FTC Safeguards Rule Deadlines: Compliance Checklist for Dealerships

Published November 19, 2024 · 6 min read

The Federal Trade Commission’s Safeguards Rule is no longer a future deadline—it is active enforcement. The amended rule (16 CFR Part 314) applies to any dealership that extends credit or arranges financing, which covers nearly every rooftop in Texas. Miss a requirement and you are exposed to civil penalties of up to $50,120 per violation per day, the FTC’s 2023 inflation-adjusted figure (the amount is adjusted each January, so check the current schedule).

The commission has already shown it will use that authority. In 2023 it fined IT provider NTS IT Care for failing to implement basic safeguards, and the same year it reminded dealers that the June 9, 2023 deadline for the nine required elements would be enforced without further extension.

This guide delivers a dealership-focused roadmap: who is covered, how to operationalize the nine requirements, the pitfalls we see across Texas, and the documentation you need in your audit binder. Use it to benchmark your current posture, assign ownership, and eliminate last-minute scrambles.

Does This Rule Apply to Your Dealership?

If your store offers buy-here-pay-here financing, arranges loans through captive finance arms, or pulls credit to structure deals, you fit the FTC’s definition of a “financial institution.” That includes independent rooftops, franchise groups, powersports, and RV dealers.

Customer information covers any data that is not publicly available—names, addresses, credit applications, service records, and anything contained in your DMS, CRM, F&I menus, or aftermarket warranty portals. Outsourcing financing does not exempt you; the FTC’s FAQs make it clear that dealers remain responsible for the security of information they collect, even if a lender hosts the system.

Multi-rooftop groups can centralize the program, but every location must follow the same policies, use MFA, and participate in training. If you share systems with a parent company, document how responsibilities are split so auditors know where to direct questions.

Breaking Down the FTC’s Nine Security Requirements

1. Designate a Qualified Individual (§314.4(a))

Appoint someone with the authority and expertise to run your information security program. They can be internal or an outside partner, but they must report to senior leadership and have budget visibility. If the Qualified Individual comes from a service provider, the rule still leaves responsibility with the dealership: you must designate senior personnel to direct and oversee them. Document the appointment letter, responsibilities, and the cadence for reporting to ownership.

2. Conduct a Written Risk Assessment (§314.4(b))

Map every system that stores customer information: DMS, CRM, F&I menus, service scheduling, warranty portals, document scanning tools, and third-party call-tracking platforms. Evaluate threats, likelihood, and impact, then document gaps and remediation plans. The FTC expects a living document—not a one-time spreadsheet—reviewed at least annually.

3. Design Safeguards (§314.4(c))

Translate the risk assessment into controls: role-based access, network segmentation between sales, service, and guest Wi-Fi, physical security for deal jackets, and vendor vetting. Tie each safeguard to a responsible owner and include implementation deadlines so auditors see accountability.

4. Monitor and Test (§314.4(d))

The rule gives you two paths: continuous monitoring of your systems, or annual penetration testing plus vulnerability assessments at least every six months (and whenever a material change, such as a new DMS module, could affect your risk). Use automated patching and SIEM monitoring, and keep evidence—screenshots, reports, remediation tickets—organized by quarter. Dealers who rely solely on external IT firms should require deliverables that prove scans were completed and findings were remediated.

5. Train Your Workforce (§314.4(e))

Everyone with access to customer data must receive annual security awareness and role-based training. Track attendance, completion scores, and post-training phishing simulations. Leadership needs a briefing too—auditors will ask how executives support the program.

6. Manage Service Providers (§314.4(f))

Inventory every vendor touching customer data—CRM, DMS, texting platforms, warranty administrators, marketing agencies, even shredding services. Contracts must require Safeguards compliance, incident notification, and the right to audit. Maintain an annual review log summarizing each vendor’s security posture.

7. Use Multi-Factor Authentication (§314.4(c)(5))

MFA is required for any individual accessing any information system that holds customer information, including VPNs, remote DMS connections, and cloud CRMs. Implement authenticator apps or hardware tokens—text-message MFA is allowed but considered weaker. The only way around MFA on a given system is written approval from your Qualified Individual of reasonably equivalent controls, so track every exception with its compensating controls and an expiration date; repeated or open-ended exemptions are red flags.

8. Encrypt Customer Information (§314.4(c)(3))

Data must be encrypted in transit over external networks and at rest. That includes emails with finance documents, USB drives, laptops, and local file shares. If a legacy system cannot support encryption, your Qualified Individual must approve, in writing, an alternative with equivalent protection and a timeline for remediation.
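The audit binder needs an encryption inventory, not just a policy. The following PowerShell script is an added example, not code from the original article or from The IT Security Guys; it pulls BitLocker status from a list of Windows endpoints and writes a dated CSV, flagging any fixed volume that is not fully protected so it can be matched to an approved exception or a remediation ticket. It assumes Windows endpoints with the BitLocker module installed, PowerShell Remoting enabled, an account with local administrator rights on each machine, and placeholder computer names and output path that you would replace with your own. It covers endpoint volumes only; file servers and cloud storage need their own evidence.

```powershell
# Added example (not from the original article): build a BitLocker encryption
# inventory for the encryption evidence file. Assumes Windows endpoints with the
# BitLocker PowerShell module, PowerShell Remoting enabled, and an account with
# local administrator rights on each machine. The computer names and the output
# path below are placeholders.

$Computers = @('FI-LAPTOP-01', 'SALES-DESK-07', 'SERVICE-PC-03')   # assumed names
$OutFile   = "C:\Safeguards\Evidence\BitLocker-Inventory-$(Get-Date -Format 'yyyy-MM-dd').csv"

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

# Runs on each endpoint: one row per fixed drive, with the fields an auditor
# asks for (is it protected, how far along, which cipher, which key protectors).
$Collect = {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                Drive             = $_.MountPoint
                VolumeType        = $_.VolumeType
                ProtectionStatus  = $_.ProtectionStatus      # On / Off / Unknown
                VolumeStatus      = $_.VolumeStatus          # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
                EncryptionPercent = $_.EncryptionPercentage
                Method            = $_.EncryptionMethod      # e.g. XtsAes256
                KeyProtectors     = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
                CollectedAt       = (Get-Date).ToString('s')
            }
        }
}

# Collect from every machine; an unreachable host is reported but does not stop the run.
$Rows = Invoke-Command -ComputerName $Computers -ScriptBlock $Collect -ErrorAction Continue

# Anything that is not protected and fully encrypted is either an approved
# exception (which must have a deadline) or a gap that needs a ticket.
$Gaps = $Rows | Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' }

# Select-Object drops the PSComputerName/RunspaceId fields Invoke-Command adds.
$Rows |
    Select-Object Computer, Drive, VolumeType, ProtectionStatus, VolumeStatus,
                  EncryptionPercent, Method, KeyProtectors, CollectedAt |
    Export-Csv -Path $OutFile -NoTypeInformation

"Inventoried $(@($Rows).Count) volumes on $($Computers.Count) computers; $(@($Gaps).Count) need an exception record or a remediation ticket."
$Gaps | Format-Table Computer, Drive, ProtectionStatus, VolumeStatus, EncryptionPercent -AutoSize
```

Run it on a schedule (monthly matches the cadence in the Ongoing Compliance section), keep each dated CSV, and reconcile the flagged rows against the exception log so every unencrypted volume is traceable to a written approval with an expiry date or to an open ticket.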

9. Maintain a Written Incident Response Plan (§314.4(h))

Your plan should define roles, decision trees, internal and external communications (including customers, lenders, and regulators), and post-incident analysis. Since May 2024 the rule also requires you to notify the FTC, through its online form, as soon as possible and no later than 30 days after discovering a breach of unencrypted customer information involving at least 500 consumers, so build that clock into the plan. Test it at least annually with tabletop exercises that include your lender partners and cyber insurance carrier.

Common Dealership Pitfalls

We frequently uncover shadow IT—unapproved calendar tools, personal email forwarding, or third-party texting apps storing customer data. Paper deal jackets left in open offices, shared logins for F&I systems, and unmanaged vendor accounts are close seconds.

The FTC’s enforcement actions against NTS IT Care and DealerBuilt highlight weak vendor oversight and inadequate access controls. Documented MFA and encryption exceptions without deadlines were cited as major violations. Use those cases as a mirror for your own policies.

Operationalizing Compliance Without Disrupting Sales

Roll the program out in phases. Start with high-impact wins—MFA for remote access, encryption of laptops, and documented vendor questionnaires. Assign department champions in sales, F&I, and service so training and policy updates feel collaborative, not punitive.

Automate what you can: ticketing systems for access requests, documentation platforms like IT Glue for storing evidence, and phishing simulators integrated with your email platform. The less manual effort required, the easier it is to keep pace with turnover.

Documentation Strategy

Build an audit file organized by safeguard element. Include your risk assessment, policies, training rosters, vendor questionnaires, MFA screenshots, encryption inventories, testing reports, and incident response playbooks. Version everything and track approvals with signatures or electronic attestations.

Retention should align with the rule’s six-year expectation. Digital repositories with granular access control make it easier to provide evidence to the FTC, manufacturers, and cyber insurers without duplicate work.

Ongoing Compliance

Safeguards is not a one-time project. Schedule annual risk assessments, quarterly vulnerability scans, monthly vendor access reviews, and ongoing user onboarding/offboarding audits. Trigger reviews whenever you add a rooftop, deploy a new DMS module, or integrate a digital retailing platform.

If you rely on an external partner for Qualified Individual duties, require quarterly board reports summarizing risk, incidents, and roadmap progress. The rule itself requires the Qualified Individual to report in writing to the board or senior leadership at least annually (§314.4(i)), so keep a signed copy of that report in the audit file. Keep renewal reminders for contracts and insurance policies tied to Safeguards evidence.

Need Help? Download Our Free FTC Safeguards Checklist

Our fill-in-the-blank worksheet maps each requirement to owners, deadlines, and evidence. Grab it from our resources hub, then invite us to review your binder if you want a second opinion before regulators call.

Conclusion

FTC investigators have made it clear: “We didn’t have time” or “our vendor handles that” is not a defense. The elements are prescriptive, and the required documentation is straightforward once you assign ownership.

Texas dealerships partner with us because we deliver compliance, security, and IT operations in one predictable investment—no surprise invoices, no tiered packages. We will build your risk assessment, manage vendor reviews, deliver training, and keep leadership informed with board-ready reports.

Ready to ensure every rooftop is audit-ready? Schedule a dealership compliance assessment or call 210-343-5631. We’ll map your gaps, deliver a remediation plan, and stand beside you when the FTC asks for proof.

FTC Safeguards Rule Deadlines: Compliance Checklist for Dealerships | The IT Security Guys