Every F&I department in the country passes an annual outside compliance audit. Most of them fail it.

The failure isn't because dealers don't know the rules — it's because they treat compliance as a once-a-year event instead of a daily practice. By the time the third-party reviewer pulls the jacket files, the patterns that produced the violation have usually been running for 12 or 18 months. The data was visible the whole time. Nobody was watching it.

This checklist gives you the six areas every dealership F&I operation must cover, the internal audit cadence that catches drift before it becomes a consent order, and the specific recordkeeping and disclosure details that enforcement actions most often target.

Audit-ready F&I starts with daily metric discipline

DealerPulse produces a daily compliance audit trail alongside your F&I performance numbers — so when the next review drops, you already have the data organized. Free to start.

Start Free Trial

No credit card required · Get the free ROI white paper instead →

Why F&I Compliance Should Be a Daily Concern, Not an Annual One

CFPB enforcement actions against auto dealers have accelerated over the last five years. The pattern in nearly every consent order is depressingly similar: a dealer group operated for one to three years with a systemic compliance failure that produced detectable signatures in deal jackets, only nobody sampled the jackets frequently enough to catch it. By the time the regulator pulled the files, the harm was already done — to consumers, to the dealer's reputation, and to the balance sheet in the form of remediation cost plus a civil money penalty.

The most common enforcement vector is UDAP/UDAAP — Unfair, Deceptive, or Abusive Acts or Practices. The CFPB doesn't need a specific regulation violation to act on UDAP grounds; they only need to show that the practice was unfair, deceptive, or abusive to a consumer. Payment packing, undisclosed add-on products, and APR/payment mismatches all fit this category. The same patterns that hurt your customers on the finance office side are also the patterns that create regulatory exposure on the compliance side.

The fix is not to wait for the annual review. The fix is to embed compliance into the same daily routine your F&I team already runs for performance. If you're using daily F&I tracking for products per deal and PVR, the same daily habit can surface the OFAC miss, the stale rate sheet, or the missing adverse action notice — before it multiplies across a quarter. Compliance and performance are the same job, viewed from two different angles.

$3.6B+
Approximate civil money penalties and restitution paid by U.S. auto dealers in CFPB and state AG actions over the last 5 years
~62%
Estimated share of dealerships that fail an internal compliance audit on first pass when the audit pulls random deal jackets from the prior quarter

Those numbers are illustrative — actual case-by-case enforcement varies — but the directional pattern is consistent across the industry. The cost of doing compliance wrong is large enough that the cost of doing it right, daily, is almost always a rounding error in comparison.

"Annual audits catch what already happened. Daily compliance rhythm is what stops the pattern from forming in the first place."

The 6-Part F&I Compliance Checklist

The checklist below is what every F&I operation should be running every month, broken into the six areas that drive the majority of enforcement risk. Treat it as the floor — your state, your lender relationships, and your product administrators will add detail on top.

1. CFPB Federal Disclosures

The four federal regulations that drive the most F&I enforcement exposure:

Above the F&I floor, dealers also handle Gramm-Leach-Bliley Act privacy notices annually and FTC Safeguards Rule information security requirements for customer nonpublic personal information.

2. State Product-Rating & Filing Rules

State rules differ materially by state — and dealer groups operating in 10+ rooftops must track each state separately. The four heaviest states to monitor:

Beyond those four, every state has its own product-rating rules for service contracts and GAP. The administrator is typically filed state-by-state, and the refund calculation method — pro-rata versus actual-earned-premium — varies by state and by product. A dealer operating in Pennsylvania and Ohio on the same GAP administrator may be operating under two materially different compliance regimes, and the F&I manager cannot rely on the menu form being identical for both.

3. Identity, OFAC, and Red Flags

Three categories of identity-related compliance that must be checked on every deal:

4. Document Handling & Recordkeeping

The retention and version-control rules that surround the deal jacket:

5. Lender Relationships & Rate Disclosures

The compliance touchpoints between the F&I office and the lenders it routes to:

6. Internal Audit Cadence

The three-layer cadence that converts the checklist above from a policy document into an operating practice:

Internal Audit Walkthrough: Pull 10 Random Deals from Last Quarter

The monthly self-audit is the most important of the three — it is the layer that catches drift closest to real time. A dealer group GM who runs the monthly audit on the second business day of each month, against the prior month's jackets, will surface patterns within 30 days of forming. Here is what the monthly audit pulling 10 random deals should verify, in order:

Deal 1

Verify Reg Z Initial Disclosure Timing

The TILA disclosure must be provided within 3 business days of application and before consummation of the credit transaction. Check the application date, the disclosure date stamp, and the deal date. Any deal where the disclosure post-dates consummation is a Reg Z violation.

Deal 2

Verify Signed TILA Disclosure Present

The customer must sign the final TILA disclosure. An unsigned disclosure is unenforceable AND a regulatory violation — Reg Z requires both delivery and acknowledgment.

Deal 3

Confirm OFAC Run for Each Customer on the Deal

Every named customer on the deal — buyer, co-buyer, signer — must appear on the OFAC log with a clean result, timestamped within the deal date window. If the log is missing a name, that's a strict-liability violation.

Deal 4

Check Rate Sheet Date vs. Deal Date

The rate sheet in the deal jacket must be the rate sheet effective on the deal date. A stale or undated rate sheet is an RPA violation and frequently a Reg Z violation. Compare the rate-sheet date stamp to the deal date.

Deal 5

Verify Adverse Action Process (If Applicable)

For deals that involved an application that was declined at any lender, confirm that a written Notice of Adverse Action was sent within 30 calendar days, with the specific Reason Codes listed. Verbal-only denials are a frequent enforcement finding.

Deal 6

Audit Add-On Product Disclosures

Confirm every add-on product sold was disclosed with its cost as a separate line item. Payment packing — where a product is "rolled in" to a payment schedule without separate disclosure — is the #1 UDAP enforcement vector.

Deal 7

Spot-Check State-Specific Disclosures

For deals in TX, CA, FL, or NY, confirm the state-specific disclosure form is present, properly completed, and signed. Failure to use the correct state form is among the most common state-level audit findings.

Deal 8

Verify Menu Form Version and Signature

Confirm the menu form in the jacket matches the version active on the deal date. Confirm the customer's signature is on the menu form. An unsigned menu form is typically scored as a state-level violation regardless of the federal layer.

Deal 9

Confirm E-Signature or Wet-Ink Integrity

For e-signed deals, confirm the audit trail artifact (the file containing the signing sequence and timestamp) is retained. For wet-ink deals, confirm the original document is in the jacket — a scan only is insufficient under most state rules.

Deal 10

Log Findings with Severity Tier

Tag each finding as Tier 1 (federal violation — fix immediately), Tier 2 (state violation — fix within 30 days), or Tier 3 (process gap — fix within quarter). Aggregate the findings into a monthly memo for the GM.

Pulling ten random deals against this list takes 60–90 minutes. The audit itself is not the deliverable — the trend across three to six months of audits is. A dealer that runs this monthly will know within one quarter whether compliance exposure is improving, stable, or deteriorating, and will know which specific item is drifting before it compounds into an enforcement finding.

Common F&I Compliance Violations & How to Avoid Them

Five violations account for the majority of CFPB and state AG enforcement actions. Each one is detectable from a deal jacket — which means each one is preventable from a daily routine.

1. Undisclosed Payment Packing

The pattern: an F&I product is presented as a payment reduction or rate concession without showing the customer the actual cost of the product as a separate line item. Enforcement view: UDAP/UDAAP — unfair and deceptive to a consumer who doesn't understand what they bought. Avoidance: every add-on product is shown as a line-item cost on the menu before the customer signs. F&I managers should be coached on the difference between "lowering the payment" and "adding a product that costs X."

2. APR / Payment Schedule Mismatch

The pattern: the printed payment schedule on the TILA disclosure does not match the actual payment the customer is being charged in the loan documents. Often caused by stale rate sheets or by manual adjustment after the disclosure was printed. Avoidance: any change to rate or term between disclosure and consummation requires a new disclosure and a new signature.

3. Stale Rate Sheet

The pattern: the rate sheet in the deal jacket is stamped with an earlier date than the deal date. This is an RPA violation against the lender and frequently a Reg Z violation against the customer. Avoidance: the rate sheet log archives each Friday's sheet automatically; the F&I manager selects the active sheet by deal date, not by memory.

4. OFAC List Not Run

The pattern: the customer's name was never checked against the OFAC SDN list at the time of sale. This is a strict-liability federal violation with no good-faith defense. Avoidance: the OFAC log is integrated with the DMS so a deal cannot close until the OFAC check shows a clean result, with the timestamp retained.

5. Missing or Back-Dated Adverse Action Notice

The pattern: a customer's credit was declined but no written Notice of Adverse Action was sent within 30 days, or the notice was back-dated after the regulator asked for the file. Avoidance: every credit denial in the DMS triggers an automatic adverse-action workflow with a 30-day timer; verbal-only denials are not permitted.

Each of these five patterns is also a pattern that connects directly to the F&I presentation. How a manager presents the menu is not just a performance question — it is also a compliance question, because the most common enforcement vector (payment packing) is created in the same conversation where penetration is won or lost.

Catch compliance drift before it becomes a CFPB issue

DealerPulse gives you daily visibility into the same metrics that compliance audits hit hardest — products per deal, PVR, finance reserve, and deal-jacket integrity — so your monthly review starts with data, not surprises.

Start Free Trial

No credit card required · Get the free ROI white paper instead →

Related Resources

Track F&I performance daily (not monthly) F&I products per deal benchmarks for 2026 F&I menu selling techniques The 15-minute F&I morning routine
Download the F&I ROI White Paper →