The FTC Safeguard Act is an extension of the Graham Leach Bliley Act, which is meant to protect consumer privacy. Car dealerships which provide financing or leasing of vehicles will be subject to provisions Safeguard Act on June 9, 2023, and defined as “non-banking financial institutions.” The deadline was extended for an additional six months due to a broad lack of understanding in the car dealership community.

Which car dealerships must comply with FTC Safeguard?

All auto dealerships with more than 5,000 customers in their database.

What PII is covered under Safeguard for auto dealerships?

Most of this legislation related to protection of personal identifiable financial information (PIFI). PIFI does not simply include social security numbers and credit card information, but all transactions that take place that might disclose a customer’s financial information. This may include basic information such as name and contact information, and applies to all consumers who inquire about financial instruments, regardless of whether a formal application is filed.

What are the requirements for PII protection under Safeguard for auto dealerships?

Your dealership must have a written, stated policy in place that includes the following:

• Ensure the safety and confidentiality of customer PII and PIFI. This includes encryption of information.
• Protect against physical and digital threats to the security of customer information
• Protect against unauthorized access to customer information. This includes access management, multi-factor authentication, and audit logs.

This policy must be oversee by someone with qualified cybersecurity training.

What privacy notices do car dealerships now need to give customers?

Car dealerships must now maintain a record of customer consent for any customers who they extend credit or assist with arranging financing for a private vehicle.

Any personal information that you collect to provide these services is covered by the Privacy Rule. Examples of personal information include
someone’s name, address, phone number, or other information that could be used to identify them individually.

You don’t need to give a privacy notice to someone who simply expresses an interest in buying a car from you or asks general questions about financing or leasing. However, if a person gives you personal information in connection with a potential transaction, even without completing a formal application — you may be obligated to obtain a privacy notice.

Whether leasing or arranging credit, you must give them a privacy notice no later than at the time of signing of the
retail installment contract or lease agreement — even if you do not disclose their personal information to others.

How can VeriScan help dealerships be compliant with FTC Safeguard regulations?

VeriScan Online Enterprise offers integration of waivers and agreements into your onboarding flow. These waivers can be automatically associated to the customer account, ensuring you are compliant from the moment a customer walks into your dealership.

Learn more about VeriScan for car dealerships.