The Rise of ‘Finders’: Is Your Lead Provider a Financial Institution?

The Rise of ‘Finders’

The FTC has expanded the definition of “Financial Institution” to include “finders.” If your business model involves connecting consumers with lenders or dealers for a fee, you are now legally required to have a full FTC Safeguards program. And if you are a dealer buying leads from these companies, you have new obligations of your own.

The Regulatory Basis

The 2021 amendments to the FTC Safeguards Rule, published in the Federal Register on December 9, 2021, added “finders” to the list of covered entities under 16 CFR 314.2(h). The definition draws from 12 CFR 225.86(d)(1), which describes a financial activity as “acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.”

The original compliance deadline for the amended rule was December 9, 2022. The FTC extended this to June 9, 2023, due to supply chain and staffing challenges. That deadline has long passed. Compliance is mandatory now.

Who Is a ‘Finder’?

The FTC’s definition is deliberately broad. A “finder” is any entity that identifies potential parties to a transaction, makes introductions, provides referral services, or facilitates the exchange of information between buyers and sellers of financial products or services.

In practical terms, this covers:

  • Lead generation companies that collect consumer credit applications and sell them to dealers or lenders
  • Auto loan comparison websites where consumers shop rates across multiple lenders
  • Digital marketing agencies that operate credit application forms on behalf of dealers
  • Referral networks that match consumers with dealerships based on financing needs
  • Aggregator platforms that pull consumer data and distribute it to multiple financial institutions

The FTC specifically noted that finders “often maintain extremely sensitive consumer financial information,” which is precisely why they were brought under the rule.

An Important Limitation

The rule applies to finders that have an “ongoing relationship” with consumers. It does not apply to finders that have only isolated, one-time interactions and do not receive customer information from other financial institutions. That said, most lead generation models involve repeated data collection and ongoing consumer engagement, which places them squarely within scope.

Why This Matters for Dealers

If you buy leads from these “finders,” you are now buying from a fellow financial institution. Under the vendor oversight requirements of 16 CFR 314.4(f), you must:

1. Select capable providers (314.4(f)(1)): Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information.

2. Require safeguards by contract (314.4(f)(2)): Your agreements with lead providers must explicitly require them to implement and maintain safeguards that protect the customer data they handle.

3. Periodically assess them (314.4(f)(3)): You must conduct ongoing assessments of your lead providers based on the risk they present and the continued adequacy of their safeguards.

If your lead provider gets hacked and they were not compliant, the FTC will look at your vendor management process to see why you were doing business with them. The days of “buying data and asking no questions” are over.

What Dealers Should Require from Lead Providers

Every lead provider contract should include, at minimum:

  • Written confirmation that they maintain an Information Security Program compliant with 16 CFR Part 314
  • The name of their Qualified Individual responsible for their security program
  • Evidence of safeguards: SOC 2 Type II reports, penetration test summaries, or equivalent documentation
  • Data handling terms: How consumer PII is stored, encrypted, transmitted, and disposed of
  • Breach notification obligations: A contractual requirement to notify you promptly if a security event affects data they collected on your behalf
  • Right to audit: Language permitting you or a third party to verify their compliance

If a lead provider cannot produce this documentation, that is your answer. You are taking on unquantified regulatory risk every time you accept a lead from a non-compliant source.

The Enforcement Landscape

The FTC has made clear through its guidance and enforcement posture that vendor oversight is not optional. Civil penalties under the FTC Act can reach up to $50,120 per violation (adjusted for inflation), and each day of non-compliance can constitute a separate violation. The FTC also requires financial institutions to notify the Commission within 30 days of discovering a breach affecting 500 or more consumers’ unencrypted data.

For dealers, the calculus is simple: the cost of vetting your lead providers is a fraction of the cost of explaining to the FTC why you did not.

Scott Sailors (https://www.hiredhackers.com)
Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM, and CRISC certifications and Master's and Bachelor's degrees in Cybersecurity, with expertise bridging technical teams and senior management to communicate complex security challenges in actionable terms.
