15 Aug

This is part three of an article on what needs to be in your compliance binder. If you have not read parts one and two, I strongly suggest you do so. Several federal laws and regulations enacted over the last 10 years have required all car dealerships to have written plans outlining their efforts to comply. Failure to do so can lead to some severe penalties. Let’s take a look at several of the most important requirements. In the first part of this 3-part series, we looked at the USA PATRIOT Act and the Safeguards Rule from the Gramm-Leach-Bliley Act. In the second part, we looked at the Red Flags Rule from the Fair and Accurate Credit Transactions Act. This third article in the series will look at the Disposal Rule from the Fair and Accurate Credit Transactions Act, plus a quick review of 2 other laws you must comply with that don’t require written plans but should be addressed in your compliance binder.

Fair and Accurate Credit Transactions Act – Disposal Rule

Automobile dealerships are also subject to the Disposal Rule, required by the Fair and Accurate Credit Transactions Act. The FTC recommends that your dealership’s plans and procedures for properly disposing of customers’ nonpublic information also be included in your written information security plan.

For business compliance with the FACTA rules, the FTC indicates that “reasonable measures are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.”

There is a strong message here that every business should develop its own internal policy regarding proper record keeping and disposal of sensitive information or documents. Included in the policies and procedures that could be covered are the following areas:

1. Certification and Documentation of Destruction

Businesses will need to be able to prove that they have destroyed sensitive documents or information to be FACTA compliant. This requires documentation that would include what was destroyed and when it was destroyed.

2. Written Policies and Procedures for Document and Data Destruction

Businesses should have a written program outlining how to maintain and shred documents or destroy other data. This means that there is a well-defined, step-by-step procedure for various types of data and documents, including procedures for collecting and protecting the documents and data until the time that they are destroyed.

3. Schedules for Data and Document Disposal

Regularly scheduled paper shredding and data disposal are recommended to prevent the liability from storing excess records with personal information. Again, a documented procedure and schedule will show consistency in action and intent. Every business should have retention schedules that mandate when their records need to be securely destroyed.

4. Employee Training

Storage and shredding must be covered in your company handbook. Businesses should have regular training sessions for all employees. It is recommended that an overall attitude be reinforced in training that “if in doubt, shred”.

Fair and Accurate Credit Transactions Act – Risk Based Pricing Notice

The Federal Reserve Board and the Federal Trade Commission have issued rules which generally require a creditor to provide notice to a consumer when the creditor uses a consumer report to grant or extend credit to the consumer on “material terms” that are “materially less favorable” than the most favorable terms available to a substantial proportion of consumers from or through that creditor. The proposed rules apply to creditors that engage in “risk-based pricing” (i.e., the practice of setting or adjusting the price and other terms of credit offered or extended to a particular consumer to reflect the risk of nonpayment by that consumer).

The proposed rules contain a number of exceptions, including the statutory exceptions that apply when a consumer (i) applies for and receives specific material terms and (ii) receives an adverse action notice in connection with the transaction. The agencies also included an exception for creditors that provide applicants with their credit scores. Most auto dealerships have chosen to use this exception and provide credit scores to all customers to comply with this Rule. Most credit reporting agencies make this form available when you pull a credit report.

OFAC

Motor vehicle dealers must comply with the reporting requirements mandated pursuant to the International Emergency Economic Powers Act and Executive Order 13224. The Executive Order prohibits U.S. citizens from “any transaction or dealing” with individuals identified by Executive Order, the Department of the Treasury or the U.S. Secretary of State as posing a significant risk of engaging in terrorist acts or providing support to terror organizations or individuals. The Specially Designated Nationals list provides financial and other institutions with the names of those individuals and organizations which are currently prohibited from engaging in financial transactions.

In order to be compliant with the OFAC regulations, once you have established your customer’s identity as required by USA PATRIOT, you must check their identity against the SDN list. If a positive match comes up, you are required to do additional investigation to confirm whether or not your customer and the entity on the list are truly a match. If they are, or if you have any doubts, you must not complete the transaction and must notify OFAC immediately.

The job of OFAC compliance does not end there, however. You are also required to check all customers with which you maintain an on-going relationship each time the SDN list is updated. The list is not updated on a regular schedule. Sometimes it can be weeks between updates; other times it is days.

This brief article can certainly not cover every question or detail of these important compliance regulations. It is meant to be a brief overview. To make sure you are fully in compliance, consult an attorney who is well versed in compliance and the automotive industry. NIADA or your state association has resources available, and I heartily recommend the firm of Hudson, Cook, who are experts in the field. Tom Hudson and his fellow attorneys at Hudson, Cook have written an excellent guide called “F&I Legal Desk Book”. You can order this book and other valuable resource materials at www.counselorlibrary.com.