Regulations, whether on the federal level or the state level, can feel like a burdensome and painful ordeal for dealers, but not meeting those requirements and undergoing a compliance audit is far more painful. That is especially true if compliance violations result in fines, which can add up quickly and reach millions with just one repeated failure.

The only thing worse than the fines is the complete loss of trust you will have with many of your customers, and that is a lot more difficult to fix than the issues you may need to address in your handling of customer data and personal information.

So to help dealers, we have compiled nine important regulations that dealers need to know and be prepared to take action on to protect their dealership and their customers. This is not an exhaustive list and there are other regulations you need to consider, especially at the state level. However, it is a good place to start.


1. Gramm-Leach-Bliley Act Privacy Rule

Known simply as the GLBA, this act set forth several regulations that need the attention of dealerships. The privacy rule requires dealers to ensure the privacy of their customers and protect the security and confidentiality of their personal data. The GLBA privacy rule set the standards for how dealers collect, store, and share a client’s personal and financial information. With the collection and transfer of financial information part of more than 90 percent of dealer transactions, dealers must be vigilant, develop secure data collection and management processes, and ensure that customers understand how their data is being shared.

2. Gramm-Leach-Bliley Act Safeguards Rule

Under another GLBA regulation, the Federal Trade Commission (FTC) issues Standards for Safeguarding Customer Information. Under the latest rule revision, dealers were fully required to comply with the more stringent and specific Safeguards Rule by December 9, 2022. This applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. There are many steps to comply with the GLBA Safeguards Rule, such as:

  • designating an Information Security Officer
  • developing a customer data security program
  • conducting periodic risk assessments
  • vetting vendors for minimum security credentials and practices


3. California Consumer Protection Act (CCPA)

The CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California, but the impact goes far beyond state borders. A dealer who uses consumer lenders based in California, such as Sheffield, Synchrony, and many others, needs to be aware of this regulation and its impacts. Additionally, states across the country are considering regulations modeled after the CCPA.

4. Disposal Rule 

Another regulation enforced by the FTC, the disposal rule requires companies that collect consumer financial and personal data to dispose of them in a secure format that ensures customer privacy. Proper disposal includes shredding papers, securely erasing digital records, and other methods depending on format. Because dealerships must also meet the GLBA Safeguards Rule, practices and processes for disposal of consumer information should be part of any information security program.

5. Equal Credit Opportunity Act 

The ECOA was enacted to help limit and combat discrimination in the lending industry. The regulation mandates that lenders and dealers cannot discriminate on the basis of race, color, gender, religion, national origin, age, or because one’s income is derived from public assistance. This law also requires that dealers notify applicants of action taken on their applications, report credit history in the names of both spouses on an account, retain records of credit applications, and more.

6. Red Flags Rule 

Another regulation enforced by the FTC, this rule requires that dealers have a written Identity Theft Protection Plan (ITPP) designed to detect and protect against the common warning signs of identity theft. This includes checking for suspicious documents, reviewing unusual changes in a customer’s credit report or account activity, and more. Dealers must be proactive in protecting against identity fraud to comply with the Red Flags Rule. 

7. Form 8300

Dealers may handle large cash payments when selling cars, and as such must comply with federal cash reporting requirements. Your dealership must file a Form 8300 whenever a cash payment of over $10,000 is received. This form is used by the IRS and the Financial Crimes Enforcement Network (FinCEN) in protecting against money laundering.

8. Office of Foreign Assets Control (OFAC)

The OFAC administers and enforces economic and trade sanctions against targeted countries and groups, especially groups involved with terrorism, drug trafficking, and other crimes. Dealers are expected to check customers’ names against the Specially Designated Nationals List, a list of people and groups targeted by the OFAC.

9. Occupational Safety and Health Administration (OSHA) 29 CFR 1910.38

Almost every business, including dealers, is required to have an Emergency Action Plan to “facilitate and organize employer and employee actions during workplace emergencies.” Your dealership must have a written document meeting the specified requirements to protect employees and comply with OSHA standards.

As noted before, this is not the entirety of the regulations that dealers need to consider. Specifically, there are also more regulations at the state level, and new ones being proposed pretty much every legislative cycle. To monitor rules and regulations, connect with your dealers’ association and track updates from dealer publications.