While an F&I agency would likely have access to consumer information both less in quantity and sensitivity than what a dealership possesses, the information it does have can be misused and needs to be protected.  -  IMAGE: Getty Images

While an F&I agency would likely have access to consumer information both less in quantity and sensitivity than what a dealership possesses, the information it does have can be misused and needs to be protected.

IMAGE: Getty Images

If you read the last article in this space (How the Safeguards Rule will Put Agents Out of Business) you know the obligations of the revised Safeguards Rule apply to F&I agents as well as their dealership clients. This hard reality flows from the Rule’s requirement that a dealership’s service providers demonstrate they follow the terms of the Rule themselves. Why does this matter? And how can agents come into compliance? We’ll tackle those questions in order.

Why Does This Matter?

It is obvious why the Safeguards Rule applies to dealerships. First, they are considered “financial institutions” as the Rule defines that term. Dealerships originate consumer financing in the form of installment sale contracts and leases, which constitute financial activities. And logically, they should protect consumer data, as dealerships collect, use, transmit, and store an abundance of it.

But why should F&I agents bear the same burden? After all, the scope of consumer data agents have access to is usually far more restricted than what dealerships possess. Agents, for example, would rarely – if ever – have access to a consumer’s credit application, credit report, or social security number. Dealerships routinely handle all three, arguably the most sensitive information in a vehicle transaction.

On the other hand, consider what agents do have access to: The make, model and year of the vehicle the consumer acquired, the date of that acquisition, the vehicle’s VIN, the fact the consumer purchased an F&I product, and whether or not the consumer made a claim under that contract. While this may not sound like the stuff of identity theft, it can be. Consider a conversation a hacker who obtained this information might have with the consumer:

Hacker:“Hello, is this Joseph D. Consumer?”


Hacker: “Mr. Consumer, I’m Dewey Hackem with Acme F&I Products. Can you please confirm you bought our 7-year 100,000-mile vehicle service contract in connection with your purchase of a silver 2022 Chevy Equinox from Gibson Chevrolet in Oshkosh, Wisconsin, VIN 1GC46789NF234567, on January 20, 2022, for $3,500?”

Consumer: “Uh, yes?”

Hacker: “In conducting a routine audit of our transactions, we discovered that you were overcharged for that service contract. Per Acme policy, we are going to refund you the full purchase price of that service contract but continue to keep it in force. Would you like us to credit that amount to your bank account or a credit card of your choice?”

I think you can see where this would lead. So while an F&I agency would likely have access to consumer information both less in quantity and sensitivity than what a dealership possesses, the information it does have can be misused and needs to be protected. Which leads us to our second question.

How Can Agents Come into Compliance?

The defining feature of the revised Safeguards Rule is that it took subjective standards that called for “reasonable” safeguards “appropriate” for a given enterprise and replaced them with objective standards that may or may not be “reasonable” or “appropriate” for a given enterprise such as an F&I agency. Thus it is safe to assume agents must employ the safeguards enumerated in the new version of the Rule, albeit (perhaps) to a somewhat lesser degree.

The Rule requires three things of dealerships with respect to their service providers:

  1. Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the customer information at issue;
  2. Requiring your service providers by contract to implement and maintain such safeguards; and
  3. Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

Let’s look at these from the agent’s perspective. Prudent agents would anticipate these requirements and address them before their dealership clients need to ask.

A reasonable step for dealerships to select and retain an agency capable of maintaining appropriate safeguards would be to request a copy of the agency’s Written Information Security Program, or “WISP.” This means the prudent agent must develop a WISP. That, in turn, requires the agent to conduct an overall risk assessment (including a vulnerability assessment of the agency’s computer network) and implement safeguards to address the risks identified by the assessment.

The safeguards most important to protecting customer information are found at 16 CFR 314.4(d)(2): continuous monitoring, or twice-annual vulnerability assessments and annual penetration testing. These are also among the most expensive elements of an information security program, and are generally billed on a per-device basis. The good news for agents is that the average agency probably has fewer connected devices on its network than the average dealership. 

Evidence that the agency conducted a meaningful risk assessment, a summary of the results, identity of the agency’s Qualified Individual, and the safeguards the agency implemented should all roll up into the WISP.

The second requirement, that dealerships require their agents by contract to follow the Rule, can be met proactively by including such terms in an updated agency agreement, or a written addendum to existing agreements. It is better to offer the dealership a contract than to wait for the dealership to present you with theirs, for two reasons. First, by taking the initiative you remove from your client’s consideration the need to replace your agency with one that is more clearly in compliance. And second, by beating the dealership to the draw you control the terms of the contract. A dealership-drafted contract, for example, may require the agency to indemnify the dealership in the vent of an agency-caused data breach. The early bird can omit that requirement, at least in the first draft. You never know.

What is the appropriate level of “assessment” of the ongoing adequacy of your agency’s safeguards, the third requirement, is still unknown. At a minimum, it should include the agency providing a copy of its Qualified Individual’s annual written report to your board of directors or equivalent governing body. Again, provide this before you are asked. 

That’s just for starters. In the issues to come, we will discuss in greater detail the specifics of Safeguards compliance from an F&I agency’s perspective. 

Jim Ganther is the president of Mosaic Compliance Services and co-founder of Automotive Compliance Education.