Seventy-three percent of dealerships believe their AML (anti-money laundering) compliance program is current with federal requirements. Industry surveys suggest that number is probably wrong.
The FTC has been quietly tightening dealer compliance expectations for the past 18 months, and most dealership leadership hasn't felt it yet. A few have. The ones paying attention are restructuring their reporting thresholds, disclosure protocols, and customer identity verification processes. The rest are operating on assumptions that may cost them their dealer license.
Here's what's actually happened, what dealers misunderstand, and what you need to change Monday morning.
Myth #1: AML Thresholds Haven't Changed, So Your Old Procedures Still Work
This one seems reasonable on the surface. The federal cash transaction reporting threshold for banks has been $10,000 since 1970. Dealers often assume the same floor applies to them.
Wrong. And dangerously so.
Dealerships aren't banks. They're covered entities under FinCEN regulations, which means they have reporting obligations that exist alongside (not instead of) state dealer license requirements. The $10,000 threshold still exists at the federal level, but that's the floor for Suspicious Activity Reports (SARs), not the ceiling for dealership compliance.
What's changed: The FTC's Safeguards Rule, updated in 2023, expanded what "suspicious" means in a dealership context. It's no longer just about one transaction over $10,000. It's about patterns. Structuring. Customer behavior that doesn't make economic sense. A cash deal for a $7,000 vehicle paid by someone who normally finances at 84 months? That's worth documenting now. Multiple cash purchases under the reporting threshold by the same buyer in a short window? Pattern of concern.
State licensing boards are enforcing this interpretation aggressively. A dealer in Missouri lost renewal consideration last year after an audit found inadequate documentation of cash transactions under $5,000. The legal risk isn't just federal prosecution—it's losing your license.
The threshold hasn't changed. The definition of what triggers compliance has.
Myth #2: FTC Privacy Rules Don't Really Apply to Dealerships
They do. Completely.
The FTC's Privacy and Safeguards Rules were clarified in 2023 to apply directly to vehicle dealers. Not indirectly. Not as best practice. As binding regulation.
Here's what that means operationally:
- You must implement written safeguards for customer personal information—including driver's license numbers, financing details, trade-in valuations, and service history.
- You must have a process to identify and respond to security incidents involving that data.
- You must disclose your privacy practices to customers in writing before collecting information.
- You must allow customers to access and correct information you hold about them (within reason).
Most dealerships have a privacy policy somewhere. Usually buried on the website. Usually written five years ago. That's not compliance.
Compliance means your team knows what you're collecting, where it's stored, who has access, how long you keep it, and what happens when someone asks for it. A typical $18 million annual volume dealership might hold personal information on 4,000+ customers at any given time. If you can't articulate the safeguards protecting that data, you have a problem.
The FTC has issued three consent orders against auto dealers since 2022 for privacy violations. Two involved inadequate disclosure of data practices. One involved failure to secure customer financial information. None of them were "big" dealers by volume standards. All three lost their privacy cases, paid six figures in settlements, and underwent external compliance audits.
Myth #3: Your Dealership Doesn't Need to Worry About AML Unless You're in a High-Risk Market
This is backwards.
High-risk markets (certain urban areas, border regions) have more FinCEN scrutiny. That's true. But smaller dealerships in lower-risk areas often have weaker compliance systems precisely because they feel safer. That complacency is exactly what regulators look for during audits.
A dealer in a rural Kansas town with $12 million in annual revenue and a single cash transaction for $45,000 from a customer with inconsistent identification documents faces the same reporting obligation as a dealer in Phoenix moving 300 vehicles a month. The difference: the Kansas dealer probably doesn't have a documented Customer Identification Program (CIP), so when the audit happens, they can't prove what they actually verified.
Consider a scenario where you're looking at a cash deal for a $16,000 used pickup truck. The buyer presents identification but it doesn't match the name on the bill of sale his friend filled out. You complete the sale anyway. You didn't file a SAR because the transaction was under $20,000 and felt "normal." Six months later, that truck is recovered in connection with an investigation. Your dealership becomes a data point in a regulatory review. Without documentation showing what identity verification you performed, you're defending yourself in the dark.
The dealers who get this right, regardless of market size, have a written AML/CFT (Counter-Financing of Terrorism) program that applies to every cash deal over $3,000. Some go lower. They document customer identity, source of funds if asked, and red flags observed. They train their sales team quarterly. They keep records for five years. They report anomalies.
That's not overkill. That's baseline compliance.
Myth #4: Your F&I Department Handles All the Compliance; Sales and Service Don't Need to Know About It
This is how compliance fails.
Your F&I team sees financing patterns. Your sales team sees customer behavior, identification inconsistencies, and cash-flow decisions. Your service director sees whether a customer is keeping maintenance records or abandoning the vehicle after purchase. Your parts manager processes warranty claims and customer communications.
None of them work in isolation in a functioning compliance program.
A typical pattern: Sales sells a vehicle for cash. F&I never sees it (because there's no financing). Service never flags anything (because the customer drops the vehicle off, gets the work done, and leaves). But if that same customer buys three vehicles in six months, each for cash, each at different locations if you're a dealer group, and never comes back for service, that's a pattern worth documenting. A legitimate buyer would have registration questions, warranty questions, maybe a follow-up service appointment. Silence is suspicious.
Dealer groups especially struggle here. If your CRM (customer relationship management system) doesn't talk to your service scheduling system, and neither talks to your F&I reporting, you're flying blind. You might be documenting the same customer's transactions separately across three dealerships and never knowing it's the same person.
This is exactly the kind of workflow issue tools like Dealer1 Solutions were designed to fix, giving your team a unified customer database so patterns actually surface instead of staying buried in separate siloed records.
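The cross-location review described in Myth #1 (sub-threshold cash purchases by the same buyer in a short window) and Myth #4 (repeat cash buyer, multiple stores, no service follow-up) can be run as a simple rule over unified transaction records. The following is an added illustration, not code from the article or from Dealer1 Solutions; the $10,000 and $3,000 figures come from the article, while the 180-day window, the three-deal cluster size, the identity normalization on driver's license number, and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

FEDERAL_CASH_THRESHOLD = 10_000  # federal cash reporting floor named in the article
PROGRAM_CASH_THRESHOLD = 3_000   # the written AML program's documentation floor
WINDOW_DAYS = 180                # assumed: the article's "six months"
MIN_CLUSTER = 3                  # assumed: three sub-threshold cash deals in the window

# Constructed sample records from three stores of one dealer group; not real data.
DEALS = [
    {"date": date(2024, 1, 10), "location": "Store A", "dl_number": "K12-3456", "amount": 7_000, "payment": "cash"},
    {"date": date(2024, 3, 2), "location": "Store B", "dl_number": "k123456", "amount": 8_500, "payment": "cash"},
    {"date": date(2024, 5, 20), "location": "Store C", "dl_number": "K12-3456", "amount": 9_200, "payment": "cash"},
    {"date": date(2024, 2, 1), "location": "Store A", "dl_number": "M99-0001", "amount": 45_000, "payment": "cash"},
    {"date": date(2024, 2, 3), "location": "Store A", "dl_number": "P77-1212", "amount": 16_000, "payment": "finance"},
]
SERVICE_VISITS = [{"dl_number": "M99-0001", "date": date(2024, 4, 1)}]  # constructed

def buyer_key(record):
    """Normalize the ID so the same person matches across stores and CRM entries."""
    return record["dl_number"].replace("-", "").upper()

def review_cash_deals(deals, service_visits):
    """Return {buyer_key: [flag, ...]} for every cash buyer with something to document."""
    flags, by_buyer = defaultdict(list), defaultdict(list)
    for d in deals:
        if d["payment"] != "cash":
            continue  # lender handles the credit side; only cash deals are reviewed here
        k = buyer_key(d)
        by_buyer[k].append(d)
        if d["amount"] >= FEDERAL_CASH_THRESHOLD:
            flags[k].append(f"single cash deal at/over federal threshold: {d['amount']}")
        elif d["amount"] > PROGRAM_CASH_THRESHOLD:
            flags[k].append(f"cash deal over program threshold, document CIP: {d['amount']}")
    serviced = {buyer_key(v) for v in service_visits}
    for k, ds in by_buyer.items():
        ds.sort(key=lambda d: d["date"])
        sub = [d for d in ds if d["amount"] < FEDERAL_CASH_THRESHOLD]
        # Sliding window: MIN_CLUSTER sub-threshold cash deals within WINDOW_DAYS is a pattern.
        for i in range(len(sub) - MIN_CLUSTER + 1):
            span = (sub[i + MIN_CLUSTER - 1]["date"] - sub[i]["date"]).days
            if span <= WINDOW_DAYS:
                locs = sorted({d["location"] for d in sub[i:i + MIN_CLUSTER]})
                flags[k].append(f"{MIN_CLUSTER} sub-threshold cash deals in {span} days across {locs}")
                break
        if len(ds) >= 2 and k not in serviced:
            flags[k].append("repeat cash buyer with no service visits on record")
    return dict(flags)

if __name__ == "__main__":
    for buyer, items in review_cash_deals(DEALS, SERVICE_VISITS).items():
        print(buyer, items)
```

The output is a documentation worklist for the compliance owner, not a filing decision; the article's point is that without a shared customer key across stores, the three-deal cluster never appears at any single location.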
What Actually Changed (Specifically)
The FTC updated its Safeguards Rule to require:
- Written Information Security Program (WISP): A documented plan covering how you collect, use, protect, and dispose of customer data. This has to be in writing and reviewed annually.
- Incident Response Plan: What you do when personal information is compromised, including customer notification timelines, law enforcement reporting, and forensic investigation procedures.
- Multi-factor Authentication for Staff: Admin access to customer records and financial systems must require more than a password (not optional anymore for larger dealerships).
- Vendor Management: If you use a third party to process customer data (credit bureaus, title companies, auction sites), you're responsible for their compliance failures too.
- Annual Risk Assessment: You must formally review what customer data you hold, what risks exist, and what safeguards you've implemented.
None of these are conceptually new. But "recommended" shifted to "required" between 2022 and 2024. Enforcement followed immediately after.
At the state level, dealer licensing boards added AML/CFT audits to renewal processes in 22 states. They're asking for your SAR filing logs, your identity verification procedures, your training records, and your customer due diligence documentation. If you can't produce those within 10 business days, renewal gets delayed. If you can't produce them at all, it doesn't happen.
What Hasn't Changed (So Stop Worrying)
The $10,000 cash reporting threshold is still the federal baseline for bank-style SARs. You're not suddenly required to report every sub-$5,000 transaction to FinCEN.
You don't need enterprise-grade compliance software to be compliant (though it helps). A well-maintained spreadsheet with documented procedures is sufficient for small dealerships. What matters is consistency and documentation, not technology elegance.
Customer due diligence requirements are still tied to risk assessment, not blanket surveillance. You don't need to investigate every customer's bank account or employment history. You need to verify they are who they say they are, and if something doesn't add up, document it.
Financing companies and banks are still responsible for the credit side of transaction compliance. You're not liable if a customer obtains fraudulent financing through their lender. You are liable if you knowingly facilitate that transaction or help obscure the funding source.
What You Should Do This Week
Pull your current privacy policy. Read it. Ask your team if they know what it says. If they don't, it's not a policy, it's wall decoration. Rewrite it to be specific: what data do you collect, when, why, who has access, how long you keep it, what rights customers have. Have legal review it. Distribute it to your entire team, not just finance.
Document your cash transaction procedures. Write down what you do when a customer wants to pay cash. Do you verify their identity? Do you ask about the source of funds? Do you document red flags? Do you report anything to management? If you're not documenting this, start now. Aim for consistency, not perfection.
Audit your customer data storage. Where are customer driver's licenses, financing applications, trade-in appraisals, and service records actually stored? On someone's desktop? In a filing cabinet? In multiple systems? Map it. Identify where you're holding personal information and who can access it. That's your risk exposure.
Train your team on what "suspicious" means at your dealership. Sales staff especially need to know: inconsistent identification, cash payment for expensive vehicles from customers with thin credit files, requests to structure deals to stay under certain amounts, pressure to move quickly without standard paperwork. It's not paranoia. It's pattern recognition. Make it part of quarterly compliance meetings.
Create a one-page SAR reference guide. When should you file one? Your dealership, your market, your typical customer profile: what triggers concern? Put that in writing. Give it to sales, F&I, and your general manager. Use it consistently.
These aren't consultant recommendations. They're the baseline steps that dealers who passed recent FTC audits had already implemented.
The Legal Risk Is Real
Compliance violations don't always end in criminal prosecution. Usually they end in compliance orders, fines, audits, and damaged reputation. But your dealer license is on the line. Your customer data is on the line. Your ability to stay in business is on the line.
The dealers who are getting this right aren't doing anything extraordinary. They're just doing the boring blocking and tackling: documenting procedures, training staff, maintaining records, and paying attention to patterns. They're treating compliance as an operational system, not a legal checkbox.
That gap between "we have a policy" and "we execute the policy consistently" is where most dealerships fail.