Common Questions

Yes. If your dealership extends credit, leases vehicles, or arranges financing -- which virtually every franchise and independent dealership does -- you are a financial institution under the Gramm-Leach-Bliley Act. That means the FTC Safeguards Rule applies to you. Compliance is not optional and has been enforceable since June 2023. The FTC does not issue warnings before fines.

Usually not. Most managed service providers handle network uptime, endpoint management, and basic security -- but FTC Safeguards compliance requires more. You need a written information security program (WISP), a designated Qualified Individual, documented vendor due diligence, an annual risk assessment, an incident response plan, and ongoing employee training -- all aligned to the rule's 9 specific requirements. IT companies rarely cover the documentation and governance side. That is where dealerships get caught.

Most dealerships reach full compliance within 60 days of engaging Safer Dealer. The timeline depends on how many gaps exist, how quickly your team can implement controls, and whether your current IT vendor needs to make technical changes. We start with a Gap Assessment, then deliver a written remediation roadmap so there are no surprises.

The Gap Assessment is a 45-60 minute structured review conducted with your team. We walk through all 9 FTC Safeguards requirements and map your current posture against each one. At the end, we deliver a written Gap Report that identifies what you have covered, what is missing, and a prioritized list of next steps. The assessment is free and comes with no obligation to engage us further.

Yes. Safer Dealer works with single-point dealers and small dealer groups, not just large auto groups. Our engagement model is designed to be proportional to your size. A one-rooftop dealership does not need an enterprise-scale compliance program -- it needs a right-sized WISP, clear documentation, and a practical plan it can actually maintain. We price accordingly.

That is a good sign, and we can work with what you have already built. The Gap Assessment will validate what is in place and surface any missing elements. In many cases, dealerships have done solid technical work but lack the written policies, annual review cadence, or board-level documentation the rule requires. We fill in the gaps rather than start from scratch wherever possible.

The Details

The FTC Safeguards Rule requires financial institutions -- including auto dealerships -- to implement a written information security program (WISP) covering 9 specific areas: a designated Qualified Individual (QI), a risk assessment, safeguards to control the identified risks, vendor oversight, employee training, an incident response plan, periodic testing and monitoring, annual reporting to the board or senior officers, and a process to evaluate and adjust the program over time. Each element must be documented.

IT companies keep your network running. Safer Dealer keeps your compliance program running. We do not sell hardware, manage servers, or compete with your MSP. Our focus is entirely on the governance, documentation, and regulatory alignment side of the FTC Safeguards Rule -- the part most IT vendors do not cover. We work alongside your existing IT team and fill the compliance gaps they were never hired to address.

The rule applies to any business that qualifies as a financial institution under the Gramm-Leach-Bliley Act. That includes auto dealerships, mortgage brokers, tax preparers, payday lenders, real estate settlement services, and others that regularly engage in financial activities. For dealerships specifically, the act of arranging or facilitating financing -- even if a third-party lender funds the loan -- is enough to qualify.

The FTC can issue civil penalties of up to $51,744 per violation per day for non-compliance with the Safeguards Rule. In an FTC investigation or audit, you will be asked to produce your written information security program, your most recent risk assessment, documentation of your vendor oversight process, evidence of employee training, your incident response plan, and annual board reports. If you cannot produce these documents, the absence itself becomes evidence of non-compliance. That is why documentation is not optional -- it is the compliance.

Still Have Questions?

Our compliance specialists work exclusively with auto dealerships. If you did not find your answer above, we are happy to talk through your specific situation -- at no cost and with no obligation.

Get Your Free Assessment

Call (434) 317-6669

Or email us at sales@saferdealer.com

Stop Wondering If You're Compliant.
Start Knowing.

Get your free Gap Assessment and find out exactly where your dealership stands -- before the FTC does.
