The FTC Red Flags Rule for auto dealers matters any time your dealership participates in credit transactions, especially when you arrange financing for customers. In Dealer Educator’s California dealer training, the key takeaway is simple: if your dealership is a covered creditor, you must have a written Identity Theft Prevention Program that helps your staff spot identity theft warning signs, respond consistently, and document what happened.
What the Red Flags Rule requires (dealer-friendly overview)
Dealer Educator’s pre-licensing and renewal materials explain that the Red Flags Rule is built around a documented Identity Theft Prevention Program. In practice, your program should be designed to:
- Identify relevant identity theft “red flags” for your dealership’s credit activities.
- Detect red flags while opening accounts, processing credit applications, and servicing accounts.
- Respond appropriately to prevent or reduce identity theft when red flags appear.
- Update the program periodically as risks, processes, or technology change.
For official guidance and examples, review the FTC’s business guidance page on the Red Flags Rule: https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule.
Step 1: Confirm whether your dealership is a “covered creditor”
Dealer Educator emphasizes that the Rule applies to certain “creditors,” which can include auto dealers and financial institutions when they are involved in financing. Practically, you should assume you are covered if your dealership regularly:
- Arranges or offers financing (directly or indirectly) for retail customers, or
- Allows customers to pay over time under an agreement, or
- Maintains credit-related accounts where identity theft could create risk to the customer or the dealership.
Compliance tip: Document your coverage determination (what you do, why you believe you are covered or not, and who approved that determination). That memo becomes helpful during audits and internal reviews.
Step 2: Build a written Identity Theft Prevention Program
Your written program should be specific to your dealership’s workflows—not a generic template. Dealer Educator’s course content highlights that the program needs “reasonable policies and procedures” tailored to your risks.
What to include in your written program
| Program section | What to write | Where it shows up in dealership operations |
| --- | --- | --- |
| Red flags list | Clear, dealership-specific warning signs tied to your credit process | Credit apps, ID review, stip review, funding package, servicing |
| Detection steps | How staff must check for red flags (what to compare, verify, and record) | Sales/F&I intake, online leads, phone deals, delivery |
| Response steps | Decision tree: what to do when something doesn’t match | Before contracting, before funding, during collections |
| Documentation | What forms/logs are required and where to store them | Deal jacket, compliance folder, DMS attachment |
| Governance and oversight | Who approves, administers, and updates the program | Owner/GM/Compliance Manager involvement |
| Training plan | Who must be trained, how often, and how completion is tracked | New-hire onboarding, annual refreshers |
Step 3: Define dealership “red flags” you will actually see
A strong program focuses on red flags that realistically appear in auto retail credit transactions. Consider writing your list around categories like:
- Identity and document inconsistencies (information doesn’t match across ID, credit app, insurance, proof of residence).
- Suspicious application patterns (multiple applications with similar data; sudden changes in address or employer information).
- Unusual customer behavior (refuses to provide standard documentation, pressures staff to skip steps, or avoids normal verification).
- Alerts from third parties (credit report warnings, lender stipulations that indicate possible fraud, or notices from customers about unauthorized activity).
Keep the red flags list short enough that staff will remember it, but complete enough to cover your real risks.
Step 4: Detect red flags during onboarding and servicing
Dealer Educator’s approach is to make detection a workflow—not a one-time check. Write procedures that specify:
- When checks happen (lead intake, test drive, contracting, delivery, funding, collections/service).
- Who performs checks (salesperson, F&I, desk manager, office staff).
- What evidence must be retained (copies of documents, verification notes, lender communications).
Also align detection with your broader privacy and recordkeeping discipline. Dealer Educator training stresses safeguarding confidential customer information and maintaining secure handling of sensitive documents.
Step 5: Respond consistently—and document outcomes
When a red flag is detected, your program should prevent “improvised” decisions that create risk. Build a response playbook that answers:
- What triggers an escalation to a manager or compliance lead?
- When do you pause the deal until verification is complete?
- When do you decline to proceed or require additional verification?
- How do you record the red flag and the final resolution?
Audit tip: Create a simple “Red Flags Log” (deal number, date, red flag type, who reviewed, action taken, outcome). Even if your store has few issues, a clean log demonstrates an active program.
Step 6: Establish governance, approval, and oversight
Dealer Educator materials highlight that the Rule’s guidelines include oversight actions such as:
- Obtaining approval of the initial written program by a board, board committee, or designated senior management employee.
- Ensuring ongoing oversight of program development, implementation, and administration.
- Training personnel.
That governance structure should be written into your program (names/titles and responsibilities), so it’s clear who owns compliance.
Step 7: Train the right staff (and prove it)
Training should match job roles. At a minimum, train anyone who touches customer identity information or credit workflows:
- Sales and internet teams collecting customer information
- F&I staff and managers handling credit applications and stipulations
- Office personnel handling deal jackets, funding, and recordkeeping
- Collections/servicing staff (especially for buy-here-pay-here operations)
Recordkeeping tip: Keep training rosters, agendas, and acknowledgments in a compliance binder (or digital compliance folder) so you can demonstrate training occurred.
Step 8: Update your program as risks and processes change
Dealer Educator emphasizes that your program must be updated regularly to reflect changes in customer risk, dealership operations, and security posture. Update triggers can include:
- New financing sources or changes in lender stip requirements
- New document collection tools, e-sign platforms, or DMS changes
- New identity theft patterns observed in your market
- Internal audit findings or compliance incidents
Write an update cadence (for example, periodic review by management) and document each review and what changed.
Quick compliance checklist (printable)
- Confirm covered creditor status for any credit/financing activity.
- Maintain a written Identity Theft Prevention Program tailored to your store.
- List dealership-specific red flags tied to your transaction flow.
- Define detection steps at intake, contracting, funding, and servicing.
- Define response steps and escalation rules; document each outcome.
- Assign governance (board/committee/senior manager) and oversight roles.
- Train all personnel who handle credit and customer data; keep proof.
- Review and update the program as processes and risks change.
How this ties into California dealer compliance culture
While the FTC Red Flags Rule is federal, it fits directly into the broader California dealership compliance mindset Dealer Educator teaches: protect consumers, standardize your documentation, and be prepared to demonstrate compliance through clear records and consistent procedures.