
The Red Flags Rule for car dealers

What the FTC Red Flags Rule actually requires of US car dealerships, how to build a written Identity Theft Prevention Program, and how modern ID verification satisfies each element.

What the Rule is

The Red Flags Rule is a regulation enforced by the FTC requiring financial institutions and “creditors” that maintain “covered accounts” to develop and implement a written Identity Theft Prevention Program (ITPP) designed to detect, prevent, and mitigate identity theft.

Does it apply to car dealerships?

In most cases, yes. A dealership that arranges financing or extends credit to customers — which is essentially every franchise store and most independents — is treated as a creditor under the Rule. The FTC has confirmed in guidance that auto dealers generally qualify.

What a compliant ITPP must include

  1. Identification of relevant red flags. Patterns, practices, or activities indicating possible identity theft — for example, a suspicious document, suspicious personal identifying information, unusual use of a covered account, or notice from a customer of identity theft.
  2. Detection of those red flags. The dealership’s systems and procedures must be designed to actually catch the red flags it identified.
  3. Response to detected red flags. When a red flag fires, the dealership must respond appropriately — holding a transaction, contacting the customer, notifying law enforcement, or declining the deal.
  4. Program updates. The ITPP must be reviewed and updated periodically to reflect new risks, new products, and operational changes.
  5. Administration. The program must be approved by the board (or senior management) and overseen by a designated individual, staff must be trained on it, and it must include oversight of service providers.

How ID verification maps to the Rule

ID verification is a core detection control. Microblink BlinkID parses the ID document in-browser; IDScan DIVE Online cross-checks authenticity, expiration, and risk signals. A failed or suspicious verification fires a red flag, triggers a response in the dealership’s written program, and is logged to the audit trail.

Retention

While the Rule itself does not specify a retention period, examiners generally expect documentation sufficient to reconstruct the program’s effectiveness over multiple years. Five to seven years of program documentation is a reasonable default.

Where dealers most often fall short

  • No written ITPP at all, or a one-page template nobody follows.
  • ID verification that is just a photocopy in a drawer.
  • No logged responses when a red flag fires.
  • No training record for staff.
  • No service-provider oversight (including the dealership’s own software vendors).

How Test Drive Pro helps

Test Drive Pro produces the detection layer (BlinkID + DIVE Online), the logged response (drive held if verification fails, override logged, manager-approval audit), the audit trail (retained per policy), and the documentation trail the examiner wants to see. Your written ITPP still belongs to the dealership — we give your program the evidence it needs.

This is general information, not legal advice. Consult your counsel for a Red Flags Rule ITPP specific to your state and operation.

Compliance is a product, not a policy doc

See how Test Drive Pro builds the evidence layer your counsel and your examiners want.