Compliance Program Solutions for Auto Dealers

Red Flags Program

4 Jan

After several delays, the Red Flags Rule finally came into effect on January 1, 2011, and dealerships are now being held responsible for having their compliance program in place.

During the delays several groups successfully argued to Congress for exemption from the rule, most notably physicians, CPAs and attorneys. Auto dealerships, however, have not been exempt and can now be held responsible.

A key requirement of the Red Flags Rule is that the compliance program must be tailored to the entity’s size, complexity and nature of its operations. If you have delayed compliance, or feel uncertainty about how complete your compliance approach is, please contact Red Flags Made Easy for information on how we can help.

For more information, send a request for a phone consultation to sales@redflagsmadeeasy.com

Category : Identity Theft Incidents and Methods | Implementation | Prevent and Mitigate Identity Theft | Red Flags Program | Red Flags Rule | Regulations | Training | business resources | Blog
11 Sep

Failure to properly monitor adverse action letters and privacy notice records (especially on dead-on-arrival deals) is one of the biggest areas of compliance improvement needed at most dealerships I visit. As part of an identity theft prevention program, ensuring that the privacy notice and credit application are properly signed is vital, as is control of the adverse action letters.

Ask the dealer principal or GM about this, and invariably the stock answer is that it’s being taken care of. However, when pressed for honesty, the finance director and desking manager usually paint a different picture. Internet sales departments, in particular, are prone to compliance mismanagement in this area.

In one FTC action, a subsidiary of Equifax settled with the FTC for $350,000 on charges that it failed to provide adequate disclosures.

Under the Fair Credit Reporting Act, the company allegedly failed to provide, “ ‘Notice to Users of Consumer Reports: Obligations of Users Under the FCRA,’ which notifies users of consumer reports of their statutory obligations, including notifying individuals if the user takes adverse action against them based on their consumer report,” as well as other related disclosures.

One scam I’ve seen involves grifters with incredibly bad scores going from dealership to dealership filling out applications, knowing in advance that the special finance department can’t help them. Their application is a dead deal (or DOA), and a disgusted desking manager throws the signed privacy notice into a cardboard box. The frustrated salesperson may likewise do something foolish with the deal jacket.

The grifter then returns in about six to eight months and claims he or she never authorized the dealership to pull a credit report. Since it was a dead deal, the dealership may or may not be able to find the signed privacy notice, the application, or a photocopy of the driver’s license, and so may be unable to prove that the grifter had indeed been at the store and authorized the pull. Store management is then left with the open question of what the grifter wants and what it will take to get rid of him or her.

Category : Federal | Identity Theft Incidents and Methods | Implementation | Industries | Prevent and Mitigate Identity Theft | Red Flags Program | Training | Blog
18 Aug

The Red Flags Rule specifies that your Red Flags Program must be updated in response to changes in risk of identity theft, or in response to an actual occurrence of identity theft.  Employee turnover in the retail automobile industry is very high, and partly because of that, many dealers have experienced identity theft that was committed or facilitated by an employee.  (We’ve blogged about both high turnover and employee fraud previously).

A reasonable response to that risk might be to conduct background checks on potential employees.  But be careful.  From the FTC:

Two companies that fired workers and rejected job applicants based on background checks without informing them of their rights under the Fair Credit Reporting Act (FCRA) have agreed to settle Federal Trade Commission charges that they violated federal law. The settlements require the defendants to pay $77,000 in civil penalties…

According to the FTC’s two complaints, both defendants contracted with a CRA to conduct background checks including criminal record reviews for employees and job applicants, and made hiring and firing decisions based on those background checks. The companies allegedly failed to provide the employees and applicants with pre-adverse action notices and adverse action notices as required by the FCRA.

If you are considering doing background checks on your employees or applicants, be sure to check out the FTC’s guide, “Using Consumer Reports: What Employers Need to Know”.

Category : Prevent and Mitigate Identity Theft | Red Flags Program | Uncategorized | Blog
28 Jul

An increasingly common, and depressing, form of identity theft facing car dealerships is for a customer to assume the identity of an older relative in order to obtain a vehicle.

For example, say a young college student is named John Doe, and his father is John Doe Sr. Junior’s driver’s license reflects his permanent home address, which is also his father’s address. Junior has bad or no credit history, so he uses his father’s Social Security number on the credit application.

Junior would pass most of the standard Red Flags checks. His appearance would match his photo ID. His name would match the name associated with his father’s SSN on the credit report. The address on his license and credit application would match the address on the credit report, so there would be no “address discrepancy” flag on the credit report.

Even if Junior fully intends to pay for the vehicle himself, using someone else’s social security number turns his questionable scruples into identity theft. Remember, using even one piece of someone else’s identifying information to commit fraud constitutes identity theft.

Also, an automated Red Flags check in a lender portal, OFAC screen, or bureau portal may not turn up any significant alerts either; these are essentially automated screening scripts. If the date of birth is flagged, in most instances the fraudulent applicant would be familiar enough with the real holder of the Social Security number to answer any security questions posed by the software, and F&I would chalk the discrepancy up to either a software glitch or a credit report error.

I have found this compliance misstep often in dealerships that Red Flags Made Easy has consulted with, especially in markets where shared family surnames are common. That is why we advise that F&I or the Desk check that the birth date on the credit report matches the birth date on the driver’s license, and also that the credit report history is consistent with the age and demographic appearance of the applicant. (For example, the customer’s driver’s license lists a birth year of 1985, yet the credit report shows he bought a house in 1990.)

An examination of the complete credit history is crucial to determine where the desking or F&I manager is going to “shop” the deal anyway (especially as lender banks announce changes almost monthly on their paper), so adding this scrutiny to the store’s Red Flags Check List does not really encumber or delay the sales process.

Failure to catch this common misrepresentation can lead to the dealership having to buy the vehicle back from the bank, and/or civil litigation from an unappreciative “Uncle” or similar relation. Either way, it’s a costly mistake that could have been avoided through appropriate compliance.

Category : Identity Theft Incidents and Methods | Implementation | Prevent and Mitigate Identity Theft | Red Flags Program | Red Flags Rule | Training | Blog
21 Jul

One of the greatest problems facing any dealership in enforcing and maintaining compliance is employee turnover.

I can think of no other business entities, aside from automotive dealerships, which combine absentee ownership with high employee turnover in both management and line employees.

Add the stress of moving units in a slowed-down market, and a limited attention span for compliance can be damning. Any MBA student is familiar with the term “bounded rationality,” defined as “cognitive limitations that constrain one’s ability to interpret, process, and act on information.” In short, all business decisions are imperfect: businesses cannot analyze endlessly, and must move forward with imperfect information under time and resource constraints. However, bounded rationality must still meet minimum fiduciary and due-diligence standards.

Sadly, in the automotive industry that is often not the case, and a “check-the-box” approach is used instead. It is not uncommon for a compliance plan to be haphazardly pieced together, usually by an hourly employee with no subject-matter expertise, and then put on a shelf and forgotten.

However it doesn’t have to be that way.

I recently revisited a store for which RedFlagsMadeEasy had done a turnkey plan within the past six months and was pleased to note that our integrated training had worked. Some key personnel, as well as a number of line employees had turned over; but because of our comprehensive plan and integrated checklists, human resources had been able to document that terminated employees had been removed from key systems, and that they had not taken any sensitive data (such as credit applications) to their new dealerships. The store had also documented the transfer of some key compliance responsibilities to the new desking managers. In short, proof that compliance can live on despite turnover.

Given the current market challenges, forced closing of stores by the manufacturers, and civil litigation environment, dealer principals can no longer afford a detached overview management style and must work towards both continuity and integrated compliance controls.

Category : Identity Theft Incidents and Methods | Prevent and Mitigate Identity Theft | Red Flags Program | Training | Uncategorized | business resources | Blog
20 May

Texas auto dealerships should be on the lookout for these two men, who have stolen 19 cars worth $750,000 from three Houston dealers:

Benigno “Benny” Diaz, 49, and Jorge Demichelli, 59, sought employment at the dealerships and used false information to obtain credit and/or property from the dealerships.

We’re familiar with this scam since a similar incident happened to one of our customers before they hired us.  The thief was hired as a salesperson at the dealership.  His accomplices came to the store and provided data from stolen identities.  The “salesman” would fill out the credit app for them, get a blurry photocopy of the stolen ID, and generally run interference for the “customer” so nobody else at the dealership would look too closely at the customer or the ID data.  The dealership had no indication anything was amiss until they received notification from the banks that the first payments had not been made.  When the dealership started to connect the dots, the “salesman” disappeared.

Adding insult to injury, not only did the dealership lose the inventory, but they paid the thief commissions on the “sales”.

When you create your Red Flags Program, you must take into account any previous experiences your dealership has had with identity theft.  Also, if you experience identity theft afterward, you must update the Program to reduce the likelihood of the same incident happening again.   For our customer, we recommended that they add a second ID check at closing, where F&I would examine the ID (not a copy) before handing over the keys.  We also recommended that they restrict spot deliveries and prohibit remote sales; the customer must show up at the dealership in person to complete the deal.

Finally, in the case of Diaz and Demichelli, the identity data they used was stolen from people in Puerto Rico.  Dealerships are obligated by the Address Discrepancy rule to have policies and procedures “to enable them to form a reasonable belief that the consumer report they’ve received relates to the consumer on whom they requested the report”.  In other words, when you pull a credit report, if the address the customer provides doesn’t match the address the credit bureau has on record, you should investigate further.

If the thieves gave Houston area addresses, the credit bureau would have flagged that to the dealership as an address discrepancy and the dealership should have requested  utility bills or other address data to verify the customer’s identity.  If the thieves gave the Puerto Rico addresses of their victims, the situation is a bit trickier; there is nothing wrong with selling cars to out of state customers, however F&I should have done a double take and investigated a bit further, especially if there were a sudden glut of “customers” from Puerto Rico.
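The consistency checks described here and in the July 28 post above (the birth date on the driver’s license against the bureau’s date of birth, the age of the oldest tradeline against the applicant’s age, and the applicant’s address against the address the bureau has on file) can be written down as a small rule set that the Desk or F&I could run before a deal is shopped. The Python below is an added example written for this page; it is not code from Red Flags Made Easy, a lender portal, or any credit bureau. The record layouts, the 18-year “adult” threshold, and the three sample applications are assumptions constructed for illustration.

```python
"""Added example (not from the original post): identity-consistency checks for a
dealership credit application. Record layouts, thresholds and sample data below are
assumptions constructed for illustration, not any bureau's or lender's format."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

ADULT_AGE = 18  # assumption: a tradeline opened before the applicant turned 18 is suspicious


@dataclass
class Application:
    name: str
    dob: date          # as written on the credit application
    address: str       # as written on the credit application


@dataclass
class DriversLicense:
    name: str
    dob: date
    address: str


@dataclass
class CreditReport:
    name: str
    dob: Optional[date]              # bureaus do not always return a full DOB
    address: str                     # address the bureau has on file
    tradeline_open_dates: List[date]
    address_discrepancy: bool        # bureau-supplied notice under the Address Discrepancy rule


def normalize(text: str) -> str:
    """Comparison key for names/addresses: lowercase, drop punctuation, collapse spaces."""
    kept = "".join(ch for ch in text.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def age_on(dob: date, day: date) -> int:
    """Whole years between dob and day (negative if day precedes dob)."""
    return day.year - dob.year - ((day.month, day.day) < (dob.month, dob.day))


def red_flags(app: Application, lic: DriversLicense, rpt: CreditReport) -> List[str]:
    """Return human-readable red flags; an empty list means every check passed."""
    flags: List[str] = []
    if normalize(app.name) != normalize(lic.name):
        flags.append("name on application does not match driver's license")
    if app.dob != lic.dob:
        flags.append("DOB on application does not match driver's license")
    # The "Junior uses Senior's SSN" case: name and address match, but the DOB the
    # bureau associates with that SSN belongs to the relative.
    if rpt.dob is not None and rpt.dob != lic.dob:
        flags.append("DOB on credit report does not match driver's license")
    # Age consistency: credit history that predates adulthood belongs to someone else.
    if rpt.tradeline_open_dates:
        earliest = min(rpt.tradeline_open_dates)
        age = age_on(lic.dob, earliest)
        if age < ADULT_AGE:
            flags.append(f"tradeline opened {earliest.isoformat()} when applicant would have been {age}")
    # Address Discrepancy rule: either the bureau flagged it or our own comparison fails.
    if rpt.address_discrepancy or normalize(app.address) != normalize(rpt.address):
        flags.append("address on application does not match credit report")
    return flags


# --- Constructed sample deals (not real people) ---------------------------------
HOUSTON = "123 Main St., Houston, TX 77001"

# Junior applies with his father's SSN: name and address match, DOB and history do not.
JUNIOR_APP = Application("John Doe", date(1985, 4, 12), HOUSTON)
JUNIOR_LIC = DriversLicense("John Doe", date(1985, 4, 12), HOUSTON)
JUNIOR_RPT = CreditReport("John Doe", date(1958, 6, 30), "123 MAIN ST HOUSTON TX 77001",
                          [date(1990, 3, 1), date(2004, 7, 15)], address_discrepancy=False)

# Stolen identity from out of the area: everything matches except the address on file.
STOLEN_APP = Application("Maria Rivera", date(1975, 9, 2), HOUSTON)
STOLEN_LIC = DriversLicense("Maria Rivera", date(1975, 9, 2), HOUSTON)
STOLEN_RPT = CreditReport("Maria Rivera", date(1975, 9, 2), "45 Calle Sol, San Juan, PR 00901",
                          [date(2001, 5, 20)], address_discrepancy=True)

# Legitimate applicant; only formatting differs between the application and the bureau.
CLEAN_APP = Application("Ana Smith", date(1980, 1, 15), HOUSTON)
CLEAN_LIC = DriversLicense("Ana Smith", date(1980, 1, 15), HOUSTON)
CLEAN_RPT = CreditReport("ANA SMITH", date(1980, 1, 15), "123 MAIN ST HOUSTON TX 77001",
                         [date(2005, 8, 1)], address_discrepancy=False)


if __name__ == "__main__":
    for label, deal in [("junior", (JUNIOR_APP, JUNIOR_LIC, JUNIOR_RPT)),
                        ("stolen", (STOLEN_APP, STOLEN_LIC, STOLEN_RPT)),
                        ("clean", (CLEAN_APP, CLEAN_LIC, CLEAN_RPT))]:
        print(label, red_flags(*deal) or "no red flags")
```

The age check is the one that catches the “Junior” deal even when the bureau returns no date of birth at all: a mortgage opened when the license says the applicant was four years old cannot be his. Any flag returned should go on the store’s Red Flags checklist for the Desk or F&I to clear with original documents (not copies) before the deal is shopped.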

Category : Identity Theft Incidents and Methods | Red Flags Program | Red Flags Rule | Uncategorized | Blog
11 May

As promised when they announced that enforcement would be delayed until August 1st, the FTC has released a Red Flags Program template for low risk businesses.  It is a fairly simple template that does not negate any of the requirements of the Red Flags Rule such as implementing and updating the Program.  Of interest are the questions that the FTC asks to help you determine whether your business is low risk or not:

  1. Do you know your clients personally?
  2. Do you usually provide service at your customers’ homes?
  3. Have you ever experienced an incidence of identity theft?
  4. Are you in a business where identity theft is common?

Unfortunately, car dealerships are not at low risk of identity theft; in 2008, fraudulent identity data was used to establish about 3700 automobile loans or leases.

The template is a good starting point but is not terribly specific (“describe how you’ll update your program”), which is understandable for a template intended for use in any type of business. Having a Red Flags Program is only half the battle: you have to get it approved, conduct training, implement the program, and keep it up to date. If you run an auto dealership, the Red Flags Identity Theft Prevention Program Toolkit is a faster, more complete solution for you.

Category : Red Flags Program | Red Flags Rule | Blog
1 May

This is the second time the Federal Trade Commission has delayed enforcement of the Red Flags Rule. Enforcement was originally scheduled to start on November 1, 2008, but was delayed until the following May 1 when the FTC realized that very few businesses knew about the rule. See the FTC’s press release.

Category : Red Flags Program | Red Flags Rule | Regulations | Uncategorized | Blog
24 Apr

The FTC responded to the American Medical Association’s stance that the Red Flags Rule should not apply to physicians and related health care providers. That’s right: your trusty GP must have an Identity Theft Prevention Program. In the FTC’s letter to the AMA, the FTC acknowledges that, yes, doctors take a confidentiality oath, and yes, there’s HIPAA, but neither covers the “respond to and mitigate identity theft” provision of the Red Flags Rule. In other words, they focus on two scenarios:

  • The doc suffers a data breach and patient data is exposed when it shouldn’t be.
  • A thief uses someone else’s data to fool the doc, thus potentially exposing a real person to the perils of false entries in their medical records or false insurance billing.

To address these scenarios, the FTC suggests that for smaller doctors’ offices, which are presumably low risk, checking a driver’s license and deciding in advance what to do if notified of identity theft involving the office would be sufficient.

Category : Health care | Red Flags Program | Red Flags Rule | Uncategorized | Blog
17 Mar

BancInfoSecurity.com summarizes a study from the Fraud Management Institute. The article focuses on the cost of mailing address change confirmations (estimated at $300 million):

During the current financial crisis, it is critical for institutions to streamline and reduce costs and boost fraud prevention efforts, yet the survey shows that many are still doing address confirmation manually and spending much more time on ID Theft Red Flags Rule compliance than originally predicted by regulators.

FMI is absolutely correct about the regulators’ disconnect on the time needed to comply with the Red Flags Rule. From the text of the Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (i.e., the Red Flags Rule):

The Agencies estimate the annual burden per respondent is 41 hours (25 hours to develop a Program, four hours to prepare an annual report, four hours for training, four hours for developing policies and procedures to assess the validity of changes of address, and four hours for developing policies and procedures to respond to notices of address discrepancy).

No way. You can judge for yourself by reading the Red Flags Rule on the FTC’s web site, all 59 single-spaced pages of it. Further, the estimate does not include actual implementation time: the time it takes to do the checks, keep abreast of methods of identity theft, update the program accordingly, and so on.

And the training time estimate is ludicrous. It takes longer than four hours for a single competent trainer to prepare for a class. In a typical business, if I want to get funding for a project, I have to submit an analysis that includes time multiplied by labor cost. If I have a hundred employees who each need four hours of training, the burden is four hundred hours, not four. If I am an auto dealership, the cost of having my sales force off the floor for half a day is certainly significant.

Category : Red Flags Program | Red Flags Rule | Uncategorized | Blog

About Us

RedFlagsMadeEasy.com is brought to you by PegaFrog, Inc., consultants to the retail automotive industry.


Contact Us

Red Flags Made Easy

512 - 773 - 7419

sales@redflagsmadeeasy.com