Federal Trade Commission (FTC) Safeguards Rule changes were proposed this past April, and since then this has been a hot topic for discussion among dealerships and related organizations. If approved, these changes could significantly impact BHPH dealers. Here’s what you need to know.
Of course, it’s no secret that compliance has become an increasingly important concern for BHPH dealerships, but this could make the issue even more serious and difficult. Currently, the FTC Safeguards Rule is limited in scope since the Dodd-Frank Act gave the Consumer Financial Protection Bureau (CFPB) much of the privacy rule-making authority formerly held by the FTC. These new proposed changes would expand the FTC’s power again by changing the definition of “financial institution” to include any “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities,” such as those who function as mediators between customers and lenders. So depending on how broad the definition is and just what determines a lender to be a separate financial company, it’s easy to see how BHPH dealerships could potentially fit into that category.
This would mean that most dealers would have to adhere to the FTC Safeguards Rule and Privacy Regulations. Under the proposed changes, many BHPH dealerships would have to adopt an increased number of cybersecurity and privacy protection measures, some of which could prove expensive. These include: appointing a Chief Information Security Officer, more specific security system controls and risk assessments, adopting multi-factor authentication for employees accessing customer information, regular testing of information security systems and key controls, implementing new safeguards and change management processes, and regular monitoring and audits of information security systems. While many BHPH dealerships may already adhere to some of this, some requirements, such as hiring an Information Security Officer, may strain the budgets of some dealers.
There is, however, one piece of possible good news for BHPH dealerships in the FTC Safeguards Rule changes: lenders qualifying as small businesses, meaning those who handle information for fewer than 6,000 customers per year, will be exempt from some of the requirements. Small BHPH dealers may benefit from this, but large BHPH auto groups will still feel the full impact. However, even small BHPH lenders will have to fulfill some of the requirements, especially if they and their associated dealerships are deemed to be different entities.
The other good news is that these regulations haven’t been set in stone yet. Christine Wilson and Noah Phillips, both Commissioners from the Republican party, objected to these FTC Safeguards Rule changes, saying that mandating such restrictions on the entire market may prove detrimental, and suggesting updated FTC guidelines instead. Currently, nothing has been finalized, and it remains to be seen what changes will actually take place.
So, while BHPH dealerships should certainly hope for the best, it would be wise to prepare for the worst. This is an excellent time for BHPH dealers to begin considering privacy rules and thinking about instituting a privacy and information security policy. That may save dealerships from having to scramble later if these FTC Safeguards Rule changes are instituted.