Every F&I department in the country passes an annual outside compliance audit. Most of them fail it.
The failure isn't because dealers don't know the rules — it's because they treat compliance as a once-a-year event instead of a daily practice. By the time the third-party reviewer pulls the jacket files, the patterns that produced the violation have usually been running for 12 or 18 months. The data was visible the whole time. Nobody was watching it.
This checklist gives you the six areas every dealership F&I operation must cover, the internal audit cadence that catches drift before it becomes a consent order, and the specific recordkeeping and disclosure details that enforcement actions most often target.
Audit-ready F&I starts with daily metric discipline
DealerPulse produces a daily compliance audit trail alongside your F&I performance numbers — so when the next review drops, you already have the data organized. Free to start.
Start Free TrialNo credit card required · Get the free ROI white paper instead →
Why F&I Compliance Should Be a Daily Concern, Not an Annual One
CFPB enforcement actions against auto dealers have accelerated over the last five years. The pattern in nearly every consent order is depressingly similar: a dealer group operated for one to three years with a systemic compliance failure that produced detectable signatures in deal jackets, only nobody sampled the jackets frequently enough to catch it. By the time the regulator pulled the files, the harm was already done — to consumers, to the dealer's reputation, and to the balance sheet in the form of remediation cost plus a civil money penalty.
The most common enforcement vector is UDAP/UDAAP — Unfair, Deceptive, or Abusive Acts or Practices. The CFPB doesn't need a specific regulation violation to act on UDAP grounds; they only need to show that the practice was unfair, deceptive, or abusive to a consumer. Payment packing, undisclosed add-on products, and APR/payment mismatches all fit this category. The same patterns that hurt your customers on the finance office side are also the patterns that create regulatory exposure on the compliance side.
The fix is not to wait for the annual review. The fix is to embed compliance into the same daily routine your F&I team already runs for performance. If you're using daily F&I tracking for products per deal and PVR, the same daily habit can surface the OFAC miss, the stale rate sheet, or the missing adverse action notice — before it multiplies across a quarter. Compliance and performance are the same job, viewed from two different angles.
Those numbers are illustrative — actual case-by-case enforcement varies — but the directional pattern is consistent across the industry. The cost of doing compliance wrong is large enough that the cost of doing it right, daily, is almost always a rounding error in comparison.
"Annual audits catch what already happened. Daily compliance rhythm is what stops the pattern from forming in the first place."
The 6-Part F&I Compliance Checklist
The checklist below is what every F&I operation should be running every month, broken into the six areas that drive the majority of enforcement risk. Treat it as the floor — your state, your lender relationships, and your product administrators will add detail on top.
1. CFPB Federal Disclosures
The four federal regulations that drive the most F&I enforcement exposure:
- Regulation Z (Truth in Lending Act). Finance charge, APR, payment schedule, and right of rescission timing must all be accurate on every credit transaction. The most frequent Z violation is the payment schedule on the disclosure not matching the actual payment charged.
- Regulation M (Consumer Leasing Act). Advertising rules for lease promotions and full lease-cost disclosures at signing.
- ECOA / Regulation B. A written Notice of Adverse Action within 30 calendar days of any credit denial, with the specific reasons the application was declined. Verbal-only or back-dated notices are a top-five enforcement target.
- UDAP / UDAAP. The catch-all. The CFPB doesn't need a specific regulation violation — only a practice that is unfair, deceptive, or abusive to a consumer. Add-on products that don't perform as marketed, payment packing, and undisclosed finance charges all live here.
Above the F&I floor, dealers also handle Gramm-Leach-Bliley Act privacy notices annually and FTC Safeguards Rule information security requirements for customer nonpublic personal information.
2. State Product-Rating & Filing Rules
State rules differ materially by state — and dealer groups operating in 10+ rooftops must track each state separately. The four heaviest states to monitor:
- Texas. Specific VSI gap disclosure plus finance-source disclosure on every deal; distinct used-car buyer guide requirements.
- California. Lemons Law, used-car buyer guides, and additional advertising rules for finance promotions and rate advertising.
- Florida. F&I manager licensing requirements at the individual and dealer level, plus state-specific rate disclosure formatting.
- New York. State-level UDAP statute with a private right of action that materially changes the consumer-side enforcement risk compared to other states.
Beyond those four, every state has its own product-rating rules for service contracts and GAP. The administrator is typically filed state-by-state, and the refund calculation method — pro-rata versus actual-earned-premium — varies by state and by product. A dealer operating in Pennsylvania and Ohio on the same GAP administrator may be operating under two materially different compliance regimes, and the F&I manager cannot rely on the menu form being identical for both.
3. Identity, OFAC, and Red Flags
Three categories of identity-related compliance that must be checked on every deal:
- OFAC SDN list. The customer's name must be run against the Office of Foreign Assets Control Specially Designated Nationals list at the time of sale. A miss here is a strict-liability federal violation — there is no good-faith defense available, and the dealer cannot later correct it with documentation.
- Driver's license scan and address match. The ID document scan must be retained in the deal jacket, and the address on the ID must be verified against a secondary source (utility, bank statement, employer record) for fraud-detection compliance under the Red Flags Rule.
- Suspicious activity log. Any transaction that triggers a red flag — mismatched ID, cash down payment anomalies, gross income inconsistencies — must be logged with the time, the manager's name, and the resolution. The log must be retained for at least five years.
4. Document Handling & Recordkeeping
The retention and version-control rules that surround the deal jacket:
- Federal minimum retention is 2 years for credit application records and TILA disclosures. State requirements extend this — some states require up to 7 years. Default to the longer of the two.
- E-signature integrity. The e-signed document must be tamper-evident, and the audit trail showing the signing sequence (initials, full signature, date/time stamps) must be retained alongside the document. A scanned paper signature on a digital document does not satisfy the e-signature requirements.
- Menu form version control. Every deal jacket must contain the menu form version that was in use on the deal date. If a menu form is updated mid-month, deal jackets from prior versions must still be retrievable for an audit at any point during the retention window.
- Document storage. Both digital and original wet-ink versions (when used) must be retained in a way that survives a system migration. A dealer that has migrated DMS platforms twice in five years must retain documents across both platforms.
5. Lender Relationships & Rate Disclosures
The compliance touchpoints between the F&I office and the lenders it routes to:
- Rate sheet version pinning. The rate sheet active on the deal date must be the rate sheet referenced in the deal jacket. Mixing a Friday rate sheet with a Monday deal date is a frequent Reg Z and Rate Participation Agreement violation.
- No side-fee language. Lender contracts typically prohibit marking up APR or charging the customer a fee that is not fully disclosed on the TILA. The F&I manager must be trained on what they can and cannot negotiate.
- Finance-source disclosure. Every deal jacket must disclose the source of the financing. A customer who believes they are finance-direct when they have actually been routed to a captive lender must have that fact disclosed before signing.
- Rate Participation Agreement (RPA) compliance. Most lenders require signed RPAs that govern markup limits, dealer participation caps, and required add-on disclosures. The signed RPA must be on file per lender per year.
6. Internal Audit Cadence
The three-layer cadence that converts the checklist above from a policy document into an operating practice:
- Monthly self-audit. Pull 10 to 15 random deal jackets from the prior month. Score each against the checklist above. Findings go to the GM with a written remediation note attached.
- Quarterly GM sign-off. The GM reviews the monthly audit findings, confirms or refutes each one, and countersigns the rate-sheet log for the quarter.
- Annual third-party review or mystery-shop. An external compliance review or a mystery-shop focused on F&I presentation and disclosure accuracy. This is the audit that surfaces patterns the monthly self-audit typically misses.
Internal Audit Walkthrough: Pull 10 Random Deals from Last Quarter
The monthly self-audit is the most important of the three — it is the layer that catches drift closest to real time. A dealer group GM who runs the monthly audit on the second business day of each month, against the prior month's jackets, will surface patterns within 30 days of forming. Here is what the monthly audit pulling 10 random deals should verify, in order:
Verify Reg Z Initial Disclosure Timing
The TILA disclosure must be provided within 3 business days of application and before consummation of the credit transaction. Check the application date, the disclosure date stamp, and the deal date. Any deal where the disclosure post-dates consummation is a Reg Z violation.
Verify Signed TILA Disclosure Present
The customer must sign the final TILA disclosure. An unsigned disclosure is unenforceable AND a regulatory violation — Reg Z requires both delivery and acknowledgment.
Confirm OFAC Run for Each Customer on the Deal
Every named customer on the deal — buyer, co-buyer, signer — must appear on the OFAC log with a clean result, timestamped within the deal date window. If the log is missing a name, that's a strict-liability violation.
Check Rate Sheet Date vs. Deal Date
The rate sheet in the deal jacket must be the rate sheet effective on the deal date. A stale or undated rate sheet is an RPA violation and frequently a Reg Z violation. Compare the rate-sheet date stamp to the deal date.
Verify Adverse Action Process (If Applicable)
For deals that involved an application that was declined at any lender, confirm that a written Notice of Adverse Action was sent within 30 calendar days, with the specific Reason Codes listed. Verbal-only denials are a frequent enforcement finding.
Audit Add-On Product Disclosures
Confirm every add-on product sold was disclosed with its cost as a separate line item. Payment packing — where a product is "rolled in" to a payment schedule without separate disclosure — is the #1 UDAP enforcement vector.
Spot-Check State-Specific Disclosures
For deals in TX, CA, FL, or NY, confirm the state-specific disclosure form is present, properly completed, and signed. Failure to use the correct state form is among the most common state-level audit findings.
Verify Menu Form Version and Signature
Confirm the menu form in the jacket matches the version active on the deal date. Confirm the customer's signature is on the menu form. An unsigned menu form is typically scored as a state-level violation regardless of the federal layer.
Confirm E-Signature or Wet-Ink Integrity
For e-signed deals, confirm the audit trail artifact (the file containing the signing sequence and timestamp) is retained. For wet-ink deals, confirm the original document is in the jacket — a scan only is insufficient under most state rules.
Log Findings with Severity Tier
Tag each finding as Tier 1 (federal violation — fix immediately), Tier 2 (state violation — fix within 30 days), or Tier 3 (process gap — fix within quarter). Aggregate the findings into a monthly memo for the GM.
Pulling ten random deals against this list takes 60–90 minutes. The audit itself is not the deliverable — the trend across three to six months of audits is. A dealer that runs this monthly will know within one quarter whether compliance exposure is improving, stable, or deteriorating, and will know which specific item is drifting before it compounds into an enforcement finding.
Common F&I Compliance Violations & How to Avoid Them
Five violations account for the majority of CFPB and state AG enforcement actions. Each one is detectable from a deal jacket — which means each one is preventable from a daily routine.
1. Undisclosed Payment Packing
The pattern: an F&I product is presented as a payment reduction or rate concession without showing the customer the actual cost of the product as a separate line item. Enforcement view: UDAP/UDAAP — unfair and deceptive to a consumer who doesn't understand what they bought. Avoidance: every add-on product is shown as a line-item cost on the menu before the customer signs. F&I managers should be coached on the difference between "lowering the payment" and "adding a product that costs X."
2. APR / Payment Schedule Mismatch
The pattern: the printed payment schedule on the TILA disclosure does not match the actual payment the customer is being charged in the loan documents. Often caused by stale rate sheets or by manual adjustment after the disclosure was printed. Avoidance: any change to rate or term between disclosure and consummation requires a new disclosure and a new signature.
3. Stale Rate Sheet
The pattern: the rate sheet in the deal jacket is stamped with an earlier date than the deal date. This is an RPA violation against the lender and frequently a Reg Z violation against the customer. Avoidance: the rate sheet log archives each Friday's sheet automatically; the F&I manager selects the active sheet by deal date, not by memory.
4. OFAC List Not Run
The pattern: the customer's name was never checked against the OFAC SDN list at the time of sale. This is a strict-liability federal violation with no good-faith defense. Avoidance: the OFAC log is integrated with the DMS so a deal cannot close until the OFAC check shows a clean result, with the timestamp retained.
5. Missing or Back-Dated Adverse Action Notice
The pattern: a customer's credit was declined but no written Notice of Adverse Action was sent within 30 days, or the notice was back-dated after the regulator asked for the file. Avoidance: every credit denial in the DMS triggers an automatic adverse-action workflow with a 30-day timer; verbal-only denials are not permitted.
Each of these five patterns is also a pattern that connects directly to the F&I presentation. How a manager presents the menu is not just a performance question — it is also a compliance question, because the most common enforcement vector (payment packing) is created in the same conversation where penetration is won or lost.
Catch compliance drift before it becomes a CFPB issue
DealerPulse gives you daily visibility into the same metrics that compliance audits hit hardest — products per deal, PVR, finance reserve, and deal-jacket integrity — so your monthly review starts with data, not surprises.
Start Free TrialNo credit card required · Get the free ROI white paper instead →