FTC Safeguards Rule Compliance: Surveillance, Access Control, and Network Infrastructure for Oklahoma and North Texas Auto Dealers
If you sell vehicles and offer or arrange financing, the Federal Trade Commission considers you a financial institution. That single sentence — buried for years in Gramm-Leach-Bliley implementation guidance and largely ignored by independent dealers — became operationally enforceable on June 9, 2023, when the amended FTC Safeguards Rule at 16 CFR Part 314 took full effect. A further amendment in 2023 added breach reporting requirements that took effect May 13, 2024, requiring covered institutions to notify the FTC within 30 days of any security event involving the customer information of 500 or more consumers.
Most independent dealers have been told “you have to comply with the FTC Safeguards Rule” by their compliance attorney, their dealer-management-system vendor, or their NADA contact. Most have nodded, written a check for a generic policy template, and moved on. The actual technical controls the rule requires — encrypted storage, access logging, multi-factor authentication, network segmentation, secure disposal, monitoring, and the ability to detect and respond to a security event — are still not in place at most independent dealerships in Southwest Oklahoma and North Texas.
The state regulatory layer adds inspection authority on top. In Oklahoma, the Oklahoma New Motor Vehicle Commission licenses new-vehicle dealers under Title 47, while the Oklahoma Used Motor Vehicle, Dismantler, and Manufactured Housing Commission regulates used and wholesale dealers under Title 765 of the Oklahoma Administrative Code — with location inspections, bond requirements, and operational standards that include records production on demand. In Texas, the Texas Department of Motor Vehicles regulates dealer licensing under Texas Occupations Code Chapter 2301, with retail installment contracts governed by Texas Finance Code Chapter 348. Both states require dealers to produce records and respond to investigations on regulator timelines that consumer-grade surveillance and consumer-grade IT cannot meet.
The compliance burden does not stop with the regulators. Manufacturers impose surveillance and security expectations on franchised dealers as conditions of dealer agreements. Floor plan lenders impose loss prevention and security requirements as conditions of financing. Insurance carriers impose surveillance retention and access control requirements as conditions of property and liability coverage.
The dealer who cuts corners on infrastructure is cutting corners against four different oversight relationships at once.
The penalty structure is real. FTC enforcement under the Safeguards Rule can reach $50,120 per violation under 2024 inflation-adjusted maximums, and a single data breach can multiply violations across thousands of customer records. The reputational damage from a publicly disclosed dealer breach — name in the local news, every customer notified by mail, every floor plan lender and manufacturer reviewing the dealer agreement — can end an independent dealership.
Red River Integration deploys the Ubiquiti UniFi ecosystem — enterprise infrastructure used in Fortune 500 commercial environments worldwide — engineered specifically for the dealership operation. The showroom and sales floor. The finance and insurance offices where deal jackets and credit applications live. The service write-up area. The parts counter. The lot, the back row, and the perimeter. Every system we install is designed to satisfy the technical controls the FTC Safeguards Rule actually requires, alongside state regulator records production timelines, manufacturer dealer agreement standards, and the carrier and lender expectations that ride on top of all of it.
What the FTC Safeguards Rule Actually Requires. What We Build.
Access Controls Under 16 CFR §314.4(c)(1)
The Safeguards Rule requires covered institutions to implement and periodically review access controls — including technical and physical controls — to authenticate and permit access only to authorized users, and to limit authorized users’ access only to the customer information they need to perform their duties.
UniFi Access enforces and documents every one of those requirements at the physical layer. Every door to the F&I office, the records storage room, the server closet, and the after-hours service entrance is logged with timestamp, credential, and a camera-linked video record. Time-based permissions automatically restrict access outside authorized hours. When a salesperson, F&I manager, or service writer separates from the dealership, credentials revoke from the management console in seconds — no rekeying, no exposure window, no after-hours return visits.
When the FTC, a state commission inspector, a floor plan auditor, or a plaintiff’s attorney asks who accessed your records storage on a specific date, you produce a timestamped, video-confirmed answer in seconds.
Multi-Factor Authentication Under 16 CFR §314.4(c)(5)
The Safeguards Rule requires multi-factor authentication for any individual accessing any information system, with limited exceptions. Most independent dealerships still log into their dealer management system, their CRM, and their email with a password and nothing else — a configuration that is now, as of June 2023, technically out of compliance with federal regulation.
UniFi networking infrastructure provides the foundation for proper authentication architecture, with VLAN segmentation that limits which systems are even reachable from which user accounts, captive portal authentication for guest and employee Wi-Fi, and integration paths for the MFA platforms that satisfy the rule’s requirements.
Encryption and Data Security Under 16 CFR §314.4(c)(3)
The Safeguards Rule requires encryption of all customer information held or transmitted, both at rest and in transit. Customer information under §314.2 includes any record containing nonpublic personal information about a customer of a financial institution — which for an auto dealer includes credit applications, deal jackets, retail installment contracts, financing documents, copies of driver’s licenses and insurance cards, and the entire customer database in your CRM and DMS. UniFi enterprise networking provides the segmentation foundation that makes encryption architecture enforceable, with proper network isolation between systems handling customer information and the rest of the dealership infrastructure.
Monitoring, Logging, and Detection Under 16 CFR §314.4(d)
The Safeguards Rule requires covered institutions to regularly test or otherwise monitor the effectiveness of safeguards’ key controls, systems, and procedures — including continuous monitoring or annual penetration testing and biannual vulnerability assessments. UniFi’s centralized management console produces a complete, exportable audit trail of every access event, every administrator action, every configuration change, and every camera event across the entire infrastructure. When a Qualified Individual under §314.4(a) needs to demonstrate to the dealership’s owner or board that the information security program is functioning, the evidence is in one console rather than scattered across four separate vendor portals.
Continuous Surveillance of Sales, F&I, Service, and Lot Areas
UniFi Protect delivers commercial-grade camera coverage across every operationally relevant zone — showroom and sales floor, F&I offices and customer-facing desks, service write-up area and customer waiting room, parts counter and inventory storage, service bays, used vehicle lot perimeter, new vehicle inventory rows, employee parking, and customer parking. AI-based detection identifies people and vehicles. License plate recognition logs every vehicle entering and leaving the lot — which is operationally useful for customer history, test drive documentation, and after-hours theft response. Recording is continuous to local NVR hardware regardless of internet status — the cameras keep recording whether the internet is up or down.
All footage records to storage hardware you own, inside the dealership, accessible only by personnel you authorize.
Retention That Satisfies Regulators, Manufacturers, and Carriers
Manufacturer dealer agreement audits, floor plan lender audits, FTC investigations, state commission inspections, and insurance claims all reference incidents that occurred weeks, months, or sometimes years before the request. UniFi Protect is configured with retention windows sized for the dealership’s actual exposure — 90 to 180 days standard, longer where manufacturer or carrier requirements warrant it. Footage is organized and searchable by date, time, camera, and event. When the request comes in — whether from the FTC, the manufacturer, the floor plan lender, the insurance carrier, or a plaintiff’s attorney — you produce the recording from your own storage in minutes.
After-Hours Lot Coverage and Vehicle Theft Defense
Independent and franchised dealers face a specific operational threat profile most retail businesses do not — millions of dollars of inventory parked outside, exposed to elements, accessible from public roadways, and visible to anyone driving by. Catalytic converter theft, key cloning attacks on push-button-start vehicles, and vehicle theft from dealer lots have all increased substantially in the post-2020 environment. UniFi Protect integrates intrusion detection, motion-triggered alerting, and license plate recognition with after-hours alarm integration. Triggers transmit alerts with embedded video to your central station monitoring service, your general manager, or directly to ownership.
Police arrive with footage already captured. Insurance claims are filed with documented evidence rather than reconstructed from the morning service walk.
Network Infrastructure for DMS, CRM, and Customer Wi-Fi Segmentation
UniFi enterprise networking provides the foundation — managed switches, enterprise routers, professionally configured wireless coverage across the showroom, the service drive, the parts counter, and the lot — with proper VLAN segmentation that isolates the dealer management system, the CRM, F&I workstations, service systems, surveillance and access control, employee Wi-Fi, customer Wi-Fi, and any digital signage from each other.
Network segmentation is the technical safeguard the FTC explicitly references throughout the Safeguards Rule guidance, and it is also the safeguard most overlooked in independent dealer IT.
A flat dealership network — where every device sees every other device — means a compromised customer Wi-Fi user, a compromised IoT device, or a compromised showroom tablet can reach the DMS holding every customer’s credit application. Proper segmentation eliminates that path entirely.
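The flat-versus-segmented contrast above can be checked mechanically. The following is an added example, not code from Red River Integration or Ubiquiti: it evaluates a first-match inter-VLAN rule table and lists every path from an untrusted zone into a zone holding customer information. Zone names, the rule format, and the sample rule sets are assumptions constructed for illustration, not a UniFi export format.

```python
from dataclasses import dataclass

# Assumed zone grouping, using the segments named in the text.
PROTECTED = {"dms", "crm", "fi"}          # systems holding customer information
UNTRUSTED = {"customer_wifi", "signage"}  # guest and IoT-style segments
OTHER = "other"  # stands for every port that no rule names explicitly


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    port: object  # int, or "any"
    action: str   # "allow" or "deny"


def decide(rules, default, src, dst, port):
    """First matching rule wins; the default action applies otherwise."""
    for r in rules:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.port in (port, "any")):
            return r.action
    return default


def exposed_paths(rules, default):
    """Return (src, dst, port) for each untrusted-to-protected flow allowed."""
    # Probing each port named in a rule plus OTHER covers the whole port space.
    ports = sorted({r.port for r in rules if r.port != "any"} | {OTHER}, key=str)
    return [(s, d, p)
            for s in sorted(UNTRUSTED)
            for d in sorted(PROTECTED)
            for p in ports
            if decide(rules, default, s, d, p) == "allow"]


# Constructed sample policies, each a (rules, default action) pair.
FLAT = ([], "allow")  # no rules at all: every device sees every other device
SEGMENTED = ([Rule("fi", "dms", 443, "allow"),
              Rule("service", "dms", 443, "allow")], "deny")
# A broad allow placed first shadows the guest deny that follows it.
MISORDERED = ([Rule("any", "any", 443, "allow"),
               Rule("customer_wifi", "any", "any", "deny")], "deny")

if __name__ == "__main__":
    for name, (rules, default) in [("flat", FLAT), ("segmented", SEGMENTED),
                                   ("misordered", MISORDERED)]:
        print(name, exposed_paths(rules, default))
```

The misordered policy shows why rule order needs review as well as rule content: the deny for customer Wi-Fi exists, but under first-match evaluation it never applies to port 443.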
Cellular Failover for Uninterrupted Access and Alerts
UniFi Protect records continuously to local NVR hardware on your network regardless of internet status — that footage is captured and retained on infrastructure inside the dealership, not dependent on a cloud connection. What an internet outage does compromise is everything that depends on a working connection: DMS and CRM access for cloud-hosted platforms, F&I credit pulls and lender submission, after-hours intrusion alerts to central station monitoring, real-time alert delivery to the general manager, and the management plane for surveillance and access control.
UniFi 5G Max provides automatic dual-SIM cellular failover — the moment your primary connection drops, the system fails over without manual intervention and your DMS access, F&I credit pulls, alarm signaling, and management capabilities stay online without interruption. For dealerships in rural service areas across Southwest Oklahoma and North Texas where wired internet reliability is inconsistent, 5G Max can also serve as the primary connection — the difference between closing the deal and telling the customer to come back tomorrow.
Why Local, Private Infrastructure Matters Specifically for Dealers
Cloud-based surveillance and access control vendors create a specific problem for auto dealers operating under the Safeguards Rule. The rule explicitly addresses service provider oversight under §314.4(f), requiring covered institutions to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information — and to periodically assess those service providers based on the risk they present. A cloud camera vendor that ingests footage capturing F&I office activity, customer driver’s licenses on copy machines, and credit application screens is a service provider with potential access to nonpublic personal information. The vendor’s own security posture is now, by extension, the dealership’s compliance exposure.
Most cloud surveillance contracts do not include the contractual safeguards the FTC expects. Most cloud vendors do not undergo the kind of service provider assessment §314.4(f) requires.
The dealer who chose the cloud system because it was cheaper than local storage often discovers, mid-FTC investigation, that the cheaper system created a compliance gap that local infrastructure would have closed.
Every system Red River Integration deploys records and stores locally. Footage stays on hardware you own, inside the dealership, accessible only by personnel you authorize. Access logs stay on systems you control. The service provider relationship that the Safeguards Rule asks you to assess is the relationship between you and your own infrastructure — not between you and a cloud vendor with access to your customers’ financial data. When the FTC, a manufacturer auditor, or a plaintiff’s attorney requests footage with a proper legal basis, you produce it from your own storage on your own systems.
Built for Your Dealership Type
- Franchised New Vehicle Dealers — Franchised dealers operating under manufacturer agreements face the Safeguards Rule on top of brand-mandated security and surveillance standards, floor plan lender audit requirements, and the state commission oversight specific to new vehicle licensing. We design infrastructure that satisfies the manufacturer, the lender, and the regulators from a single integrated platform.
- Independent Used Vehicle Dealers — Independent used dealers operating under Oklahoma Title 47 §583 and the Texas General Distinguishing Number framework administered by TxDMV operate without manufacturer compliance overlay but face the same FTC Safeguards Rule burden, the same state commission oversight, and a more variable insurance carrier relationship. We design infrastructure scoped to the actual operation.
- Buy-Here-Pay-Here Dealers — BHPH operations are uniquely exposed under the Safeguards Rule because the dealer is the lender — every BHPH customer is, definitionally, a customer in a continuing financial relationship under §314.2. The customer information protected is more sensitive, the retention period is longer, and the compliance scrutiny is correspondingly greater. We design infrastructure that reflects that exposure.
- Wholesale Dealers and Auctions — Wholesale operations carry their own state commission licensing under Oklahoma’s Used Motor Vehicle, Dismantler, and Manufactured Housing Commission and equivalent Texas oversight, with bond and inspection requirements that turn on records production. We design surveillance and access control engineered for the operational profile of a wholesale yard or auction facility.
- Multi-Location Dealer Groups — Dealer groups operating multiple rooftops face a more complex compliance posture — centralized DMS hosting, shared customer information across locations, and the need to demonstrate consistent safeguards across every location during an FTC investigation. We design infrastructure with centralized management and consistent configuration across every location, satisfying the Safeguards Rule’s emphasis on a written information security program that applies enterprise-wide.
Every Installation Is Engineered for That Dealership. Not Adapted From a Template.
We don’t sell a standard dealership package. We assess your dealer type, your manufacturer relationships, your floor plan lender requirements, your state commission posture, and the specific gaps in your current infrastructure that the FTC Safeguards Rule’s nine elements ask about — and we engineer a system that satisfies the regulators, the manufacturer, the lender, and the carrier from a single integrated platform.
Built on the Ubiquiti UniFi ecosystem — enterprise infrastructure deployed in Fortune 500 commercial environments worldwide — installed and configured by a team that understands the difference between a generic IT vendor’s “Safeguards Rule package” and a system that actually satisfies 16 CFR Part 314.
Serving Southwest Oklahoma and North Texas
Red River Integration serves franchised, independent, and wholesale auto dealerships across Southwest Oklahoma — including Lawton, Duncan, Altus, Chickasha, Anadarko, Ardmore, and the surrounding counties — and across North Texas, including Wichita Falls and the surrounding communities.
Ready to Talk About Your Dealership?
Your manufacturer agreement, your floor plan, your state license, and your customer database are too valuable to trust to consumer-grade equipment and a generic IT vendor who cannot tell you which of the nine elements of 16 CFR §314.4 their package actually satisfies.
Call us at (580) 289-8181 or fill out the form on our contact page. Consultations are confidential and there’s no obligation.