16 CFR 314.6
The exemption names four paragraphs.
The Safeguards Rule does not create an all-or-nothing exemption for small firms. Section 314.6 identifies four specific paragraphs that do not apply when the institution maintains customer information concerning fewer than 5,000 consumers.
- 314.4(b)(1): the requirement that the risk assessment be written and include specified criteria.
- 314.4(d)(2): the prescribed penetration-testing and vulnerability-assessment schedule used when continuous monitoring is not employed.
- 314.4(h): the written incident response plan.
- 314.4(i): the written annual report by the Qualified Individual to the governing body or equivalent senior officer.
This is a paragraph-level exemption. It should be applied with the same precision.
What remains
The exemption does not say the institution is outside the Safeguards Rule. Other applicable duties remain, including designating a Qualified Individual, basing the program on an assessment of risk, implementing safeguards, training personnel, overseeing service providers, monitoring systems as applicable, and adjusting the program as the business changes.
The distinction matters. “You need everything” overstates the rule. “Small firms are exempt” understates it. Neither helps a principal decide what to do next.
Count the right population before relying on it.
The threshold concerns the number of consumers whose customer information the institution maintains. It is not automatically the same as the current client count, annual return count, number of employees, or number of records in one application.
A defensible scope therefore starts with the data inventory and the firm's facts. The assessment should document how the threshold was evaluated and which paragraphs were excluded. If the count or data-retention practice changes, the conclusion may need to change with it.
Why a smaller truthful scope is stronger
Applying an available exemption is not cutting a corner. It is reading the rule accurately. The remaining controls still need evidence, but the engagement should not sell four specified deliverables as mandatory when the regulation says otherwise.
That is the point of assessment before remediation: establish the boundary, apply the rule, and spend effort where the obligation and risk actually remain.