Skip to main content
BACK_TO_INSIGHTSCOMPLIANCE

FTC Safeguards Rule for Dealerships: What You Actually Have to Do

The FTC Safeguards Rule applies to most auto and equipment dealers, and the deadline has passed. Here is the short, practical version of what compliance actually requires, drawn from taking a multi-location dealer group from no security program to compliant in six months.

Cody King · May 29, 2026

If you sell or finance vehicles, the FTC Safeguards Rule almost certainly applies to you, and the enforcement deadline has already passed. The rule treats dealerships as "financial institutions" because you handle customer financing, which means you are now expected to run a real information security program, not a folder of passwords and good intentions.

The good news: the requirements are concrete, and a focused effort can get a multi-location group from nothing to compliant in a few months. We did exactly that for a dealer group across multiple rooftops.

What the rule actually requires

At a practical level, compliance comes down to a handful of things you can point to:

  • A written information security program with a named person responsible for it.
  • A risk assessment that identifies where customer financial data lives and how it could be exposed.
  • Access controls so only the people who need customer data can reach it.
  • Encryption of customer information in transit and at rest.
  • Monitoring and logging so you can actually detect a problem.
  • Vendor oversight for the third parties that touch your data.
  • Staff training so the rule survives contact with a busy sales floor.

What it looks like in a real shop

On the ground, getting there meant centralizing endpoint management, patching, and monitoring across roughly 300 devices, deploying endpoint protection and email security, and standing up a security awareness training program that people actually passed. The policy framework was built on recognized standards rather than invented from scratch, so it holds up under scrutiny.

None of that is exotic. The hard part is that most dealerships have no central IT function, so the work is less about buying a product and more about building the operation that runs it.

Where to start

If you are not sure where you stand, start with the risk assessment. It is the cheapest step, it is required anyway, and it tells you exactly which of the items above you are missing. From there, the program is a sequence of fixable projects, not a single overwhelming mandate.

If you want a second set of eyes on where your dealership actually stands, that is the kind of thing a focused technology assessment is built for.