOW Online, and Tungsten Automation is the procurement evaluation surface buyers use alongside the regulatory mapping. The two pages below are adjacent reading for any chief information security officer, compliance officer, or audit-firm partner already deep inside the scan-to-email replacement evaluation. Use the patents page during vendor due diligence and supply-chain risk review. Use the compare page during head-to-head selection against print management and document capture incumbents.

Talk to a specialist

Talk to a SecureMFP specialist about your FTC Safeguards Rule obligations

A SecureMFP specialist will walk through the 16 CFR Part 314 mapping for your specific fleet, supply the written information security program control-language draft your qualified individual can register, and coordinate with your assessor or external audit firm ahead of the next 314.4 walkthrough. Thirty minutes is the standard slot. The walkthrough covers the qualified-individual sign-off, the per-section 314.4(a) through 314.4(i) mapping for scan-to-email, the assessor evidence schema, and the board-report language template for the annual 314.4(i) submission. Forward-thinking dealers, mortgage brokers, and other covered institutions are closing the scan-to-email gap before the next assessment cites it. The standard rollout is two to four weeks for a typical regional fleet, with five minutes per device on site and no firmware change required on any MFP brand.