The compliance requirements of the new federal regulations that went into effect in 2011 have added to the never-ending standards dealerships must contend with. Fortunately, most dealers have found that the Risk Based Pricing Notice and updated Privacy Notice requirements are easy to handle. Utilizing the Credit Score Disclosure exception to Risk Based Pricing Notices and using the New Model Privacy Notices is relatively simple – just a few forms that need to be filled out before the end of the day. The Red Flags Rule, however, is another story.
Red Flags regulations require a dealership to not only be a good citizen, but to be a cop as well. There are no exceptions: if red flags are detected during a credit transaction, certain proactive steps are required that will create extra work and slow down the overall process.
Many dealerships are utilizing automated Red Flags programs to help stay in compliance with the updated regulations. These programs, such as those available through RouteOne, are excellent and make it easier to navigate the Red Flags Rule. However, there’s some due diligence required on the part of dealership personnel when potential “Red Flags” are detected. Unfortunately, this is not an uncommon occurrence. Fraud or active duty alerts on credit bureaus, address discrepancies, multiple recent inquiries, or multiple new accounts recently opened are just some examples of the situations that are considered to be identity theft “Red Flags”.
During recent compliance reviews, we’ve been paying particular attention to how dealership employees are handling the new Red Flags requirements. Not surprisingly, we’re finding that in many instances when red flags are detected during a transaction, staff members are struggling to know what to do next.
For instance, we’ve found a number of situations where the red flags program has prompted that a “high risk has been detected” and that “out of wallet questions are required”, but the questions have not been asked of the customer. While it can certainly be uncomfortable to ask a customer personal questions, or request that they supply additional proof of identity or address, it is important that these steps not be avoided due to social discomfort. If an identity theft does occur, and the system-recommended steps were not taken, it’s conceivable that the dealership’s exposure to liability will be increased dramatically. The same holds true in a situation where the dealer’s Red Flags procedures are audited by a regulator. Staff members’ proclamations that they had a ‘gut feeling’ that the customers were who they said they were will not likely be enough to satisfy the investigators. The fact that the employees were prompted to follow a particular procedure and failed to do so would almost certainly make matters much worse.
Training is a mandatory requirement of the FTC’s Red Flags Rule. Employees should be well-trained in all aspects of the company’s Identity Theft Protection Program and features of any automated Red Flags systems, including the proper procedures necessary if Red Flags are detected. The training should explain the spirit of the law as well. It is important that all personnel understand that the Red Flags Rule requires employees to be proactive in attempting to prevent identity theft and that any shortcuts create serious liability for the dealership.
Even the best Red Flags program is not infallible. Chances are that an experienced identity thief will succeed despite advanced technology and a dealership’s best efforts. It still happens, and it’s understandable. As long as the company can show that they have performed their due diligence and did not take any shortcuts, their exposure will likely be lessened significantly.
Contact KPA for complete Red Flag compliance training services.