09 Aug

If your first thought when you read this title was, “What’s a compliance binder?”, you need to read this article.

If you already have a compliance binder, this article will serve as a review to make sure that binder contains everything it should. Several federal laws and regulations enacted over the last 10 years require all car dealerships to have written plans outlining their efforts to comply. Failure to do so can lead to severe penalties. Let’s take a look at several of the most important requirements. In this first part of a 3-part series, we’ll look at the USA PATRIOT Act and the Safeguards Rule and the Privacy Rule from the Gramm-Leach-Bliley Act. In the second part, we’ll look at the Red Flags Rule from the Fair and Accurate Credit Transactions Act. The third article in the series will cover the Disposal Rule from the Fair and Accurate Credit Transactions Act, plus a quick review of two other laws you must comply with that don’t require written plans but should still be addressed in your compliance binder.

USA PATRIOT Act

Since October 26, 2002, all “financial institutions” have been required to have a written Customer Identification Program. The Customer Identification Program must include:

  1. Reasonable procedures for identifying any person or business entity seeking to do financial business with the financial institution. The procedures must specify the type of identifying information the institution will require.
  2. Procedures for notifying customers that information and documentation will be required to verify their identity. This notice requirement can generally be satisfied with a sign notifying customers of the steps you are taking to comply with the requirement that their identities be verified.
  3. Written procedures describing how identities will be verified, what documents will be used for this purpose, and when other methods will be used in addition to or in lieu of these documents. The Rule is fairly flexible and the extent of your policies can vary with the size of the dealership; however, it is clear that each dealership is responsible for making reasonable efforts to verify the identity of each customer, and its procedures must enable it to form a reasonable belief that it knows each customer’s true identity.

The Plan must also outline the procedures for the maintenance of records of information used to verify a customer’s name, address and other identifying information. Such records must include the customer’s information, a copy of all documents reviewed, and a summary of the means and results of any measures taken to identify customers, including the resolution of any discrepancies noted in the identifying information that was obtained.

Gramm-Leach-Bliley Act – Safeguards Rule

The Safeguards Rule requires financial institutions to develop a written security plan that describes how the company has prepared for and plans to continue protecting customers’ nonpublic information. The Safeguards Rule also applies to the data of former customers who no longer have a relationship with the financial institution. This rule is intended to do what most businesses should already be doing: protecting their clients’ private information. The Safeguards Rule was designed to force financial institutions to take a closer look at how they manage private data, to analyze the risks that data is exposed to, and to determine what needs to be done to enhance its protection. The Safeguards Rule requires that this process of analyzing weaknesses, developing solutions and continually assessing data security be put into a written plan. As part of its plan, each company must:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each area of the company’s operation and evaluate the effectiveness of the safeguards currently in place;
  • Design and implement a safeguards program and regularly monitor and test it;
  • Select only service providers that can maintain appropriate safeguards, include language in your contracts or service agreements requiring these providers to safeguard such information, and oversee and review their handling of customer information; and
  • Outline plans to regularly evaluate and adjust the program in light of changing circumstances.

The requirements for the written security plan are flexible. The dealership’s privacy policies and information security plan should be developed taking into account the dealership’s size and the complexity of its operations, the nature and scope of its activities, and the sensitivity of the information it collects. Once established, the policies and standards should be monitored continuously. When implementing the Safeguards Rule and designing your dealership’s security plan, three particular areas deserve focus: employee management and training, information systems, and managing system failures.

Gramm-Leach-Bliley Act – The Financial Privacy Rule

Protecting the privacy of consumer information held by “financial institutions” is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. In turn, consumers have the right to limit some – but not all – sharing of their information.

The privacy notice must be a clear, conspicuous, and accurate statement of the company’s privacy practices; it should include what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information. The notice applies to the “nonpublic personal information” the company gathers and discloses about its consumers and customers.

Consumers and customers have the right to opt out of – or say no to – having their information shared with certain third parties. The privacy notice must explain how – and offer a reasonable way – they can do that. For example, providing a toll-free telephone number or a detachable form with a pre-printed address is a reasonable way for consumers or customers to opt out; requiring someone to write a letter as the only way to opt out is not.

This brief article certainly cannot cover every question or detail of these important compliance regulations; it is meant as an overview. To make sure you are fully in compliance, consult an attorney who is well versed in compliance and the automotive industry. NIADA or your state association has resources available, and I heartily recommend the firm of Hudson, Cook, who are experts in the field. Tom Hudson and his fellow attorneys at Hudson, Cook have written an excellent guide called the “F&I Legal Desk Book”. You can order this book and other valuable resource materials at www.counselorlibrary.com.