
13 Aug

This is part two of an article on what needs to be in your compliance binder. If you have not read part one, I strongly suggest you do so. Several federal laws and regulations enacted over the last 10 years require all car dealerships to have written plans outlining their efforts to comply, and failure to do so can lead to severe penalties. Let's take a look at several of the most important requirements. In the first part of this series, we looked at the USA PATRIOT Act and the Safeguards Rule from the Gramm-Leach-Bliley Act. In this second part, we'll look at the Red Flags Rule from the Fair and Accurate Credit Transactions Act. The third article in the series will look at the Disposal Rule from the Fair and Accurate Credit Transactions Act, plus a quick review of two other laws you must comply with that don't require written plans but should still be addressed in your compliance binder.

Fair and Accurate Credit Transactions Act – Red Flags Rule

The Rule is designed to help organizations recognize "red flags" of identity theft that may arise during the indirect lending process. Toward this end, it requires dealerships and financial institutions alike to establish formal identity theft detection and response programs within their respective businesses.

An Identity Theft Program must meet several requirements: it must be written; the dealership must adopt policies stating how it responds to red flags; the program must be updated on an ongoing and appropriate basis; responsibility for the program must be assigned to a designated person; and the dealership must oversee its service provider arrangements.

There are four parts that must be included in your Red Flags compliance plan:

Part 1: LIST YOUR RED FLAGS

Each organization that is subject to the regulation must IDENTIFY the relevant patterns, practices and specific forms of activity that are "red flags" signaling possible identity theft, and incorporate those red flags into its program.

Each organization is responsible for coming up with its own list of Red Flags, and the list should be as exhaustive as possible. Unfortunately, the regulation does not provide a "Top Ten Red Flags" or "Red Flags Most Commonly Found" list, so you need to include every situation you can think of.

Part 2: DETECT RED FLAGS

Now that you have a complete list of the Red Flags that signal identity theft as it pertains to your organization, you must describe how you will detect each Red Flag in every circumstance where it may occur. This should include policies and procedures on how you:

  • Obtain identifying information and verify identity
  • Authenticate transactions for existing customers
  • Monitor the transactions (activity) of customers
  • Verify the validity of change-of-address requests, among other things

Part 3: PREVENT AND MITIGATE IDENTITY THEFT WITH AN APPROPRIATE RESPONSE

The regulation states that a Red Flag Program should provide for appropriate responses to the Red Flags detected, commensurate with the degree of risk posed. The original draft of the legislation references, in this section, an assessment of risk to both the customer and to the financial institution or creditor. This is a human assessment that must take place each time a Red Flag is detected in order to gauge the response. You must consider not only the type of Red Flag but also its timing relative to other "aggravating factors" that may increase the risk of identity theft. The regulation provides two examples of aggravating factors: (1) the institution has experienced a security breach that resulted in unauthorized access to, or loss of, customers' personal data, or (2) you become aware that a customer has provided information related to a covered account to someone who is fraudulently claiming to represent the financial institution or creditor, or to a cloned website. There are surely other aggravating factors, such as the customer reporting to you that they have seen other evidence of fraud or abuse of their identifying information.

The regulation states that appropriate responses may include the following:

(a) Monitoring a covered account for evidence of identity theft;

(b) Contacting the customer;

(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;

(d) Reopening a covered account with a new number;

(e) Not opening a new covered account;

(f) Closing an existing covered account;

(g) Not attempting to collect on a covered account, or not selling a covered account to a debt collector;

(h) Notifying law enforcement; or

(i) Determining that no response is warranted under the particular circumstances.

In practical application, when you find a Red Flag and cannot establish a reasonable basis for taking no response, you must notify the customer. All other responses depend on this first step.

Part 4: UPDATING THE PROGRAM

The final rules include a fourth element to make sure that the Program keeps pace as criminals get more creative. The regulation requires that a financial institution or creditor have in place "policies and procedures to ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft." Several key words in this requirement elaborate on its intent.

First, the terms "policies" and "procedures" mean that you need a documented method for monitoring, assessing, and adopting additional measures to detect, prevent and mitigate new ways of committing identity theft as they are discovered.

Second, the term "ensure" emphasizes that this requirement must not be treated lightly. Key criteria that should be included in your program are:

  1. Where you will obtain your identity theft trend data,
  2. Who will be designated to track and record this information, and
  3. What process you will use to assess new measures and adopt them into your program.

Third, the term "periodically" may be interpreted as meaning more than once a year; otherwise, the Committee would have used the word "annually."

This brief article certainly cannot cover every question or detail of these important compliance regulations; it is meant only as an overview. To make sure you are fully in compliance, consult an attorney who is well versed in compliance and the automotive industry. NIADA or your state association has resources available, and I heartily recommend the firm of Hudson Cook, who are experts in the field. Tom Hudson and his fellow attorneys at Hudson Cook have written an excellent guide called "F&I Legal Desk Book". You can order this book and other valuable resource materials at www.counselorlibrary.com.