Department of Banking and Securities Audits – Cybersecurity Policies Requested

May 14, 2018 | Member News

The Department of Banking and Securities (DOBS) regularly audits dealerships throughout Pennsylvania to determine compliance.

Recently, DOBS has asked dealers to produce their cybersecurity policy during an audit. Often, this information is part of the dealership’s ‘Information Safeguards & Identity Theft Red Flags Manual.’


Under the Gramm-Leach-Bliley Act (GLBA), when dealerships collect personally identifiable financial information from customers to provide financing services, they are classified as financial institutions, subjecting them to the legislation’s requirements for securing client data.


The Safeguards Rule requires dealers to adequately protect and safeguard customer information. Customer information is defined as any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the dealership or its affiliates.


PAA recommends an all-inclusive Information Safeguards & Identity Theft Red Flags Manual, which also includes the cybersecurity policies, developed by Auto Advisory Services and available online at heftPreventionandRedFlag.aspx.


The following is a summary of frequent violations found by the DOBS and a list of some of the other items that the DOBS is checking for when auditing a dealership.


Violations Found in Recent Audits

In audits recently conducted, DOBS auditors have found the following violations in dealerships:


  • Dealers failed to renew Installment Seller’s License by October 1. Installment seller’s licenses enable dealerships and other businesses to engage in third party financing. These licenses should be renewed online at Dealers should note that the application is sometimes overlooked in dealerships due to employee turnover.
  • Dealers failed to provide customers with an incidental products disclosure form. Customers must sign the disclosure notice and dealers must retain a copy with the finance contract. [PAA’s Dealer Purchasing supplies disclosure forms. Call 1-800-692-7295 for ordering information or visit]
  • Dealers were not separately itemizing products that were not physically attached to the vehicle (i.e., service contracts, GAP) on the finance contract with a specific price for each item.

Among other things, the DOBS is checking for:


  • maintenance of records;
  • content of sales contracts;
  • prohibited provisions in contracts;
  • transfer of installment sale contracts to licensed financial institutions;
  • finance charges;
  • repossession;
  • executed contracts and release of liens;
  • prohibited charges;
  • Red Flags program in place;
  • Safeguarding Customer Information program in place; and
  • compliance with applicable federal laws (e.g., Gramm-Leach-Bliley Act, FTC Safeguards Rule, Fair and Accurate Credit Transactions Act, Fair Credit Reporting Act, and the Equal Credit Opportunity Act).


The DOBS may conduct an examination at its discretion. On average, the department examines every installment seller at least once every five years. However, the department may choose to examine a licensee at any time, including in response to specific consumer inquiries.


In a typical on-site exam, the department examiner will arrive at the dealership and review a sample of materials on the premises. They will request a workspace, electrical outlet, photocopier, and a secure place to store files and belongings.



The examiner will hold a meeting with the dealership’s management to determine how the dealership operates and will provide a questionnaire requesting information on:


  • Name and address of the institutions to which the dealership assigned contracts in the past year;
  • Volume number and monetary value of contracts written in the past three years; and
  • Name of any employees who have been charged, convicted, pleaded guilty or no contest to any criminal offense, except summary offenses, along with an explanation of why that individual is employed by the dealership.


Generally, the examiner will request to see approximately 30 installment sale contracts along with the supporting paperwork. The examiner may request additional contracts depending on the circumstances of the examination and the size and complexity of the dealership. There is no limit as to how many contracts the examiner may request.


The examiner’s goal is to determine if an issue exists, to conclude whether an issue was singular or systemic and to accomplish all corrective action during the examination when possible.


After the examination, the DOBS will send an invoice to the dealership’s management. The invoice will reflect the amount due to the DOBS for the costs of the examination, currently calculated at a rate of $508 per examiner per day, without additional fees related to travel or expenses, and the due date for the invoice to be paid to the department.


Courtesy of PAA Bulletin No. 9, 5/10/2018