The FTC Safeguards Rule protects nonpublic personal information held by non-bank financial institutions. A dealership that extends credit or arranges financing meets that definition directly. The rule text names automobile dealers as an example of a covered financial institution. The moment your F&I office takes a credit application, you are handling the customer financial information the rule protects.
The F&I office is the center of gravity for your data.
Every deal jacket contains Social Security numbers, driver license data, income and employment details, and bank or lender account information. That is precisely the customer financial information the Safeguards Rule is written to protect.
Credit applications, deal structures, and lender approvals all flow through the F&I office and out to captive and third-party finance sources. The controls the rule requires, which are MFA, access controls, and encryption, are the same controls that protect that flow from theft and fraud.
A written program is the baseline, not the ceiling.
The rule requires a written information security program, a Qualified Individual, a documented risk assessment, and an incident response plan. These exist whether or not you have ever had an incident.
We produce these documents to reflect what is actually running in your store, so the program survives an FTC inquiry or a lender and captive-finance security questionnaire rather than reading as boilerplate.
DMS and lender-portal vendor oversight is part of compliance.
Dealerships run on a Dealer Management System and connect to credit-aggregation and lender portals to submit applications and desk deals. The rule requires you to oversee the service providers that handle your customer information.
We inventory those vendors, from the DMS platform to the credit-application and lender portals, document the security expectations, and fold vendor oversight into your written program so the requirement is met and evidenced.
The breach-notification duty reaches every covered dealership.
A 2023 amendment to the rule added a federal notification requirement that took effect in May 2024. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. If you discover one, you must report it to the FTC through the FTC reporting portal. Report as soon as possible and within 30 days of discovery.
The under-5,000-consumer exemption eases certain other elements, but it does not relax this obligation, and most franchise stores maintain information on far more than 5,000 consumers. The trigger is unencrypted information. So encrypting customer data in transit and at rest is both a core safeguard and a direct way to reduce notification exposure. We build the incident response plan, define what a notification event means for your DMS and F&I systems, and prepare the reporting workflow. A real event is then handled inside the window.