skip to Main Content
KPA Logo

Stay Compliant with the FTC’s Safeguards Rule

In December 2021, the FTC revised the Safeguards Rule, which is a component of the Gramm-Leach-Bliley Act (GLBA). The Rule requires that financial institutions, including dealerships, develop, implement, and maintain a comprehensive written information security program.

Qualified Individual

Dealers must designate a “Qualified Individual” responsible for overseeing, implementing, and enforcing the information security program.

KPA provides a sample Designation of Qualified Individual Form. Additionally, during an on-site Safeguards review, your KPA Consultant will confirm the qualified individual is in place.

HR icons

Risk Assessment

Dealers must periodically conduct a written risk assessment to identify reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of customer information.

KPA offers online GLBA Safeguards training. Additionally, during an on-site Safeguards review, your KPA Consultant will validate you have completed a yearly risk assessment and verify there is a written assessment. They will also provide a written report detailing the handling of physical
customer data with recommendations for implementing new controls.

f&i benchmark report cover

Benchmark Study

How Your Peers Graded Their F&I Programs

KPA’s study serves as an industry benchmark and helps dealers gauge their F&I departments’ regulatory risk. Curious how your F&I department stacks up with your peers?

Information Safeguards

Dealers must design and implement customer information safeguards to
control the risks identified through the assessment.

KPA provides a sample written Information Security Program template. Additionally, during an on-site Safeguards review, your KPA Consultant will inquire that you have put proper information safeguards in place that address and/or control the risks identified in the assessment, asking questions like do you encrypt data at rest (stored on a server or other computer)? Do you have multifactor authentication? And more…

row of cars
Business team in remote consultation

Safeguards Testing

Dealers must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.

KPA partners with Helion Technologies, SDP Compliance, and Infosec Institute to provide IT monitoring, Phishing Simulation and other cyber security services to help you comply with the Safeguards Rule requirements. KPA will also verify you have either put in place a continuous monitoring solution and/or have conducted both penetration and vulnerability tests in the last six months. And we’ll ensure you are putting new controls in place as a result of the assessments.

Personnel Training

Dealers must implement policies and procedures to ensure that personnel uphold the information security program. The Qualified Individual must provide personnel with security awareness training and keep current on changing information, security threats, and countermeasures.

KPA provides online General Security Awareness training. Additionally, during an on-site Safeguards review, your KPA Consultant will validate you have provided regular training programs and that security personnel are keeping up to date with security trends and program risk needs.

office workers reviewing documents

The Latest on the Safeguards Rule

In this episode of The F&I Minute, Emily is joined by KPA Senior Manager of Legal Affairs, Robert Ebin, Esq., to dig into the Safeguards Rule and what companies can do to avoid getting dinged by regulators.

Incident Response Plan

Dealers must establish a written incident response plan designed to assist in quickly responding to and recovering from a security incident involving the exposure of customer information.

KPA provides templates for both an Incident Response Plan and a Breach Notification Form. Additionally, during an on-site Safeguards review, your KPA Consultant will verify that an incident response plan is in place. They will also confirm a walkthrough of the plan is conducted annually.

Service Provider Oversight

Dealers must oversee service providers that have access to customer information. They should take reasonable steps to select and retain service providers that can maintain appropriate safeguards for customer information, and require service providers to do so contractually. You should also periodically assess service providers based on the risk they present and the continued adequacy of their safeguards.

KPA provides a Sample Service Provider Risk Assessment and a Sample Service Provider GLBA Addendum. During an on-site Safeguards review, your KPA Consultant will inquire that the correct service provider addendum is in place and covers all providers.

office workers discussing around a table
people looking at graphs on paper

Annual Reporting

The Qualified Individual must report in writing, regularly and at least annually, to the board of directors or an equivalent governing body. The report should include the overall status of the information security program and the dealer’s compliance with the program.

During an onsite Safeguards review, your KPA Consultant will verify regular reports are being produced by the qualified individual and that they meet the minimal standards listed
above. The consultant will also ensure both Safeguard assessments and KPA’s on-site physical Safeguard security reports are incorporated into the dealer’s risk assessment remediation plans.


annual F&I
consulting visits


annual deal
jacket audits


years experience
helping clients


consulting team's
NPS score

"They just give you straight information, whether it be buyers’ guides, windows stickers missing on vehicles. To have that outside perspective definitely makes a difference. We take so many things for granted in this business. Even an experienced manager can miss things."

- Jack, General Manager

Questions About Safeguards Compliance? Let’s Talk!

Schedule a 30-minute meeting with a KPA solutions expert.
Request a Consultation
Back To Top Services: Compliance Services Services: Workplace Health and Safety Services Services: Environmental Risk Management Services About: Leadership Software: Online Training About: Who We Are Resources: Library Resources: Events and Webinars Resources: Blog YouTube Twitter LinkedIn