F&I Compliance Checklist 2026: Regulations & Best Practices

Introduction

F&I compliance scrutiny has reached unprecedented levels. In April 2026, the FTC and Maryland Attorney General secured a record-breaking $78.1 million settlement against Lindsay Automotive Group for deceptive pricing and charging for unwanted add-ons—the largest auto dealer enforcement action to date. Just months earlier, Leader Automotive Group paid $20 million for bait-and-switch tactics and junk fees, while Coulter Motor Company settled for $2.6 million after allegations of discriminatory pricing against Latino buyers.

These enforcement actions signal a clear pattern, not a series of isolated incidents. The FTC's CARS Rule was vacated in January 2025, but regulators didn't back down—they shifted to aggressive case-by-case enforcement under existing UDAP authority.

In March 2026, the FTC sent warning letters to 97 dealer groups. No dealership is off the radar.

That enforcement climate is exactly why this guide exists. Here you'll find a practical 2026 F&I compliance checklist, a breakdown of key regulations for independent dealers, franchise dealers, and BHPH operators, and best practices you can implement immediately to protect your dealership and build customer trust.


TLDR

  • F&I compliance in 2026 means navigating aggressive FTC enforcement, state junk fee laws, data privacy mandates, and fair lending requirements simultaneously
  • Every deal should clear a checklist covering identity verification, product disclosures, contract execution, and OFAC record retention (10-year minimum)
  • The FTC Safeguards Rule breach notification requirement (30 days for 500+ consumers) is now fully in effect
  • Deal-level, monthly sampling, and annual independent audits form the backbone of any defensible compliance program
  • Dealers with documented compliance programs face significantly lower regulatory exposure — and retain lender relationships that less-prepared competitors lose

What Is F&I Compliance and Why It Matters in 2026

Finance & Insurance (F&I) is the most heavily regulated department on any dealer's floor. It handles sensitive customer data, credit decisions, and product disclosures—extended warranties, GAP insurance, service contracts, tire and wheel coverage—that touch multiple federal and state laws simultaneously.

Getting it wrong isn't just a paperwork problem. In 2026, enforcement is coordinated, bipartisan, and financially severe.

The 2026 Enforcement Landscape: Post-CARS Rule but Not Post-Enforcement

The FTC's Combating Auto Retail Scams (CARS) Rule was vacated by the Fifth Circuit Court of Appeals on January 27, 2025, on procedural grounds (the court held the FTC had skipped the advance notice of proposed rulemaking its own procedures required), not on the merits of the conduct it targeted. Some dealers read the vacatur as breathing room. It wasn't. The FTC immediately pivoted to Section 5 UDAP (Unfair or Deceptive Acts or Practices) authority, the same framework it has used for decades, and intensified case-by-case enforcement.

Key enforcement actions from the past 18 months:

  • January 2025: Fifth Circuit vacates the CARS Rule on procedural grounds
  • March 2026: FTC sends warning letters to 97 dealership groups over junk fee practices
  • April 2026: Lindsay Automotive settlement — $75 million in consumer redress plus $3.1 million in penalties

[Image: 2024-2026 FTC auto dealer enforcement actions timeline with settlement amounts]

The warning letters were direct: "The Trump-Vance FTC is committed to preventing auto dealers from misleading consumers with low advertised prices and then adding on mandatory fees at the end of the purchasing process."

Regulators are pursuing multi-million dollar outcomes through coordinated federal-state task forces. The Lindsay settlement demonstrates that enforcement actions now carry consequences that can threaten a dealership's financial viability outright.

The Business Case: Compliance Isn't Just About Avoiding Fines

Beyond regulatory penalties, a compliant F&I process delivers measurable business benefits:

  • Transparent pricing and clear product disclosures drive repeat and referral business
  • Properly documented deals reduce contract cancellations and chargeback exposure
  • Lenders scrutinize dealer compliance records — violations can trigger curtailments or loss of capital access
  • For independent and BHPH dealers on thinner margins, compliance is the difference between a manageable audit and a catastrophic financial exposure

Key F&I Regulations Dealers Must Know in 2026

FTC Enforcement Under Section 5 UDAP Authority

Even without the CARS Rule, the FTC actively pursues dealerships for payment packing (bundling product costs into payments without itemizing them), bait-and-switch advertising, and undisclosed add-ons. The Lindsay, Leader and Coulter actions cited in the introduction show the range, from junk fees to discriminatory pricing.

FTC actions increasingly involve state attorneys general as co-enforcers — meaning a dealer in any state, at any volume, now faces coordinated federal and state scrutiny simultaneously.

State Junk Fee Laws

With federal rulemaking stalled, states have filled the void with strict all-in pricing mandates:

State | Legislation | Effective date | Key requirements
California | SB 478 | July 1, 2024 | Prohibits advertising a price that excludes mandatory fees (government taxes and shipping excepted); violations fall under the Consumers Legal Remedies Act
Rhode Island | H5247 | July 1, 2025 | Amends the Deceptive Trade Practices Act to require all mandatory fees in advertised prices
New York | S363A | Proposed (advanced March 2026) | "Junk fee prevention act" requires the total price, inclusive of all mandatory fees, to be displayed clearly

[Image: State junk fee laws comparison chart, California, Rhode Island, New York, 2024-2026]

Non-compliance carries civil penalties and mandatory consumer refunds. Multi-state dealers face a patchwork problem: California's SB 478 and Rhode Island's H5247 share the same goal but differ in enforcement mechanisms and penalty structures, so a single advertising template won't satisfy both.

FTC Safeguards Rule and Data Privacy

Auto dealers that extend or arrange credit are "financial institutions" under the Gramm-Leach-Bliley Act, subject to the FTC Safeguards Rule. Updated requirements include:

  • Written Information Security Program (WISP) with a designated qualified individual who owns it
  • Encryption of customer information in transit over external networks and at rest
  • Multi-factor authentication (MFA) for anyone accessing a system that holds customer information
  • Employee training on data handling procedures
  • Third-party vendor oversight (contractual security requirements plus periodic assessment, not a one-time questionnaire)
  • Incident response plan with documented procedures
  • Breach notification: since May 13, 2024, a "notification event" (unauthorized acquisition of unencrypted customer information involving at least 500 consumers) must be reported to the FTC as soon as possible and no later than 30 days after discovery. Encrypted data counts as unencrypted for this purpose if the encryption key was also accessed, so key custody is part of the breach analysis, not just of the encryption checklist

The Safeguards Rule is only part of the data compliance picture. By 2026, 19 states have enacted their own comprehensive consumer data privacy laws — adding layered requirements for F&I offices that routinely handle Social Security numbers, credit reports, and income documentation.

Fair Lending Laws (ECOA and Fair Credit)

The Equal Credit Opportunity Act prohibits discrimination in any aspect of a credit transaction on a prohibited basis (race, color, religion, national origin, sex, marital status, age, or receipt of public assistance), and discretionary dealer rate markups are where violations typically surface. Because credit applications don't record race, regulators use Bayesian Improved Surname Geocoding (BISG), which combines surname-based and census-geography-based probabilities into an estimated race/ethnicity for each borrower, then test whether markups differ across the proxied groups. A disparate-impact finding needs no proof of intent: a neutral policy of letting each manager set the spread is enough if the outcomes diverge.

Documented enforcement examples:

  • Napleton Automotive Group: $10 million settlement (April 2022) after analysis showed Black customers paid $190 more in interest and $99 more for add-ons than white customers
  • Rhinebeck Bank: $950,000 fine (October 2022) after BISG analysis revealed Black, Hispanic, and Asian borrowers paid 15% to 39% more in discretionary dealer markups

Your minimum protection: Maintain a documented Fair Credit Policy that sets a consistent rate spread over buy rate. Any downward deviation must be justified by a non-discriminatory reason and recorded in the deal jacket — before the deal is funded.
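To make the BISG mechanics and the markup-exception check concrete, here is an added example in Python. It is not the page's code, nor the CFPB's method as implemented, nor any dealer's program. The surname, block-group and national-share tables are constructed for the demo rather than derived from Census data, the 2.00-point standard spread is an assumed policy value, and the five deals are fabricated:

```python
"""Fair-lending markup monitor with a BISG-style proxy. Added example, not the
page's code, the CFPB's code, or any dealer's program. All tables and deals
below are constructed for the demo; real analyses use Census-derived tables."""
from collections import defaultdict

GROUPS = ("white", "black", "hispanic")

# Constructed tables, not Census data: P(group | surname) and P(group | block group).
P_GROUP_GIVEN_SURNAME = {
    "SMITHSON": {"white": 0.70, "black": 0.20, "hispanic": 0.10},
    "VALDERRO": {"white": 0.15, "black": 0.05, "hispanic": 0.80},
}
P_GROUP_GIVEN_GEO = {
    "BG-1": {"white": 0.60, "black": 0.30, "hispanic": 0.10},
    "BG-2": {"white": 0.20, "black": 0.10, "hispanic": 0.70},
}
P_GROUP = {"white": 0.60, "black": 0.13, "hispanic": 0.19}   # assumed national shares
STANDARD_SPREAD = 2.00   # assumed policy: contract APR = buy rate + 2.00 points


def bisg(surname: str, block_group: str) -> dict[str, float]:
    """Posterior P(group | surname, geo) is proportional to P(group | surname) * P(geo | group).
    By Bayes, P(geo | group) = P(group | geo) * P(geo) / P(group); P(geo) is the same
    for every group and cancels in the normalisation, so only P(group) is needed."""
    prior = P_GROUP_GIVEN_SURNAME[surname.upper()]
    geo = P_GROUP_GIVEN_GEO[block_group]
    unnormalised = {g: prior[g] * geo[g] / P_GROUP[g] for g in GROUPS}
    total = sum(unnormalised.values())
    return {g: v / total for g, v in unnormalised.items()}


def markup(deal: dict) -> float:
    return round(deal["contract_apr"] - deal["buy_rate"], 2)


def policy_exceptions(deals: list[dict], standard: float = STANDARD_SPREAD) -> list[str]:
    """Deals that depart from the uniform spread. A markup above the standard is a
    violation outright; one below it needs a written, non-discriminatory reason
    in the jacket before funding."""
    findings = []
    for d in deals:
        m = markup(d)
        if m > standard + 1e-9:
            findings.append(f"{d['id']}: markup {m:.2f} exceeds standard {standard:.2f}")
        elif m < standard - 1e-9 and not d.get("exception_reason", "").strip():
            findings.append(f"{d['id']}: markup {m:.2f} below standard with no documented reason")
    return findings


def proxy_average_markup(deals: list[dict]) -> dict[str, float]:
    """Probability-weighted mean markup per proxied group: each deal contributes
    its markup to every group in proportion to its BISG posterior, so the
    proxy's uncertainty is carried through instead of hard-assigning a group."""
    num, den = defaultdict(float), defaultdict(float)
    for d in deals:
        post = bisg(d["surname"], d["block_group"])
        for g in GROUPS:
            num[g] += post[g] * markup(d)
            den[g] += post[g]
    return {g: round(num[g] / den[g], 3) for g in GROUPS if den[g]}


# Constructed deals: one subset is consistently marked up more than the policy allows.
DEALS = [
    {"id": "D1", "surname": "Smithson", "block_group": "BG-1", "buy_rate": 6.00, "contract_apr": 8.00},
    {"id": "D2", "surname": "Smithson", "block_group": "BG-1", "buy_rate": 5.50, "contract_apr": 6.50,
     "exception_reason": "customer presented competing credit-union approval at 6.50"},
    {"id": "D3", "surname": "Valderro", "block_group": "BG-2", "buy_rate": 6.00, "contract_apr": 8.50},
    {"id": "D4", "surname": "Valderro", "block_group": "BG-2", "buy_rate": 7.00, "contract_apr": 9.25},
    {"id": "D5", "surname": "Smithson", "block_group": "BG-2", "buy_rate": 6.00, "contract_apr": 7.00},
]

if __name__ == "__main__":
    print(bisg("Smithson", "BG-2"))
    print(policy_exceptions(DEALS))
    print(proxy_average_markup(DEALS))
```

The proxy average is the statistic a regulator's analysis is built around: a deal's markup is apportioned across groups by its posterior rather than assigned to one group, so the result reflects how uncertain the proxy is. Run the exception report on every deal before funding and the proxy comparison monthly per F&I manager; a persistent gap is a training and policy problem to fix before it becomes an enforcement finding.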

OFAC Screening and Updated Record Retention

Every deal requires a check of the customer (and any co-buyer or business purchaser) against OFAC's (Office of Foreign Assets Control) Specially Designated Nationals (SDN) list. OFAC doesn't mandate specific software, but liability for dealing with a blocked person is strict: intent doesn't matter, and "the screening tool didn't flag it" is not a defense. Because the list changes frequently, screen at the time of the deal rather than from a cached copy, and record which list version (publication date) the customer was screened against together with the result. An exact-string match alone misses transliterated spellings and name-order differences, so potential matches need human review rather than an automatic pass/fail.

Critical update: OFAC's interim final rule, published in September 2024 and effective in March 2025, extended its recordkeeping requirement from 5 years to 10 years, matching the 10-year statute of limitations introduced by the 21st Century Peace through Strength Act. Failing to retain OFAC records for the full period is itself a violation that auditors will cite.

Together, these five regulatory areas define the compliance floor for F&I in 2026. The checklist below translates each into specific, actionable requirements your office can implement and document.


The 2026 F&I Compliance Checklist

Deal Documentation and Forms

Every deal jacket must contain all required documents, fully executed with customer signatures:

  • Retail installment sales contract
  • Buyers guide (for used vehicles)
  • Privacy notice (Gramm-Leach-Bliley Act)
  • Credit application
  • OFAC check confirmation
  • Product-specific disclosure forms (VSC, GAP, tire & wheel, etc.)

Missing or improperly executed forms are among the most common compliance failures in audits. Implement a dual-check system: the F&I manager reviews the deal jacket before customer delivery, and a billing clerk verifies completeness before submitting for funding.

Identity Verification and Red Flags Rule Compliance

Under the FTC's Red Flags Rule, dealers must maintain a written Identity Theft Prevention Program. Key verification steps:

  • Government-issued ID review and driver's license scan
  • Knowledge-based authentication quiz (a weak signal on its own: the answers are routinely available in breached data, so treat it as supplementary, never as proof of identity)
  • Cross-check customer information for inconsistencies (address mismatches, conflicting phone numbers)
  • Screen for synthetic identity fraud indicators

The program must be documented, reviewed annually, and any cleared red flags must be recorded in the deal file. Violations can result in civil penalties of up to $53,088 per violation as of 2025.
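An added example in Python of the cross-checks above and of the clearance record the rule expects in the deal file. It is not the page's code or any dealer's written program. The application, ID and bureau records are constructed, the thin-file thresholds are assumed, and the SSN structure test encodes the SSA's published rule that area 000, 666 and 900-999, group 00 and serial 0000 are never assigned:

```python
"""Red Flags cross-check and clearance record. Added example, not the page's
code or any dealer's written program. Record fields, thresholds and the sample
application/ID/bureau data are constructed; the SSN structure rule is the SSA's."""
from dataclasses import dataclass
from datetime import date
import re

SUFFIXES = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
            "BOULEVARD": "BLVD", "APARTMENT": "APT", "SUITE": "STE"}
THIN_FILE_MONTHS, THIN_FILE_TRADELINES = 12, 2   # assumed synthetic-identity thresholds


@dataclass
class RedFlag:
    code: str
    detail: str


@dataclass
class Clearance:
    code: str
    cleared_by: str
    reason: str
    cleared_on: str


def norm_address(a: str) -> str:
    """Upper-case, drop punctuation and fold common suffixes so 'Main Street' and
    'Main St' compare equal instead of raising a false mismatch."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", a.upper()).split()
    return " ".join(SUFFIXES.get(t, t) for t in tokens)


def ssn_structurally_invalid(ssn: str) -> bool:
    """SSA never assigns area 000, 666 or 900-999, group 00 or serial 0000."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", ssn)
    if not m:
        return True
    area, group, serial = m.groups()
    return area in ("000", "666") or area >= "900" or group == "00" or serial == "0000"


def detect_red_flags(app: dict, id_doc: dict, bureau: dict, today: date) -> list[RedFlag]:
    """Compare the application against the scanned ID and the bureau file."""
    flags = []
    if ssn_structurally_invalid(app["ssn"]):
        flags.append(RedFlag("SSN_INVALID", "SSN cannot have been issued by SSA"))
    if app["name"].upper() not in (n.upper() for n in bureau["names_for_ssn"]):
        flags.append(RedFlag("SSN_NAME_MISMATCH", "bureau ties this SSN to a different name"))
    if app["dob"] != id_doc["dob"]:
        flags.append(RedFlag("DOB_ID_MISMATCH", f"application {app['dob']} vs ID {id_doc['dob']}"))
    if norm_address(app["address"]) != norm_address(id_doc["address"]):
        flags.append(RedFlag("ADDRESS_ID_MISMATCH", "application address differs from ID"))
    if norm_address(app["address"]) not in (norm_address(a) for a in bureau["addresses"]):
        flags.append(RedFlag("ADDRESS_NOT_IN_BUREAU", "address absent from credit file history"))
    if app["phone"] not in bureau["phones"]:
        flags.append(RedFlag("PHONE_NOT_IN_BUREAU", "phone absent from credit file"))
    if id_doc["expires"] < today:
        flags.append(RedFlag("ID_EXPIRED", f"ID expired {id_doc['expires']}"))
    if (bureau["file_age_months"] < THIN_FILE_MONTHS
            and bureau["tradeline_count"] <= THIN_FILE_TRADELINES):
        flags.append(RedFlag("THIN_NEW_FILE", "new, thin file: common synthetic-identity pattern"))
    return flags


def clear_flag(flag: RedFlag, cleared_by: str, reason: str, today: date) -> Clearance:
    """A red flag is cleared only with a written reason; the record goes in the deal file."""
    if not reason.strip():
        raise ValueError(f"{flag.code}: clearance requires a written reason")
    return Clearance(flag.code, cleared_by, reason, today.isoformat())


def ready_to_fund(flags: list[RedFlag], clearances: list[Clearance]) -> bool:
    return {f.code for f in flags} <= {c.code for c in clearances}


# Constructed sample records; not real people.
TODAY = date(2026, 2, 3)
APP = {"name": "Jordan Sampleton", "dob": date(1990, 4, 12), "ssn": "123-45-6789",
       "address": "100 Main St, Apt 4, Springfield, IL 62701", "phone": "217-555-0142"}
ID_DOC = {"dob": date(1990, 4, 12), "address": "100 Main Street Apt 4 Springfield IL 62701",
          "expires": date(2024, 6, 30)}
BUREAU = {"names_for_ssn": ["JORDAN SAMPLETON"], "phones": ["217-555-0142"],
          "addresses": ["100 MAIN ST APT 4 SPRINGFIELD IL 62701"],
          "file_age_months": 84, "tradeline_count": 6}
# Same applicant data, but an SSN the bureau ties to someone else on a new, thin file.
SYN_APP = dict(APP, ssn="219-09-9999")
SYN_ID = dict(ID_DOC, expires=date(2030, 1, 1))
SYN_BUREAU = {"names_for_ssn": ["AVERY PLACEHOLDER"], "phones": [], "addresses": [],
              "file_age_months": 4, "tradeline_count": 2}

if __name__ == "__main__":
    flags = detect_red_flags(APP, ID_DOC, BUREAU, TODAY)
    cleared = [clear_flag(flags[0], "F&I manager", "renewed license presented and scanned", TODAY)]
    print(flags, ready_to_fund(flags, cleared))
    print([f.code for f in detect_red_flags(SYN_APP, SYN_ID, SYN_BUREAU, TODAY)])
```

The address normalisation is there because a naive string compare turns "Main Street" versus "Main St" into a false mismatch that staff learn to wave through, which defeats the control. The second sample shows the pattern worth escalating rather than clearing at the desk: the documents agree with each other, but the bureau ties the SSN to a different name and the file is months old with two tradelines.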

F&I Product Disclosures and Voluntary Protection Product (VPP) Compliance

Every aftermarket product must be presented as:

  • Optional (not required for financing)
  • Separately priced (itemized, not bundled)
  • Individually consented to (documented customer acknowledgment)

Payment packing (concealing product costs inside the payment structure without itemizing them) is a primary FTC enforcement target. Dealers using dealer-owned reinsurance programs, such as an admin obligor structure through providers like DealerRE, gain greater control over product terms and disclosures — reducing reliance on third-party documentation standards that vary by provider.

Fair Credit and Lending Practices

Three practices must be consistent across every deal:

  • Credit applications completed in full — no blank fields
  • Fair Credit Policy applied uniformly: every deal starts at the same rate spread over buy rate
  • Any downward adjustment from standard spread documented with a non-discriminatory written justification

Two practices are prohibited outright, and both carry significant enforcement risk:

  • Power booking: overstating a vehicle's trim, options or condition to the lender so it books a higher value and advances more than the vehicle supports. This is a misrepresentation to the lender, and it surfaces in repossession shortfalls and lender audits, not only in consumer complaints
  • Payment packing: concealing product costs inside the quoted payment without itemization

F&I managers should be trained to recognize both practices and tested regularly to confirm understanding.
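An added example in Python of the deal-math check that catches packing, which a forms audit misses because a packed contract is arithmetically correct on its face. It is not the page's code or any platform's check. The figures are constructed; the formula is the standard level-payment amortisation used in retail installment contracts:

```python
"""Deal-math check for payment packing. Added example, not the page's code or any
platform's check. Figures are constructed; the amortisation formula is the standard
level-payment one used in retail installment contracts."""


def monthly_payment(amount_financed: float, apr_percent: float, term_months: int) -> float:
    """Level payment for a simple-interest loan: P*r / (1 - (1+r)^-n), r = APR/12."""
    r = apr_percent / 100 / 12
    if r == 0:
        return amount_financed / term_months
    return amount_financed * r / (1 - (1 + r) ** -term_months)


def amount_financed(deal: dict, with_products: bool) -> float:
    """Price plus tax/fees, less cash down and trade equity, optionally plus products."""
    base = deal["price"] + deal["tax_and_fees"] - deal["down_payment"] - deal["trade_equity"]
    return base + (sum(deal["products"].values()) if with_products else 0.0)


def check_deal(deal: dict, tolerance: float = 0.01) -> list[str]:
    """Two checks. (1) The contract's stated payment must follow from its own
    itemised amount financed at the contract APR and term. (2) The payment quoted
    on the pencil, before any product was presented, must equal what the base
    amount supports; a quoted base payment above that is the packing signature,
    and the gap is the headroom products were later slid into 'without changing
    the payment'."""
    findings = []
    apr, n = deal["apr"], deal["term"]
    contract_pmt = monthly_payment(amount_financed(deal, True), apr, n)
    if abs(contract_pmt - deal["contract_payment"]) > tolerance:
        findings.append(f"CONTRACT_PAYMENT_MISMATCH: stated {deal['contract_payment']:.2f}, "
                        f"itemised amount financed supports {contract_pmt:.2f}")
    base_pmt = monthly_payment(amount_financed(deal, False), apr, n)
    gap = deal["quoted_base_payment"] - base_pmt
    if gap > tolerance:
        findings.append(f"PAYMENT_PACKING: quoted base payment {deal['quoted_base_payment']:.2f} "
                        f"exceeds itemised base payment {base_pmt:.2f} by {gap:.2f}")
    return findings


# Constructed deal: the customer was quoted 435/mo before the menu, then
# 2,400 of products were added "at the same payment".
DEAL = {
    "price": 24000.00, "tax_and_fees": 1500.00, "down_payment": 3000.00, "trade_equity": 2500.00,
    "products": {"VSC": 1800.00, "GAP": 600.00},
    "apr": 6.0, "term": 60,
    "quoted_base_payment": 435.00,    # pencil, before the menu
    "contract_payment": 433.05,       # retail installment contract, after products
}

if __name__ == "__main__":
    for finding in check_deal(DEAL):
        print(finding)
```

The contract in the sample passes check (1): 22,400 financed at 6.0% for 60 months really is about 433.05 a month. It fails check (2): 20,000 financed on the same terms supports about 386.66, so the 435 pencil had roughly 48 a month of room built in before a single product was mentioned. That gap, not the contract arithmetic, is what an auditor compares the pencil and menu against.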

Data Security and Privacy Notices

Customer information collected in F&I must be safeguarded per the FTC Safeguards Rule. Checklist items:

  • Encryption of electronic records at rest and in transit, and locked, access-controlled storage for paper deal jackets (paper can't be encrypted, but it is still customer information under the rule)
  • Limited employee access with role-based permissions
  • Written incident response plan tested annually
  • Delivery of required privacy notice under Gramm-Leach-Bliley Act
  • Employee training records maintained and updated annually

Record Keeping and Document Retention

Retain all deal documentation for legally mandated periods:

  • OFAC records: 10 years (updated March 2025)
  • Credit applications and contracts: Varies by state; typically 6-7 years
  • Product disclosures and privacy acknowledgments: 6 years minimum
  • Training logs and compliance program documentation: Duration of employment plus 3 years

Maintain a written document retention and destruction policy covering both paper and electronic records. Issue litigation holds immediately if a formal dispute arises.


How to Conduct a Dealership F&I Compliance Audit

Three-Level Audit Framework

Compliance professionals use a three-tiered approach:

1. Deal-Level Review (Every Transaction)

Conducted by the F&I manager and billing clerk using a standardized checklist before funding. Verifies:

  • All required forms are present and signed
  • Math flows correctly from pencil to menu to contracts
  • OFAC check is documented
  • Red Flags are cleared and documented
  • Product prices have documented customer consent

2. Monthly Sampling Audit

Conducted by the dealership's compliance officer, controller, or GM. Reviews a cross-section of deals from each F&I manager (typically 10-15 deals per month). Identifies patterns, training gaps, and manager-specific issues.

3. Independent In-Person Review (Annual)

Conducted by an outside compliance professional who reviews the deal jacket in full detail from the perspective of a regulator or plaintiff's attorney. This is the dealership's strongest defense preparation — every document should hold up under scrutiny.

[Image: Three-level dealership F&I compliance audit framework, from deal review to independent audit]

Forms Audit vs. Compliance Checklist Audit

Understanding which type of audit you're running matters — the two aren't interchangeable.

Forms audit: Checks whether required documents are present.

Compliance checklist audit: Goes deeper — verifies math accuracy, confirms all signatures are in place, validates Red Flags clearance, and ensures every product's price has documented customer consent.

Only the checklist audit provides meaningful regulatory protection.

Audit Frequency and Corrective Action

Recommended frequency:

  • Deal-level checks: Every transaction
  • Monthly audits: Random sample of deals (larger samples for high-volume stores)
  • Independent reviews: Annually — or after major regulatory changes

When issues are identified, corrective action must include:

  • Immediate retraining for affected staff
  • Process updates documented in writing
  • Follow-up audit to confirm correction
  • Written documentation demonstrating intent to comply

F&I Compliance Best Practices for 2026

Invest in Ongoing Staff Training and New Hire Testing

Compliance gaps often stem from turnover and inconsistent onboarding. Best practices:

  • Test new F&I hires on key compliance areas before they work deals independently: Red Flags Rule, Truth in Lending, payment packing, menu presentation, credit app fraud
  • Schedule annual refresher training for all F&I staff on regulatory updates and common pitfalls
  • Keep training records as part of the compliance file — they're your first line of defense in an audit

Use Compliance Technology to Enforce Consistency

Modern F&I platforms embed compliance guardrails directly into the deal process:

Platform | Compliance features
Dealertrack | Compliance checklist for every deal; automated Red Flags and OFAC checks; 10-year secure document storage
RouteOne | IDOne identity verification and OFAC checks; Compliance Dashboard; eSign Anything for remote contracting
CDK Global | MenuVantage Platinum for standardized menu presentations; audit trails for user changes

[Image: F&I dealership compliance software dashboard displaying deal checklist and OFAC verification]

Some platforms now use AI-assisted deal scanning to flag issues before funding, catching problems that manual review misses and generating timestamped audit records automatically.

Work with Experienced F&I Compliance Partners

Technology helps, but layered federal and state requirements often require professional oversight — particularly for independent and BHPH dealers without dedicated legal staff. A full-service F&I compliance partner typically covers:

  • Forms management and regulatory filings
  • Staff training programs and onboarding support
  • Ongoing performance reporting and compliance audits
  • Coordination with CPAs and legal counsel on program structure

DealerRE has provided this kind of full-service administration for over 28 years, helping dealers build F&I programs that hold up under regulatory scrutiny.

Build a Culture of Ethics from the Top Down

Management must set the expectation that ethical F&I practices are non-negotiable. Practical steps:

  • Appoint a designated compliance officer or manager
  • Empower staff to flag concerns without retaliation
  • Review the compliance program whenever new laws take effect or enforcement trends shift
  • Recognize that transparency drives customer loyalty and repeat business

Frequently Asked Questions

What is F&I in a dealership?

F&I stands for Finance and Insurance—the dealership department that handles vehicle financing arrangements and presents optional protection products (extended warranties, GAP insurance, service contracts) to buyers during the purchase process.

What is red flag compliance for auto dealers?

The FTC's Red Flags Rule requires auto dealers to maintain a written Identity Theft Prevention Program that identifies, detects, and responds to warning signs of identity theft or fraud before completing any credit transaction. Cleared red flags must be documented in the deal file.

What are the biggest F&I compliance risks for dealerships in 2026?

The top risks are hidden or undisclosed fees (junk fee enforcement), payment packing, identity theft fraud, data security breaches under the FTC Safeguards Rule, and discriminatory credit practices under ECOA. The FTC and state attorneys general are actively targeting all of these in 2026.

What happens if a dealership fails F&I compliance?

Penalties include multi-million dollar settlements, mandatory consumer refunds, reputational damage, and loss of lender relationships. The Lindsay Automotive Group settlement in April 2026 resulted in $78.1 million in consumer redress and penalties for deceptive pricing and unwanted add-ons.

How often should a dealership conduct a compliance audit?

Use a three-level cadence: a checklist review on every single deal, a monthly sampling audit of each F&I manager's deals, and an independent professional review at least once per year.

What is the FTC Safeguards Rule and does it apply to car dealers?

Auto dealerships that extend or arrange credit qualify as financial institutions under GLBA, so the updated FTC Safeguards Rule applies to them directly. Dealers must maintain a written information security program covering encryption, access controls and MFA, employee training, vendor oversight, and incident response, and must notify the FTC no later than 30 days after discovering a breach of unencrypted customer information affecting 500 or more consumers.