Compliance 2007: The Year in Review

December 31, 2007 | No Comments | share on facebook | retweet | share on LinkedIn

by Randy Henrick

2007 was a year that presented new compliance challenges to dealers and posed important new ones for 2008, most notably the FTC Red Flags Rule that requires dealers to develop and implement an Identity Theft Prevention Program by November 1, 2008.  But other issues emerged that will continue to challenge dealers in the New Year.  The regulators and plaintiffs' lawyers are always out there.  Let's review some of the key compliance developments of 2007 and look ahead to 2008.

Challenges to Dealer Doc Fees - This is an issue that really took off in 2007 with several off-the-wall cases claiming that dealers who complete form retail installment sales contracts are practicing law without a license.  The argument worked in Arkansas and a legislative fix was ruled unconstitutional by the Arkansas Supreme Court.  The Missouri Supreme Court ruled similarly that employees of a bank who completed pre-printed mortgage documents were practicing law without a license when the bank charged a document preparation fee for the service.  Similar cases are pending in Colorado.  Fortunately, the Indiana Supreme Court showed some sanity in denying an unauthorized practice of law claim in connection with the preparation of mortgage documents saying, "Directing or acting on general knowledge, even if knowledge of a rule of law, does not constitute the practice of law. . . .Requiring an attorney for such a routine task would produce only inconvenience and added cost to the public."  More of these suits are coming down the road. 

Doc fees are called by different names in different states.  Documentary service fee (New Jersey); documentary fees (Arkansas); administrative fees (Alaska) among others.  Unfortunately, there is no uniformity among the states with respect to doc fees.  Some states expressly allow and permit these fees like Michigan where a dealer can charge the lower of 5% of the cash price of the vehicle or $180, or Ohio where a "documentary service charge" not to exceed $250 is permitted.  If a state sets a ceiling for these fees, exceeding it can be costly.  In Louisiana, a dealer was convicted of criminal fraud for charging customers $9 more than the $50 allowed for doc fees and an average of $50 in excess of the costs for a title, handling, lien recording, and other official fees.  A large dealer group agreed to pay the State of Alaska a $500,000 penalty and restitution in the sum of $200 to each consumer who purchased a vehicle and paid an "administrative" or "doc prep" fee in addition to the advertised vehicle price.

Many states are either silent on the legality of doc fees or impose a "reasonable cost" type of limitation.  These are the states where the plaintiffs' bar is focusing their efforts to claim doc fees are hidden profit centers for dealers and failing to charge something close to the actual cost of performing the services amounts to an unfair trade practice or fraud.  In Connecticut, a 4-2 decision of the State's Supreme Court upheld a "dealer conveyance fee" of $299 using a very strained reading of the word "reasonable."

The moral is to know your state's law and be careful if there is not specific authority for a set amount.  While consumers are more knowledgeable today on the dealer's cost of a vehicle, it is still better to raise the price of the vehicle than to hide profits in doc fees.  Be prepared to defend your charges as related to your costs and overhead to perform the activities of documenting and filing papers to sell and title vehicles, plus a reasonable profit, and make sure this item is flagged with the notation that ":Dealer may retain a portion of these fees." 

Adverse Action Notices  -  While the law in this area has not changed, a number of cases have focused on dealers as participating creditors in vehicle financing who must give customers adverse action notices if they cannot procure financing for the customer on acceptable terms.  The issue was the subject of a NADA Management Guide booklet distributed to it members this past summer (and available for purchase from NADA) that covers the subject quite comprehensively.

This issue can be summed up and compliance can be simplified if you remember the "rule of three," these being the three situations when a dealer should send an adverse action notice to a consumer:

1. When you take a credit application from the consumer but do not send it to any financing source, typically because the customer has poor credit and you don't want to lower your look-to-book ratio with any of your financing sources. Send the consumer an adverse action letter as you are the creditor required by Equal Credit Opportunity Act (ECOA) and Fair Credit Reporting Act (FCRA), if you pulled a credit report, to do so.

2. When you unwind or recontract a spot deal.  Unwinding or recontracting a spot deal both meet the definition of adverse action under both ECOA and FCRA.  You are cancelling a contract to give the consumer a worse deal.  Hand the consumer the adverse action notice along with the new contract or when the consumer returns the vehicle.  Getting an Acknowledgement of Rewritten Contract, a document that acknowledges the consumer's voluntary decision to recontract and explains the different deal terms, is also a good idea and required in Oregon.
 

3. When you can't get the customer financed, either because no lender will offer credit on terms acceptable to the dealership or the customer will not accept the terms you offer.  If the customer accepts any credit you offer to them, no adverse action notice is required but, if you seek financing for the customer and cannot close the deal, send an adverse action notice because you could not provide financing on terms the customer requested.  One adverse action notice after you have finished negotiating unsuccessfully with the consumer can handle this situation. 

That's it. Only three situations.  Adverse action notices can either give the customer the reasons (2-4) for the adverse action or give the consumer a person or office at the dealership to call within 60 days to get the reasons.  Few consumers ever call.  There are required wording disclosures under ECOA, FCRA (if you used a credit report), and additional language if you obtained credit information from someone other than a credit bureau, like the consumer's employer or landlord.

Send the notice within 30 days of receiving a completed credit application.  You can hand it to the customer or send it by regular mail.  ECOA requires you to retain a copy for 25 months but many attorneys advise dealers to retain them for 5 years, this being the statute of limitations for a lawsuit under the FCRA.  You can't rely on a lender's notice to cover you because it doesn't provide required information such as the name and address of your dealership and the name of the credit bureau from which you (as opposed to the lender) pulled a credit report.  So send your own notice when the "rule of three" comes into play.

Final Red Flags Rule  -  In November 2007, the FTC and banking regulators issued the final "Red Flags" Rule required by the FACT Act.  By November 1, 2008, each dealer will need to develop and implement an Identity Theft Protection Program.  The Program must be "designed to detect, prevent, and mitigate identity theft" in connection the granting of credit. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities."

There are 4 steps to take to develop and implement your program:

1. The Rule requires that the Program identify relevant "red flags" for the type of credit that you offer or maintain, and incorporate those red flags you're your Program; the rule identifies 26 specific red flags that you must consider but none are mandatory for your Program and the list is not intended to be an exclusive list. Your own experiences with attempted identity theft and those of similarly-situated creditors are an important source of additional red flags to be incorporated into your program. If you have been victimized, think about what could have tipped you off and what information could have flushed out the person as an identity thief. Those are "red flags" you should include in the program.

2. The Program must detect red flags in individual transactions. This will require creating a process for your employees who deal with customers. A good practice is to use the sales staff only to gather information on the customer's identity by asking questions and using outside resources, such as DealerTrack RedFlags^TM to identify points of ID discrepancy. Social Security numbers are a critical area for exploration as every identity thief uses a phony or stolen Social Security number. One question to ask each customer is what state they lived in when their Social was issued. The first three numbers of each Social Security number are assigned to a specific state, a list of which is available on the Social Security Administration's website.

3. The Program must contain procedures to respond appropriately to any red flags that are detected to prevent and mitigate identity theft. A suggested practice here is for the sales person to only gather information and observe the customer's behavior, then report any discrepancies or concerns to your program administrator or someone higher up who can evaluate the situation. You can then ask follow-up questions (using an out-of-wallet service that asks questions only the real person should know can be helpful) or seek additional information until you are satisfied, one way or another. Maybe try to videotape a session with the customer. Ultimately, the senior program administrator should make the final decision on whether the customer is who they claim to be and whether who they claim to be is a real person or a fictitious identity (a so-called synthetic identity thief).

4. The Program (including the red flags determined to be relevant) must be updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. Not less than annually, each employee participating in the program must make a report of their experiences and suggestions for improvement. The program administrator must then revise the program accordingly from these reports and other information concerning identity theft that is available from industry resources (like dealer associations), from law enforcement authorities, or in the press.

At the end of the day, your dealership will be judged by the reasonableness of your Program, the consistency of its administration, and the processes by which you update and refine it.  No person or program can stop all identity theft.  You can use outside resources like DealerTrack RedFlags in structuring your program but you can't outsource the entire program.  Use outside resources that will save you time, provide important information, and that are cost-effective.  Then take each of the four steps, one at a time. 

You are probably already doing a lot to prevent identity theft in your dealership today such as checking drivers licenses and photo IDs, matching credit application information to what is contained in a credit report, and evaluating the customer's demeanor in answering identity-based questions.  Systemizing these processes to establish your Red Flags Identity Theft Prevention Program will be easier than you think.  The program is personal to your dealership.  There won't be a "one size fits all" Red Flags Program so give some thought to what will best meet your dealership's risks and needs. 

Security Freeze Rights Now Available to All Consumers  -  A year ago, less than half the states had laws that allow consumers to freeze their credit files.  Now all consumers have that right, either by state law or because the three national credit bureaus, Equifax, Experian, and TransUnion now give the right to any consumer.  If a consumer freezes their credit file, their credit report and credit score will not be available to any new creditor such as an auto dealer who seeks financing for the consumer.

A security freeze can be temporarily "thawed" making a credit report available--either for a specified period of time or with respect to particular creditors-in less than 15 minutes if the consumer calls the credit bureau and uses a PIN given to the consumer by the bureau when the file was first frozen.  Have a list of each credit bureau's phone number for thawing frozen files available to give to consumers who come to your showroom without having first unfrozen their files.  The consumer will need their PIN.  Hopefully they will have it or be able to call someone at home to give it to them.  If so, you will be able to get the credit report or credit score in a matter of minutes.  Without the PIN, a credit bureau is not obligated to thaw the file or make it available. Consumers can get their PIN or get a reissued PIN from a credit bureau but that process takes some time.  Any consumer who is unable to "thaw" their frozen credit file is an absolute red flag for identity theft.

To date, very few consumers have frozen their credit files and the credit industry has launched a "consumer education" campaign softly discouraging consumers from doing so.  But you will see more frozen credit files in the future so make sure you have the phone numbers a customer needs to thaw their file and hopefully the customer will have or be able to get their PIN to do so.  This is another area that will see further developments in 2008 especially if credit file freezing becomes more widespread.

Other Compliance Highlights and Lowlights -  2007 brought a number of large damage awards against auto dealers for egregious conduct that was compensable under state UDAP laws. Ohio seemed to lead the way in large damage awards.  In one case, an Ohio jury awarded the consumer $470,000 for mental anguish experienced during a dealer's unwinding of a spot deal.  In another Ohio case, a consumer who bought a defective vehicle was assured by GM that it would be replaced at no cost.  However, the dealer pressured the consumers into signing a new contract for a higher price and at a higher APR, a practice apparently known in the industry as a "collateral swap."  The jury award against the dealer (a small part of which was assessed against GM) exceeded $100,000.  In South Carolina, a dealer's failure to disclose that a used vehicle was wrecked and repaired netted a UDAP award of damages in excess of $150,000.  The moral is that bad conduct is bad business and the numbers just continue to increase.

Dealers did not generate any major data security breaches this year but the discount retailer TJX (parent of TJ Maxx, Marshall's and other retailers) disclosed a several year breach enabled by its use of an obsolete wireless security protocol that allowed criminals to hack in from a Marshall's parking lot using primitive devices bought at a local Radio Shack.  It turns out that over 100,000 card accounts and related data that TJX stored in violation of MasterCard and Visa rules were compromised along with identifying information (drivers licenses, SSNs) on about 450,000 consumers.  TJX has reserved in excess of $219 million to cover litigation costs and settlement of consumer and commercial class actions.  The commercial class actions were brought by the card-issuing banks seeking to recover their costs to reissue compromised cards (about $20 per card) and crediting cardholders for unauthorized charges.  The TJX breach led Minnesota to pass a law providing that if a retailer retains information from a card mag stripe, a PIN or a CVC code after its gets an authorization, and such information is later compromised, the retailer can be liable to the banks for these costs of reissuing cards and crediting unauthorized charges.  That's in addition to all other liability that a security breach can entail.

Minnesota also became the second state to issue a Car Buyer's Bill of Rights.  Their law is not quite as detailed as California's but requires disclosure of each aftermarket item and the buyer's monthly costs with and without the item, and mandates disclosure of the credit bureaus that issued credit reports for the dealer and lender.  That law takes effect January 1.

We will continue to keep you informed of new compliance developments in our monthly Compliance Corner columns in 2008. We are also launching a compliance website, http://www.thecomplianceguide.com/.  Check it out.  Also make sure to pick up a free copy of the third edition of our Compliance Guide at DealerTrack's booth at the NADA Convention in San Francisco or you can request a copy by emailing us at compliance@dealertrack.com.  It contains updates on these issues and many other laws and regulations affecting sales and F&I compliance.  Dealers have told us that the Compliance Guide is a valuable desk reference book that they use in their work regularly.  Be sure to get your copy.

Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc.  Compliance Corner is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Originally published December, 2007

thecomplianceguide.com is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the general nature of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations and circumstances.