FTC Safeguards Compliance Guide: Auto Dealerships & Financial Services
The Federal Trade Commission (FTC) Safeguards Rule was revised to enforce strict, mandatory cybersecurity requirements on non-banking financial institutions. While banks have long operated under strict regulations, this rule extends banking-grade security expectations to a much broader range of mid-market businesses.
Most notably, auto dealerships, mortgage brokers, payday lenders, tax preparers, and real estate appraisers are now legally required to maintain written security programs and specific technological controls.
This guide explains who must comply under the revised rule and provides a step-by-step playbook for implementing the mandatory security controls.
Who is Covered Under the FTC Safeguards Rule?
The FTC’s definition of a “financial institution” is far broader than most business owners realize. If your organization is “significantly engaged” in financial activities, you are covered. Examples include:
- Automotive Dealerships: Any dealership that leases, finances, or helps customers obtain financing for vehicles.
- Lending & Financing Services: Mortgage brokers, payday lenders, auto finance companies, and check-cashing services.
- Financial Advisory & Prep: Tax preparers, personal financial planners, and investment advisors not registered with the SEC.
- Real Estate Services: Real estate appraisers and settlement service providers.
- Money Transmitters: Wire transfer services and check-cashing companies.
Note: There is a “small business exemption” for companies maintaining customer records for fewer than 5,000 consumers. However, even exempt companies must comply with basic risk assessment and governance baselines.
The FTC Safeguards Security Checklist
To achieve compliance, covered institutions must implement a written information security program built around eight core technical and administrative requirements:
1. Designate a “Qualified Individual”
You must designate a single employee, or engage an external provider (such as a vCISO / Fractional CISO), to oversee, implement, and enforce your information security program. This individual must report directly to your board or executive leadership at least annually.
2. Conduct a Written Risk Assessment
You must document a formal risk assessment that identifies internal and external threats to customer information. This assessment cannot be informal or verbal; it must be a written document that lists the security gaps found and the remediation strategy for each.
3. Restrict Access Controls (Least Privilege)
You must limit access to customer data to only those employees who need it to perform their jobs. System privileges must be audited quarterly, and administrative accounts must be tightly restricted.
4. Enforce Data Encryption
Customer data must be encrypted both at rest (stored on servers, hard drives, or cloud databases) and in transit (transmitted over the internet or internal networks). If encryption is technically infeasible, you must secure the data with equivalent compensating controls approved by your Qualified Individual.
5. Mandate Multi-Factor Authentication (MFA)
MFA is legally required for any user accessing systems containing customer information. This includes your email environment (Microsoft 365 or Google Workspace), CRM systems, finance databases, and local server logins.
6. Implement Continuous Monitoring or Regular Auditing
You must actively monitor your network to detect unauthorized access. You can satisfy this requirement in one of two ways:
- Continuous Monitoring: Using managed endpoint detection and response (EDR/MDR) to track threat activity 24/7.
- Annual Testing: Performing an annual penetration test combined with semi-annual vulnerability scans.
7. Mandate Employee Security Training
All personnel must complete regular cybersecurity awareness training to recognize phishing, social engineering, and credential harvesting attempts. Training completion must be logged and the records retained.
8. Draft an Incident Response Plan (IRP)
You must maintain a written plan to isolate, contain, and recover from a security breach. The plan must detail:
- Internal escalation paths.
- External reporting responsibilities (notifying insurance, lawyers, and regulators).
- Post-incident reviews and control updates.
> [!TIP]
> Audit Your Posture Instantly: Perform a 2-minute baseline gap analysis mapped directly to major technical and administrative standards with our free Security Self-Assessment.
Action Plan for Dealerships & Financial Providers
If you need to establish compliance quickly to satisfy FTC audits or protect against class-action liabilities:
- Conduct a Gap Assessment: Audit your current IT systems against the checklist. Identify where customer PII (Social Security numbers, credit applications, bank details) is stored.
- Appoint a Qualified Individual: If you lack internal cybersecurity expertise, engage a Fractional CISO to act as your Qualified Individual and establish governance.
- Deploy Core Tooling: Ensure Managed Protection is deployed across all endpoints to cover the continuous threat monitoring and data encryption expectations.
Need help achieving FTC Safeguards compliance? Schedule a consultation with a THOR advisor.