We visited a Volkswagen dealership on Saturday. I’ve always loved Audi - a dealer friend of ours once tried to sell us a used Mercedes by saying, “Think of Mercedes as Audi with ONE circle instead of four” - and we wondered what their bigger but more affordable brother was offering. Besides moving the Volkswagen CC VR6 to the top of my Want list, a couple of things came out of that visit:
First, business: the sales rep was professional, personable, and very knowledgeable; the kind of guy you would feel good about buying a car from. Likewise, the dealership was new and clean, and all the employees from the receptionist on up were professional and responsive, even on a busy weekend day.
And yet, the dealership process for securing the customer driver’s license during the test drive was, “make a copy, and leave the copy face up on an otherwise empty desk right next to the showroom floor”. When my husband commented on it, the sales rep moved the copy to a less visible area but it was clear that protecting customer data was not a big priority; I doubt the sales rep had ever heard of the Red Flags Rule. Under the Rule, car dealerships have a responsibility to protect themselves and their customers from “reasonably foreseeable risks of identity theft” and safeguarding customer non-public information is certainly part of that. We’ve said it before: treat customer data like cash. If you wouldn’t leave cash lying around, don’t leave a driver’s license or credit app lying around. The solution can be as simple as having the receptionist or tower guard those documents so long as they lock them up when they leave their desk.
Second: in conversing with the sales rep, he mentioned that business was good; the start of a new model year is usually busy for dealers, but this year he was seeing “a lot of people we don’t usually see” because of the CARS (car allowance rebate system). This started me thinking about “Cash for Clunkers” and its long term impact on domestic auto manufacturers.
US manufacturers have dominated the large car/truck/SUV market for years, whereas non-US manufacturers have dominated the small/fuel-efficient market. Since CARS encourages customers to buy fuel-efficient vehicles, does it essentially encourage existing GM, Ford, and Chrysler customers to become Toyota and Honda customers? I decided to do some research. Stay tuned for Part II.
For the third time, the FTC is delaying enforcement of the Red Flags Rule in order to give businesses time to learn about and become compliant with the Rule. The FTC is also stepping up their outreach and education efforts. Enforcement is slated to begin on Nov 1st, 2009, fully one year after the original deadline.
From the FTC’s press release:
To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.
The release specifically mentions health care providers and a request from Congress, so it seems that the AMA has had more luck lobbying Congress directly than it did going straight to the FTC.
That said, the FTC is correct when they state that their hands are effectively tied on this matter; Congress defined “creditor” almost to the point where it means “every business, non-profit, or any other organization that ever comes in contact with money” (exaggerating a bit), and it is up to Congress to revise it. In mandating that organizations facing very little risk of identity theft follow the Red Flags Rule, they diminish the impact of the Rule and harm organizations like car dealerships, which really are at risk.
UPDATE: The Wall Street Journal has a story on the delay (subscriber article):
Implementation of an identity-theft program entails certain research and training expenses. Failure to comply may subject a company to penalties of up to $3,500 per violation. But Nicholas Economidis, an underwriter for Beazley Group, said that “failure to comply will increase a company’s exposure to negligence claims.” Beazley, based in London, provides companies with identity-theft and data-theft insurance.
An increasingly common, and depressing, form of identity theft facing car dealerships is for a customer to assume the identity of an older relative in order to obtain a vehicle.
For example, say a young college student is named John Doe, and his father is John Doe Sr. Junior’s driver’s license reflects his permanent home address, which is also his father’s address. Junior has bad or no credit history, so he uses his father’s Social Security number on the credit application.
Junior would pass most of the standard Red Flags checks. His appearance would match his photo ID. His name would match the name associated with his father’s SSN on the credit report. The address on his license and credit application would match the address on the credit report, so there would be no “address discrepancy” flag on the credit report.
Even if Junior fully intends to pay for the vehicle himself, using someone else’s social security number turns his questionable scruples into identity theft. Remember, using even one piece of someone else’s identifying information to commit fraud constitutes identity theft.
Also, an automated Red Flags check run through a lender portal, OFAC screening, or bureau portal may not turn up any significant alerts either. (They’re really spider software modules.) If the date of birth is flagged, in most instances the fraudulent applicant would be familiar enough with the “real” Social Security number holder to answer any security questions posed by the software, and F&I would chalk the discrepancy up to either a software glitch or a credit report error.
I have found this compliance misstep often in dealerships that Red Flags Made Easy has consulted with, especially in markets where common Hispanic surnames exist. That is why we advise that F&I or the Desk check that the birth date on the credit report matches the birth date on the driver’s license, and also that the credit report history is consistent with the age and demographic appearance of the applicant. (For example, the customer’s driver’s license lists his birth date as 1985, yet the credit report shows he bought a house in 1990.)
An examination of the complete credit history is crucial to determine where the desking or F&I manager is going to “shop” the deal anyway (especially as lender banks announce changes almost monthly on their paper), so adding this scrutiny to the store’s Red Flags Check List does not really encumber or delay the sales process.
Failure to catch this common misrepresentation can lead to the dealership having to buy the vehicle back from the bank, and/or civil litigation from an unappreciative “Uncle” or similar relation. Either way, it’s a costly mistake that could have been avoided through appropriate compliance.
American Bar Association President Thomas Wells Jr. plans to file suit against the FTC by the end of the week if the FTC does not drop its plan to enforce the Red Flags Rule starting August 1st. The ABA contends that the FTC has no right to regulate the legal profession (and in fact the ABA won a lawsuit to that effect in 2005) and that lawyers should not be subject to the Red Flags Rule:
The ABA’s current beef with the FTC is defining lawyers as creditors.
In June, Wells issued a statement urging the FTC to exclude lawyers from the regulations, known as the “Red Flags Rule,” which require businesses and organizations that act as creditors to establish programs for preventing identity theft.
“The FTC has taken the position that professionals like lawyers, who regularly bill their clients for services after those services are rendered, are creditors under the ECOA,” Wells says.
That is almost identical to the AMA’s main argument - that doctors who bill after services rendered are not creditors - which we covered here. It will be interesting to see how this plays out.
For car dealers, there is no question as to whether they are subject to the Red Flags Rule since they are specifically mentioned in FACTA. There may be another delay in enforcement, though, as the FTC sorts out requests from Congress, which, predictably, is under pressure from lobbyists such as the ABA and AMA.
One of the greatest problems facing any dealership in enforcing and maintaining compliance is employee turnover.
I can think of no other business entities, aside from automotive dealerships, which combine absentee ownership with high employee turnover in both management and line employees.
Add the stress of moving units in a slowed-down market, and a limited attention span for compliance can be damning. Any MBA student is familiar with the term “Bounded Rationality,” which is defined as “cognitive limitations that constrain one’s ability to interpret, process, and act on information.” In short, all business decisions are imperfect, because businesses cannot analyze endlessly and must move forward with imperfect information and limited time and resources. However, bounded rationality must still meet minimal fiduciary and due-diligence standards.
Sadly, in the automotive industry that is often not the case, and a “check-the-box” approach is used. It is not uncommon for a compliance plan to be haphazardly pieced together, usually by an hourly employee with no subject-matter background, and then put on a shelf and forgotten.
However it doesn’t have to be that way.
I recently revisited a store for which RedFlagsMadeEasy had done a turnkey plan within the past six months and was pleased to note that our integrated training had worked. Some key personnel, as well as a number of line employees, had turned over; but because of our comprehensive plan and integrated checklists, human resources had been able to document that terminated employees had been removed from key systems, and that they had not taken any sensitive data (such as credit applications) to their new dealerships. The store had also documented the transfer of some key compliance responsibilities to the new desking managers. In short, proof that compliance can live on despite turnover.
Given the current market challenges, forced closing of stores by the manufacturers, and civil litigation environment, dealer principals can no longer afford a detached overview management style and must work towards both continuity and integrated compliance controls.
I admire them for not wanting to waste so much paper, but maybe recycling isn’t always the answer. A Boulder, CO, Kia dealership that went out of business threw its customer records in recycling bins, resulting in police involvement and possible criminal charges.
This has happened before, resulting in huge fines for the offender. The FTC has numerous resources for protecting and disposing of customer data; learn more here.
Via: datalossdb.org
Texas auto dealerships should be on the lookout for these two men, who have stolen 19 cars worth $750 thousand from three Houston dealers:
Benigno “Benny” Diaz, 49, and Jorge Demichelli, 59, sought employment at the dealerships and used false information to obtain credit and/or property from the dealerships.
We’re familiar with this scam since a similar incident happened to one of our customers before they hired us. The thief was hired as a salesperson at the dealership. His accomplices came to the store and provided data from stolen identities. The “salesman” would fill out the credit app for them, get a blurry photocopy of the stolen ID, and generally run interference for the “customer” so nobody else at the dealership would look too closely at the customer or the ID data. The dealership had no indication anything was amiss until they received notification from the banks that the first payments had not been made. When the dealership started to connect the dots, the “salesman” disappeared.
Adding insult to injury, not only did the dealership lose the inventory, but they paid the thief commissions on the “sales”.
When you create your Red Flags Program, you must take into account any previous experiences your dealership has had with identity theft. Also, if you experience identity theft afterward, you must update the Program to reduce the likelihood of the same incident happening again. For our customer, we recommended that they add a second ID check at closing, where F&I would examine the ID (not a copy) before handing over the keys. We also recommended that they restrict spot deliveries and prohibit remote sales; the customer must show up at the dealership in person to complete the deal.
Finally, in the case of Diaz and Demichelli, the identity data they used was stolen from people in Puerto Rico. Dealerships are obligated by the Address Discrepancy rule to have policies and procedures “to enable them to form a reasonable belief that the consumer report they’ve received relates to the consumer on whom they requested the report”. In other words, when you pull a credit report, if the address the customer provides doesn’t match the address the credit bureau has on record, you should investigate further.
If the thieves gave Houston-area addresses, the credit bureau would have flagged that to the dealership as an address discrepancy, and the dealership should have requested utility bills or other address data to verify the customer’s identity. If the thieves gave the Puerto Rico addresses of their victims, the situation is a bit trickier; there is nothing wrong with selling cars to out-of-state customers, but F&I should have done a double take and investigated a bit further, especially if there were a sudden glut of “customers” from Puerto Rico.
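As an added illustration (not part of the original posts or of any Red Flags Made Easy checklist), here are the manual checks described in the Junior/Senior post and in this one, written as a small Python checklist run over constructed sample applications: the license-vs-report birth date match, the “history inconsistent with age” test, the address discrepancy test, and a count of out-of-area applicants. The field names, the `MIN_TRADELINE_AGE` threshold and the sample people are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

MIN_TRADELINE_AGE = 18  # assumption: an account opened before the applicant turned 18 is implausible

@dataclass
class Application:
    applicant: str
    license_dob: date                 # read from the physical driver's license
    app_address: str                  # address written on the credit application
    report_dob: Optional[date]        # date of birth returned on the credit report (may be absent)
    report_address: str               # address the bureau has on file
    tradelines: List[Tuple[int, str]] = field(default_factory=list)  # (year opened, description)

def _norm(addr: str) -> str:
    return " ".join(addr.lower().replace(".", "").replace(",", "").split())

def _state(addr: str) -> str:
    return addr.replace(",", " ").split()[-2].upper()   # "... Houston TX 77002" -> "TX"

def red_flags(app: Application) -> List[str]:
    """Red Flags raised by one application; an empty list means none of these checks fired."""
    flags = []
    if app.report_dob is None:
        flags.append("dob-missing")                       # F&I must verify manually, not shrug it off
    elif app.report_dob != app.license_dob:
        flags.append("dob-mismatch")                      # Junior applying on Senior's SSN lands here
    for year, desc in app.tradelines:
        age_at_open = year - app.license_dob.year
        if age_at_open < MIN_TRADELINE_AGE:
            flags.append(f"history-inconsistent:{desc}@{year}")  # e.g. born 1985, mortgage in 1990
    if _norm(app.app_address) != _norm(app.report_address):
        flags.append("address-discrepancy")               # bureau's address differs from the application
    return flags

def out_of_area_cluster(apps: List[Application], home_state: str, limit: int) -> List[str]:
    """Applicants whose report address is outside home_state, returned only once more than `limit` appear."""
    out = [a.applicant for a in apps if _state(a.report_address) != home_state.upper()]
    return out if len(out) > limit else []

# Constructed sample applications (not real people).
JUNIOR = Application("John Doe", date(1985, 6, 1), "12 Oak St, Houston, TX 77002",
                     date(1962, 3, 15), "12 Oak St, Houston, TX 77002", [(1990, "mortgage")])
CLEAN = Application("Jane Roe", date(1980, 1, 9), "8 Elm Ave, Houston, TX 77004",
                    date(1980, 1, 9), "8 Elm Ave, Houston, TX 77004", [(2001, "auto loan")])
PR = [Application(f"Applicant {i}", date(1975, 5, i), "45 Calle Sol, San Juan, PR 00901",
                  date(1975, 5, i), "45 Calle Sol, San Juan, PR 00901") for i in range(1, 5)]
```

Each Puerto Rico applicant passes `red_flags` on its own because the victim’s real address matches the bureau’s; only the `out_of_area_cluster` count over the day’s deals surfaces the pattern.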