11 Common Auto Dealer Compliance Mistakes

July 1, 2019 | Zach Klempf


Compliance laws and requirements can be a headache. But there’s a high price to pay for non-compliance — even if it’s unintentional. 

Luckily, compliance can be simple with the right tools in place. Here are the top auto dealership compliance mistakes, and how YOU can avoid them: 



Customer Data


Personal Data: Gramm-Leach-Bliley Act

Personal information and privacy are top-of-mind issues in today’s hyper-connected world. As a dealership, you have access to a great deal of sensitive personal and financial information. The purpose of the Gramm-Leach-Bliley (GLB) Act is to protect that.

Violating the GLB Act, even unintentionally, can be costly. In California, for example, a single exposed driver’s license can result in fines up to $11,000. 

So how do you avoid a similar situation? First of all, know your regulations. The GLB Act contains two sections — the Gramm-Leach-Bliley Privacy Rule and the Gramm-Leach-Bliley Safeguards Rule. 

The GLB Privacy Rule centers on protecting customer privacy and personal data. Dealers are required to collect, store, and share personal and financial information in an organized, secure method. They must also inform clients what data is collected and how that data will be shared. Finally, dealers must allow clients to opt out of sharing where possible. Take special care when it comes to third-party sharing, such as with telemarketers and other retailers. 

The GLB Safeguards Rule requires dealers to take concrete action to secure customer data. In other words, how are you going to protect client information from unauthorized access, fraud, and/or misuse? This rule looks for a few things: a written information security plan, a comprehensive risk analysis, safeguards covering affiliates and service providers, and ongoing plan implementation and monitoring. 

Find more detailed information about GLB compliance.

Identity Theft: Red Flags Rule

Do you know what an identity thief looks like? In literal terms, yes — they look like any other person. But pinpointing the warning signs of identity theft is why we have the Red Flags Rule.

This addition to the Fair Credit Reporting Act requires creditors and lenders to create a written Identity Theft Protection Plan. The exact terms and structuring of the plan are left up to dealers. In general, a good plan of action is as follows: 

  1. Establish the warning signs of identity theft
  2. Formulate a response plan
  3. Continue to update your plan over time. 

Common “red flags” include suspicious ID documents, fraud alerts in credit history, unusual account activity and undeliverable mail and email. 

This all might sound like a hassle, but the alternative is much more costly. While penalties from the FTC can cost up to $3,500 per violation, other fees and legal issues can ring up an even higher bill. 

Case in point: After a Georgia dealer recently financed a BMW to an identity thief, the payout added up to over $150,000. Not just from fines, but from the lender’s lawsuit and vehicle’s value. 

Reconsidering that protection plan? The FTC has a handy guide to help you create a solid strategy. 

Financing and Insurance



Financial Transparency: Regulation Z

Also known as the Truth in Lending Act, Regulation Z mandates that lenders clearly disclose all credit terms to consumers. Sounds obvious, right? The rule isn’t complicated, but it still requires due diligence and attention. 

Reg Z requires outlining all elements of a loan offer in a straightforward, written form, using standard terminology and rate expression. This includes: 

  • The size of the loan
  • APR
  • All finance charges and other fees
  • The payment schedule
  • The total amount to be paid across the lifetime of the loan. 

The customer should be able to easily compare different offers and face no surprises or extra costs from the loan. 

Again, more paperwork — but is it worth a few million dollars? A dealer group in Arizona and New Mexico recently filed for bankruptcy after years of court battles following FTC allegations of Truth In Lending violations. Allegations included failure to inform customers of qualifying limits on offers and failure to disclose required terms in advertisements. The class-action lawsuit sought nearly $30 million in damages. The FTC proposed a $1.3 million settlement. 

Read up on the details of Regulation Z.

Adverse Action & Risk-Based Pricing Notices

If you offer credit and financing (which is nearly all dealers), you’re likely familiar with the Fair Credit Reporting Act. But how about its two lesser-known clauses: Adverse Action Notices and the Risk-Based Pricing Rule? 

In short, if you refuse credit or offer credit on less favorable terms, you have to send a formal notice to the customer. 

Adverse Action applies to three hard credit pull outcomes: 

  • Denial of credit
  • Refusal to grant credit in the amount or terms requested
  • Negative change in the account terms. 

In these cases, the dealer is required to send an adverse action letter within 30 days of the credit application. 

If a dealer offers credit in “materially less favorable terms” (usually higher APR or worse terms than a substantial number of other customers), then a dealer must send a risk-based pricing notice to the customer. 

The penalties for violating these rules are steep. A recent case ruled that courts can award damages up to $10,000 to individual consumers and up to $500,000 in class action suits. In addition, the FTC can enforce Equal Credit Opportunity Act (ECOA) violations at up to $40,000 per violation. 

You can find more detailed guidelines about adverse action and risk-based pricing notices.

Lending: Hard vs. Soft Credit Pulls

When checking customer credit, many dealers think that soft credit pulls allow them to skip Adverse Action Notice requirements. This is a common misconception.

A consumer report is defined as any communication of information by a consumer reporting agency regarding creditworthiness. Whether it’s a hard or soft credit pull, you’re using the credit report to determine creditworthiness — in other words, that is a consumer report. 

As such, consumer report regulations apply to soft credit pulls. If you deny credit, an adverse action notice must still be sent to the customer. The FCRA requires this if the credit decision is “based in whole or in part on any information contained in a consumer report.” Don’t fall into this common compliance gap. 

Equal Credit Opportunity Act

As we’ve noted before, dealers are considered lenders. That means that under the Equal Credit Opportunity Act (ECOA), dealers are prohibited from discrimination when providing credit. 

Of course, we know you wouldn’t purposefully discriminate against a customer. However, the law doesn’t differentiate between accidental and intentional discrimination. As a business owner, you must make these rules explicit for both employees and customers. 

According to the ECOA, lenders can’t ask about or factor in race, color, religion, sex, age, marital status and/or national origin when considering credit. They are also required to inform customers of the credit decision within 30 days. Finally, they must notify applicants when action is taken on their applications and explain why credit is denied or terms changed. 

In short, when making credit decisions, base your analysis on the customer’s creditworthiness alone, and make sure to keep applicants clearly informed. Here are more details on the ECOA. 




TCPA and Text Messaging

Sending a quick text is something you do several times a day without a second thought. Yet for businesses, overlooking the TCPA could mean fines of up to $500 per text. That’s not part of your cellular plan, right? 

Under the Telephone Consumer Protection Act (TCPA), companies are required to get written consent for all communication with customers. That includes text messages and phone calls.

Violations are costly. Lithia Motors learned this the hard way in 2011 after sending out an offer text to 57,800 customers, then a follow-up to 48,000. The messages led to a $2.5 million settlement. The lawsuit argued the texts violated the TCPA ban on unsolicited phone messages and requirement of an “opt out” option. 

There are a few key steps to make sure you’re in the clear:

  • Get written consent from customers for ALL communication. 
  • Be very specific about the type and purpose of contact they’re agreeing to — whether it is for service communication, marketing, etc. 
  • Notify customers of any potential fees, such as text messaging rates.
  • Allow recipients to opt out of communication at any time. 
  • Keep up to date on changing regulations.

Learn more about TCPA and texting compliance.


Email Communication: CAN-SPAM Act

How many emails flood into your inbox every day? Probably a lot. As a dealer, however, you’re required to not “spam” customers’ inboxes with unsolicited or misleading emails. 

Under the CAN-SPAM Act, dealers are subject to a set of rules regarding email communication with customers. Email messages...

  • May not contain false or deceptive headers or subject lines.
  • Must include an opt-out option, with requests fulfilled within 10 business days.
  • Must contain the sender’s valid physical postal address.
  • Must be identified as ads.

These rules apply to all commercial messages (those sent to promote a product or service), even messages sent on your behalf by an affiliate such as a marketing company. With FTC fines up to $16,000 per email, in addition to potential fines from other federal and state agencies and ISPs, a simple mistake can become extremely costly.

Ensure your dealership is covered with this handy guide.

Truth in Advertising

False advertising is a commonly known violation, but few dealers understand how it applies to them. 

In broad terms, advertising must be truthful, non-deceptive, substantiated, and not “unfair” (causing harm to the consumer). Vehicles must be accurately described, state the correct model, year, etc., and feature the correct images. 

In addition, certain disclosures must be included: 

  • Endorsements
  • EPA-estimated MPG confirmation
  • Discount conditions
  • For financing, the terms of repayment, any down payments, APR and the total number, amount and due dates of payments. 

Sound like a lot of boxes to check off? It is, in a way. But it’s well worth your scrutiny. A Washington dealership was recently charged $74,000 for sending out mailers deemed “deceptive advertising.” In New York, four dealers were fined $2.1 million for misrepresenting vehicle prices and failing to provide clear itemized disclosures of all costs.

Clearly, this regulation isn’t messing around. You can find a useful cheat sheet here, and NADA offers a detailed guide to compliance. 




National Security: OFAC & the Specially Designated Nationals List

When you sell or lease a car to someone, you need to confirm that the person is not on the country’s “do not associate” list. The Specially Designated Nationals (SDN) List is a database maintained by the Office of Foreign Assets Control (OFAC). The list includes people and groups flagged as dangerous, usually for terrorism, drug trafficking or other illegal activity. 

This check involves literally searching the SDN list for the client’s name. It’s usually done with a credit application, before a cash sale, or regularly with monthly payments. Though straightforward in concept, the penalties for non-compliance with OFAC are steep — to the tune of up to 30 years in jail and fines up to $10 million plus up to $1 million per incident. 

In other words, it’s worth getting your inspection lens out for this one, and being aware of the action to take if a customer does match the list.

Reporting Payment: Form 8300

As a business dealing in large purchases, you likely see a variety of payment methods. If you receive a cash payment of over $10,000, you must file a Form 8300 with the IRS within 15 days of the payment. 

Attention — this applies even if the amount is not a single transaction, such as multiple installments adding up to over $10,000. It also applies to more than just “cash”, including cashier’s checks, money orders, and bank drafts. 

The purpose of Form 8300 is to prevent money laundering. After filing the form with the IRS, dealers are required to notify the customer in writing, keep a copy of the form, and report any suspicious activity.

There’s no joking around here. Penalties for Form 8300 filing violations can reach up to $100,000 and/or up to five years in jail. Additional guidelines and electronic filing information are available from the IRS.


Compliance is Easy with the Right Tools 

If your head is spinning with acts, forms, and agencies, don’t panic. It might seem like a lot to keep track of, but the first step is to be aware of common auto dealership compliance mistakes. 

Customer relationship management (CRM) systems can help keep you up to code. CRM tools can be extremely helpful in managing compliance (and operations in general). There are even options to automate many compliance procedures. 

Bottom line: It’s worth it to invest in the knowledge and tools to keep your dealership compliant.
