As of Dec. 9, 2022, most dealerships will be expected to be compliant with new federal regulations for managing and protecting customers' financing information.
After the Federal Trade Commission (FTC) updated the Standards for Safeguarding Customer Information rule under the Gramm-Leach-Bliley Act (GLBA), financial institutions, which include dealers, are mandated to strengthen their customer information security to meet minimum requirements for protecting customer financial information.
Unlike the earlier version, the updated rule includes criteria for what financial institutions must implement as part of their information security program. This is a big change from the general guidance provided before. Now, the FTC has very specific requirements to measure a dealer's compliance.
So What Do Dealers Need to Do?
Among these specific requirements, dealers will have to meet the following standards:
- Designate A Qualified Individual: A dealership must identify and designate a qualified individual to be responsible for the customer information safeguards program. They can have other responsibilities, but compliance must be a priority.
- Documented Security & Safeguards Program: Dealers must develop and establish a comprehensive written information safeguards program. This program outlines best practices and designates the individual responsible for supervising and administering the safeguards program.
- Conduct Regular Risk Assessments: Dealers are mandated to execute regular risk assessments and put safeguards in place when risks are identified. The assessments must be documented and include criteria for evaluating and identifying risks, as well as processes to address those risks.
- Testing and Assessments: Dealerships are now required to conduct annual penetration tests of information management systems, while vulnerability assessments must be completed every 6 months. The vulnerability assessments must include system scans and reviews of information systems.
- Vendor Credentials & Oversight: Dealers must take the necessary steps to select vendors and service providers that maintain appropriate protections and have the necessary qualifications to safeguard customer information. Dealers will be expected to regularly assess their vendors and ensure they continue to meet those criteria. For technology providers, it will be particularly important that they offer encryption and bank-grade SSL technology while maintaining SOC 2 Type 2 certification.
- Encryption of All Customer Information: Dealers are expected to encrypt all customer information. This encryption is expected when data is transferred to external networks (like from customers and to lenders) and when in storage and at rest in internal systems.
- Multifactor Authentication: Multifactor authentication is an increasingly standard technology practice, and dealers must now provide it for any access to networks that contain customer information.
- Customer Information Access Monitoring: Dealers must create policies and procedures to track and control access to customer information. This includes requirements to detect unauthorized access and monitor and log the activity of unauthorized users gaining access to customer information.
- Customer Information Disposal: Dealers must also create policies and practices to permanently dispose of customer information no later than two years after the information was used.
- Training Requirements: The new compliance requirements and the guidance developed in the safeguards program must be shared with employees, and employee training must be developed based on risk assessments and any changes in practices. Dealers must verify that employees have satisfactorily completed this training.
- Executive Report: Whoever is designated to the critical role of overseeing the safeguards program is required to provide an annual written report to the dealership's board of directors or governing body. The report must cover the dealer's program status and level of compliance, as well as all key items, such as risk assessments and program recommendations.
What to Do Next?
First, designate a compliance manager. We suggest you then work with your team and your vendor to understand how you are currently managing customers' financial information.
How are you collecting the information? How is the information stored? What systems do you use? Do you have a single process or multiple processes? Do you have a way to control and track access to customer information? What level of training do you provide?
How DCR Can Help
DCR provides the most secure and compliant credit application and financing platform for the equipment and commercial trucking industries. Specifically designed for dealers, the DCR platform provides bank-grade security, certified data storage, consumer options to control data access and robust reporting on application activity.
Additionally, we can help you implement a single system that can address many of the compliance requirements and provide your team with a single platform and a single process to manage customer information.
Want to assess the state of your compliance? Schedule a time to meet with one of our experts.