If your F&I office arranges financing, the FTC Safeguards Rule applies to you — written security plan, MFA, vendor oversight, incident response. Enforcement started in June 2023. And after the 2024 DMS outage put dealerships on paper for weeks, "what's our plan when a vendor goes down?" stopped being hypothetical.
Under the Gramm-Leach-Bliley Act, arranging or extending financing makes your dealership a "financial institution" — the FTC has said so explicitly. The Safeguards Rule (16 CFR Part 314) requires a documented security program, and since 2024 breaches affecting 500+ consumers must be reported to the FTC within 30 days. Every credit app in your F&I office is exactly the data the rule protects.
What the rule expects your dealership to have:
We run the risk assessment and write the security program the FTC expects — then keep it current as your store changes.
Multi-factor on the DMS, CRM, email, and lender portals — rolled out so sales and F&I keep moving.
A tested plan to keep selling, servicing, and funding deals when your DMS or a vendor goes dark — because 2024 proved it happens.
Training records, vendor reviews, monitoring logs — audit-ready, so an FTC inquiry or OEM security questionnaire isn't a fire drill.
One flat-rate partner for IT support, security, and the Safeguards Rule paperwork that comes with every credit application you take.
The written risk assessment and security program the rule is built on — drafted, maintained, and ready to show the FTC or your OEM.
Multi-factor across DMS, CRM, email, and lender portals — with departed-employee offboarding that actually gets done.
The rule makes you responsible for your DMS, F&I, and marketing vendors' security — we document and manage that oversight for you.
Encrypted, tested backups plus a real DMS-down playbook — deal jackets, service tickets, and payroll keep moving on the worst day.
Continuous monitoring, patching, and endpoint protection across showroom, service, and office — the "detect and respond" the rule requires.
Email protection and staff training tuned to dealership scams — fake lender payoff changes, spoofed OEM invoices, title-wire fraud.
Rate your store against 14 key Safeguards Rule requirements and get an instant readiness score with your top gaps — including whether the written risk assessment the whole rule rests on is even in place.
If your F&I office arranges or extends financing or leasing, yes — under the Gramm-Leach-Bliley Act that makes your dealership a "financial institution," and the FTC Safeguards Rule (16 CFR Part 314) applies. Full compliance has been enforceable since June 2023, and the FTC has made clear that dealerships are squarely in scope.
A written risk assessment and information security program (WISP), a designated qualified individual, multi-factor authentication on systems that touch customer financial data, encryption, access controls, continuous monitoring or annual penetration testing, staff training, oversight of service providers like your DMS and F&I vendors, and an incident response plan.
The nationwide DMS ransomware outage in June 2024 put thousands of dealerships on paper for weeks — and it made two Safeguards Rule requirements very real: overseeing your service providers, and having an incident response and continuity plan. If your dealership can't sell, service, or fund deals when a vendor goes down, that's an operational gap and a compliance gap at the same time.
If you arrange financing, yes. Dealers maintaining information on fewer than 5,000 consumers are exempt from a few written-reporting requirements, but the core safeguards — risk assessment, MFA, encryption, training, vendor oversight, incident response — apply regardless of size. Cash-only lots that never touch financing are generally outside the rule.
Yes — that's the offering: we run the risk assessment, write and maintain the WISP, roll out MFA across your DMS, CRM, and lender portals, monitor your network 24/7, document vendor oversight, train your staff against wire fraud and phishing, and build the continuity plan for the next vendor outage. Compliance becomes a byproduct of well-run IT.
Book a free, no-obligation discovery call. We'll tell you straight where your store stands against the Safeguards Rule and what closing the gaps actually takes.