A lot of independent and used-car dealers assume the FTC Safeguards Rule is a "big franchise store" problem. It isn't. The rule doesn't care whether you sell new or used, whether you have one lot or ten, or whether you call yourself a dealership or a car lot. It cares about one thing: do you arrange or facilitate financing or leasing for your customers?
If the answer is yes — and for most independents and virtually every buy-here-pay-here (BHPH) operation it is — then under the FTC's definition you are a "financial institution," and the Safeguards Rule applies to you the same way it applies to a franchise megastore.
The applicability test
Walk through this honestly:
- Do you help customers obtain financing (collect credit apps, submit to lenders)? → In scope.
- Do you offer in-house financing or BHPH (you are the lender)? → In scope.
- Do you arrange leases? → In scope.
- Do you sell strictly cash-only, never touch a credit application, never arrange financing? → Likely out of scope for this rule — but rare, and easy to slip back into scope the first time you help finance a deal.
Why BHPH dealers are the clearest case of all
The one exemption that matters — and what it does NOT do
There is no exemption for simply being small or independent. The only relevant carve-out is for financial institutions that maintain customer information on fewer than 5,000 consumers. If you're under that threshold, the rule exempts you from four specific requirements:
- The written risk assessment
- Continuous monitoring, or annual penetration testing plus vulnerability assessments
- The written incident response plan
- The annual written report to ownership from the Qualified Individual
That's it. Everything else still applies. And read the threshold carefully: it's the total number of consumers whose information you maintain, across current customers, past customers, and even applicants who didn't buy. Most dealers that have been open more than a year or two are well past 5,000 records and don't realise it.
Don't over-rely on the small-dealer carve-out
What every independent & used dealer must do regardless
Whether or not you qualify for the small-dealer carve-out, these core safeguards apply:
Core safeguards — no size exemption
1. Designate a Qualified Individual to oversee the program
2. Implement access controls and least privilege on systems holding customer data
3. Inventory where customer information lives (DMS, deal jackets, scans, spreadsheets)
4. Encrypt customer information in transit and at rest
5. Enforce MFA on systems that access customer information
6. Run vendor due diligence on providers that touch customer data
7. Securely dispose of customer data on a defined schedule
8. Train staff on safeguarding customer information
Four myths that get small dealers in trouble
“We’re used-only, so the rule doesn’t apply.”
Reality: New vs used is irrelevant. What matters is whether you arrange or facilitate financing or leasing. A used-car lot that helps customers get financed is a financial institution under the rule.
“We’re too small to be covered.”
Reality: There is no size exemption from the rule itself. The small-dealer carve-out only relaxes the four specific requirements listed above — it does not exempt you from the program.
“Buy-here-pay-here means we’re not really lending.”
Reality: BHPH dealers extend credit directly to customers — that is squarely the activity the rule targets, and you hold the customer financial data to match.
“We only pass deals to a lender, we don’t lend.”
Reality: Arranging or facilitating financing — collecting credit apps, sending them to lenders — also brings you in scope. You still handle the sensitive data.
The bottom line
Independent and used-car dealers are not a special case under the FTC Safeguards Rule — they're a central one. If you arrange financing in any form, you're a financial institution, you handle exactly the data the rule protects, and the same enforcement exposure applies. The small-dealer carve-out trims four paperwork requirements; it doesn't exempt you from running a real program.
The good news: an independent lot's program is simpler to stand up than a multi-rooftop group's. See how we help on our cybersecurity for auto dealerships page.
Related reading: the 9 required WISP elements for dealers and who should be your Qualified Individual.
Free FTC Safeguards WISP template — sized to work for independent and used-car dealers.
All 9 control families with template language you can adapt to a single lot or a small group, plus evidence checklists.
Independent or BHPH dealer? Find your gaps in 30 minutes.
We map your lot against the Safeguards Rule and hand you a one-page roadmap — right-sized for an independent operation. No obligation.