As of December 9, 2022, most dealerships will be required to comply with new federal regulations regarding the management and protection of customer financing information.

After the Federal Trade Commission (FTC) updated the Customer Information Protection Standards Rule under the Gramm-Leach-Bliley Act (GLBA), financial institutions, which include dealers, are mandated to strengthen the security of their customers’ financial information to meet minimum customer protection requirements.

Unlike the previous version, the updated rule includes criteria on what financial institutions must implement as part of their information security program. This is a big change from the general advice provided before. Now the FTC has very specific requirements for measuring a dealership’s compliance.

So what should dealers do?

Among these specific requirements, dealers will have to comply with the following standards:

  • Appoint a qualified person: A dealer should identify and designate a qualified person to be responsible for the customer information protection program. They may have other responsibilities, but compliance should be a priority.
  • Documented security and safeguards program: Dealerships should develop and establish a comprehensive written information protection program. This program outlines best practices and identifies the person responsible for overseeing and administering the safeguards program.
  • Perform regular risk assessments: Dealers are mandated to perform regular risk assessments and put in place protective measures when risks are identified. Assessments should be documented and include criteria for assessing and identifying risks, as well as processes for addressing those risks.
  • Tests and evaluations: Dealerships are now required to perform annual penetration tests of management information systems, while vulnerability assessments must be performed every 6 months. Vulnerability assessments should include system scans and information systems reviews.
  • Selection and oversight of service providers: Dealerships should take steps to select vendors and service providers who maintain the appropriate protections and provide the necessary qualifications to protect customer information. Dealerships will be expected to regularly assess their suppliers and ensure that they continue to meet this benchmark. For technology vendors, it will be especially important that they offer bank-grade encryption and SSL technology while maintaining SOC 2 Type 2 certification.
  • Encryption of all customer information: Dealerships are supposed to encrypt all customer information. This encryption is expected both when data is transferred over external networks (such as to customers and lenders) and when it is stored at rest in internal systems.
  • Multi-factor authentication: Already an increasingly common practice, multi-factor authentication is now also required for all access to networks containing customer information.
  • Monitoring access to customer information: Dealerships should create policies and procedures to track and control access to customer information. This includes requirements for detecting unauthorized access and monitoring and logging the activity of unauthorized users accessing customer information.
  • Disposal of customer information: Dealerships must also create policies and practices to permanently dispose of customer information no later than two years after the information is used.
  • Training requirements: New compliance requirements and guidelines developed in the safeguards program should be shared with employees, while employee training should be developed based on risk assessments and any changes in practices. Dealers should verify that employees have satisfactorily completed this training.
  • Executive report: Anyone appointed to the essential role of safeguarding program oversight is required to provide an annual written report to the board of directors or governing body of the dealership. The report should cover the status of the dealer program and the level of compliance, as well as other key elements, such as risk assessments and program recommendations.

What to do next?

First, appoint a compliance officer. We then suggest that you work with your team and your suppliers to understand how you currently manage customer financial information.

How do you collect information? How is the information stored? What systems do you use? Do you have a single process or multiple processes? Do you have a way to control and track access to customer information? What level of training do you offer?

How DCR can help

DCR provides the most secure and compliant credit and financing application platform for the equipment and commercial trucking industries. Specifically designed for dealerships, the DCR platform offers bank-grade security, certified data storage, consumer options to control data access, and robust reporting of application activity.

Plus, we can help you implement a single system that can meet multiple compliance requirements and provide your team with a single platform and a single process for managing customer information.

Want to assess your compliance status? Make an appointment with one of our experts.
