16 CFR §314.6 — Exceptions (FTC GLBA Safeguards Rule)
16 CFR §314.6 establishes a small-institution exception for the written-risk-assessment-contents, continuous-monitoring-or-pen-test, incident-response plan, and annual-board-reporting requirements where customer information is maintained on fewer than 5,000 consumers.
Verbatim regulatory text
Verbatim provisions from 16 CFR §314.6 — Exceptions (FTC GLBA Safeguards Rule) — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.
16 CFR §314.6 — Small-institution exception applicability determination
Section 314.4(b)(1) , (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.
16 CFR §314.6 — Non-excepted §314.4 elements remain required for small institutions
Section 314.4(b)(1) , (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.