skip to main content

FTC Safeguards Rule - FAQ's

The most common questions from our recent Safeguards Rule webinar


Have a question you don’t see answered below? Please contact us at

Missed the webinar?

1. Are there any exceptions in the new rule regarding the size of a dealership?

Yes, for certain requirements, there is a size exception. All other requirements are necessary, regardless of size.

The following DO NOT APPLY if you retain information for fewer than 5000 consumers that have sought credit:

  • No written risk assessment
  • No continuous monitoring, penetration testing, or vulnerability scans
  • No written incident response plan
  • No annual report to board

The following STILL APPLY if you retain information for fewer than 5000 consumers that have sought credit:

  • Designation of a Qualified Individual
  • Encryption of Customer Information at Rest and in Transit
  • Service Provider Oversight
  • Multi-factor Authentication (MA)
  • Additional Training Requirements
  • Logging and Disposal of Consumer Information

The 5000 referenced above is the total number of consumers you have retained personal information for. For example: If you have done 83.33 credit reports per month (x12), for the past 5 years (a minimum time frame which dealers are required to keep this information) then your dealership would not have any exceptions.  However Credit Reports is only one system where you are receiving consumer information.  You have to look at your service lane, DMS, CRM and your financing platforms.

First step regardless if you qualify for the under 5,000 or not is to inventory your systems. Record your findings and if you believe you are under 5,000, add your findings to your policy.

2. Does this apply to powersports, motorcycle, RV and watercraft dealers?

Yes, unless you retain information on less than 5000 consumers. If that exception is met, you are still required to comply with the Safeguards Rule, but will not need a written risk assessment, continuous monitoring, annual penetration testing, vulnerability scans, a written incident response plan, or a written annual report to the Board of Directors.

3. Regarding service lane, would some of those be excluded from the 5k count since we don't have "credit" info on them?

They would not be excluded. “Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”  Name, address, etc.

4. What does “qualified” mean in reference to a “qualified individual”?

According to the FTC, the qualified individual must oversee and implement the information security program. The person designated to coordinate the information security program need only be “qualified.” No particular level of education, experience, or certification is prescribed by the Rule. Accordingly, financial institutions may designate any qualified individual who is appropriate for their business. Only if the complexity or size of their information systems require the services of an expert will the financial institution need to hire such an individual.

5. What reporting requirements - if any - are there when a business identifies a vulnerability/flaw as a result of monitoring or penetration testing?

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses to notify individuals of security breaches of information involving personally identifiable information. The requirements will vary by state.

Your reporting to your Board of Directors should be a risk assessment.  At a minimum it should list any results and remediation steps taken as a result of your penetration testing.  It should also list any vendors who have gaps in their responses to your questionnaire.

6. Do you have a full list of the new requirements that we can compare to what we have in place?

Yes, you can download a copy of the NADA’s “Dealer Guide to the FTC Safeguards Rule” here.  This document includes best practices and sample documents.

7. Do these rules apply to transactions with customers out of state that are getting the product shipped by common carrier and are paying by cashier’s check or wire transfer?

Yes, Physical and electronic information and documents from out-of-state consumers must be safeguarded. The information and documents must be protected via the physical, administrative, and technical safeguards outlined in the Safeguards Rule.

8. If you scan documents into a secured software does the document retention policy say we need to purge those documents?

The Safeguards Rule states you must: Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Please consult your attorney for record retention requirements for specific documents and data.  The systems that are retaining those scan documents must also pass your vendor surveys.

9. What "third party vendors" are required to have MFA? IE: Service scheduling, websites, credit apps, etc.

The Safeguards Rule states you must: implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. The Safeguards Rules also states you must: Oversee service providers by (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) requiring your service providers by contract to implement and maintain such safeguards; and (3) periodically assessing your service provider based on the risk they present and the continued adequacy of their safeguards.

10. What are your recommendations for training our personnel tasked with overseeing and/or implementing items/requirements?

Implement your own documented training programs or look for a third party provider.  IN addition you must record when your employees last took the training and they will need to be trained annually. This report of employees and training will need to be part of your Board of Directors reporting. Please contact to learn more about the 700Credit LMS.

Dealers must be compliant with the above rules by June 9th, 2023 or face the risk of heavy fines.

The 700Credit Learning Management System helps prepare you dealership

To further our efforts in providing the best compliance and risk mitigation services to our clients, we are pleased to provide a web-based, self-paced Compliance platform which will provide the required training your dealership needs to remain compliant with every transaction and avoid costly fines. Our learning management system will cover all of the necessary content to help your dealership comply with the new FTC Safeguard Rules.

Have questions about the new Safeguard Rules?

700Credit stands ready to help your dealership succeed. Fill out our questionnaire and a member of our team will reach out to you shortly.


I really like the new compliance-based learning management system that 700Credit provides us at the dealership. The courses provide a lot of valuable information that was new to me at the dealership. I will start to incorporate all the newly learned best practices into our current compliance practices. It is also great that I can always retake and refresh myself throughout the year. I strongly recommend this for all dealerships.

Meagan Jensen
Finance Manager
Young Powersports Centerville
  • This field is for validation purposes and should be left unchanged.