Red Flags Rule for Car Dealers: A Compliance Guide
A plain-English guide to the Red Flags Rule for car dealers: who's covered, what your written program needs, and how to comply for free.
If you arrange financing or carry your own paper, the Red Flags Rule for car dealers almost certainly applies to you. And "I didn't know" is not a defense the FTC accepts. Here's the good news: complying is mostly a written process and some staff habits. You don't have to buy anything. This guide covers who's on the hook, what your program has to contain, the specific warning signs to watch for, and how to do it all without a vendor.
What the Red Flags Rule actually is
The Red Flags Rule requires "financial institutions" and certain "creditors" to build and run a written Identity Theft Prevention Program that detects, prevents, and mitigates identity theft tied to covered accounts. It lives at 16 CFR Part 681 and carries out the Fair and Accurate Credit Transactions Act (FACT Act) amendments to the Fair Credit Reporting Act (FCRA). The FTC's business guidance on the Red Flags Rule is the plain-English hub for the whole thing.
It all comes down to one idea. Under 16 CFR 681.1(b), a "Red Flag" is a pattern, practice, or specific activity that points to possible identity theft. Your job is to catch those patterns at the deal desk and act before a fraudster drives off in a car titled to somebody else's stolen identity.
Does the Red Flags Rule apply to your dealership?
Two questions settle it: are you a "creditor," and do you have "covered accounts"?
The Red Flag Program Clarification Act of 2010 (S.3987) tightened up the word "creditor." Under that Act, a creditor is now one that, in the ordinary course of business, regularly:
- obtains or uses consumer reports in connection with a credit transaction,
- furnishes information to consumer reporting agencies in connection with a credit transaction, or
- advances funds based on an obligation to repay.
A store that pulls credit to arrange financing, or that carries its own paper, sits squarely inside that definition. One thing the FTC is careful to point out: just taking credit cards as payment doesn't by itself make you a "creditor." What trips the wire is regularly using consumer reports, reporting to the bureaus, or advancing funds to be paid back in connection with a credit transaction.
On the second question, a "covered account" under 16 CFR 681.1(b)(3) includes (i) an account held mainly for personal, family, or household purposes that allows multiple payments or transactions — and the rule's examples flat-out list an "automobile loan" — plus (ii) any other account with a reasonably foreseeable risk of identity theft.
If you pull credit to arrange financing or you carry your own paper, the rule's own text uses an "automobile loan" as the textbook example of a covered account. There's not much room to argue you're exempt.
Why BHPH and finance dealers are almost always in
Buy-here-pay-here is the easy call. Carry your own paper and you're advancing funds on an obligation to repay — that's element three of the creditor test — and the loan you service is a covered account by definition. Finance dealers who pull credit to place paper with a lender hit element one. Either road puts you inside the rule.
The written program: four required elements
This is the heart of compliance. Under 16 CFR 681.1(d)(2), your written program needs reasonable policies and procedures to:
- Identify the red flags relevant to your accounts and build them into the program.
- Detect the red flags you've built in, in day-to-day operations.
- Respond appropriately to red flags you catch, to prevent and mitigate identity theft.
- Update the program from time to time as your risks change.
That's the skeleton. Everything else is just spelling out what each of those four looks like at your store.
The five categories of red flags
You don't have to dream up the warning signs yourself. Appendix A to 16 CFR Part 681 — the Interagency Guidelines, Supplement A — hands you 26 illustrative red flags sorted into five categories. Here's how they show up on a dealership floor:
- Alerts, notifications, or warnings from a consumer reporting agency. A fraud alert, a credit freeze, or an address-discrepancy notice on the report you just pulled.
- Suspicious documents. A driver's license that looks altered or forged, or a photo that doesn't match the person standing in front of you.
- Suspicious personal identifying information. A Social Security number that doesn't match, an address tied to known fraud, or details that don't line up across the application.
- Unusual use of, or suspicious activity related to, the covered account. Patterns that don't fit a real buyer or borrower.
- Notice from customers, identity-theft victims, law enforcement, or other persons that fraud may have happened.
Detecting them at the deal desk
Detection isn't some abstract idea. It's the F&I office doing its job. Check the customer's ID against the customer. Actually read the address-discrepancy notices the bureau sends back instead of clicking past them. Hold the credit application up against the documents the buyer hands you. The detection step mostly comes down to training your people to look, and to know what "looks wrong" actually looks like.
Responding the right way — and documenting it
When a red flag trips, your response should match the risk: ask for more verification, hold off on opening the account, kill the deal, call the customer, or get law enforcement involved. The part dealers skip is writing down what they did. A response you can't document is, as far as an audit goes, a response that never happened. Record the flag, the response, and who handled it.
Administering the program
The rule has governance rules, not just procedures. Per 16 CFR 681.1(e):
- The program has to be approved by your board of directors (or an appropriate committee). No board? A designated senior management employee approves it.
- Senior management oversees the program on an ongoing basis.
- Staff get trained as needed to run it.
- You keep appropriate oversight of service provider arrangements — meaning the lenders and vendors who touch your covered accounts.
For most independent and used-car stores, that means an owner or manager signs off, trains the F&I team, and keeps an eye on the lenders in the mix.
What it costs to comply: basically staff time
Here's the part that catches dealers off guard when they assume they need to buy something. The rule is scalable: it has to be "appropriate to the size and complexity" of your business and what you actually do. The FTC says outright that a streamlined program can work for a low-risk business; for example, one whose program mostly lays out how it will respond if someone tells it an identity was misused. A low-risk shop still needs a written program approved by its board or a senior employee, but it doesn't need an enterprise build.
And the FTC hands you the template. It puts out a free how-to guide for business, including a fill-in-the-blanks template for low-risk businesses that know their customers. You don't need to buy a third-party product to be compliant. You need to do the work.
Penalties and enforcement
The Red Flags Rule is enforced under the Fair Credit Reporting Act. The inflation-adjusted civil penalty for a knowing violation under FCRA Section 621(a)(2), 15 U.S.C. 1681s(a)(2), is $4,983 per violation under 16 CFR 1.98 (for penalties assessed after January 17, 2025), and that number gets adjusted for inflation every year. The fines aren't the whole story, either. Gaps leave you eating the fraud losses yourself and taking the reputational hit when a customer's identity gets stolen on your watch.
How it fits with your other obligations
The Red Flags Rule doesn't stand alone, and it's easy to mix up with its cousins:
- FTC Safeguards Rule — a separate obligation, often on the same dealer. Safeguards is about running an information security program to protect customer data; Red Flags is about catching and reacting to signs of identity theft when accounts are opened or used. A finance or BHPH dealer usually needs both.
- OFAC screening and other compliance items round out the picture.
Think of Red Flags as the "is this person who they say they are?" layer, and Safeguards as the "is their data locked down?" layer.
Putting it on autopilot
The rule rewards a process you actually run on every deal, not a binder collecting dust on a shelf. This is where your DMS pays for itself: capturing the identity-verification steps inside the deal workflow, surfacing the warning signs as you go, and logging the response so the documentation is there when an examiner asks. AutoDealer.io's built-in Red Flags identity checklist is built to run exactly the detect-respond-document loop the rule calls for, so compliance happens inside the deal instead of in some separate task nobody remembers to do.
Want to see how that fits your store? Start a free trial or see the features.
Frequently asked questions
Does the FTC Red Flags Rule apply to car dealers?
Yes, for most dealers who arrange or provide financing. The Red Flags Rule (16 CFR Part 681) applies to "creditors" with "covered accounts." After the Red Flag Program Clarification Act of 2010, a creditor is a business that regularly uses consumer reports, furnishes information to credit bureaus, or advances funds to be repaid in connection with a credit transaction. A dealership that pulls credit to arrange financing, or that carries its own paper (BHPH), meets that definition — and the rule's own examples list an "automobile loan" as a covered account.
What is a written Identity Theft Prevention Program and what must it include?
It's the document the Red Flags Rule requires every covered creditor to create. Under 16 CFR 681.1(d)(2) it must have reasonable policies and procedures to do four things: (1) identify the red flags relevant to your accounts, (2) detect those red flags in daily operations, (3) respond appropriately to red flags you detect to prevent and mitigate identity theft, and (4) update the program periodically as risks change. It must be approved by your board or a senior manager, supported by staff training, and include oversight of your service providers.
What are the categories of "red flags" a dealership must watch for?
Appendix A to 16 CFR Part 681 lists 26 example red flags in five categories: alerts or warnings from a consumer reporting agency; suspicious documents (like an ID that looks altered); suspicious personal identifying information (such as an SSN that doesn't match or an address tied to fraud); unusual use of or suspicious activity on the account; and notice from a customer, an identity-theft victim, or law enforcement that fraud may have occurred.
What does it cost to comply with the Red Flags Rule?
It can cost essentially nothing but staff time. The FTC publishes a free how-to guide and a fill-in-the-blanks template aimed at low-risk businesses that know their customers. The rule is scalable: it must be "appropriate to the size and complexity" of your business, so a small dealer can adopt a streamlined written program rather than an enterprise one. You do not need to buy a third-party product to be compliant.
What are the penalties for not having a Red Flags Rule program?
The rule is enforced under the Fair Credit Reporting Act. The inflation-adjusted civil penalty for a knowing violation under FCRA Section 621(a)(2) (15 U.S.C. 1681s(a)(2)) is $4,983 per violation as set in 16 CFR 1.98 (effective for penalties assessed after January 17, 2025), and that figure is adjusted annually for inflation. Beyond fines, gaps expose the dealership to fraud losses and reputational harm.
Is the Red Flags Rule the same as the FTC Safeguards Rule?
No. They are separate obligations that often apply to the same dealership. The Red Flags Rule (16 CFR Part 681) is about detecting and responding to signs of identity theft when accounts are opened or used. The Safeguards Rule is about maintaining an information security program to protect customer data. A finance or BHPH dealer typically needs both, plus other compliance items like OFAC screening.
Where to start
You don't need a consultant or a software contract to get compliant. You need a written program, trained people, and the habit of writing down what you do. Pull the FTC's free template, size it to your store, and bake the detection and response steps into how you already run deals. If you'd rather have that built into your deal workflow than living in a separate binder, take a look at how AutoDealer.io handles it whenever you're ready.