16 CFR 314.6

The exemption names four paragraphs.

The Safeguards Rule does not create an all-or-nothing exemption for small firms. Section 314.6 identifies four specific paragraphs that do not apply when the institution maintains customer information concerning fewer than 5,000 consumers.

This is a paragraph-level exemption. It should be applied with the same precision.

What remains

The exemption does not say the institution is outside the Safeguards Rule. Other applicable duties remain, including designating a Qualified Individual, basing the program on an assessment of risk, implementing safeguards, training personnel, overseeing service providers, monitoring systems as applicable, and adjusting the program as the business changes.

The distinction matters. “You need everything” overstates the rule. “Small firms are exempt” understates it. Neither helps a principal decide what to do next.

Count the right population before relying on it.

The threshold concerns the number of consumers whose customer information the institution maintains. It is not automatically the same as the current client count, annual return count, number of employees, or number of records in one application.

A defensible scope therefore starts with the data inventory and the firm's facts. The assessment should document how the threshold was evaluated and which paragraphs were excluded. If the count or data-retention practice changes, the conclusion may need to change with it.

Why a smaller truthful scope is stronger

Applying an available exemption is not cutting a corner. It is reading the rule accurately. The remaining controls still need evidence, but the engagement should not sell four specified deliverables as mandatory when the regulation says otherwise.

That is the point of assessment before remediation: establish the boundary, apply the rule, and spend effort where the obligation and risk actually remain.