FTC Safeguards Rule Training
The FTC Safeguards Rule is operational. Your F&I producers need to know their role in it.
The updated FTC Safeguards Rule brought new requirements for how dealerships protect customer financial data. F&I producers handle more sensitive customer information than anyone else in the building. Understanding the requirements — and knowing how to incorporate them into the box visit — is not optional. Sterling makes it practical.
What the FTC Safeguards Rule requires — and what it means for the F&I office.
The Gramm-Leach-Bliley Act's Safeguards Rule, enforced by the Federal Trade Commission and substantially updated with new requirements effective in June 2023, requires financial institutions — which include automobile dealers who arrange financing — to develop, implement, and maintain a comprehensive information security program to protect customer financial information.
The rule's requirements include designating a qualified individual to oversee the information security program, conducting risk assessments, implementing technical safeguards like encryption and multi-factor authentication for systems containing customer financial data, providing security awareness training to all personnel who handle customer data, and reporting significant security events to the board or senior leadership.
For the F&I office specifically, the Safeguards Rule's implications are practical and immediate. F&I producers collect, process, and transmit more sensitive customer financial information than any other department in the dealership. Credit applications contain Social Security numbers, income information, employment details, and banking data. Deal jackets contain financing terms, insurance information, and product purchase records. The security of that information during collection, processing, and storage is a compliance obligation, not a best practice.
F&I producers do not need to become information security professionals. They need to understand their specific role in the dealership's written information security program: how to handle paper documents containing customer financial information, what practices are required when working with digital systems that contain customer data, how to recognize and report potential security incidents, and how to protect customer information during the box visit process. Sterling integrates this awareness into the F&I compliance module so it is part of the daily training habit, not a separate event.
The producer's specific role in the dealership information security program.
Document handling in the F&I office is the highest-risk information security point in most dealerships. Credit applications, deal contracts, and product agreements contain the full profile of customer financial information in paper form. The physical security of these documents — who has access, how they are stored during the deal, how they are disposed of when no longer needed — is part of the Safeguards Rule compliance program.
F&I producers should understand the document handling protocols their dealership has established: where completed credit applications are held during a deal, how documents are transmitted to lenders (fax, email, dealer portal), what happens with application copies after contracting, and the approved disposal method for documents containing customer financial information. These are operational practices, not abstract compliance concepts. Sterling incorporates document handling awareness into the compliance training.
Digital system security is an increasingly relevant issue for F&I producers as more of the deal process moves through dealer portals, DMS platforms, and lender submission systems. Multi-factor authentication, screen-locking on unattended workstations, and password security are basic practices the Safeguards Rule reinforces. Producers who share workstation credentials, leave DMS sessions open when away from the desk, or use personal email for deal document transmission are creating compliance exposure regardless of intent.
Security incident recognition is a practical skill that F&I producers can contribute to. A customer who provides identity information that raises red flags — inconsistency between stated income and credit history, documents that appear altered, identity questions where the customer's responses are hesitant — is a situation that the dealership's Red Flags Rule program requires be recognized and addressed. F&I producers are positioned to observe these patterns and escalate appropriately.
Customer communication about data handling is an opportunity as well as an obligation. Customers who are informed about how their financial information is protected during the financing process have a better experience in the box and a more positive impression of the dealership's professionalism. Sterling trains the brief data security assurance that fits naturally into the box visit opening — addressing the customer's implicit question about where their information goes without turning it into a compliance lecture.
Training documentation under the Safeguards Rule.
The Safeguards Rule requires that customer-facing personnel who handle financial information receive security awareness training. The rule does not prescribe the specific format or frequency of training — it requires that the training be provided and that the information security program include a training component. Documented evidence of training is the standard for demonstrating compliance.
Annual compliance certification is the most common training documentation approach. It establishes that a producer received training on a specific topic on a specific date. The FTC has noted in guidance that ongoing training — not just annual events — is the more effective approach to building genuine security awareness rather than certification-level knowledge.
Sterling's compliance module tracks training sessions by producer, including sessions that address Safeguards Rule-relevant topics: document handling, digital system security, and security incident recognition. These session records are the supplemental training documentation that sits alongside annual certification and demonstrates the ongoing training cadence the rule's guidance supports.
Finance Directors who are asked to demonstrate their training program to auditors or in response to an incident have a more complete answer when they can point to both annual certification records and ongoing session-level training documentation. Sterling's records are searchable and archived by producer. The training documentation question has a complete answer.
The Red Flags Rule — what F&I producers need to recognize.
The Red Flags Rule, implemented under the Fair and Accurate Credit Transactions Act, requires creditors and financial service providers — including dealers who arrange financing — to implement a written Identity Theft Prevention Program that identifies patterns, practices, and specific forms of activity that are 'red flags' indicating the possible existence of identity theft, detects those red flags in its daily operations, responds appropriately when red flags are detected, and periodically updates the program.
F&I producers encounter identity information in the context of credit applications and deal documentation. The Red Flags Rule requires that they be trained to recognize patterns that may indicate identity theft. Specific red flags include alerts from a consumer reporting agency, unusual account activity patterns if the customer is an existing customer, notice that the customer has recently provided conflicting information, documents that appear forged or altered, and inconsistency between the customer's responses to identity verification questions and their stated identity.
The producer's role in the Red Flags program is recognition and escalation, not investigation. A producer who observes a pattern that may indicate identity fraud should escalate to management according to the dealership's written program — not attempt to investigate independently or proceed with the deal without escalation.
Sterling incorporates Red Flags Rule awareness into the compliance training at the recognition-and-escalation level. Producers learn the categories of red flags they are positioned to observe in the box, the escalation process the dealership has established, and the documentation required when a red flag is identified. This awareness training is part of the documented training program that demonstrates compliance with the Red Flags Rule's training requirement.
OFAC screening — what dealers need to know and what producers need to do.
The Office of Foreign Assets Control maintains the Specially Designated Nationals and Blocked Persons list — the OFAC SDN list — and prohibits U.S. persons and businesses from engaging in transactions with individuals and entities on that list. Auto dealers who finance vehicle sales are considered financial service providers for purposes of OFAC compliance and are expected to screen customers against the OFAC SDN list before completing a financed transaction.
In practice, OFAC screening is typically an automated function integrated into the DMS, the credit application submission process, or the lender's approval system. Most dealerships do not require F&I producers to manually check the OFAC list on every deal. The automated screening handles the practical compliance requirement.
F&I producers should understand that OFAC screening happens, what it checks, and what happens when a customer's name generates an alert. OFAC alerts are often false positives — the customer's name matches a listed entity but the individual is not the same person. The correct response to an OFAC alert is to escalate according to the dealership's compliance program, document the resolution, and not proceed with the transaction until the alert is resolved.
Sterling covers OFAC awareness at the practical level: what it is, why it matters, and what the producer should do if an OFAC alert appears in the deal processing. This is not specialized legal training. It is operational awareness that producers need to handle the situation correctly if it arises, which it will occasionally on a high-volume floor.
Building compliance awareness into the daily F&I training habit.
The challenge with compliance training is that it competes with performance training for attention and training time. F&I producers who are focused on improving per-copy and penetration rates are less motivated to invest training time in compliance awareness than in objection handling. The training that moves the immediate performance number gets the practice time. The training that prevents a regulatory event gets deferred to the annual certification.
Sterling integrates compliance awareness into the same training sessions as performance coaching. The compliance module is not a separate event — it is built into the session structure alongside product knowledge, presentation, and objection handling. The producer who runs a Sterling session gets performance coaching and compliance reinforcement in the same 10-to-15-minute window. Neither competes with the other for calendar space.
The documented compliance training record Sterling produces is a byproduct of the daily practice habit, not a separate compliance exercise. Finance Directors who want both performance improvement and documented compliance training do not have to choose between them. Sterling delivers both in the same session framework.
The regulatory environment for automotive F&I has become more active over the past several years, with both federal and state-level enforcement attention on disclosure practices, product presentation, and data security. Dealerships that can demonstrate an ongoing, documented training program for their F&I staff — one that goes beyond annual certification — are better positioned in that environment. Sterling builds that record one session at a time.
Questions dealers ask
Does Sterling replace our legal counsel's Safeguards Rule compliance guidance?
No. Sterling is a training tool, not legal advice. The compliance standards Sterling trains should be established by your legal counsel and communicated to Sterling during the setup intake. Sterling then trains producers to consistently apply those standards and builds the session-level documentation record. The regulatory interpretation and program design are your counsel's domain. The daily training habit is Sterling's.
How current is Sterling's compliance module on the 2023 Safeguards Rule updates?
Sterling's compliance module is calibrated to the standards you establish during setup, which your compliance counsel should ensure reflect the current regulatory requirements. The Safeguards Rule updates effective in June 2023 included new requirements for multi-factor authentication, encryption, and security event reporting that should be incorporated into your written information security program and your staff training requirements. Sterling trains the operational awareness elements of those requirements.
Can we use Sterling's session records as part of our Safeguards Rule training documentation?
Sterling's session records — completion dates, topic coverage, and per-producer training history — can be used as supplemental documentation alongside your formal training records. We recommend confirming with your compliance counsel how to incorporate Sterling records into your overall compliance training documentation. Most compliance programs recognize ongoing, documented training as evidence of a functioning security awareness program.
What if an F&I producer encounters a situation in the box that raises a Red Flags Rule concern?
Sterling trains the recognition-and-escalation response: recognize the specific pattern that qualifies as a red flag under your dealership's written program, do not proceed with the deal, escalate to the designated compliance contact according to your established procedure, and document the observation. Producers trained on this response handle the situation correctly, neither overreaching into investigation nor ignoring the pattern. The specifics of your escalation procedure should be communicated to Sterling during the compliance module setup.
Does Sterling cover the FTC's recent regulations on dealer transparency and add-on products?
Sterling's compliance module covers the topics you configure during setup. The FTC's 2023 Vehicle Shopping Rule, which addresses deceptive practices in add-on product presentation and pricing disclosure, should be incorporated into your compliance training program by your legal counsel. Sterling can train producers on the specific disclosure and transparency practices your counsel recommends under that regulatory guidance.
How does document handling compliance training work in a Sterling session?
The document handling module covers your established protocols for paper documents containing customer financial information: secure handling during the deal, transmission methods to lenders, post-deal storage, and disposal procedures. Sterling presents these as operational practices that are part of the box visit routine rather than separate compliance exercises. The debrief asks producers to articulate the correct protocol for the specific scenario presented in the session.