Auto Dealer Compliance in Ohio, Made Manageable
Auto dealer compliance in Ohio is not one rule - it is a stack of federal and state obligations that every store has to meet at once: the FTC Safeguards Rule, the Used Car Rule, OFAC screening, the Red Flags Rule, and advertising law. NOADA’s member compliance support pulls those obligations into one place and translates each into what your dealership actually has to do. This page is the overview; the working guidance lives in the gated member portal.
The stakes are real and rising. Knowing violations of an FTC rule can carry significant civil penalties per violation; the amount is set by the FTC and adjusted for inflation, and regulators have made dealerships a stated priority. Compliance is not paperwork for its own sake; it is the difference between a clean exam and a costly enforcement action. NOADA’s job is to keep your store on the right side of it without making compliance a full-time job for someone who does not have one.
This page is general guidance for NOADA members, not legal advice. Rules, penalty amounts, and enforcement evolve, so confirm current requirements at ftc.gov and the Ohio sources linked at the bottom, and consult counsel for your store’s specific situation.
The compliance stack at a glance
| Rule | What it governs | Core dealer obligation |
|---|---|---|
| FTC Safeguards Rule (GLBA) | Customer data security | Written information security program (WISP) |
| FTC Used Car Rule / CARS | Used-vehicle disclosures | Buyers Guide on every used unit |
| OFAC | National-security screening | Check buyers against the SDN list; retain records |
| Red Flags Rule | Identity-theft prevention | Written Identity Theft Prevention Program |
| Advertising | Truth in advertising | FTC + Ohio consumer-protection compliance |
Each section below explains the obligation in plain language and points to where NOADA helps.
FTC Safeguards Rule
Because dealers extend or arrange credit, the FTC treats them as “financial institutions” under the Gramm-Leach-Bliley Act - which means the Safeguards Rule applies to your store. It requires a comprehensive written information security program (WISP) reasonably designed to keep customer information secure and confidential, protect against anticipated threats, and protect against unauthorized access that could harm a customer.
The current Rule spells out specific elements your program must include:
- Designate a qualified individual to oversee and run the program.
- Conduct a written risk assessment of where customer data lives and how it could be exposed.
- Implement safeguards - access controls, encryption of customer information at rest and in transit, multifactor authentication for anyone accessing your systems, and logging of activity.
- Oversee service providers - select vendors that can protect customer data, require it in the contract, and reassess them periodically.
- Maintain a written incident-response plan - your blueprint for responding to and recovering from a security event.
- Train employees and keep the program current based on monitoring, testing, and changes to your business.
- Report to leadership - the qualified individual provides a written report to a board or senior officer (generally annually).
Two NOADA benefits plug straight in: secure document shredding with an annual audit for your federal compliance reporting, which covers the destruction of nonpublic personal information the Rule expects you to control, and compliance education that keeps your qualified individual current. See Member benefits and Education.
FTC Used Car Rule (and CARS)
For dealers selling used vehicles above the FTC’s threshold, the Used Car Rule applies. Its centerpiece is the Buyers Guide - a window sticker that must be displayed prominently and conspicuously on every used vehicle before you display it or let a customer inspect it for purchase, even if the car is not yet fully prepped for delivery.
The Buyers Guide discloses whether the vehicle is sold with a warranty and, if so, its terms, including the duration, the share of repair costs the dealer covers, and which systems are included. The FTC has updated the form and the systems it lists over time, so use the current version. The guide also tells consumers to ask about a pre-purchase inspection, warns against relying on spoken promises, and lists the major vehicle systems and the defects that can occur in each. If you conduct the sale in Spanish, you must post a Spanish-language Buyers Guide. Confirm the current threshold and form requirements at ftc.gov.
NOADA helps members keep current Buyers Guide stock and the related disclosures through the dealer forms service, and tracks federal changes (such as ongoing CARS-related developments) through Regulatory updates.
OFAC screening
The Treasury Department’s Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals and Blocked Persons (SDN) list - individuals and entities the U.S. government has flagged as national-security or sanctions risks. Before completing a deal, a dealership should compare the customer’s name against the SDN list and document that it did so.
A recent change raised the stakes on recordkeeping: the OFAC statute of limitations was extended, which means OFAC screening documentation should be retained longer than many stores plan for. Confirm the current retention period and update your deal-jacket retention and document-storage policy accordingly.
Red Flags Rule
The Red Flags Rule requires dealers that offer or arrange credit to maintain a written Identity Theft Prevention Program (ITPP) designed to detect, prevent, and mitigate identity theft. A compliant program identifies relevant “red flags,” builds them into your deal process, and trains staff to respond when one appears (a mismatched address, a suspicious document, a credit-application inconsistency).
The Red Flags Rule and the Safeguards Rule reinforce each other: one protects against identity theft at the point of sale, the other protects the data behind it. NOADA’s toolkit treats them together so your store is not solving the same problem twice.
Advertising compliance
Dealer advertising sits under both the FTC (truth-in-advertising standards, clear and conspicuous disclosure of material terms) and Ohio’s Consumer Sales Practices Act and BMV/Attorney General guidance. The recurring traps are familiar: bait-and-switch pricing, undisclosed fees, unavailable advertised vehicles, fine-print disclaimers that contradict the headline, and unsubstantiated claims. The safe rule is simple to state and harder to live by: the deal a customer can actually get has to match the deal you advertised.
NOADA helps members keep advertising clean through education and regulatory monitoring, and flags enforcement trends before they reach your store. For advertising questions about your store, call (330) 272-9011, and confirm current rules at ftc.gov and with the Ohio Attorney General.
How NOADA helps members stay compliant
NOADA pulls the rules, plain-language guidance, and updates into one place for members and ties them to the education and supporting services a store needs:
- Plain-language summaries of each rule and what it requires of your store.
- Practical guidance on the building blocks of a program: a WISP, an incident-response plan, Red Flags program elements, and Buyers Guide and OFAC practices.
- Regulatory updates translated into dealership terms, tied to Advocacy/Regulatory.
- Education - the workshops, roundtables, and webinars on Education that keep your team current.
- Supporting services - secure document destruction, and compliance help through Endorsed partners.
For details on what is available to your store, call NOADA at (330) 272-9011.
A practical compliance checklist
Use this as a starting self-audit; the member toolkit expands each item:
- A current WISP with a designated qualified individual and a written risk assessment
- MFA, encryption, access controls, and logging in place on systems holding customer data
- A written incident-response plan and an annual report to leadership
- Service-provider contracts that require safeguards, reviewed periodically
- A Buyers Guide on every used unit (Spanish where applicable), with current disclosures
- OFAC SDN screening on buyers, documented and retained per the current requirement
- A written Red Flags ITPP built into the deal process, with staff trained
- Advertising reviewed against FTC and Ohio standards before it runs
- Secure document destruction with a compliance audit (a NOADA benefit)
- Staff trained and the program kept current as rules change
Frequently asked questions
Does the FTC Safeguards Rule really apply to my dealership? Yes. Because dealers arrange or extend credit, the FTC treats them as financial institutions under GLBA, so the Safeguards Rule and its written-information-security-program requirement apply.
What has to be on a Buyers Guide? Whether the vehicle carries a warranty and its terms, the systems covered, a pre-purchase-inspection suggestion, a warning against unwritten promises, and the major vehicle systems. A Spanish-language guide is required for sales conducted in Spanish. The FTC updates the form over time, so use the current version from ftc.gov.
How long do I have to keep OFAC screening records? The OFAC statute of limitations was extended, so records should be kept longer than many stores plan for. Confirm the current retention period and update your deal-jacket retention accordingly.
What is the difference between the Safeguards Rule and the Red Flags Rule? Safeguards protects customer data through a written security program; Red Flags requires a written program to detect and prevent identity theft at the point of sale. Most dealers need both.
Is NOADA’s compliance support available to non-members? NOADA’s compliance support is a member benefit accessed through the member portal. Join NOADA to use it, or call (330) 272-9011 with questions about access.
Does NOADA give legal advice? NOADA provides compliance education, tools, and updates, and connects members with vetted partners and counsel where needed. For your store’s specific legal questions, consult an attorney.
Get compliant and stay there
- Join NOADA - get NOADA’s compliance support
- See all dealer services - title, licensing, forms, education
- Regulatory updates - what changed and what it means
- Questions? Call (330) 272-9011