Late last year, in an announcement that was not on the radar of most dealers, the Federal Trade Commission (FTC) amended the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
Most dealers have probably not heard of the GLBA, but it's about to become a significant part of their world. Starting Dec. 9, most dealerships will be expected to be compliant with these new federal regulations for managing and protecting customers’ personal and financial information.
The History of the GLBA
The GLBA, also known as the Financial Services Modernization Act of 1999, has empowered the FTC to enforce requirements on financial institutions to implement and maintain robust security programs to protect customers’ personal information, often referred to as Personal Identifiable Information (PII). Within the GLBA, there are two specific rules to note: The Privacy Rule and the Safeguard Rule.
The Privacy Rule requires dealers to ensure the privacy of their customers and protect the security and confidentiality of their personal data. This rule specifically addresses how dealers collect, store, and share a client’s personal and financial information. The Safeguards Rule, officially titled the Standards for Safeguarding Customer Information, established guidelines for financial institutions to create processes to manage and protect personal and financial information.
Up until last year, the rules within the GLBA were generally high-level and based on a company's “size and complexity, the nature and scope of [its] activities, and the sensitivity of the customer information at issue.” This sort of language created very flexible compliance standards based on the intent behind a company’s processes. In other words, as long as a dealer was seemingly trying to protect the information, that was enough. However, that is all about to change.
The update that takes effect in December replaces this flexible approach with more specific and stringent guidelines that raise the bar on the programs that must be in place to protect and safeguard consumer information.
Yes, Dealers Are Financial Institutions
Part of the reason many dealers were not aware of the changes to the GLBA Safeguards Rule (not to mention other compliance regulations on the state and federal level) is that they simply don’t think it applies to them. After all, few people think of a dealership as a financial institution.
However, federal guidance already had a broad definition of a financial institution, and it just became broader. Prior to the recent GLBA amendments, this definition included any business “significantly engaged” in financial activities or in activities incidental to financial activities. This definition covered everything from real estate settlement services to tax preparers.
However, the recent amendment expanded this definition even further. The guidelines specifically include “finders,” which are businesses that connect buyers and sellers of a product or service incidental to financial activities. So this includes any business connecting a customer to a financial institution. That includes most dealers.
So What Does It Mean to Dealers?
Because dealers are now “financial institutions,” the revised GLBA Safeguards Rule significantly increases their responsibility to build a robust information security program to protect customer information. Dealers are now required to:
- Designate a specific qualified individual responsible for overseeing and implementing the program.
- Conduct regular risk assessments.
- Provide reports to the dealership’s board of directors or governing body.
- Encrypt customer information when sent over external networks or placed in storage.
- Provide multifactor authentication to validate access.
- Provide secure disposal of customer information within a specified time period.
- Maintain continuous monitoring or periodic penetration testing and vulnerability assessments.
- Monitor and track access to customer financial information.
- Meet training and operational requirements for security personnel.
- Select and track vendors to ensure they meet safeguarding requirements and have the necessary security credentials.
The article “Learn What Your Dealership Needs to Do to Be Ready for New Federal Regulations” provides a further breakdown of dealer responsibilities and what they need to do to be prepared for the new regulation when it takes effect in December.
What Do You Do Next?
For a dealer, the first thing you need to do is identify an internal compliance lead (the team member designated to oversee the program), then sit down and assess your current policies and practices to identify risks and threats.
Once complete, dealers should identify vendors they will work with on updating or transforming these credit applications and financial processes, and work with them to design and implement safeguards to address and control the risks highlighted in the assessment.
While this seems like a big first step, it is necessary to put your dealership on the path to a consistent and maintainable program to protect customers’ financial information.
How TRNSACT Can Help
TRNSACT provides the most secure and compliant credit application and financing platform available to the equipment and commercial trucking industries. Specifically designed for dealers, the TRNSACT platform provides bank-grade security, certified data storage, consumer options to control data access, and robust reporting on application activity.
Additionally, we can help you implement a single system that can address many of the compliance requirements and provide your team with a single platform and a single process to manage customer information.
Want to assess the state of your compliance? Schedule a time to meet with one of our experts.
Still have questions about Trnsact software and dealer compliance? Book a QUICK DEMO to learn exactly how it all works.