Compliance Blog
Streamline the vehicle sales, F&I and purchase process while navigating Federal and State Laws and Regulatory Mandates.
January 2008
Consumer Credit File Security Freezes Present New Challenges to Auto Dealers
January 04, 2008
by Randy Henrick
Data security breaches compromising consumers' personal information continued at a fast and furious pace in 2007. TJX Corporation (the parent of discount retailers such as Marshall's and TJ Maxx) learned of a security breach that had been going on for several years. Up to 100 million card accounts and the personal identifying information of approximately 455,000 customers in the U.S. and Canada were compromised by a hacker using primitive equipment from the parking lot of a Marshall's store to hack into the wireless in-store communications network from which it then hacked through to TJX's central database in Framingham, MA. TJX was using outdated wireless encryption technology.
Approximately 40 states have now passed laws that, in one form or another, require giving notices to consumers whose personal information is wrongfully accessed from computerized and, in some states, paper databases. The recent trend of these laws has been to require a threshold level of risk of identity theft before notices are required to be sent. 18 of the last 21 enacted laws have included such a risk threshold. However, New York and California remain the principal holdouts requiring notices to all affected consumers whenever their unencrypted personal information is wrongfully accessed from an electronic database such as when an employee's laptop is stolen.
Approximately 39 states have passed security freeze laws. These laws permit a resident of the state to "freeze" their credit bureau files making their credit reports (including credit scores) unavailable to persons such as auto dealers seeking to provide new credit. In the fall of 2007, the three national credit bureaus, Equifax, Experian, and TransUnion, announced that effective November 1, 2007, they would allow consumers in any state to file a security freeze and thereby lock down their credit files as well. Security freeze laws and the rights given by the three national credit bureaus to consumers whose states do not have security freeze laws follow a similar pattern along the following lines: A consumer can initiate a credit file freeze by sending a certified letter (or in some states, an overnight letter) to a credit bureau along with appropriate proof of identity and, in some states, payment of a fee (usually between $5 and $20). A separate letter and supporting documentation must be sent to each credit bureau whose files the consumer wants frozen. The credit bureau has a period of three to five business days from receipt of the letter to freeze the consumer's credit file. Once it does so, the credit bureau cannot release a credit report, contents of a credit report, or the consumer's credit score, subject to certain exceptions that include permitting the consumer's file to be accessed in developing "prescreened" lists of persons for creditors to make pre-approved credit offers. Within ten business days of freezing the consumer's credit file, the credit bureau must confirm the security freeze to the consumer in writing and it must give the consumer a unique PIN or password for use by the consumer to "unfreeze" the file or give authorization for a particular creditor to see their credit report.
The laws let the consumer temporarily thaw their credit file either for a specific period of time or for access by particular identified creditors. To do this, the consumer must use the PIN in making a telephone call or Website entry to request the temporary file thaw. The customer must also pay any applicable fee (again, usually between $5 and $20). The three credit bureaus can "thaw" a frozen credit file in less than 15 minutes provided the consumer has their PIN available to do so. A consumer can permanently remove the freeze of their credit file by sending a certified letter and supporting documentation, again along with the prescribed fees.
If a consumer whose credit file is frozen applies for credit and the creditor tries to pull a credit report, the credit bureau will inform the creditor that a security freeze is in effect with respect to that consumer's credit file. Until the consumer's credit file is thawed and the creditor can access a credit report, the creditor can treat the consumer's credit application as being incomplete. The Federal Reserve Board's Regulation B requires a creditor to seek information such as a credit report promptly after receiving a credit application but it also permits the creditor to deny a credit application for being incomplete.
The security freeze laws unquestionably will make it more difficult for a dealer to "spot" vehicles because the dealer will be unable to pull a credit report or get a credit score on a consumer who has frozen their file and not taken steps to temporarily thaw the file before going car shopping. If the consumer has their PIN or can get it by calling someone at home, the dealer can get access to the credit file in a matter of minutes. If not, the process will be more cumbersome as the credit bureaus are not required to release a frozen credit report without the customer using their PIN to thaw the file.
If the dealership spot delivers the vehicle without a credit report, it is taking a chance on its ability to sell the contract, and the financial institution may also be met with the same inability to pull the consumer's credit report unless the consumer acts to promptly thaw their credit files.
So what's a dealer to do? Make sure you have available on a piece of paper that you can give to the consumer the phone numbers that each national credit bureau has instituted for temporary credit file thaws so the customer can make the call. If you want to spot a vehicle prior to waiting for the credit bureau to thaw your customer's credit file, use a good spot delivery agreement (unless your state prohibits or restricts use of spot agreements) that requires the consumer to immediately undertake to thaw their credit files with all the bureaus and allows you to unwind the transaction if the consumer fails to do so or if you are unable to sell the deal once the credit report is available to your lending sources. It is not a recommended practice to spot vehicles to customers whose credit files are frozen and not made available to you. A consumer who is unable to thaw their frozen credit file may be a "red flag" for identity theft.
The good news we can report is that fewer than 5% of all consumers have frozen their credit files. No doubt that percentage will increase as these laws and this credit freeze right receive more publicity and identity theft continues to be a widely-publicized issue, but hopefully the publicity will tell consumers how to thaw their files before they go shopping for credit. Dealers and lenders alike will need to develop procedures for consumers seeking auto financing who have frozen their credit files and do not have their PINs available to quickly make their credit report available.
Originally published June, 2006; updated January, 2008
thecomplianceguide.com is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the general nature of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations and circumstances.
FTC Issues Final "Red Flags" Rules: A Short Guide To Compliance
January 07, 2008
by Randy Henrick
After 15 months of deliberation, the federal banking regulators and the FTC have issued the final "red flags" identity theft prevention rule required by the 2003 FACT Act. The rule contains the requirements for written Identity Theft Prevention Programs that auto dealers and other "financial institutions" must develop and implement by the mandatory compliance date of November 1, 2008.
More specifically, the final rule requires each financial institution that creates or holds any consumer credit account, or business credit account for which there is a reasonably foreseeable risk of identity theft, to develop and implement such a Program for combating identity theft in connection with both new and existing accounts. The final rule gives auto dealers more flexibility than the proposed rule in terms of what their Program must contain. A dealer's Program must include reasonable policies and procedures that are appropriate to the dealer's size and complexity and the nature of its transactions, for detecting, preventing, and mitigating identity theft. It does not have to include measures to address all of the 26 (previously 31) red flags that are set forth in the rule.
While the rule looks intimidating at first, you probably are already well on your way to having an identity theft protection program in place without realizing it. You do things today to verify your customer identities. You get photo IDs, you compare information on credit apps with credit bureau data, you know about fraud alerts, etc. You just don't do them systematically or under a set policy with every customer. That's really what the red flags rule is requiring that you do. And it's not that hard.
The red flags rule lays out a four step process for you to follow to develop your dealership's Program. Your Program must consist of four distinct elements, these being reasonable policies and procedures to:
1. Identify relevant "red flags" (these being patterns, practices, or activity that indicate the possibility of identity theft) for your business in establishing new credit accounts for customers and, for buy-here-pay-here dealers, for existing accounts as well. Consumers are the principal focus but the rule also applies to small business and sole proprietorship business credit accounts;
2. Detect and evaluate these red flags in connection with individual customer transactions;
3. Respond to red flags you detect in an appropriate way to prevent identity theft; and
4. Ensure your Program is updated periodically to reflect changes in identity theft risks to customers from your experiences and new identity theft learnings.
Structure your program in four parts to address each requirement. The 26 "red flags" listed in the rule provide a starting point for possible suspicious activity and your own experience with customers in auto sales will give you more. So, for example, a customer looking to trade in a near-new vehicle may be a red flag.
Here are the four steps the rule requires and some suggestions for each of them. Remember to develop a consistent process for all customers.
I. Identify relevant "red flags" (patterns, practices, or activity that indicate the possibility of identity theft) for establishing new credit accounts for customers.
In DealerTrack's Compliance Corner columns (located behind the "Reference" link along the page once you log in at dealertrack.com), we've identified steps your dealership can take to protect yourself from identity theft risks. (See, for example, our Compliance Corner column from August 2006, "Some Practical Tips for Avoiding Identity Theft at Your Dealership"). Your first task under the red flags rule is to identify specific things that could occur in your dealership to suggest a reasonably foreseeable risk of possible identity theft.
Some things are obvious and universal: Photo IDs or other identification documents that appear to have been altered or, if you scan drivers licenses, the information on the bar code doesn't match the information on the front side. Discrepancies between information a consumer provides on a credit application or buyer's order and information contained in their credit report. Fraud alerts on credit files or customers who are unable to "thaw" a security freeze on their credit file (using the PIN assigned them by a credit bureau, a consumer can "thaw" a frozen credit file with all three national bureaus in less than 15 minutes by simply making a phone call to each credit bureau). These are red flags for almost all auto dealers.
Other red flags may require a little more sleuthing. One critical red flag is a Social Security number. Always check Social Security numbers. They can tell you a lot about the person using the SSN. Social Security numbers are the principal means of identification in this country and every identity thief, every single one, always has either another person's SSN or an SSN that doesn't exist. With a little work, you can smoke this out.
Here's a quick primer on Social Security numbers. Since 1972 (and for the most part, prior to then), the first 3 digits tell you in what state the person's mailing address was when they applied for the Social Security number, typically when they were very young. You can get the state-assigned list for each 3-digit origination code at the following webpage:
http://www.socialsecurity.gov/employer/stateweb.htm
Always ask the customer what state they lived in when their Social Security number was issued. If the customer's answer doesn't match the 3-digit numbers for that state, that is an absolute red flag.
The second two numbers of an SSN roughly correlate to how long ago the Social Security number was issued and can also be used to tell if the Social Security number is phony. The numbering system is a bit complicated but the webpage listed above gives you a link to a page that explains the process and also tells you what the highest 2-digit number for each originating 3-digit number sequence currently is. Take a look at the webpage for how this works and get your people familiar with it.
Knowing the highest 2-digit number for each 3-digit originating sequence can tell you if the Social Security number is valid. If you get a Social with a 2-digit number higher than the highest one issued for the 3-digit originating field, you will know the Social Security number is a fake. ID theft studies have found that upwards of 5% of identity theft involves stealing children's Social Security numbers. So if an older person uses a Social Security number with a number near the highest 2-digit code for the 3-digit originating sequence, that too should be a red flag.
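The group-number check described above can be automated. The sketch below is an added example, not DealerTrack's or the SSA's code: it encodes the SSA's historical group issuance order (odd 01-09, then even 10-98, then even 02-08, then odd 11-99), and the high-group table, the function names, the age threshold and the "near the highest" window are all assumptions made for illustration.

```python
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Constructed sample table: area number -> highest group issued so far.
# These values are made up for the example; a real check would load the
# SSA's published high-group list for the month in question.
SAMPLE_HIGH_GROUPS = {"001": 4, "002": 72}


def issuance_rank(group: int) -> int:
    """Position (1..99) of a group number in the historical issuance order.

    Groups were not issued in numeric order: odd 01-09 first, then even
    10-98, then even 02-08, then odd 11-99.
    """
    if not 1 <= group <= 99:
        raise ValueError("group number must be 01-99")
    if group % 2 == 1 and group <= 9:
        return (group + 1) // 2              # 01,03,05,07,09 -> 1..5
    if group % 2 == 0 and group >= 10:
        return 5 + (group - 10) // 2 + 1     # 10,12,...,98   -> 6..50
    if group % 2 == 0:
        return 50 + group // 2               # 02,04,06,08    -> 51..54
    return 54 + (group - 11) // 2 + 1        # 11,13,...,99   -> 55..99


def ssn_red_flags(ssn, high_groups, applicant_age=None,
                  near_window=2, adult_age=30):
    """Return a list of red-flag labels for one presented SSN.

    near_window and adult_age are illustrative thresholds (assumptions):
    a group within near_window issuance steps of the area's high group
    counts as recently issued, which is suspicious for an older applicant.
    """
    m = SSN_RE.match(ssn.strip())
    if not m:
        return ["malformed"]
    area, group, serial = m.group(1), int(m.group(2)), m.group(3)
    if group == 0 or serial == "0000":
        return ["never_issued_format"]       # 00 groups / 0000 serials unused
    high = high_groups.get(area)
    if high is None:
        return ["area_not_in_table"]         # escalate for a manual lookup

    flags = []
    gap = issuance_rank(high) - issuance_rank(group)
    if gap < 0:
        # Presented group comes later in the issuance order than the
        # highest group issued for this area: the number cannot exist yet.
        flags.append("group_not_yet_issued")
    elif (gap <= near_window and applicant_age is not None
          and applicant_age >= adult_age):
        flags.append("recent_group_for_older_applicant")
    return flags


if __name__ == "__main__":
    # Constructed inputs; note that group 08 is issued *after* group 72.
    for ssn, age in [("002-74-1234", 40), ("002-08-1234", 40),
                     ("002-70-1234", 55), ("002-09-1234", 55)]:
        print(ssn, age, ssn_red_flags(ssn, SAMPLE_HIGH_GROUPS, age))
```

A flag from this check is a reason to escalate under the dealership's Program, not proof of fraud on its own.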
The last 4 digits of a Social Security number are essentially meaningless except to enable you to check the number against the Social Security Administration's Death Master File. You can do this for free at the following website: http://ssdi.rootsweb.com/. Just enter the Social Security number. This service is derived from the Social Security Administration's Death Master File and is estimated to be about 90% accurate. You can also subscribe to the actual Death Master File and access it directly by going to the Social Security Administration's website, http://www.ntis.gov/products/pages/ssa-death-master.asp. Doing so will cost you a subscription fee but will give you absolute certainty that the SSN is not on the Death Master File. Know, however, that the Death Master File is not consistently updated and typically depends on a survivor requesting benefits so there may be a lag time from a person's death until their SSN appears on the Death Master File.
Many identity scoring services, like DealerTrack's RedFlags™, automatically identify Social Security number discrepancies as a key element of their analysis. These services compare all of the customer's presented information against numerous databases of fraudulent information. You may want to subscribe to and use such a service especially for customers whose Social Security numbers or other information raise red flags.
Other red flags for your Program can be gleaned from experiences your fellow dealers and perhaps other "big ticket" retailers in your area have had with identity thieves. State and local dealer associations may want to create a database by asking members to identify transactions in which they either thwarted or were victimized by an identity thief and to provide information on what irregularities existed with respect to the transaction that either enabled the dealer to identify the thief or that, in retrospect, should have triggered further inquiry. Law enforcement officials also have information about techniques that identity thieves use when seeking financing for big ticket items like motor vehicles and these resources may provide valuable red flags for you as well. A call to your local law enforcement authority may prove very helpful in identifying your red flags.
What's important to remember is that the red flags rule doesn't mandate you use any of the 26 specific red flags listed in the rule, only that your Program consider the 26 and identify customized red flags relevant to your dealership to protect against identity theft risks. This is not a "one size fits all" regulation.
II. Detecting and evaluating these "red flags" in connection with individual customer transactions.
This second component of the red flags rule deals with how to structure your Program generally to identify and evaluate red flags in individual transactions.
What's important as a best practice for your Program is to create a mandatory step-by-step process for your people to follow, almost like menu selling. Once you identify red flags for your dealership (step one), create a list of preset questions and actions that each salesperson must take with respect to every customer that address each of the red flags. Make it absolutely mandatory so the salesperson can watch and listen to the customer's responses and write them down. You want the salesperson to be observing and gathering information not trying to think of what to ask next. If you do the process the same way for every customer, beginning to end, uncertainties and irregularities will begin to stand out as the salesperson or other designated dealership employee gets more experience doing it. Part of your process may involve running an identity score on the customer and seeing what discrepancies the scoring process identifies. DealerTrack's RedFlags will give you reasons that were most important in generating a questionable score.
If any irregularities or discrepancies exist, the salesperson or questioning employee should just note them in a form you create for this purpose and elevate the information to a senior dealer manager once all of the steps are completed. Your program can include the use of out-of-wallet questions, these being questions not readily apparent from a stolen wallet or credit report that presumably only the real person would know. DealerTrack's RedFlags makes these out-of-wallet questions available to you if you decide to use them in your questioning.
An important element of your program is a procedure for buyer-not-present transactions, such as Internet or phone sales. Those transactions require greater diligence and scrutiny as an identity thief can be calling you on the phone holding the real person's credit report in his hand. Using a service like DealerTrack's RedFlags, which scores the identity and provides "out of wallet" questions, is very useful in these situations. At minimum, a senior dealership employee should speak with the customer on the phone, at least twice, and listen for nuances in voice, speech patterns, or other indications of nervousness. It is not a best practice to sell and ship a vehicle merely using paper or the Internet. The more contact you can have with the customer the more red flags that are likely to emerge.
A recent identity theft study found that 80% of identity thieves preferred using the Internet instead of face-to-face transactions to commit fraud. For this reason, if you sell and ship vehicles without meeting the customer, it is important to have extra steps in your Program for these transactions. They may provide the greatest risk to your dealership.
III. Responding to red flags you detect in an appropriate way to prevent identity theft.
Once your salesperson or employee has completed the interview process and identified the presence of any red flags, the decision making process should be escalated to a senior level of management. Depending on the level or severity of red flags, the process will continue to be escalated.
All persons involved in the escalation process should speak with the customer using pre-determined questions to refine your dealership's decisioning based on what is identified as problematical in the first instance. These cases will arise less frequently than you think because identity thieves are generally not comfortable being interrogated especially when they are unable to come up with satisfactory proof that they are who they claim to be. Many will just walk out of the dealership. This happens all the time. If they don't do so, however, you have a number of judgment calls to make, all of which should be properly documented in your deal file.
You can always continue to seek more information about the customer and your Program should contain optional procedures as necessary to do so. Many identity thieves are "synthetic identity thieves" who combine pieces of information from different people to create a new phony identity with elements of personal information from several people combined into one. Credit bureaus establish multiple consumer files under the same Social Security number. For a fee, a credit bureau will tell you if your customer's name has the most activity of any of the consumer files the bureau has established for persons with that Social Security number. You can do this with any of the three national credit bureaus.
The red flags rule requires that a senior manager be appointed to be responsible for your Program and it is this person that should evaluate the information and make the final call on a questionable customer, after meeting the person and seeking more information from the customer to verify the customer's identity, if necessary. You may want to consider some specialized training for your senior manager in assessing things like body language, contradictions, and evaluating speech tones. Many police departments offer such programs or can refer you to a good source for such training.
A number of dealers videotape identity verification sessions. While this involves administrative costs and you have to keep the tapes for the amount of time you keep the deal information, it has proven effective as many, if not most, identity thieves are not anxious to create films of themselves. Maybe save videotaping as an option of last resort.
The Social Security Administration also has a Social Security Number Verification Service although you have to register in advance for the service at the following website: http://www.ssa.gov/bso/bsowelcome.htm. These can be good resources to identify a synthetic identity thief and you should include them in your list of procedures to verify identity if inconsistent results come back from your step-by-step process. If some of the red flags are resolved and others are not, that may indicate your customer is a synthetic identity thief.
You can call your local law enforcement authorities and query them about recent identity theft incidents in your area. If the police believe they may have the opportunity to apprehend an identity thief, they may be willing to come to your dealership to speak with the individual themselves. That can be a very effective way of smoking out an identity thief.
Ultimately, however, you may have to make a judgment call on whether or not to provide financing for the customer. You may decline to provide financing in which case you should give the consumer an adverse action notice under the Equal Credit Opportunity Act and the Fair Credit Reporting Act. Be careful in these situations if the customer then offers to buy the car for cash, as that is a red flag for money laundering which you also need to protect against.
You may also determine that no response is warranted under the particular circumstances and proceed with the deal. Whatever you decide, document, document, document. If you sell and finance a car to an identity thief, or if you refuse to finance a legitimate customer because you believe them to be an identity thief, you will be called upon to defend your decision. Your file should be replete with information of the type described above that justified your decision at the time you made it. You also should use such a situation as an opportunity to take a look at and refine your Program which the red flags rule also requires you to do. The red flags rule doesn't require that you always get it right. It only requires that you establish and implement reasonable procedures to attempt to do so.
IV. Ensuring your Program is updated periodically to reflect changes in risks to customers from your experiences and new identity theft activity.
Establishing and updating your Red Flags Program will be much like what you did with your Safeguards Program. Much like information safeguards, identity theft protection is not a static process. Synthetic identity theft is a good example and is now the means of choice for illegal immigrants seeking to establish an identity and obtain credit in the United States. The Identity Theft Resources Center, http://www.idtheftcenter.org/ is a good source of information about identity theft. It is a constant free supplier of news about new identity theft scams and it describes new schemes that you may need to address in your Program.
The FTC is another good resource for identity theft guidance and you can find good information at their website, http://www.ftc.gov/. Your local law enforcement departments and dealers association can also be good resources. Schedule periodic meetings with your local police department to get information on what they are seeing with identity theft in your community. The FBI and Secret Service work with local law enforcement on identity theft issues and your local police department can be a link to those resources as well. What other dealers are experiencing with identity thieves is something every state and local dealer association should compile and disseminate to help prevent members from being victimized. The information you learn from these resources should be reflected in your revisions to your Program.
If you are victimized by an identity thief, take that as a warning that your Program may need to be updated. Analyze the situation carefully in light of the red flags you identified and think about what you could have included in your Program to have aborted the transaction. In Section V, we will discuss reports that employees involved in executing the Program need to file annually and these are another source for changes you will need to make in your Program.
Hopefully your dealership won't experience the consequences of selling a vehicle to an identity thief, but 13% of consumers in a 2004 Identity Theft Resources Center study indicated their identity had been used to purchase or lease autos. Based on 10-15 million victims a year, that's a lot of vehicles.
V. Administering Your Identity Theft Protection Program
The processes of creating, implementing and updating your Identity Theft Prevention Program give you a lot of discretion. However, in terms of administering the Program, the red flags rule is fairly specific with respect to requirements for your Program once it is established.
The rule requires that your initial Program must be approved by your dealership's Board of Directors (or senior management if you don't have a Board) who remain responsible for the ongoing oversight and implementation of the Program. Among other things, this includes empowering a senior officer to be in charge of the Program and assigning responsibility to persons within the dealership for specific parts of the Program (such as assigning salespersons to follow the step-by-step process discussed in Part II with each customer and formalizing an escalation process if red flags are identified and not satisfactorily resolved). This can be the same officer who is responsible for your Safeguards Program as there is some overlap between the two. Staff members must be effectively trained both with respect to the Program as a whole and their specific duties. Training is very important under the rule.
All staff members performing functions under the Program must report at least annually to the senior officer regarding compliance. These reports should address and evaluate matters such as the effectiveness of the policies and procedures in mitigating identity theft risk with customer financing; service provider arrangements; and details of incidents involving attempted or actual identity theft and management's response. The reports should also propose recommendations for changes in the Program. These reports will be another basis for updating your Program.
Your senior officer should report annually to the Board or senior management on the status of the program and the updates. It is a good idea to update your Program on a regular basis and not just once a year, especially if you are hit by an incident of identity theft.
Summary
You can effectively implement your Red Flags Program by breaking the process down into the four steps we have described in this article and giving consideration to the identity theft risks and experiences of auto dealers and other "big ticket" merchants in your area in developing your red flags. The other steps will follow as you lay out procedures to address each one and develop an escalation process to your senior Program officer depending on the degree and severity of the red flags you identify with a customer. You can outsource part, but not all, of your Program and a service like DealerTrack Red Flags can help you quickly identify problem areas for emphasis in your data gathering.
Then have your salespeople go through the process the same way every time for every customer and provide an escalation procedure in the event all of the steps do not lead to satisfactory answers. The judgments that are made in the process should be at multiple levels in your organization if there are any doubts, ending with your senior program officer. You should document your efforts and information especially with questionable customers (and don't forget the adverse action notice if you decide not to do business with the customer). Remember, your dealership will be judged by the reasonableness of your Program, the consistency of its administration, and the processes by which you update and refine it. No person or program can stop all identity theft.
Penalties for non-compliance can include $2,500 per violation under the Fair Credit Reporting Act (in the past, the FTC has deemed each day of non-compliance to be a separate violation) and the possibility for an action by the FTC under Section 5 of the FTC Act that prohibits unfair and deceptive trade practices. State Unfair and Deceptive Trade Practices laws may also apply.
Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc. Compliance Corner is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
APPENDIX - FINAL LIST OF RED FLAGS IDENTIFIED BY REGULATORS IN FINAL RED FLAGS RULE.
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.
In addition, a financial institution or creditor may consider incorporating into its Program Red Flags, whether singly or in combination, from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application or the phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
thecomplianceguide.com is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the general nature of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations and circumstances.
The Essentials of a Compliance Process
January 18, 2008
by Gil Van Over
Signs are everywhere. Some give directions, others provide insights. Some warn, some warm. Some greet, some forbid. Bumper stickers are signs that are usually enlightening. I saw one on a minivan the other day that warned, "My other car is a broom." The lady driver certainly looked the part, with curlers in her hair, a cigarette lodged between two front teeth, a cup of coffee in one hand and a cell phone ear bud beeping blue. Her bumper sticker came to life with her non-verbal sign letting me know I was number one when I looked her way.
I only hope her boyfriend/fiancé/husband got the warning before he committed.
"Don't come a-knocking if this van is a-rocking," was on the back of a full-sized travel van. I wonder what their grandchildren think when they visit? Too much information.
The feds are not in the bumper sticker making business, but if they were, they could issue these to car dealers.
"Pay attention or pay the consequences."
"The world is our oyster; you're just living in it."
The feds are giving us the info
The feds could also print this one: "We're telling you what you need to do. Just do it!"
Dealers have seen two federal rules promulgated on them in the last five years along with an update to another federal guideline.
The Safeguards Rule (2003) and the Red Flags Rule (2008) both require that dealers adopt processes that most did not have in place prior to the requirements.
The Safeguards Rule, of course, requires that dealers protect consumers' personal, non-public information from being fleeced by identity thieves.
The Red Flags Rule mandates that dealers escalate their responsibilities to help detect and prevent identity theft.
The Federal Sentencing Guidelines (2004) are a set of rules that judges must follow when imposing sentences on guilty parties. With a good compliance and ethics program in place, a judge can reduce potential fines and penalties by up to 95 percent.
All three (Safeguards Rule, Red Flags Rule, and Federal Sentencing Guidelines) provide a dealer with insight into what the federal government considers to be an effective compliance process.
Safeguards Rule
The Safeguards Rule contains five elements a dealer must follow to be in compliance:
- Name a compliance officer
- Conduct a risk assessment
- Develop a policy and procedure
- Provide employee training
- Conduct periodic audits
Red Flags Rule
Compliance with the Red Flags Rule requires six elements.
- Name a compliance officer
- Conduct a risk assessment
- Develop a policy and procedure
- Provide employee training
- Conduct periodic audits
- Write an annual report on the program's effectiveness
Federal Sentencing Guidelines
The sentencing commission has outlined the elements it considers necessary for an effective compliance and ethics program:
- Standards and procedures to prevent and detect criminal conduct
- Personnel screening related to program goals
- Training
- Auditing, monitoring and evaluating program effectiveness
- Non-retaliatory internal reporting systems
- Incentives and discipline to promote compliance
- Reasonable steps to prevent further offenses upon detection of a violation
The elements of a compliance program
Not surprisingly, a dealer looking to establish a compliance process in sales and F&I should follow the model the government provides.
Name a compliance officer - Put someone in charge. Depending on your size, it can become the additional responsibility of the person responsible for your risk management functions, or it can be a newly created position. Either way, make it someone's responsibility to develop the processes, the procedures, and the policies and report to you.
Conduct a risk assessment - Figure out where your compliance shortcomings are. It could be an inconsistent payment quoting methodology, or the inconsistent use of a menu, or the inconsistent completion of forms. It could be a lack of safeguarding consumer information, or the lack of a crosschecking process to detect employee fraud or the lack of buyer's guides on used cars. The compliance officer is to conduct a thorough risk assessment to determine where your risk is.
Develop a policy and procedure manual - Once the compliance officer has determined where the risks are and how the processes are supposed to work, he or she should develop policy and procedure manuals for both sales and F&I. These manuals must define and describe the organization's expectations on how an employee is to complete certain tasks.
Provide employee training - Now that you have a manual on how the employees are expected to perform their jobs, let them know. Give them a copy of the manual a week before starting the training so that they have ample time to review the material. Then provide the training and have the employees sign an acknowledgement form certifying that they have read the material and agree to abide by it.
Conduct periodic audits - Ah...the trust but verify stage. This is why I call this a compliance process, not a program. A process must be continually monitored and refined as new information becomes available. A program is like a manufacturer's incentive: it comes and goes and no one remembers it a year later. You must conduct periodic audits and document any shortcomings and the corrective actions you took, including disciplinary action. You must also refine your policy and procedure manuals to reflect your actual process if the employees find a better way to do something.
Put a compliance process in place and you will want to start a bumper sticker printing business of your own:
"I made more money doing it right."
"No sleeping pills required."
"My other car is a golf cart."
Gil Van Over is the president of gvo3 & Associates, a nationally recognized dealer compliance consulting firm. He assists dealers with F&I and sales compliance.
Originally published February, 2008, Dealer Magazine
© 2008 gvo3 & Associates. All Rights Reserved.
Back to the Future: Credit Sales vs. Loans and Why the Difference Is Important to You
January 19, 2008
by Randy Henrick
You probably know that most American consumer auto finance is done as "three party financing" (customer, dealer, financial institution) and not "two party financing" (customer and financial institution). You may also know that three-party financing is not a "loan" as is two-party financing. Only banks and entities that are licensed and regulated as lenders by the federal or state government can make loans. Dealers sell cars, banks make loans.
The dealer's sale of a car to a consumer can be done in one of two ways. Either the consumer pays cash (some of the cash may represent proceeds of a loan the consumer has obtained on their own) or the consumer makes a down payment (which can be the agreed-upon value of a trade-in) and agrees to pay the balance of the purchase price over time in monthly installments with "finance charge" added to the cash price for the privileges of being able to defer payments and the time value of money. This structure is called a "credit sale" and authorized by a common law legal concept known as the "time-price doctrine." Since there is no loan of money (the seller is merely deferring payment of the cash purchase price), requirements for the seller to be licensed to make loans and restrictions on loans like usury laws (that limit the maximum interest a lender can charge on a loan) don't apply.
The time-price doctrine serves two main purposes: 1) It enables big-ticket retail sellers of goods to finance their customers' purchases without needing to be licensed or regulated as lenders by a state's banking department; and 2) It enables financing at rates and on terms that, if structured as a loan, could violate state usury laws or other laws applicable to loan documentation.
Contrary to popular belief, the time-price doctrine did not originate in the mid-1970s when the Prime Rate went up close to 20% but state usury laws remained in the single digits. According to at least one historian, the time-price doctrine was established in England as far back as 1774.* And probably since 1775, plaintiffs' lawyers have been trying to invalidate the time-price doctrine.
The most recent attempt to invalidate the time-price doctrine was a very creative effort in Montana. A couple purchased a mini-van from a local dealer and financed the purchase through the dealership at a rate of 20.99%. A predecessor to CitiFinancial became the creditor by buying the Retail Installment Sales Contract (RISC) from the dealer, classic three-party financing. To escape the time price doctrine, the plaintiffs argued that since their credit was approved by CitiFinancial before they signed the RISC and the dealer had already notified Citi about the buyers' credit status and the sale, the relationship between the dealer and Citi was "one of subterfuge allowing [the dealer] as a retail seller and Citi to charge usurious interest under the guise of entering into a RISC" with the buyers. A sort of substance over form argument.
Despite this creative argument, the Montana Judicial Court reaffirmed that a retail installment contract is not a loan no matter what the relationship is between the dealer and ultimate buyer of the paper. It's a credit sale under the time-price doctrine. So the court dismissed the usury allegations against both the dealer and CitiFinancial. The time-price doctrine lives for yet another day.
For you as a dealer, the time price doctrine means more than just being able to charge higher APRs than may be allowed by state usury laws (note that in Arkansas and a number of other states, time sales APRs are limited by the same low usury laws that apply to loans). In some states in the Midwest, dealers do not sign customer RISCs but originate direct loans from lenders and the dealer never signs any financing papers. A customer signs a note and security agreement at the dealership for a direct loan from the bank, the proceeds of which are assigned to the dealer. But originating loans as opposed to financing using credit sales may create other problems for auto dealers besides interest rate caps:
- Lenders are obligated to develop and implement complex Customer Identification Programs (CIPs) under Section 326 of the USA PATRIOT Act. Auto dealers currently are not. If you are originating loans for lenders, you are probably also agreeing to take the detailed steps required by the bank to implement their CIP program. Don't confuse CIP programs with the new Red Flags rule. In announcing the Red Flags Rule, the FTC and banking regulators were clear to say that the two are different although there will be some overlap for banks. For dealers, a Red Flags program will in most cases not require the level of detail, and certainly not the level of regulatory reporting, that is required for a bank's CIP.
- Different laws apply to what can be in a loan versus what can be in a RISC. What makes loans popular in some Midwestern states is that banks can charge prepayment penalties for some consumer loans that they cannot charge for RISCs. Permissible fees, charges, and remedies may also differ. Language requirements are different. Compare your mortgage note (a loan) to your vehicle RISC some day. They are very different and I would bet the mortgage is a lot more complicated and written in more arcane legalese.
- Banks are also subject to regulatory and capital requirements for loans they make and hold as well as RISCs they buy. Capital assets must be retained on the bank's balance sheet to support these obligations in the event of default by the consumer. Different types and levels of capital apply to different asset categories. Securitizations became popular in the 1970s as a way to "get the loan off the bank's books" by selling the loan or RISC to a special purpose company that issues notes to investors that are backed by the expected consumer payments. This reduces capital requirements for the bank and gives the bank a source of income for servicing the underlying loans or RISCs.
- Loans can be made more creative and complicated than RISCs. Hence the interest-only and negative amortization types of funky mortgage lending that fueled the subprime mortgage crisis. Banks can do a lot more things with loans than auto dealers can do with RISCs under most state and federal laws. Especially with variable rates. The theory is that bank regulators are watching out for safety and soundness so creativity is OK. Aren't you glad you're not a bank or a regulated lender?
- Other laws can turn on whether you are a lender or a credit seller. A recent appellate court decision in Arkansas held that an auto liability insurer did not have to give a buy-here-pay-here dealer any notice that the consumer's auto policy was about to lapse. The court construed the Arkansas statute requiring notices of cancellation to be given to a lien holder (in this case the dealer) to apply only if the lien holder was a "bank or other lending institution." So when the vehicle sustained a loss, the dealer who was named a lien holder and the loss payee under the policy was out of luck since the policy lapsed for non-payment of premium a few days earlier.
Most of us in auto finance talk about lenders and loans when what we really mean are creditors and credit sales of vehicles under the time-price doctrine. If your talk and records say "lender" and "loan," you could be increasing your exposure to the next attack on the time-price doctrine as a plaintiff's lawyer might point to your words and records as evidence that you are really in the lending business. Use the words "credit sale" instead of "loan" and "financing source" instead of "lender" unless you are actually originating direct loans for banks. Mean what you say and say what you mean and the time-price doctrine will continue to live on.
Originally published January, 2008.

