All the pieces
in one place.
Articles on Compliance
Red Flags Rule Made Simple
Originally appearing in P&A Magazine
Posted on June 03, 2010
By: Jim Ganther
The Red Flags Rule went into effect on January 1, 2008. Its “enforcement date” – meaning the date FTC enforcement against dealerships becomes possible – has been postponed several times and is currently slated for December 31, 2010.
The slippage surrounding the enforcement date has led many in the industry to the false conclusion that the Red Flags Rule does not yet apply. This assumption is incorrect. The only piece of the Rule that isn’t effective is the FTC’s right to go after dealerships that violate the Rule, but that is a remote risk in any case.
The most immediate impact for a dealership that fails to comply with the Red Flags Rule is that its funding sources could turn off. The Rule applies to banks, credit unions and captive lenders as well as dealerships, and allows those funding sources to do business only with dealerships that follow the Rule themselves. That requirement has been in place since November 1, 2008.
Despite the severe practical penalty for failing to follow the Rule, anecdotal evidence suggests two realities: (1) most dealerships don’t know the scope of their obligations under the Rule; and (2) most dealerships therefore are probably not in full compliance with the Rule.
The Rule (codified at 16 CFR 681) has three operative sections:
So, what exactly is a “red flag,” anyway? A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft. The Rule identifies five categories of red flags and provides over two dozen examples of such red flags. Examples the Rule provides include
Things like these should raise a “red flag” in the mind of the dealership employee that encounters them, hence the name of the Rule. Dealerships must create a program that detects, prevents and mitigates identity theft by addressing the red flags that are relevant to their operations.
When the Red Flags Rule was announced in the Joint Final Rules and Guidelines, it weighed in as a 256-page cure for insomnia. But in its simplest form, it can be distilled down to just seven words:
Reasonable minds can come up with a longer or shorter list of requirements, or a different way to characterize them, but the foregoing list provides an easy way to discuss a dealership’s obligations, and makes the whole issue easier to understand. With that in mind, here is an overview of dealership obligations under the Rule.
At the core of the Rule is the requirement for “financial institutions” (which includes most dealerships) to create a written Identity Theft Prevention Program (ITPP). This is actually a misnomer, as no dealership can prevent identity theft – by the time an identity thief shows up to buy a car using a stolen identity, the theft has already occurred. But what the ITPP can do is prevent further damage from the identity theft, at least at the dealership.
The ITPP must be reviewed and approved in writing by the dealership’s board of directors or senior management. This requirement of a name on the “blame line” is clearly intended to extend liability to the dealer principal or senior management personally. “My GM handles that” will not be a defense!
The policy must reflect a consideration of all the red flags that might arise in the dealership, and establish a consistent process to address them. And if there is an irreducible minimum standard to be set forth in an ITPP, it is that no vehicle may be delivered in a case where an identified red flag remains unresolved.
Interestingly enough, the Rule does not require training about the scope of the Rule itself (though that is a good idea). Rather, the Rule requires training about the scope of the dealership’s ITPP. At a bare minimum, a procedure must be in place that confirms receipt of the ITPP by the dealership employees it involves, and that those employees have read it, understand it and agree to follow it.
This type of training is well-suited for computer-based interactive instruction that tracks the ITPP itself. Coupled with a learning management system (LMS), this training can record and archive the fact of each employee’s training and the results. When it comes to lawsuits or enforcement actions, if it isn’t documented it never happened. An LMS makes sure the training is documented.
Detection of identity theft can be as easy as noticing the photo on a doctored driver license doesn’t match the age of the person it describes. Or it can be nearly impossible in the case of a professional ID theft ring. Common sense is the best defense.
The dealership’s ITPP should require certain basic steps be taken in every transaction. For example, careful examination of a customer’s driver license, paying specific attention to the following factors:
Transactions falling under the Rule normally include pulling a credit report on the customer. Those employees who review credit reports should check the credit report for the following:
Finally, a dealership could install a system to check, by electronic means, the following:
There are numerous vendors for such electronic verification processes, most of which can include OFAC checks as well. Electronic verification has the benefit of being easy, automated and fast.
As mentioned above, “prevent” really must mean the prevention of further damage from an identity theft. By the time it becomes an issue at the dealership, the ID theft has already occurred and cannot logically be prevented.
To understand the difference between detection and prevention, it is helpful to understand the difference between identity “verification” and “authentication.”
Identity theft is precisely that – the theft of an actual identity as opposed to creating a false identity. Thus, when a dealership employee is presented with an identity, that identity is likely a real one. Verification means taking steps to confirm the identity is real.
Authentication is the more important step. Authentication means confirming that the identity presented actually belongs to the person offering it. Performing this step properly is the best means of preventing further damage from identity theft at the dealership.
So, how do you authenticate an identity? How much time do you have?
The quickest and most effective method is to use “knowledge-based authentication,” or out-of-wallet challenge questions. This means presenting a customer with questions that cannot be answered by the information commonly carried in a wallet or contained in a credit bureau. Remember, an identity thief can run a credit report on the victim. So if questions are used that involve information in a credit report, the dealership is presenting an open-book test.
Out-of-wallet questions are computer-generated and use data that is more than 7 years old, the age limit for information on a credit report. By asking questions an identity thief can’t answer (“In what state did you live in 1983?”), a dealership can confidently authenticate the identity of its customers.
Out-of-wallet questions should present at least four – and preferably five – possible answers, and at least three questions. The odds of an identity thief correctly answering three five-option questions correctly are 1 in 125. In real life, once a question set is presented to an identity thief, one of three things happens: the thief “forgot something in the car,” has to go to the bathroom or simply runs out of the dealership. In any event, delivery of a car to a thief is thwarted.
For those dealerships with more time or no Internet access, a manual system is possible. A dealership could require customers to present three of the credit cards listed on a credit report, or a current passport or multiple other forms of government-issued ID. If this method is chosen, it must be consistent and documented. Photocopies of the identity-proving documents (but not credit cards!) should be kept.
This approach, however, includes its own risks. All such identifying documents by their nature contain nonpublic personal information (NPI).
And NPI must be protected pursuant to the FTC Safeguards Rule. For my money, the electronic challenge question method is the way to go.
The requirement that dealerships “mitigate” identity theft suffers from a major flaw: the Rule does not define “mitigate.” Using plain English, this should mean at least to lessen the impact of the identity theft. At best, it means the restoration of an identity to its pre-event status.
In practice, this means that the dealership’s ITPP should include the requirement that the dealership “eat” the car it delivers to an identity thief – effectively buying back the deal from the victim who had no knowledge of the transaction. As a court will probably require this anyway, it is not really adding much to the dealership’s risk.
Including fully-managed (not “assisted”) ID recovery service to every transaction is a more proactive means of satisfying this ill-defined legal requirement. It is not my position that the Rule requires this – I don’t know how Courts will interpret this requirement – but it would help a dealer sleep at night, and it is inexpensive.
Any business covered by the Red Flags Rule is required to “oversee” its service providers. This means that a dealership can only engage companies that also follow the Rule to the extent it applies to them. This is accomplished by contracts, or addenda to existing contracts, that pass along a dealership’s obligations under the Rule. The purpose behind this requirement is to prevent a dealership from evading its obligations by contracting out its duties to a third party that may not follow the Rule. This is one buck that cannot be passed!
A dealership must ensure its ITPP continues to work over time. The Rule requires a report be made to the dealership board of directors or senior management at least annually on the dealership’s compliance with the Rule.
The report should address material matters related to the dealership’s ITPP and “evaluate issues such as the effectiveness of the policies and procedures of the [dealership] in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving
identity theft and management’s response; and recommendations for material changes” to the ITPP.
A good place to start the annual report is to document any instances of identity theft at the dealership in the previous year. Then ask the question, “How could this have been prevented?” Then amend the ITPP accordingly to address the issue.
In addition to all the foregoing, the ITPP must address the filing of suspicious activity reports when identity theft occurs or is attempted at the dealership, and filing notices of address discrepancy when such are detected.
The Red Flags Rule is a lot to digest, but it is a manageable task. And the biggest beneficiary may be the dealership itself, as a properly implemented ITPP should prevent the dealership from buying back paper for a car delivered to an identity thief.
This article was written by:
Jim Ganther - has written 10 posts on P&A Magazine.
Jim Ganther is president of Mosaic Compliance Services. He is an attorney and a member of the National Association of Dealer Counsel.