Compliance Blog

Streamline the vehicle sales, F&I and purchase process while navigating Federal and State Laws and Regulatory Mandates.

January 2006

When Dealers Go Bad: How One Dealer's Compliance Failures Led to a Bitter Fall

January 01, 2006

by Randy Henrick

Compliance mavens often use scare stories to convince auto dealers that the legal risks of shady F&I practices don’t justify taking the chance for a quick buck. Sometimes you wonder if it could happen to you. Yes it can. The following is a true account of what happened last year to a multi-state, multi-store dealer whose principal, Daniel A. Nelson, was a very prominent member of his community and a close personal friend of South Dakota U.S. Senator John Thune.

The Dan Nelson Automotive Group operated 6 stores in Iowa and South Dakota and also owned a captive finance company that provided most of its financing to subprime consumers. They did approximately $80 million a year in sales, had obtained corporate and inventory financing in the amount of $28 million from MetaBank, a South Dakota-based thrift, and spent millions of dollars a year on “infomercials” and other advertising. This was no “mom and pop” operation.

After an extensive investigation in 2004, the Iowa Attorney General filed a consumer fraud lawsuit against the dealership group in January 2005, alleging a large number of predatory lending and deceptive sales practices. The complaint reads like a laundry list of ways to not comply with multiple auto-industry laws and regulations.

Among the charges were that the Dan Nelson Automotive Group used misleading advertising to entice consumers to their lots. Once there, credit-challenged consumers were pressured to pay inflated prices for vehicles in poor condition. No vehicle prices were disclosed until after the sales people reviewed a consumer’s credit. Both the vehicle prices and the amounts financed were well in excess of the value of the vehicles. The finance terms were at high APRs (generally 24.95%) and for terms long beyond the useful life of the cars, thereby all but guaranteeing negative equity. The Attorney General also claimed that Nelson ran what amounted to an illegal credit repair organization by promoting a “credit reestablishment program” promising consumers that they could increase their credit scores and trade up to a newer vehicle in 12-18 months if they made all their payments.

Other allegations included the sale of misleading warranties that were not honored; churning vehicles by repossessing cars sold with large deferred down payments that caused first payment defaults before the vehicles were even titled in the consumers’ names; and engaging in abusive and illegal collection practices. The Attorney General didn’t allege only consumer fraud. The complaint charged the Dan Nelson Automotive Group with repeatedly falsifying down payments, overstating customers’ income, and hiding the financing of negative equity on credit applications submitted to third-party lenders. MetaBank would later charge that the dealer group sold numerous vehicles out of trust and misrepresented financials to exceed its contractual lending limits.

The fallout from the Attorney General’s suit was quick and devastating to the dealership. Sales dried up almost overnight. Complaints and lawsuits started coming out of the woodwork and the Dan Nelson Automotive Group began to incur large legal fees and bad publicity. One of the stores in Iowa was sued for discriminating in both sales and credit practices against Native Americans.

The Dan Nelson Automotive Group never even got its day in court. In April, Dan Nelson closed a store in Iowa and closed a second store, also in Iowa, two months later. By June, the Dan Nelson Automotive Group was unable to meet payroll and filed for Chapter 11 bankruptcy protection on June 20, 2005. Its filing listed $6.4 million in assets and $30 million in liabilities. MetaBank was not impressed. On July 8, it got the bankruptcy case dismissed and the dealership agreed to turn over all its assets to the bank for liquidation.

MetaBank was left holding the bag when it agreed to settle the Iowa Attorney General’s case by giving credits to consumers and was forced to literally auction off most of the dealer lots in foreclosure sales. The situation reached a point in July where MetaBank was asking the public to make donations at its branches to help pay the dealership’s employees their unpaid wages.

Shortly after filing the bankruptcy petition, Daniel A. Nelson sold his 75% interest in the Dan Nelson Automotive Group to his partner for $50. That’s right, $50. It is unclear to what extent Mr. Nelson’s home and personal assets are at risk to satisfy creditors and the unpaid employees. However, Mr. Nelson did personally guarantee at least some of the financing provided to the dealership by MetaBank and he was forced to give MetaBank a mortgage on his home as well.

Mr. Nelson’s transition from owning a 75% interest in an $80 million a year auto business to $50 in six months, along with his personal assets being seriously at risk to satisfy his unpaid employees and creditors, should be a real-life lesson for all auto dealers. Don’t put the business that you have worked years to build at risk of a similar fate. Take compliance seriously, put a comprehensive compliance plan in place, and act quickly to address failures and deficiencies. Don’t be the next Dan Nelson.

Originally published January, 2006


thecomplianceguide.com is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the general nature of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations and circumstances.

Posted in Credit Apps/Contracts

Ah-Ha! Moments: Why Full Compliance May Require a Culture Change

January 01, 2006

by Gil Van Over

You would normally think that a 50 percent increase is a good thing. I always thought so, at least until my wife dragged me, kicking and screaming, to the doctor's office. My blood pressure had increased 50 percent year over year, both the bottom and top numbers. I guess that's a sign of too many good steaks and butter-laden baked potatoes.

I suppose that my $750 annual membership to Gator's Fitness Center, which ended up costing me $250 per visit, hasn't helped either. I think my passion for Grande Carmel Macchiatos and 48-ounce Dr. Peppers has caught up with me. What an Ah-Ha! moment. Your doctor tells you that you're a walking stroke! And it's not like I didn't know better. High blood pressure swims in the family gene pool. I hear a story about high blood pressure every sweeps month from the local talking heads. The corrective actions are widely published.

So now, I'm taking medicine that sends me to the urinal like a racehorse. I'm back on a reasonable diet.

I've started to cycle and run and stair-step again. My blood pressure is back under control. Both my doctor and life insurance agent are happy. My situation reminds me of what dealers face every day from a compliance perspective. You are under constant, unrelenting attack and scrutiny. Monthly reports from Denver, LA, Florida, Texas, New York, Virginia and all points in between show that the media is hungry to run pieces about you, and they don't let the facts get in the way of ratings.

Regulators receive complaints about dealers on a daily basis. Some come from consumers, some from lending institutions. Warrants, affidavits and search warrants often follow. This year, 40,000 lawsuits have reportedly been filed against dealers.

Yet, many dealers do not implement a compliance program until...Ah-Ha!...it happens to them!

An Ah-Ha! moment helps to accelerate a culture change within an organization. But how can you encourage a culture change within your organization if you and your team have not experienced an Ah-Ha! moment? Change requires a process. Change is a process. This process includes expectation, education and execution.

Expectation

Employees want the boss to tell them what the boss expects them to do. Most employees don't like to play the guessing game of trying to figure out what the boss wants. The employees practically scream,

"Tell me what you want me to do!"

So tell them. Not just verbally, because that takes a lot of effort on your part. If you have 500 employees, and it takes an hour to tell each one what you expect...you do the math. Tell them by publishing an employee guide and a policy and procedure manual. The employee guide should contain the standard human resources materials such as dress code, company computer usage and time card reporting. All employees should receive one as soon as they join your company.

The policy and procedure manual must be specific to an employee's job. The F&I Manager should have one, the Sales Manager should have one and each sales associate should have one. This manual outlines the specific objectives and operating processes for the position.

These manuals help to communicate your expectations and provide the basis for decision-making while you are gone for the afternoon at a manufacturer's meeting.

A final point on expectations: Make sure that each employee signs an acknowledgement affirming that he or she has read the manual and agrees to abide by the policies set forth.

Education

It's one thing to tell an employee what your expectations are, it's quite another thing altogether to expect that each employee instantly understands how to transfer that expectation into a daily job routine.

For example, you can tell an employee to comply with all state and federal laws as they pertain to that employee's job. Huh? What does that mean?

F&I Managers, for example, must comply with the Truth in Lending Act, the Consumer Leasing Act, the Equal Credit Opportunity Act, the Fair and Accurate Credit Transactions Act, federal and state deceptive trade practices acts, etc. ad nauseam.

You have an obligation to not only tell your employees what you want them to do, but also to provide training on how they should do it properly.

Execution

Your process change is not complete. You've told your employees what you expect, and provided training on how to do it. Now you have to ensure that the employees are executing your expectations properly.

Many employees who have been involved in process change tend to take a jaundiced view of change.

They will say: "This is just the trend-du-jour. It'll go away." Unfortunately, they speak from the fountain of experience.

Too many times, dealers put big initiatives into place. You make a huge splash of this new initiative, complete with kick-off meetings and big glossy posters. You may even make a commitment to it. And you might order a round of employee training to support it.

But too often these initiatives fall apart after a few months because no one follows up. No one inspects the execution of the process change. No one makes sure that the employees are doing things the new way.

Once you put a compliance program in place, make sure that you have someone periodically inspecting the output of the new processes to ensure your compliance initiative does not become another program-du-jour.

Chances are, if you are reading this, you already have a compliance program. I hope you do, and not because you had an Ah-Ha! moment.

Do the industry a favor: Encourage your fellow dealers to launch their own compliance programs and avoid any Ah-Ha! moments.

Gil Van Over is the president of gvo3 & Associates (www.gvo3consulting.com). He assists dealers in developing and implementing litigation defense strategies for F&I offices.

Originally published January, 2006, Dealer Magazine

© 2006-2008 gvo3 & Associates. All Rights Reserved.


Posted in Dealer Litigation

Data Security Incident Response Plans: A Necessary Part of Your Safeguards Data Security Program

January 04, 2006

by Randy Henrick

2006 was another record year for data security breaches. By the middle of December, the Identity Theft Resource Center had tracked 306 incidents involving access to personal information on over 45 million people at companies, universities, and government agencies. 158 such incidents were tracked in all of 2005.

There is a good possibility that your dealership may suffer a breach of security in which the personal information of your customers is wrongfully accessed or used. This could come from an external hacker, but it is more likely to come from someone close at hand: a disgruntled employee, a salesman who leaves your dealership for a competitor and takes customer information, a vendor or service provider, or an identity thief who simply walks through your showroom on a busy Saturday using a cell phone camera to take photos of deal files, credit apps, and other information lying around in plain sight.

It is important, and in fact required by the Federal Trade Commission, that your Safeguards Information Security Program include a security incident response plan containing procedures to follow if your customer information is compromised. But what should such a response plan consist of? Let's look at a few of the elements you should consider in developing such a plan.

An incident response plan should designate a team of dealership employees who will be in charge of executing the plan if an incident, or the possibility of an incident, comes to your attention. The team should be led by your Safeguards Compliance Officer. Depending upon the type of security breach (database hack, theft or copying of paper files, interception of documents in transit), it is possible you will need specialized outside resources such as a forensics expert who can reconstruct an electronic database to determine the point of access and the degree of compromise. An attorney knowledgeable in privacy and data security can help you through the maze of federal and state laws and regulations that may apply. Identify both your internal team members and outside experts who you may need to call on depending upon the situation. Be ready to mobilize your team and outside resources quickly.

A good initial step in developing a response plan is to understand your data practices and define what constitutes an incident. If you do not know what information is in your system, where it is located, and who has the ability to access it, you are asking for trouble. Defining what constitutes an incident will sharpen your focus and identify what kinds of events would trigger use of the response plan. It will also make it easier to design specific incident-handling procedures for each identified threat.
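The inventory step above is the one most dealerships skip because nobody knows where the deal files actually ended up. The script below is an added example, not code from the article or from any dealer management system: it walks a file share looking for SSN- and payment-card-shaped strings, validates the candidates (the Social Security Administration's area/group/serial rules, the Luhn check for card numbers) so that invoice numbers and test values are not reported, and records who owns each hit and whether the file is readable by everyone. The directory layout, file names and contents are constructed for the example.

```python
"""Find where customer PII lives on a file share (added example, not the article's code).

Walks a directory tree, looks for SSN- and payment-card-shaped strings in text
files, validates candidates (SSN area/group/serial rules, Luhn check on card
numbers) to cut false positives, and records the file owner and whether the
file is readable by everyone. The sample files below are constructed.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class Finding:
    path: str
    kind: str            # "ssn" or "card"
    masked: str          # last four digits only; never log the full value
    owner_uid: int
    world_readable: bool


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked) pairs for each validated SSN or card number in text."""
    hits = []
    for line in text.splitlines():
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                hits.append(("ssn", "***-**-" + m.group(3)))
        # Blank out SSNs before the card search so a neighbouring SSN cannot be
        # glued onto a card candidate by the separator-tolerant CARD_RE.
        line = SSN_RE.sub("#", line)
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_tree(root: str) -> list[Finding]:
    """Scan every regular file under root and report validated PII hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for kind, masked in find_pii(text):
                findings.append(Finding(path, kind, masked, st.st_uid,
                                        bool(st.st_mode & stat.S_IROTH)))
    return findings


def build_sample_tree() -> str:
    """Create a constructed dealership file share in a temp directory."""
    root = tempfile.mkdtemp(prefix="dealer-share-")
    samples = {
        "deals/2006-03-smith.txt":
            "Buyer: J. Smith\nSSN 123-45-6789\nCard 4111 1111 1111 1111\n",
        # neither line should be reported: invalid SSN area, Luhn failure
        "deals/notes.txt":
            "Ticket 000-12-3456 pending\nTest card 4111111111111112\n",
        "hr/handbook.txt": "Dress code: business casual.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "deals", "2006-03-smith.txt"), 0o644)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "WORLD-READABLE" if f.world_readable else "restricted"
        print(f"{f.kind:4} {f.masked:>20}  uid={f.owner_uid}  {flag}  {f.path}")
```

Point it at the real share (`scan_tree("/srv/deals")`, path assumed) and the output becomes the first draft of the inventory the article asks for: what is there, where it is, and who can read it. The report deliberately carries only the last four digits so the inventory itself does not become another file full of customer data.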

The minimum requirements for an incident response plan can be classified into two general categories: reaction and notification. Reaction procedures are the initial actions you take once a compromise is identified. These are the things you have to do right away. Notification procedures involve communicating the details of the incident to critical parties, and may involve some regulatory reporting requirements as well. This is a broader group of entities than you might think. Neither the reaction nor the notification activities are best improvised after a breach happens. That's why you need the incident response plan to be carefully laid out first.

Reaction Procedures

The first step in any data security incident response plan is to identify the source of harm and stop the bleeding. This may mean shutting down compromised IT systems or servers, forcing password changes for authorized users, locking down file rooms and cabinets, limiting and logging user access, and closing other points of vulnerability. Security practitioners use the term "zero-day exploit" for an attack on a vulnerability for which no patch yet exists, often before the vendor even knows of it, so some threats simply cannot be stopped in advance. Your incident response plan should have procedures for examining systems and protocols (including non-electronic processes) to assess the situation and attempt to identify and quantify the customer information that has been compromised. A good IT professional can help you deal with likely threats and give you a series of preliminary procedures to follow if information is compromised, but you should also identify a forensics expert who can preserve an image of the affected systems and their logs before that evidence is overwritten and pin down the compromise more precisely. Resist the urge to wipe and rebuild a compromised server before that copy is taken; a rebuilt system can no longer tell you what was taken or how. If the incident involves wrongful access to paper files, you should have a procedure laid out to secure the point of compromise and attempt to identify customers whose files were involved.

Once you have identified or isolated the source of the information compromise, your response team must take prompt steps to shut it down. If that means shutting down access to a server until a patch or procedure is installed, so be it.

Preventive Measures That Can Help Your Response Practices

A good practice in the virtual world is to have an intrusion detection system installed on your network or database. Many of these can be easily incorporated into your network firewall. Limit user permissions to what each job legitimately needs, and make sure to disable user accounts (not just retrieve a password) the day an employee leaves your dealership. It is also a good practice to keep access logs for both your electronic and paper files. An access log can help you pinpoint possible internal as well as external sources that may have performed the compromising activity. An access log can also help you monitor unusual activity as part of your everyday Safeguards compliance activity, but only if someone actually reviews it; a log nobody reads is evidence for the forensics expert, not a safeguard.
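What "monitoring unusual activity" looks like in practice is a routine review of those access logs for a handful of signals. The script below is an added example, not code from the article or from any dealer management system. It assumes a simple log line format of its own (timestamp, user, action, record, source address), a set of business hours and a bulk-access threshold, all of which are assumptions for the example; the log lines are constructed. It flags three of the things the article warns about: use of an account that should have been disabled when the employee left, activity outside business hours, and one user pulling an unusual number of customer records in a day.

```python
"""Review access logs for departed accounts, after-hours use and bulk pulls
(added example, not the article's code; log format and thresholds are assumed).

Line format assumed for the example:
    <ISO timestamp> user=<id> action=<view|export> record=<id> src=<ip>
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)

BUSINESS_HOURS = range(7, 21)   # 07:00-20:59 local; assumed for a dealership
BULK_THRESHOLD = 25             # distinct records per user per day; assumed


def parse(lines: list[str]) -> list[dict]:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review(lines: list[str], disabled_users: set[str]) -> list[tuple[str, str, str]]:
    """Return (alert_type, user, detail) tuples for the three signals."""
    alerts = []
    records_by_user_day: dict[tuple[str, str], set[str]] = defaultdict(set)
    after_hours: Counter = Counter()

    for e in parse(lines):
        key = (e["user"], e["ts"].date().isoformat())
        # 1. Any use of an account that HR says should be gone is an alert on its own.
        if e["user"] in disabled_users:
            alerts.append(("disabled-account", e["user"], e["ts"].isoformat()))
        # 2. After-hours use is summarised per user per day to keep the noise down.
        if e["ts"].hour not in BUSINESS_HOURS:
            after_hours[key] += 1
        # 3. Count distinct records, not events, so re-opening one deal is not "bulk".
        records_by_user_day[key].add(e["record"])

    for (user, day), n in sorted(after_hours.items()):
        alerts.append(("after-hours", user, f"{day}: {n} events"))
    for (user, day), recs in sorted(records_by_user_day.items()):
        if len(recs) >= BULK_THRESHOLD:
            alerts.append(("bulk-access", user, f"{day}: {len(recs)} distinct records"))
    return alerts


def sample_log() -> list[str]:
    """Constructed lines: a normal user, a terminated account, and a bulk puller."""
    lines = [
        f"2006-11-18T09:{10 + i:02d}:00 user=mlee action=view record=deal-{4400 + i} src=10.1.4.22"
        for i in range(3)
    ]
    lines.append("2006-11-18T10:05:41 user=tgarcia action=view record=deal-4410 src=10.1.4.31")
    lines += [
        f"2006-11-18T22:{i:02d}:15 user=rkim action=export record=deal-{5000 + i} src=10.1.4.40"
        for i in range(30)
    ]
    lines.append("this line is not in the expected format and is skipped")
    return lines


if __name__ == "__main__":
    # tgarcia is on the constructed list of employees who have left.
    for alert in review(sample_log(), {"tgarcia"}):
        print(" | ".join(alert))
```

The list of disabled users is the link between this review and the HR process: if the termination list and the account list are ever out of step, the first signal fires and tells you which one is wrong. Thresholds should be tuned to the store's actual volume before the output is trusted.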

Another good practice is to limit employee use of the Internet. Many third-party websites serve malware to visitors. One technique that has been used in industrial espionage is "spear phishing." In this scheme, a series of executives are sent an official-looking email promoting a business opportunity that is carefully worded to tie in with the recipients' departmental goals so as to seem legitimate and enticing. However, clicking on the Web link installs malware that copies and delivers to the intruder everything on the user's PC hard drive (including possible trade secrets) and also leaves behind a backdoor with a keylogger that records keystrokes when the user visits a financial or other critical website. Much of this malware can be detected and quarantined by good anti-virus software. Much of it can't. So you have to put limits on websites that your employees can access. Employee Web surfing is where many information compromises have their start.

Another concern is employee email. If an employee sends sensitive company or customer information to a personal Web-based email address (even for a valid purpose such as wanting to work at night or on a weekend), you run a security risk with respect to the data. A personal webmail account (Gmail, Yahoo Mail and the like) sits outside your control: you cannot enforce your access controls, logging, retention, or malware protection on it, and the copy of the data it holds survives the employee's departure. The employee's home PC may also be infected with malware that compromises the data. If an employee wants to work from home, set up a VPN (Virtual Private Network) into your dealership network so the data stays on systems you control and the connection is encrypted.

Using intrusion detection software, limiting user permissions, implementing access logs, and restricting Internet use and Web-based email can not only make a security breach less likely, but can provide you a better starting point to pinpoint where the intrusion arose. Having fewer touch points for data in your system, and knowing who accessed what information and when, can be very helpful when you are in the process of trying to execute the reaction portion of your data intrusion plan.

Notification Procedures

In the event of a security breach compromising customer information, there are a series of people you may need to inform. Compile a current list of these persons for quick reference in the event of a security incident. Among others, affiliated dealerships and parent companies, law enforcement officials, insurance companies, service providers, and financial institution partners should be on the list. So should your attorney who can evaluate whether the information compromise requires notices to affected consumers under applicable law. A comprehensive list of persons to notify can be an invaluable resource and a great time-saver in responding to an incident.

In addition, 36 states now have laws requiring you to give notices to affected consumers if their personal information is compromised. Many of these laws have risk thresholds (such as a likelihood of identity theft) before the notice obligation is triggered. Your attorney will know the legal standards for notice in your affected states and whether the incident requires notice to the FTC or a state regulator. For example, in New York, any data security breach requires notice to all of the affected consumers (there is no risk threshold for the notices) and you have to notify the state's Attorney General, the Consumer Protection Board, and the State Office of Cyber Security and Critical Infrastructure. It is a good practice to learn and include in your incident response plan the obligations to notify consumers and state officials in the states where you do business and those states from which you draw customers.

For consumer notices, have a series of sample letters on file (attached to this article is one possible sample) so you are not drafting under fire. Also have a series of press Q&As ready to go, or at least ready as a first draft, because once the letters go out, the press may want to inquire further. Again, your attorney or a good public relations firm can give you assistance in preparing these documents. Having them pre-drafted will make a huge difference if you are in a situation where you have to implement the response plan under tight time frames.

It is important to be open and honest about the incident with your customers and third parties unless law enforcement requires otherwise. Studies have shown that companies that promptly notified customers in a personalized way (not just by form letter or email) and then provided periodic updates on their website or in follow-up communications were much less likely to lose customers following the breach than companies that delayed giving notice or were not forthcoming about the incident. Don't forget to keep critical corporate parties such as senior managers, insurance companies, financial institutions and others updated as well.

Studies have also been done about the effect of security breaches on the stock prices of publicly traded companies. One study found an average decline of 5%-14% in company stock prices in the days following the initial publicity of a security breach. Shares of ChoicePoint, which was the subject of a large breach of 145,000 customers that was belatedly announced in 2005, did not recover to pre-breach levels for almost one year.

Post-Incident Response Review

If you experience a security breach and need to implement your plan, be sure to take time afterwards to conduct a "lessons-learned" meeting. What worked and what didn't work? What problems were encountered? Do any of your affected controls or procedures need to be strengthened beyond what was done in the course of implementing your response plan? Did the incident reveal shortcomings in your Safeguards Compliance Program that need to be addressed? Is additional employee training or monitoring necessary? Once you have implemented the incident response plan, many of these issues will come into clearer focus. Modify your incident response plan accordingly.

The bottom line is if a breach happens, you need to be prepared. You need to implement your incident response plan quickly and effectively. Preparation and execution of a good response plan developed before the crisis hits will make the task much more reliable and less time-consuming than trying to do so in reaction mode. Hopefully this is one plan you will never need but real life experience with data security breaches suggests otherwise. Good luck.

Originally published January, 2007

Posted in Privacy/Security/ID Theft