A Checklist For Implementing The Red Flag Rule

Team VADA eViews
The Digital Newsletter of Your Virginia Automobile Dealers Association
May - June 2008
 
 
  • November 1 implementation deadline is rapidly approaching
  • Red Flag Rule is valuable tool for dealers to protect themselves
  • It is a commonsense exercise, but it is not easy; preparations should be well underway
 
By November 1, 2008, your dealership must comply with the Federal Trade Commission’s rule establishing duties regarding the detection, prevention and mitigation of identity theft, commonly known as the Red Flag Rule. You’ve probably heard the complaints that the Rule is “just another unfunded government mandate”, or “another attempt to create rules dealers can be fined for breaking”, or “another attempt to make life difficult for dealers”. 
 
Sharing those views won’t make compliance with the Rule any easier. And it’s the wrong way to look at the Rule. The Red Flag Rule is, in fact, a valuable tool to enable dealers to protect themselves. It is a formalized method to “know your customer”. You must know your customer for a number of reasons – for example compliance with existing laws about cash reporting and prevention of money laundering and proper attention to legal mandates such as the Fair Credit Reporting Act. A “know your customer” policy is most important, however, from the practical standpoint of protecting the dealer’s assets. 
 
Who suffers the most when a dealership sells a vehicle to an identity thief? Most would answer that it is the person whose identity was stolen. But, is the dealer who sold the car any less a victim? Every indirect finance agreement and indirect lease agreement signed by a dealer makes the dealer a guarantor of the customer’s identity. Even when a vehicle isn’t financed or leased, the delivery of the vehicle is accompanied by some financial instrument from the customer to pay for the vehicle. If the buyer is an identity thief, the finance or lease company will likely return that contract to the dealer and force the dealer to pay it off. Any financial instrument used to pay for the vehicle is likely a forgery or otherwise invalid. When the dealer is not paid for the vehicle, or when it must repurchase the finance or lease instrument and the vehicle is unavailable to be retaken because it is chopped up in another state or country, the dealer winds up eating a loss for $30,000, $40,000 or $50,000. And don’t expect to collect from your insurance company without a major fight because insurance companies are rewriting their policies and revising their claim procedures to restrict or eliminate payments for identity theft.
 
Viewed in this light, the benefits of implementation of the Red Flag Rule are clear. It is an important tool for a dealership to protect itself against loss, and it is protection for sales and F&I people who can avoid spending time selling vehicles to identity thieves for which they will never earn their commissions or for which they will wind up with chargebacks.  
 
Now that the importance of the Red Flag Rule is clear, how do you implement it? Here’s a checklist:
 
  • Is the dealership in compliance with existing information protection regulations?
    It’s nearly seven years since dealerships were required to comply with the FTC Privacy Rule by delivering a “privacy notice” to customers. It’s nearly five years since dealerships had to comply with the FTC’s Information Safeguards Rule. Now that you are preparing to implement the FTC’s Red Flag Rule, it’s time to make sure you’re in compliance with your existing obligations. Is your dealership delivering a privacy notice at the appropriate time? Do those delivering the privacy notice know the rules for doing so? Is your information safeguards policy in place, and are you regularly reviewing and updating it to be sure that your customers’ non-public personal information is protected?

     

  • Appoint someone to coordinate the Red Flag program design, implementation, and maintenance.  
    The Red Flag Rule does not require a Red Flag coordinator. Practicality does. Unless one person is in charge, obligations will not be met as they should. You have an information safeguards coordinator. It’s probably the same person who is responsible for other programs in your dealership, like IRS 8300 reporting and prevention of money laundering. The Red Flag obligations are very similar to obligations under those programs. Does the dealership know that the customer it is dealing with is the person represented? Appoint one person who will coordinate the process to design, implement and maintain the Red Flag program.

     

  • Develop a written program. 
    The Rule requires a written program. You may do your own based on information like this checklist and the Rule itself, you may adapt one from programs that may be issued by a trade association, or you may choose to buy a template program from one of the dozens that will be available this summer. It really doesn’t matter how you choose to comply. However, it does matter that you make whatever program you choose your own. Take a lesson from the FTC’s investigations of dealer compliance with the Information Safeguards Rule. The FTC has spent time in investigations to be sure that dealers who installed canned programs took the time to tailor programs to their own needs. Consequently, whether you develop your own program, use a program furnished by a trade association, or use a form program that you buy, make sure that you do the work to make it fit your dealership. And make sure you document the fact that you did this work.

     

  • Identify indications of identity theft to be included in your program.
    A red flag is a pattern, practice or specific activity that indicates the possibility of identity theft. The job of the person developing a program is to choose the various red flags that should be incorporated into the dealership’s program. The starting point is the list published by the government in the Rule of 26 separate indicators of identity theft, or red flags, in five specific categories. In developing a program for detecting identity theft, you should determine which of those will be part of your program. Be aware of other guidelines that may be issued by governmental agencies. Consider other types of indicators of which you may become aware either through the experience of other car dealers or your own experiences and include them where appropriate. 

     

  • The Program should explain how to detect the indicators of identity theft.
    Once you have identified the red flags your program will include, employees must understand how to detect those indicators of identity theft. Remember, the goal of the program is for the dealership to know its customer. If there are indications that the person with whom the dealership is dealing may not be the person represented based on the existence of one or more indicators, or red flags, the dealership should take further action to be sure that it is protecting its interests by satisfying itself that it is dealing with the correct customer.

     

  • The Program should explain how to respond to red flags.
    If dealership employees have concerns because of one or more indicators of potential identity theft, what should their response be? Quite clearly, common sense should take over and employees should do more to ensure that they’re not dealing with an identity thief. The first step is to engage the customer to get more information that explains any discrepancy, such as a utility bill to explain a difference in address. If dealership personnel are still concerned that they might be dealing with an identity thief, then the obvious response is to slow down the deal and get sufficient information to make a reasoned decision whether to do the deal at all. If the deal is done and the dealership later learns that it dealt with an identity thief, then it must ask itself whether it should contact the correct person. And should it notify law enforcement? And should it contact the assignee of the finance contract to stop collection efforts?   The program must detail methods to prevent and mitigate identity theft.

     

  • The board of directors of the company is responsible for development and oversight of the program.
    The Red Flag Rule has a requirement that has not been a part of previous FTC regulations having to do with protection of customer information. It specifically requires that the development, implementation and oversight of the Program must be overseen by the board of directors of the dealership. That means the board of directors must review and approve the development of the program. If there is a large board of directors an appropriate committee of the board can do that. If there is no board of directors then a designated senior manager should perform these functions. Whoever is responsible, however, there must be action to oversee and approve the program and oversee and approve continuing compliance. 

     

  • The dealership must train employees to comply with the program. 
    Once the program is developed and approved, the real work begins. Dealership employees must be trained to implement the Program. This will be the toughest hill to climb in implementation of a Red Flag program. A dealer must recognize that the Red Flag Program will require employees to understand that they must do business differently. Because of the stakes for dealers, the Rule requires important changes. Experienced dealership managers understand the challenge of implementing changes on the sales floor and in the F&I office. People are accustomed to doing things in set ways. They have dedicated their careers to learning how to do their jobs using established procedures.   Don’t expect the training for implementation of these changes to be easy. However, it is the most important element of the program. The program has no value unless employees are trained to implement it appropriately. 

     

  • Develop a policy for updating the program. 
    The Rule requires that program updates be implemented in two circumstances. First, there must be a regularly scheduled review and update at least annually, and the results of that review and update must be reported to the board of directors (or person in charge in lieu of the board) for its action. Second, the program must be flexible to incorporate new identifiers of identity theft or to respond to problems identified in the program. Whether you learn of a new method of defrauding dealerships from others, or you learn it from your own experience, or you simply learn that something in your program isn’t working well, steps must be taken to update it and plug any holes. 

     

  • The program must ensure that service providers use reasonable policies and procedures to detect, prevent and mitigate the risk of identity theft. 
    Agreements with service providers should contain policies to require them to detect relevant red flags under the appropriate circumstances and to either report the red flags to the dealership or take appropriate steps to prevent or mitigate identity theft. 
 
 
The most important thing to understand about implementation of the Red Flag Rule is that it is a common sense exercise. However, a dealer cannot pretend that it will be easy. The Red Flag Rule is different from the Information Safeguards Rule. The Information Safeguards Rule is a “Thou Shalt Not” obligation: “thou shalt not leave deal folders lying around”, or “thou shalt not leave file drawers unlocked.” In contrast, the Red Flag Rule requires dealership employees to affirmatively exercise judgment and discretion to know the customer in every transaction.
 
Do not fall victim to the scare mongers who will be sending you emails, or mail ads, or even visiting your dealership. Don’t listen to those who tell you that if the dealership is victimized by an identity thief you are subject to FTC penalties of up to $11,000 per day. In fact, falling victim to an identity thief is not a violation of the rule. The rule envisions the fact that there will always be cunning thieves who will find their way through any program. The rule accounts for that by imposing an update requirement so that the dealership’s program can be changed in the event it learns of a new way to defeat its efforts. 
 
The compliance obligation of a dealer is to follow the Rule issued by the FTC. Failure to implement and maintain a program according to the FTC Rule is the violation, not an instance of identity theft. Compliance with the Rule is important to the dealership’s customers and to the protection of the dealership and its employees. 
 
 