Dealership Compliance Audit Checklist: Annual Self-Assessment
This article is for informational purposes and does not constitute legal advice. Consult qualified legal counsel for compliance guidance specific to your dealership.
If your annual compliance review is a one-hour HR training and a stack of forms no one actually reads, you’ve got exposure you probably don’t know about. The regulatory environment around auto retail has never been more active — and the agencies enforcing it have never had more tools, more data, or more appetite to make examples of dealers. A thorough dealership compliance audit checklist isn’t bureaucratic overhead. It’s operational risk management, and the stores that treat it that way are the ones that don’t end up in consent decrees.
—
Bottom Line Up Front
Non-compliance in auto retail isn’t a theoretical problem. It’s a business continuity problem. A single FTC action, CFPB referral, or state AG investigation can cost you your franchise, your floor plan relationship, and your license — in addition to civil penalties and class action exposure. The question isn’t whether you’ll face regulatory scrutiny at some point. It’s whether your store is built to pass it when it arrives.
The stores that get hit hardest aren’t always the ones doing something intentionally wrong. They’re often stores where the processes got sloppy, the training lapsed, or a single F&I producer developed habits nobody audited. You can’t fix what you’re not measuring. That starts with a structured annual self-assessment.
—
Regulatory Overview
The Laws That Govern Your Store
Auto retail touches more regulatory frameworks than most dealers fully appreciate. At the federal level, your primary exposure points include:
- FTC Act (Section 5): Unfair or deceptive acts and practices — this is the parent authority behind most FTC dealer enforcement, and it’s broad enough to reach advertising, F&I, and your online payment calculators.
- Gramm-Leach-Bliley Act (GLBA) / Safeguards Rule: Governs customer data security and privacy. The FTC’s updated Safeguards Rule has materially expanded your obligations around data protection, vendor oversight, and incident response.
- Equal Credit Opportunity Act (ECOA) / Fair Credit Reporting Act (FCRA): Covers how you handle credit applications, adverse action notices, and consumer data. CFPB has joint enforcement authority here.
- Truth in Lending Act (TILA) / Regulation Z: Disclosure requirements for retail installment contracts, including payment, APR, and financing term accuracy.
- Bank Secrecy Act (BSA) / Anti-Money Laundering (AML): If a cash deal hits certain thresholds, IRS Form 8300 is mandatory. No exceptions, no discretion.
- FTC’s Vehicle Shopping Rule (formerly known as the “CARS Rule” or subsequent rulemaking): Disclosure, consent, and anti-junk-fee requirements for the vehicle sale process. Confirm current status and applicability with counsel, as this rulemaking has had a complex regulatory history.
Who Enforces It and Who It Covers
Every dealer — franchise and independent — is covered under federal consumer protection law. Franchise dealers carry additional OEM compliance obligations layered on top of federal and state law. The enforcing agencies aren’t operating in silos:
| Agency | Primary Authority | Dealer Impact |
|---|---|---|
| FTC | Advertising, F&I, Safeguards Rule | Deceptive practices, data security |
| CFPB | Fair lending, ECOA, FCRA | Indirect lending, adverse action |
| IRS | BSA / Form 8300 | Cash transaction reporting |
| State AG | State consumer protection statutes | Advertising, add-ons, spot delivery |
| State DMV / Licensing | Dealer license conditions | Title, registration, spot delivery |
| OEM Compliance Dept | Franchise agreement | Advertising co-op, pricing disclosures |
State AG offices have been particularly aggressive in recent years, and many states have consumer protection laws that go beyond the federal floor. Know your state’s specific requirements — they’re often more restrictive on advertising, dealer fees, and add-on disclosures.
—
Requirements Breakdown
F&I Disclosure and Documentation
Every deal jacket needs to tell a complete, accurate story. Required documentation at minimum includes the retail installment sales contract (RISC), the buyer’s order, the credit application, any adverse action notices issued, F&I product menus with signed acceptance or declination, and any aftermarket contract booklets. If it’s not documented, it didn’t happen — that standard will be applied to you in any enforcement action or litigation.
Adverse action notices are a common gap. When a deal doesn’t fund as structured, or a customer is declined or counter-offered by a lender, the FCRA triggers an adverse action notice requirement with specific timing. Automate this or put a checklist on every unconsummated deal.
Advertising Compliance
Your advertising — print, digital, social, email, SEM/paid search — is an FTC audit in waiting. Every ad that promotes a specific payment or financing offer must include the required Regulation Z disclosures if it’s a “triggering term.” One number can trigger a full disclosure requirement. Your marketing team and agency need to know this cold.
Bait-and-switch on pricing, unavailable vehicles in ads, and failing to honor advertised prices are the fastest ways to land in a state AG investigation. Maintain a creative archive — every ad, with the date it ran and a copy of any required disclosures — for at least three to five years.
Safeguards Rule and Data Security
The FTC’s Safeguards Rule requires a written information security program (WISP), a designated Qualified Individual (QI) responsible for information security, vendor oversight with written agreements, an incident response plan, and annual risk assessments. If you’re storing customer data — and you are, across your DMS, CRM, and third-party vendors — you have obligations here that most dealers haven’t fully operationalized.
Your DMS provider and CRM vendor are not automatically compliant on your behalf. You need written vendor agreements that address data security obligations. Pull those agreements now and confirm they exist.
Employee Training Requirements
ECOA and fair lending requirements mean your sales and F&I staff need documented training on non-discriminatory credit practices. Safeguards Rule training is required for employees who handle customer information. Red Flag Rules training is required for staff who can identify or flag identity theft indicators. Document every training session, including who attended, what was covered, and when.
—
Compliance Checklist
Use this framework as the backbone of your annual self-assessment. Adapt it to your state requirements and OEM obligations.
F&I and Deal Documentation
- [ ] Pull a sample of closed deal jackets — at minimum one month’s worth — and audit for completeness
- [ ] Confirm adverse action notices are being issued on every unfunded or counter-offered deal, within required timeframes
- [ ] Verify F&I menus are being used consistently and signed declinations are being retained
- [ ] Review your spot delivery policy and your “spot unwind” process against your state’s requirements
- [ ] Confirm Form 8300 filings are current for all qualifying cash transactions
Advertising and Marketing
- [ ] Pull your last 90 days of ads across all channels and review for triggering terms and required disclosures
- [ ] Confirm your creative archive is current and organized by date and medium
- [ ] Review your OEM co-op submissions for compliance with OEM advertising standards
- [ ] Audit your website for price and payment accuracy, including any online calculators
Data Security and GLBA Safeguards
- [ ] Confirm your WISP is written, current, and signed off by your Qualified Individual
- [ ] Pull your vendor list and confirm written data security agreements exist for all who access customer data
- [ ] Verify annual risk assessment has been completed and documented
- [ ] Confirm your incident response plan is current and your team knows their roles
Fair Lending and Credit Compliance
- [ ] Run a fair lending analysis on your rate participation or markup data across protected classes
- [ ] Confirm adverse action notice process is documented and assigned to a specific role
- [ ] Review credit application handling for FCRA compliance, including permissible purpose and data retention
Employee Training
- [ ] Document all compliance training from the past year by employee name, topic, and date
- [ ] Schedule and document Red Flag Rules refresher
- [ ] Schedule and document ECOA/fair lending training for all F&I and sales staff
- [ ] Confirm all new hires received required training within 30 days of hire
Licensing and Regulatory Standing
- [ ] Confirm dealer license renewals are current in all states where you operate
- [ ] Confirm DMV bonds are current and in required amounts
- [ ] Review any open state AG, BBB, or CFPB complaints and confirm documented resolution
—
Common Violations and Penalties
The violations that actually generate citations aren’t exotic. They’re process failures that compound over time.
Advertising violations — misleading payment ads, bait-and-switch pricing, buried fees — are the single most common trigger for state AG investigations. One complaint from a customer, one competitor tip, or one proactive media monitoring sweep and you’re in a response posture that’s expensive even if you ultimately prevail.
Adverse action notice failures are prevalent and largely invisible until an audit or lawsuit surfaces them. The FCRA is strict, the timing requirements are specific, and class action plaintiffs’ attorneys know exactly what to look for.
Safeguards Rule deficiencies — no WISP, no vendor agreements, no documented QI — are now a primary FTC audit focus. A data breach without a compliant security program behind it isn’t just a PR problem. It’s a regulatory enforcement event.
Form 8300 failures create IRS exposure that dealers often don’t discover until a routine IRS audit surfaces unreported cash transactions. The penalties are significant and there’s no good-faith exception for ignorance of the threshold.
State AG consent decrees in auto retail regularly include multi-year compliance monitoring, required training programs, third-party audits, and civil penalties that affect the entire store’s profitability. Public consent decrees also follow a dealership’s reputation for years in review sites, local media, and OEM compliance files.
—
Building a Compliance Culture
Compliance doesn’t live in a binder. It lives in your processes, your deal flow, your training cadence, and your management accountability structure.
Designate a Compliance Point Person
Every store needs a designated compliance officer or compliance coordinator — someone who owns the audit calendar, tracks training completion, manages vendor agreements, and is the first call when a regulatory inquiry arrives. In a large group, this may be a dedicated role. In a single-point store, it’s often the F&I director, GM, or office manager with explicit accountability and a documented job scope.
Build the Audit Schedule Into Your Calendar
Your annual dealership compliance audit checklist should be scheduled in advance — not triggered by a problem. Quarterly mini-audits on high-risk areas (advertising, deal documentation, adverse action) combined with a comprehensive annual review is the cadence top stores use. Put it in the management calendar now, the same way you schedule your OEM reviews and your 20 Group prep.
Training as a Standing Agenda Item
At your managers meeting, compliance training completion should be a standing agenda item alongside your sales pace and inventory aging. If training is only discussed when someone gets cited, you’re already behind.
When to Involve Outside Counsel
If you receive a CID (Civil Investigative Demand), a subpoena, a formal state AG inquiry, or any communication from the FTC or CFPB, stop and call your attorney before you respond to anything. Proactively, most stores benefit from an annual outside counsel compliance review — typically a half-day engagement that benchmarks your policies and practices against current regulatory expectations. The cost of that review is a fraction of a single enforcement action.
—
Frequently Asked Questions
How often should we complete a formal compliance audit?
A comprehensive annual audit is the baseline. High-risk areas — advertising, F&I documentation, adverse action notices — warrant quarterly spot-checks. If you’ve had staff turnover in key compliance roles or received any regulatory inquiry, do an unscheduled review immediately.
Do independent dealers have the same compliance obligations as franchise dealers?
For federal law — FTC, GLBA Safeguards, ECOA, FCRA, BSA — yes, independent dealers are covered. Franchise dealers carry additional OEM-specific obligations layered on top. State requirements apply equally to both dealer types; confirm your state’s specific licensing and consumer protection statutes with counsel.
Who is responsible if an F&I producer violates ECOA or FCRA?
The dealership is responsible, not just the individual. The dealer is the creditor or the intermediary in the credit transaction, and enforcement actions name the dealer entity. Individual producers may face personal liability in some circumstances, but your store is always in the chain of responsibility — which is why training documentation and process controls matter so much.
What’s the biggest compliance gap most dealers don’t know they have?
Safeguards Rule deficiencies — particularly missing vendor agreements and an undocumented or non-existent WISP — are the most common gap we see in dealer compliance reviews. Most dealers assume their DMS or CRM vendor handles it. They don’t, not completely. You own the program.
Does our F&I product menu presentation need to comply with specific legal requirements?
Yes — consistent menu presentation practices, documentation of acceptance and declination, and non-discriminatory product offering are all areas of regulatory and legal focus. Some states have specific requirements around menu presentation timing and structure. Work with your F&I product vendor, compliance trainer, and counsel to confirm your menu process meets current requirements in your state.
—
Conclusion
Compliance isn’t a project you complete. It’s an operating discipline — one that belongs in your management rhythm alongside your days-to-turn, your PVR, and your service absorption rate. The stores that stay clean aren’t the ones with the most elaborate compliance programs. They’re the ones where the GM actually reviews the audit checklist every year, the managers know who owns each process, and training happens on a schedule instead of in response to a crisis.
Pull your deal jackets. Review your advertising archive. Confirm your WISP exists and is current. Walk through this dealership compliance audit checklist with your compliance point person before your next managers meeting and identify the two or three gaps you’ll close in the next 90 days. That’s what operational compliance looks like.
If your store is ready to tighten the operational infrastructure that sits alongside your compliance work, CarDealership.com’s all-in-one dealer growth platform is built specifically for auto retail — giving you the CRM, automated lead follow-up, reputation management, and marketing tools your team needs to run a cleaner, more accountable operation. Book a demo or start your free trial to see what an integrated platform does for your store’s performance and your peace of mind.