Safeguarding consumer financial information provided during a transaction is a critical compliance requirement for dealerships. The Federal Trade Commission (FTC) issued a new Safeguards Rule for the Gramm-Leach-Bliley Act (GLBA) containing a series of extensive and complicated new cybersecurity requirements that some dealers must comply with by Dec. 9, 2022. Dealerships subject to the updated Rule will be required to create or revise their information security programs and implement new compliance measures by Dec. 9.

Some equipment dealerships will be partially subject to the FTC Safeguards Rule and its recent updates.

The guide below assists in evaluating whether this Rule applies to your organization:

1. Does your organization offer retail installment sales contracts or other forms of financing to consumers? 
   1. If Yes, you qualify as a financial institution, go to #2.
   2. If No, you do not qualify as a financial institution and this Rule will not apply to your organization.
2. Are these financing products (or related, equipment products) your equipment dealership offers sold to individuals for primarily personal, family or household purposes?
   1. If Yes, continue to #3.
   2. If No, this Rule will not apply to your organization.
3. Has your company sold these financing products to more than 5,000 non-business or commercial consumers and do you retain their nonpublic information?
   1. If Yes, this Rule applies to your organization.
   2. If No, this Rule will not apply to your organization.

The myriad requirements under the FTC Safeguards Rule are applicable to the offering, arranging or sale of financial products to customers for personal, family or household purposes. 

“The Safeguards Rule applies to any business or entity that provides or facilitates financial services, which includes dealership and other similar industries that gather customer financial data,” IT and Cybersecurity expert Chris Williams wrote in an article for CPA and consulting firm Eide Bailly.

Operational and business management issues arise in deciding whether your dealership will comply with the FTC Safeguards Rule for all sales and financing transactions where the dealership offers or sells a financial product or retail installment sales contract to the customer, or only those involving customers purchasing equipment for primarily personal, family or household purposes. The first scenario is not required by the FTC Safeguards Rule but may be easier to implement from an administrative and compliance perspective. The second scenario is the minimum required under the FTC Safeguards Rule for equipment dealers but could prove a nightmare in training dealership staff how to properly identify which procedure to follow and ensure the requirements for the FTC Safeguards Rule are met for applicable transactions.

Deciding how to proceed depends on how dealership information technology systems are structured and how data sharing occurs with lenders that sell financing products through dealerships. To ensure transactions comply with the FTC Safeguards Rule’s requirements, dealerships could create a separate information technology process for those primarily personal, family or household transactions. As a best practice, implementing the requirements within FTC’s Safeguards Rule across an organization will not only ensure compliance, but also provide protection from a cybersecurity attack that could negatively impact or even bankrupt a business.

Equipment dealerships that: 1) only sell to commercial or business customers or 2) do not offer financial products to customers, would not be subject to the FTC Safeguards Rule. Dealers who are concerned about the application of the FTC Safeguards Rule to more nuanced situations should get clarification before the deadline for implementation and enforcement through further guidance from the FTC. While penalties have not been specifically defined for the Rule, the GLBA has provisions for fines up to $100,000 per violation, which could be leveraged by the FTC.

Consulting companies and other resources can provide guidance on implementing an information technology program and related procedures to ensure compliance with the FTC Safeguards Rule updated requirements. Find a detailed article and video here for more information: https://www.eidebailly.com/insights/articles/2022/4/how-dealerships-can-comply-with-the-revised-safeguards-rule. 

Also, the FTC and related enforcement agencies have extensive guidance on how to comply with the FTC Safeguards Rule publicly-available on their websites. See GLBA’s Compliance Manual – Privacy of Consumer Financial Information ; FTC’s GLBA Resources Index ; FTC Safeguards Rule: What Your Business Needs to Know ; How to Comply with the Privacy of Consumer Financial Information Rule of GLBA.

Sources: Federal Trade Commission, Eide Bailly, Pioneer Equipment Dealers Association