The new federal regulations that went into effect this year have added to the never-ending compliance requirements that dealerships have to deal with. Fortunately, most dealers have found that the Risk Based Pricing Notice and updated Privacy Notice requirements are pretty easy to handle. Utilizing the Credit Score Disclosure exception to Risk Based Pricing Notices and using the New Model Privacy Notices is relatively simple – just a few more forms to add to the pile. The Red Flags Rule is another story.
Red Flags regulations require a dealership to not only be a good citizen, but to be a cop as well. There’s no two ways about it, if red flags are detected during a credit transaction, certain proactive steps are required that will create extra work and slow down the deal process.
Many dealerships are utilizing automated Red Flags programs to help stay in compliance with the new regulations. These programs, such as those available through DealerTrack, RouteOne and the credit reporting services, are excellent and certainly make it easier to navigate the Red Flags Rule. The challenge begins when potential “red flags” are detected by these systems. Unfortunately, this is not an uncommon occurrence. Fraud or active duty alerts on credit bureaus, address discrepancies, multiple recent inquiries, or multiple new accounts recently opened are just a few of the situations that are considered to be identity theft “red flags”.
During compliance reviews in the last few months, we have been paying particular attention to how dealership employees are handling the new Red Flags requirements. Not surprisingly, we’re finding that in many instances when red flags are detected during a transaction, staff members are struggling with what to do next.
For instance, we’ve found a number of situations where the red flags program has prompted that a “high risk has been detected” and that “out of wallet questions are required”, but the questions have not been asked of the customer. While it can certainly be uncomfortable to ask a customer personal questions or request that they supply additional proof of identity or address, it is important that these steps not be avoided. If an identity theft does occur, and the system-recommended steps were not taken, it’s conceivable that the dealership’s exposure to liability will be increased dramatically. The same holds true in a situation where the dealer’s Red Flags procedures are audited by a regulator. Staff members’ proclamations that they had a ‘gut feeling’ that the customers were who they said they were will not likely be enough to satisfy the investigators. The fact that the employees were prompted to follow a particular procedure and failed to do so would almost certainly make matters much worse.
Training is a mandatory requirement of the FTC’s Red Flags Rule. Employees should be well-trained in all aspects of the company’s Identity Theft Protection Program and features of any automated Red Flags systems, including the proper procedures necessary if Red Flags are detected. The training should explain the spirit of the law as well. It is important that staff members understand that the Red Flags Rule requires employees to be proactive in attempting to prevent identity theft and that any shortcuts taken in the process can create extreme liability to the dealership.
Even the best Red Flags program is not infallible. Chances are that an experienced identity thief will succeed despite a dealership’s best efforts. That’s okay. As long as the company can show that they have performed their due diligence and did not take any shortcuts, their exposure will likely be lessened dramatically.