According to the nonprofit Identity Theft Resource Center, more than half of all small businesses in the US experienced at least one security or data breach in 2021, a 17 percent increase from 2020, at an average expense of $250,000 to $500,000 per incident. As automotive lenders and dealers increase their use of digital sales and technology to house personal and confidential information, data breach incidents have a direct impact on both revenue and regulatory compliance.
The Safeguards Rule
The Federal Trade Commission issued a final rule that amends the Safeguards Rule (the “Rule”) that went into effect January 10, 2022. The Rule places requirements on “financial institutions” regarding information security programs and the use of customer information. The amended rule notably expands the “financial institution” definition, which is now applicable to debt collectors and certain debt buyers, among others. Many businesses are now finding themselves subject to the Rule for the first time.
Update: Prior to the revisions, the Rule required covered entities to perform a risk assessment and then develop and implement safeguards to address identified risks. Now, risk assessments must include specific criteria and be in writing.
Update: Financial institutions must “address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.”
Update: While employee training and vendor oversight was part of the existing rule, the amended rule takes these to the next level. Covered entities are now required to have “mechanisms designed to ensure that such training and oversight are effective.”
Update: Auto lenders must contact their service providers to ensure the providers also implement and maintain appropriate safeguards to protect consumer information.
How are you working with your dealership partners and consumer protection product administrators to ensure compliance on all levels? Automotive lenders and dealers work with a significant amount of consumer confidential information, including social security numbers, pay stubs, utility bills, and more. In addition, most dealers in the U.S. have migrated to web-based platforms for conducting business, especially with regards to credit applications.
Data Security and EFG
At EFG, we recognize that data security is mission critical to successfully conducting business in today’s market.
It is for this reason that EFG Companies became the first F&I product administrator to achieve SOC 1 SSAE-16 certification in 2016. Since then, EFG has aggressively pursued heightened controls and protocols each year and has also achieved SOC 2 SSAE-18 certification.
Administered by the American Institute of Certified Public Accountants under the Statement of Standards for Attestation Engagements (SSAE), the SOC 1 and SOC 2 certifications are the most widely recognized standard providing companies with a method for reporting information about the design and operation of internal systems and controls relating to privacy and security regulations.
Additionally, the company recently achieved certification by the Payment Card Industry Security Standards Council (PCI SSC) as PCI Data Security Standard compliant. PCI Data Security Standards (PCI DSS) protect payment account data for merchants, service providers, and financial institutions throughout the payment lifecycle, removing the incentive for criminals to steal it. Specifically, PCI DSS contains a set of requirements based on collaboration between major card brands including American Express, Discover, Mastercard and Visa, to prevent payment data breaches and payment card fraud. Companies achieving certification deliver a higher standard of security for personal confidential information and compliance with federal, state, and local regulatory requirements.
With more than 40 years of experience in advising clients on how to achieve compliant profitability, EFG Companies has the processes, training and tools to deliver the utmost data security for our clients, partners and contract holders. We help dealers and lenders stay on the right side of compliance with ongoing training, compliance reviews, and AFIP certification. Contact us today to learn more.