Auto News this week reported that 39% of dealerships collect customer driver's licenses on salespeople's personal phones, exposing institutions to FTC Safeguards Rule violations. The actual number, based on what we see in the field, is probably closer to 93%.

The article quotes Ken Hill of 700Credit, the panelist who raised the issue at the 2026 NADA Show in February. Our CEO Karl Falk made the same argument on the Auto Hub Show fraud panel last week.

The pattern Auto News named — uncontrolled transport on personal devices — is the back door of fraud. And it is not an auto industry problem alone.

Two doors of fraud

In every regulated industry we work in, fraud rides on one of two surfaces.

The front door is identity. At the deal desk. The loan application. The patient intake form. The brokerage onboarding flow. This door has good vendors: 700Credit, Trust Stamp, Persona, Onfido, IDology, eLEND IDentify, others. If you sell to dealers, banks, or hospitals, you already have something running on this door.

The back door is transport. Customer documents and identification flow into and out of the institution on channels the institution does not own and cannot audit: salesperson personal phones, plain email, scan-to-email from a back-office printer, SMS attachments, third-party file-share links. The FBI logged $2.77 billion in Business Email Compromise losses in 2024 on this exact channel.

Most institutions are watching the front door. The back door is what 39% of dealers admit to and what the rest of the industry quietly accepts.

Why the back door matters more in 2026

Three signals converged this year.

The FTC Safeguards Rule shifted enforcement to channel-level transmission. The regulator no longer accepts policy-level attestations. Institutions are expected to produce evidence of TLS negotiation on customer-information traffic during testing.

The FFIEC AIO booklet, published in June 2021, gave bank examiners the same lens. Asset inventory completeness, encryption-in-transit demonstrability, sender authentication, DLP coverage, and vendor-management documentation are now five examiner patterns in the 2026 exam cycle. None of them name scan-to-email or personal phones. All of them point at the same control failure.

Cyber insurance underwriters added scan-to-email and personal-device exclusions to 2026-2027 renewal questionnaires. Dealers and banks answering "no" are seeing premium adjustments or sub-limit exposures.

The cross-industry pattern

The institutions that closed the back door early were mortgage (forced by CFPB enforcement in the mid-2010s), healthcare (HIPAA), and financial services (GLBA and SOX). Each industry moved through the same four-step pattern:

  1. Insecure transport goes mainstream because it is convenient.
  2. Fraud scales on the convenience.
  3. Regulators force change.
  4. Institutions that fixed the gap before step three look smart. The rest pay fines.

Auto is on step two right now. The Auto News article and the FTC Safeguards Rule enforcement shift are the beginning of step three.

What closes the back door

Secure Digital Transport (SDT), the category Botdoc has built on for nine years, closes the channel without putting documents in a central store. There is no shared file repository, no long-lived link, and no plaintext SMTP. The sender authenticates, the receiver authenticates, the document moves through an encrypted ephemeral session, and the session closes.

That is the architectural difference between a controlled transport channel and a personal-device fraud vector.

If you are a dealer, a bank IT director, a CFO, a BSA officer, or a compliance officer reading this, the question to ask before your next exam or cyber renewal is one sentence: where does customer data actually move between your institution and the other side? If the answer includes "regular email, text, or personal devices," you have a back door problem.

The 39% in the Auto News article is the floor, not the ceiling.

