Ask most dealership owners whether their business is a “financial institution” and you’ll get a puzzled look. Ask the Federal Trade Commission the same question and the answer is unambiguous: yes, and it has been for years. Under the Gramm-Leach-Bliley Act and the amended Safeguards Rule, any dealership that helps a customer arrange financing — which is almost all of them — is regulated the same way a small bank would be.
The good news is that the rule is finite and specific. The bad news is that a lot of dealerships we walk into on day one meet, at best, two or three of the nine required elements. This piece is a plain-English translation of what compliance actually looks like, why it’s not as scary as it sounds, and where a mid-sized dealership tends to have the biggest gaps.
Why the FTC treats a dealership as a financial institution
The definition is broader than most people expect. Under GLBA, a “financial institution” is any entity whose business includes offering or providing financial products or services to consumers. That covers explicitly: arranging or brokering loans, offering leases, running credit checks, or extending dealership-financed payment plans. Nearly every franchise and independent dealership in the country does at least one of those, which is why the FTC named auto dealers as covered entities in the rule’s original guidance and reinforced it in the 2021 amendments.
The regulatory point is not that a dealer is a bank; it’s that the dealer collects and holds bank-grade personal information — Social Security numbers, income data, credit reports, banking details, driver’s license numbers — and therefore owes the same duty of care to safeguard it.
The nine elements the rule actually requires
Section 314.4 of the amended rule spells out exactly what a covered institution’s information-security program must include. The wording is dense; the substance is not:
- Designate a Qualified Individual. One named person who is responsible for the program. Not a title on a page — a real human with the authority to make decisions and report to leadership.
- Conduct a written risk assessment. An honest, documented look at what data you hold, where it lives, who touches it, and what could plausibly go wrong.
- Design and implement safeguards. Access controls, system inventory, encryption in transit and at rest, secure development for any custom apps, and secure disposal of data you no longer need.
- Multi-factor authentication. Required for anyone accessing customer information — not just remote workers, and not just admins. Every user, every system that touches nonpublic personal information.
- Regularly test or monitor the safeguards. Either continuous monitoring, or annual penetration testing plus semiannual vulnerability assessments. Not both required — but at least one, and evidence you did it.
- Train your people. Ongoing security awareness for all staff, with additional specialized training for anyone administering systems.
- Oversee your service providers. Written contracts that require them to implement appropriate safeguards, and periodic review of whether they still are.
- Evaluate and adjust the program. Update it in response to material changes to the business, the threat environment, or the results of your testing.
- Establish a written incident response plan. Roles, steps, communications, notification obligations. On paper. Kept current.
There is also a tenth expectation baked in: the Qualified Individual must report to the board or senior leadership in writing, at least annually, on the state of the program. That report is what an examiner will ask for first.
The “Qualified Individual” — the role most dealers still miss
Nine out of ten dealerships we’ve audited either haven’t formally named a Qualified Individual or have named the general manager without giving them the time or authority to do the job. The rule doesn’t require this person to be a full-time in-house security professional — it explicitly allows an affiliate or third party — but it does require that they be qualified, empowered, and engaged.
In practice, small and midsize dealerships fill this role in one of three ways: a senior operations lead paired with an external MSP that handles the technical program, a fractional CISO retained monthly, or the dealer group’s corporate security officer for larger chains. All three are compliant if the arrangement is documented and real. What is not compliant is a title with nobody behind it.
What counts as “nonpublic personal information” at a dealership
The rule attaches to a specific category of data — nonpublic personal information, or NPI. At a dealership, that’s a longer list than most people picture:
- Social Security numbers
- Driver’s license numbers and images
- Income, employment history, and bank statements from finance applications
- Credit reports and credit scores
- Account and routing numbers
- Trade-in payoff information
- The mere fact that someone is a customer, in some contexts
Everywhere that data lives — the DMS, the credit-application software, the finance manager’s workstation, the printer queue, the scanned copies in a shared folder, the archived deals in a backup — is inside the scope of your program. That map is the foundation of the written risk assessment.
The 30-day reporting rule people forget
A 2023 amendment added a specific reporting obligation that surprises a lot of covered institutions: if a security event affects the nonpublic personal information of 500 or more consumers, the Qualified Individual must notify the FTC electronically within 30 days of discovery. That notification is a matter of public record.
Two consequences follow. First, this is a hard deadline — not “as soon as reasonably practicable.” Thirty days from discovery. Second, the discovery clock starts when the event is known to the organization, not when it’s fully understood. Your incident response plan has to include, in writing, who decides that the threshold has been crossed and who files.
What a real Safeguards program looks like in a dealership
A compliant program does not have to be enormous. In a rooftop-count of one to five stores, the whole thing usually lives in one binder (physical or virtual) with the following contents:
- The written information security program (WISP).The one document that describes the program, names the Qualified Individual, and points to everything else.
- The risk assessment. A living document, updated annually or on material change, that maps NPI, threats, and controls.
- The controls inventory. A short list of the technical safeguards in place — MFA, EDR, encryption, backup, monitoring — and evidence they’re active.
- The vendor register. Every service provider that touches NPI, with a link to their contract and a note on the last review date.
- The training log. Who was trained on what and when. Onboarding and annual refresh, at minimum.
- The incident response plan. Roles, steps, notification checklist, and the 30-day FTC reporting workflow.
- The annual board report. A short, honest write-up from the Qualified Individual to leadership on the program’s state and any material changes.
Common gaps we find on day one
- MFA missing on the DMS or on any account with NPI access. The most-cited finding, and usually the easiest to close.
- Old employees still active in credit-app systems.Offboarding rarely reaches the third-party lender portals. Do a quarterly reconciliation.
- Nonpublic personal information saved to local drives.Scanned licenses on desktops, deal jackets on flash drives. Fix with a clear file-handling policy and a centralized secure repository.
- No named Qualified Individual. Almost always fixable with a formal designation and a monthly cadence.
- No written incident response plan. Templates exist; the work is customizing and drilling one.
Where a partner fits
The rule is finite; the muscle to keep it current isn’t. A good technology partner for a dealer group either serves as the outsourced Qualified Individual or supports the internal one — running the risk assessment, standing up the controls, keeping the vendor register honest, and preparing the annual leadership report so it reads like a real document rather than a formality.
If your dealership hasn’t worked through the nine elements recently — or is honestly not sure whether the program on paper matches the program in practice — we’ll do a Safeguards walk-through with you. Ninety minutes, a candid readout, a written punch list, and a clear picture of what compliant actually looks like from where you are.

