Prevent and Mitigate Identity Theft

After several delays, the Red Flags Rule has finally come into effect and dealerships are being held responsible for having the compliance piece in place. January 1, 2011 was the implementation date.

During the delays several groups successfully argued to Congress for exemption from the rule, most notably physicians, CPAs and attorneys. Auto dealerships, however, have not been exempt and can now be held responsible.

A key requirement of the Red Flags Rule is that the compliance program must be tailored to the entity’s size, complexity and nature of its operations. If you have delayed compliance, or feel uncertainty about how complete your compliance approach is, please contact Red Flags Made Easy for information on how we can help.

For more information, send a request for a phone consultation to sales@redflagsmadeeasy.com

Failure to properly monitor adverse action letters, and privacy notice records (especially on dead-on-arrival deals), is one of the biggest area of compliance improvement needed at most dealerships I visit. As part of an identity-theft-prevention-program, insuring proper signature of a privacy notice and credit application is vital, as is control of the adverse action letters.

Ask the dealer principal or GM about this, and invariably their stock answer is that it’s being taken care of. However when pressed for honesty, the finance director and desking manager usually paint a different picture. Internet sales departments, in particular, are prone to compliance mismanagement in this area.

In this FTC link, a subsidiary of Equifax settled with the FTC for $350,000 on charges that it failed to provide adequate disclosures.

Under the Fair Credit Reporting Act, the company allegedly failed to provide, “ ‘Notice to Users of Consumer Reports: Obligations of Users Under the FCRA,’ which notifies users of consumer reports of their statutory obligations, including notifying individuals if the user takes adverse action against them based on their consumer report,” as well as other related disclosures.

One scam I’ve seen involves grifters with incredibly bad scores going around to dealerships filling out apps knowing in advance that the special finance department can’t help them. Their app is a dead deal (or DOA), and a disgusted desking manager throws the signed privacy notice into a cardboard box. The frustrated sales person may likewise do something foolish with the deal jacket.

The grifter then returns in about six to eight months and claims he never authorized the dealership to pull his or her credit report. Since it was a dead deal, the dealership may or may not be able to find the signed privacy notice or application or a Xerox copy of the driver’s license- thereby being unable to provide evidence that the grifter had indeed been at the store and authorized the pull; and the store management is left with the open question as to what the grifter wants and what it will take to get rid of him or her.

The Red Flags Rule specifies that your Red Flags Program must be updated in response to changes in risk of identity theft, or in response to an actual occurrence of identity theft.  Employee turnover in the retail automobile industry is very high, and partly because of that, many dealers have experienced identity theft that was committed or facilitated by an employee.  (We’ve blogged about both high turnover and employee fraud previously).

A reasonable response to that risk might be to conduct background checks on potential employees.  But be careful.  From the FTC:

Two companies that fired workers and rejected job applicants based on background checks without informing them of their rights under the Fair Credit Reporting Act (FCRA) have agreed to settle Federal Trade Commission charges that they violated federal law. The settlements require the defendants to pay $77,000 in civil penalties…

According to the FTC’s two complaints, both defendants contracted with a CRA to conduct background checks including criminal record reviews for employees and job applicants, and made hiring and firing decisions based on those background checks. The companies allegedly failed to provide the employees and applicants with pre-adverse action notices and adverse action notices as required by the FCRA.

If you are considering doing background checks on your employees or applicants, be sure to check out the FTC’s guide, “Using Consumer Reports: What Employers Need to Know”.

An increasingly common, and depressing, form of identity theft facing car dealerships is for a customer to assume the identity of an older relative in order to obtain a vehicle.

For example, say a young college student is named John Doe, and his father is John Doe Sr. Junior’s driver’s license reflects his permanent home address, which is also his father’s address. Junior has bad or no credit history, so he uses his father’s social security on the credit application.

Junior would pass most of the standard Red Flags checks. His appearance would match his photo ID. His name would match the name associated with his father’s SSN on the credit report. The address on his license and credit application would match the address on the credit report, so there would be no “address discrepancy” flag on the credit report.

Even if Junior fully intends to pay for the vehicle himself, using someone else’s social security number turns his questionable scruples into identity theft. Remember, using even one piece of someone else’s identifying information to commit fraud constitutes identity theft.

Also, an automated Red Flags check in a lender-portal, OFAC, or bureau-portal may not turn up any significant alerts either. (They’re really spider software modules.) If the date of birth is flagged, in most instances the fraudulent applicant would be familiar enough with the “real” social security person to answer any security questions posed by the software; and F&I would jot the discrepancy down to either a software glitch or credit report error.

I have found this compliance misstep often in dealerships that Red Flags Made Easy has consulted with, especially in markets where common Hispanic surnames exist. That is why we advise that F&I or the Desk check that the birth date on the credit report matches the birth date on the driver’s license, and also that the credit report history is consistent with the age and demographic appearance of the applicant. (For example, the customer’s drivers license lists his birth date as 1985, yet the credit report shows he bought a house in 1990.)

An examination of the complete credit history is crucial to determine where the desking or F&I manager is going to “shop” the deal anyway (especially as lender banks announce changes almost monthly on their paper), so adding this scrutiny to the store’s Red Flags Check List does not really encumber or delay the sales process.

Failure to catch this common misrepresentation can lead the dealership having to buy the vehicle back from the bank, and or civil litigation from an unappreciative “Uncle” or similar relation. Either way, it’s a costly mistake that could have been avoided through appropriate compliance.