When Compliance Met Technology

I recently met a friend at a local McDonald’s for a cup of coffee. To my surprise, there were no order-takers behind the counter. Rather, a row of sleek kiosks accepted my order and payment; a minute later, a runner brought out our coffee.

Technology, it seems, is capable of changing everything. Why not dealership compliance?

To answer that question, a bit of history is helpful. Once upon a time, dealership legal compliance was a sometimes thing, certainly driven more by the ethics of a given dealer than any technology.

Enforcement, too, was erratic. Egregious cases of consumer fraud were prosecuted with much media fanfare, but a constant drip of “normal graft” was tough to defeat. Then, in the decade from 1999 to 2009, all that began to change. What changed it was the confluence of law and technology.

Federal Regulations

First, the law. While such standards as the Truth in Lending Act, Consumer Leasing Act and Fair Credit Reporting Act had been on the books for years, it was the Gramm-Leach-Bliley Act of 1999 that seemed to be a wake-up call. The GLBA created the Privacy Rule and the Safeguards Rule. They relate to one another and must be considered together.

The Privacy Rule requires dealers to inform customers what nonpublic personal information (NPI) the dealer collects, what the dealer does with that NPI, and how it safeguards that NPI. If the dealer shares a customer’s NPI with non-affiliated third parties, the Privacy Rule allows the customer to opt out from that sharing in certain circumstances.

The Safeguards Rule sets forth the minimum standards a dealership must meet in protecting its customers’ NPI. When a privacy notice says the dealership protects that NPI “in accordance with law,” it means the dealership is satisfying the requirements of the Safeguards Rule.

Then came the Red Flags Rule. Like the Privacy Rule and The Safeguards Rule before it, the Red Flags Rule enacted a set of bright-line obligations the dealership must meet. If the Safeguards Rule was meant to prevent identity theft, the Red Flags Rule was designed to spot identity thieves before they could do more damage.

Advancing Technology

All of this evolved against a background of burgeoning technology development and usage. When the Gramm-Leach-Bliley Act was passed, smartphones had not yet been invented. The internet was accessed at dial-up speeds. And social media? Mark Zuckerberg was in eighth grade.

Those three technologies — the internet, smartphones, and social media — did more to accelerate legal compliance than any single law intended to constrain dealership behavior. Let’s look at each in turn.

The internet provides near-instantaneous access to information that is practically without limit. This reduces a reality that once both protected dealership profits and obscured their sins: informational asymmetry. That fancy term means one side had all the knowledge. And when one side has all the knowledge, that side usually wins. Remember the expression “Knowledge is power”? In fact, it is.

Informational asymmetry meant that customers didn’t know how much a dealer had invested in any piece of its inventory, or how reliable particular vehicles were, or if a used car had been in a wreck. Under such circumstances, customers were in no position to drive a hard bargain.

The internet changed all that, and smartphones made access to the internet easy, quick, and cheap. Want to know what a car should cost? Visit Kelley Blue Book or any of a host of other valuation sites. Want to know if there is an open recall on the car of your dreams? Visit All of a sudden, negotiating got a whole lot fairer, and dealers’ margins got a whole lot thinner.

Social media gave everyone a platform to praise or curse dealership behavior. The odds of any given dealership becoming a target of an FTC investigation are remote. But the odds of a dealership getting flamed on Facebook, Yelp or Twitter (more likely, all three) are a certainty.

OK, back to the law part of all this. If a dealer sinned in the 1980s, the only people who knew about it were the victims and those who read newspapers. If a dealer sins today, the news can travel around the world and literally into everyone’s hands in an instant.

Because of the internet, knowledge of what is and is not legal is more common than ever. Awareness of identity theft, in particular, has reached dizzying heights in the wake of the Equifax breach. The Safeguards Rule and the Red Flags Rule connect that awareness to the world of retail automotive. And instances of consumer fraud, always wrong, are now easier to discover.

In short, it is technology that is really driving the increased interest in dealership compliance. That is not a bad thing. In addition to being the driver of compliance awareness, technology can be the most effective means of achieving compliance.

Next time, we’ll examine how technology can ensure dealership compliance with legal requirements and consumer expectations.

Certified for the Future

If I could predict the future, I’d be at the nearest 7-11 buying one (and only one) lottery ticket. But here I am writing this article, which tells you all you need to know about my powers of prognostication. Still, I can’t help but occasionally peer into my crystal ball and try to interpret what I see. And what I see is a little scary — at least for those who aren’t prepared.

Here’s what I believe: First, the Federal Trade Commission (directly) and the Consumer Financial Protection Bureau (indirectly) issue regulations that affect the retail automotive world. But when it comes to actually impacting a dealership financially, neither the FTC nor the CFPB are as tough as they think.

I also believe the local plaintiff’s bar does more to affect dealership behavior than distant federal authorities. Consumer lawyers have a direct economic stake in finding, exposing and exploiting dealership violations. And trust me, it is very lucrative.

I also believe that technology, particularly social media, will eventually supplant consumer lawyers as the most effective factor in regulating dealership behavior.

Lastly, I believe no one trusts what dealerships say about themselves. However, consumers tend to believe what total strangers say about dealerships, especially if those strangers just bought a car or had one serviced at a dealership. And that’s the power of social media.

Facebook may not seem like a big threat, as scathing reviews posted there are only read by people connected to the reviewer who care or are in the market for a car. But people who go to or are almost all in the market for a car. Get blasted on those or similar sites and your topline revenue will take a hit.

In short, a herd of ticked-off customers with Internet access will have more power to influence dealership behavior than the FTC or CFPB. That’s not just the future; it increasingly describes our present.

If the fair, ethical and legally-compliant treatment of customers, as broadcast across social media, is the future of dealership regulation, how should dealers respond? The answer is obvious: Create a process that ensures customers are treated fairly, ethically, and in a legally compliant manner.

At the end of the day, most federal consumer-protection laws are designed to do just that. So doing right by regulators will also satisfy the real regulators: your customers.

The process must include a consistent, verifiable training program that includes the legal requirements for each job description at a dealership, not just F&I personnel. Per the National Automobile Dealers Association, the average dealership has 67 employees, of whom three or four are F&I managers. That means a program that only trains 4% of the workforce is going to fall short 96% of the time.

To address this need, Compliance Summit, in cooperation with Automotive Compliance Education, offered the ACE-certified Compliance Specialist program to attendees at no additional charge. Certification candidates will have access to online, interactive, video-based training on a broad range of dealership compliance topics. On Tuesday, Aug. 30, leading industry compliance experts (and yours truly) provided live test preparation, followed by the certification exam after lunch. Those who passed will receive the ACE Certified Compliance Specialist designation.

ACE is designed to assure continuous proficiency. Certified Compliance Specialists will be required to recertify annually by reviewing a current “Annual Update” module that focuses on developments relevant to their certification level over the preceding year, and passing the recertification exam.

Making the certification more meaningful is the program’s emphasis on processes that apply the theoretical aspects of regulatory language to real-life situations.

ACE is spearheaded by Gil Van Over III, founder and president of compliance auditing firm gvo3 & Associates. The idea spawned from the constant violations he came across while reviewing dealership operations, infractions that could have been prevented with proper training. “I created ACE to fill that need,” he says.

In addition to launching Compliance Specialist certification at Compliance Summit, ACE will provide certifications tailored to F&I personnel, sales associates, sales managers, business office personnel, and compliance officers. Each program will be offered online at, which will go live following the conclusion of Compliance Summit. Live review and test sessions are also expected to be part of future Compliance Summits.

The programs are designed to provide the basis for customer experiences that satisfy both the federal regulators and the real regulators: customers. That’s how smart dealers will face the future.


Dealership Compliance under the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act of 1999, or “GLB” as it is more commonly called, is the law with the biggest impact on the dealership community since the Truth in Lending Act was passed in 1968. From GLB flow at least two major rules that affect every dealership in America: the Privacy Rule and the Safeguards Rule. And because of those rules’ emphasis on protecting nonpublic personal information (“NPI”), the Red Flags Rule (authorized under the Fair and Accurate Credit Transactions Act (“FACTA”) of 2003), which treats identity theft, is often lumped together with them when considering the protection of customer data.

All three of those rules were discussed at the inaugural Compliance Summit by a panel made up of Doug Fusco, CEO of DealerSafeGuardSolutionS; Becky Barrows, HR and compliance director for KeyRoyal Financial Services; and Michael Tuno, president of World Class Dealer Services.

It is worth noting that none of the panelists are attorneys, and none of their companies are law firms. Rather, they all serve the dealership market in one way or another, and the services of each have grown to address the compliance issues dealerships face. That highlights a key take-away from the panel session: everybody who has a piece of the dealership industry can have a piece of the compliance function. If every vendor included a compliance feature that addressed its core services, dealerships would have much of their compliance needs addressed in the ordinary course of doing business. But that happy state has yet to arrive, so the panel spoke both to what can be done and to what they are doing.

Becky Barrows affirmed that outside vendors are well-positioned to help with compliance issues. “Dealers are in the business of selling and repairing cars, so compliance can be a bit outside their wheelhouse. This represents a huge business opportunity for outside experts who can provide what dealers aren’t good at doing themselves.”

The first GLB area where a little knowledge and advice could be helpful to dealers is the Privacy Rule. Asked if the Privacy Rule is widely understood and followed by dealers, Michael Tuno responded, “No and no. No to all of the above!” He went on to explain that there is a disconnect between the language of a statute or rule and a dealer’s understanding of it. Using the Privacy Rule as an example, Tuno said that dealers were aware of the rule at the time it was issued, but had no idea what to do about it. Even the FTC’s online model form generator wasn’t much help – dealers were confused by the options they faced on the screen. It was as if the rule and the Government guidance were written by lawyers for lawyers, and most dealers aren’t lawyers!

What Tuno was able to do as an F&I partner for his dealerships was develop an understanding of the Privacy Rule and the FTC forms generator and walk his dealer clients through the process. You don’t need to be a lawyer to do that.

With respect to the Safeguards Rule, Tuno takes the same approach. As he put it, “The first thing I do for a dealer is ask if they’ve appointed a compliance officer, which the Safeguards Rule requires. If the answer is ‘no,’ I know we’ve got to help them understand the rule’s requirements and meet them. It isn’t hard – it’s mostly a process of education.”

Doug Fusco’s company develops compliance monitoring software and related business processes. From his perspective, GLB compliance is driven by “creating verifiable patterns and practices. Show that you have something in place and execute against it so you can defend yourself by making a greater than ‘check the box’ effort to comply.”

Fusco also endorsed the use of a compliance survey to help educate dealers about GLB and other legal requirements. A simple form that asks yes/no questions addressing all of the major requirements of GLB/FACTA creates a good road map, identifying both what is being done and what needs to be done.

“Simple” was a word Michael Tuno latched onto. “What we’ve found works the best is keeping it simple. Start there. You don’t want to get too complicated. Start with policies and procedures and then move on to training on those policies and procedures. And then audit the process to make sure it’s having the intended effect. The audit serves a huge function to keep the ship on the right path.”

The panelists agreed that GLB is all about protecting NPI. Becky Barrows explained what could constitute NPI in the dealership environment: “Anything that’s not available to the public. So we’re not talking about phone numbers. But checking account numbers and driver license numbers would be NPI. Like Michael’s company, we conduct audits to see how dealers actually protect NPI. And the number one offense is deal jackets lying around unprotected. Deal jackets are full of NPI, and if they’re not protected, the dealership has a real problem.”

Tuno followed up with his version of the Golden Rule as the sum and substance of GLB compliance. “Don’t leave unprotected any data you wouldn’t want other people to see. If you don’t want the world to see your credit report, don’t treat someone else’s credit report casually.”

The panel was asked to relate real-life GLB horror stories (careful to keep secret the offending dealers’ identities, of course). Doug Fusco told a common tale. “I was visiting a dealership that was a part of a fairly large dealership group. There was paperwork everywhere, and no effort made to keep it secure. I brought this to the attention of the General Manager, who shrugged and said, ‘yeah, but we lock it all up at night.’ So I conducted an audit – at 7:30 in the morning. Needless to say, there was no evidence anything had been locked up. I calculated $23 million in potential fines before I reported back to the General Manager. The big fines come from knowingly violating the law, and they knew. Needless to say, that got his attention.”

So how do you battle GLB and other compliance violations? Fusco offered his “3 E’s” – Education, Enablement, and Enforcement. Those vendors that are in the dealership are in a position to offer training, the tools that enable behavior consistent with that training, and the audits that enforce the process. This is not limited to “compliance companies.” F&I partners, HR services, income development specialists – anyone who has a dog in the fight can bring in the 3 E’s if the will is there to do it.

One valuable lesson that the panel provided was that reasonable minds can disagree about what documents actually contain NPI – but all agreed that this very uncertainty makes protecting all customer data the best possible practice. As Michael Tuno put it, “We don’t want F&I managers making decisions on a document-by-document basis, ‘protect this/don’t protect that.’ Protect everything and you’ll be good. That’s the best practice.”

That is probably the simplest approach to GLB compliance, and the ultimate conclusion of the panel: protect everything and you’ll be OK. Vendors that serve the dealership community have a role to play in that effort. The future may well belong to those that do.


Digital Compliance, Part 3

Serialized articles are like turkey after Thanksgiving: eventually, you get tired of turkey sandwiches, turkey soup, and turkey burritos. It’s time to move on to other things. So this will be the last installment on the topic of Digital Compliance. One last 1,000-word helping and we can put away the cranberry sauce for another year.

In the past two months, we’ve examined online solutions for OFAC, the Safeguards Rule, the Red Flags Rule, F&I menus, the Dodd-Frank Act, Environmental, Health & Safety, Human Resources, and Compliance Training. In this installment, we will consider Product Training, Deceptive Trade Practices, and Audits & Review.

Product Training

I know what you’re thinking – what does product training have to do with compliance? Everything. Indulge a true story to illustrate why (the facts have been changed to protect the author).

Once upon a time, there was a car dealership that sold GAP. Lots of GAP. Virtually every financed deal had GAP in it. And the F&I personnel always proclaimed the benefits of GAP: in the event of a total loss or unrecovered theft, GAP would pay the difference between the actual cash value of the vehicle and the remaining balance on the loan.

Small problem – that description of benefits is not true: every GAP policy the dealership sold had a limit of 125 percent of MSRP. And since almost every car the dealership delivered was over-financed (150 percent of MSRP or more), there was almost always a deficiency in the amount paid to GAP claimants. A class action lawsuit followed.

In the course of the lawsuit, the dealership claimed that it was really the GAP provider and its agent that was to blame. If only the provider and agent had explained the limitation, the dealership would never, ever have misled the car-buying public!

Online product training, focusing on the precise contract the dealership sells for GAP, VCSs, and so on, takes away that argument. It is easy to prove exactly what dealership personnel were trained with respect to features, benefits, limitations, and exclusions. This protects providers, agents, and even dealership management. If an F&I manager misleads a customer about a product’s coverages, the dealership can prove how it trained its employees. Any deviation from the company line would be argued to be a frolic of the employee for which the dealership should not be held liable.

Of course, it also helps that dealership personnel who are knowledgeable about a product’s features and benefits are likely to sell more of it. So this creates the happy marriage of compliance and profitability.

Any online training provider should be able to create custom modules and LMS-based testing to verify learning.

Deceptive Trade Practices

This is another counterintuitive topic. How can an online solution detect or prevent deceptive trade practices?

Digitally recording and reviewing the F&I transaction, that’s how. Like online product training, this is both a compliance tool and a sales tool. Let’s look at each function in turn.

First, the sales tool angle. How do NFL players prepare for upcoming games and improve their level of play? By reviewing film. Successful players spend many hours in the film room, watching tape of opponents to prepare to overcome them and tape of their own performance to correct their shortcomings.

The same can happen at dealerships. If a transaction is recorded, review with a manager can detect flaws and correct them. For example, I’ve watched tape of an F&I practitioner that constantly clicked his pen during product presentations. He wasn’t even aware he was doing it – it was just a nervous habit. Once it was pointed out to him in a tape review, he stopped that behavior. Oh, and his PRU doubled overnight.

Then there’s the compliance tool angle. Simply stated, if an F&I practitioner knows his presentation is being filmed and reviewed, what are the odds he will intentionally mislead a customer? And if he inadvertently makes a material error, it can be detected and corrected before it spawns a lawsuit.

Let me put on my lawyer pants and make one thing perfectly clear: do NOT record F&I transactions if you do not intend to review them. To do otherwise is to risk creating evidence of misbehavior that can be used against you. And I would suggest archiving recordings only for the period of time necessary to use them for the purposes mentioned above, then delete them. If you want to pursue this mode of digital compliance, please consult your own counsel first.

A system I’m aware of that combines recording and reviewing by a third party for legal and procedural compliance is offered through IAS.

Audit & Review

As the old saying goes, you cannot expect what you do not inspect. But third-party audits are typically expensive, as they entail travel and expense accounts. Once again, though, the Internet can come to the rescue and eliminate the travel.

Gvo3 & Associates has developed a program that allows for F&I compliance audits from remote locations. Gvo3 provides the dealership with a matrix of deals it wants to review, reducing the chances a dealer will “cherry-pick” the deals it wants examined. Those deal jackets are then scanned and uploaded to a secure gvo3 site for review. After the review is completed, a webinar-based review session with the dealership and written report are provided. After this is completed, the deal files are deleted from the gvo3 site.

While online audits and reviews shouldn’t completely replace “boots on the ground” audits, they can fill the gap between them economically and efficiently.

You made it – three consecutive articles on the broad topic of digital compliance. Feel free to contact the author if you have any questions. Now go stagger off to watch some football. You’ve earned it!


Digital Compliance, Part 2

Last month in this space, we discussed the existence and usefulness of inexpensive “digital” compliance tools. For purposes of this series, we consider “digital compliance” to mean any compliance tool or solution that is:

  • Web- or computer-based
  • Automated
  • Efficient
  • Effective

Part 1 evaluated digital compliance as it applied to OFAC, the Safeguards Rule, the Red Flags Rule, and F&I menus. This month we’ll look at the Dodd-Frank Act, Environmental, Health & Safety, Human Resources, and Compliance Training. Next month (assuming reader mail doesn’t suggest additional topics) we’ll wrap up by examining digital compliance solutions for Product Training, Deceptive Trade Practices, and Audits & Review.

Dodd-Frank Act

The topics of Adverse Action Notices and Risk-based Pricing Notices have generated great angst in the dealership community of late, due in large measure to the Dodd-Frank Wall Street Reform and Consumer Protection Act. I could argue that Act neither meaningfully reforms Wall Street nor protects consumers, but it certainly got dealers’ attention.

The reason for dealer attention was the expansion of disclosures that adverse action notices must contain. Dodd-Frank amends the Fair Credit Reporting Act to require creditors to disclose in their adverse action notices:

  • A numerical credit score used in making the credit decision
  • The range of possible scores under the model used
  • Up to four key factors that adversely affected the consumer’s credit score (or up to five factors if the number of inquiries made with respect to that consumer report is a key factor)
  • The date on which the credit score was created
  • The name of the person or entity that provided the credit score

And then there’s risk-based pricing. Dodd-Frank requires risk-based pricing notices (RBPN) be given in situations where credit is offered on terms “materially less favorable” than “the most favorable terms available to a substantial portion of consumers” where the credit decision was “based in whole or in part on the consumer report.” In the alternative, dealers may provide an “exception notice” to all consumers after a credit score is obtained and before a financial contract is consummated.

Confused yet?

Fortunately for dealers, many third-party vendors in the credit-approval process provide compliant adverse action notices and RBPN. In addition, CRM and DMS systems generally can print a compliant notice as well. You can check out CoreLogic Credco’s solution at; RouteOne’s at; and ProCredit Express’ at So you’re covered, right? In the immortal words of Lee Corso, “Not so fast, my friend…”

It’s easy to provide a customer in F&I with an exception notice, but what about unsold showroom traffic? And how do you ensure a proper notice was actually provided in F&I, or emailed (after securing permission to use email), or mailed within 30 days of a credit bureau being pulled? And how do you document that your dealership complied? Remember, in the world of compliance, if it isn’t documented, it didn’t happen. So be sure to determine that the solution you choose addresses those issues.

Environmental, Health & Safety

In the EHS arena, dealerships need to comply with OSHA, DOT, EPA, State regulations, and the local press corps if things don’t always work out. Inspections are a part of this, and those generally require real people making actual site visits. But the miracle of the internet can improve and automate many processes.

For example, consider Material Safety Data Sheets (MSDS). An MSDS explains the properties of a given substance used or present at a dealership. They are intended to provide workers with procedures for handling or working with the covered substance in a safe manner, and must be available for workers and emergency personnel.

MSDS can be stored, catalogued and updated in thick black three-ring binders. Or the appropriate MSDS can be accessed online and maintained on the dealership’s behalf by a third party vendor. For my money, the latter approach is the way to go.

Similarly, DOT/Hazmat training can be had online. Online solutions for the management of documentation are also available, including inspection reports, issue logs, safety committee meeting notes, DOT and other employee certifications, and accident reports. Online dashboards make status easy to observe and track. For one such vendor, see KPA at

Human Resources

Much of the value of digital compliance solutions lies in their ability to create repeatable, verifiable processes. One of the areas in which this capability is tremendously important is Human Resources (HR). Treating all employees consistently and fairly is vital in order to both do right and avoid lawsuits based on discrimination or wrongful termination.

Web-based applications exist to make consistent and compliant HR actions easy. Such tools address recruitment and applicant training, performance management, incident reporting, and even online advice from employment law attorneys. Dashboards can provide a bird’s-eye view of the status of individuals and of the dealership as a whole.

When employees sue employers, the value of being able to document reasonable actions cannot be overestimated. Web-based solutions create checklists and processes to be followed, and a secure archive of those actions from which reports can easily be generated. Paper employee files look archaic by comparison.

For an example of such a web-based solution, see HotlinkHR at

Compliance Training

True fact: delivering a motor vehicle in an American retail transaction is one of the most heavily-regulated activities on earth. It is only slightly less regulated (deep breath…) than building a nuclear power plant on a bald eagle eating a manatee in the wetlands behind Al Gore’s house. Seriously. A dealership’s daily business involves the Fair Credit Reporting Act, Equal Credit Opportunity Act, Regulation M, Regulation Z, the Magnuson-Moss Warranty Act, Red Flags Rule, Safeguards Rule, Used Car Rule, Holder-in-Due-Course Rule, Privacy Rule, Disposal Rule, Credit Practices Rule, Telemarketing Sales Rule, Cash Reporting Rule, CAN-SPAM, FTC Act, FACT Act, OFAC, and the Equal Employment Opportunity Act.

That was just a partial list – to tell you the truth, in all this confusion I kind of lost track myself. So you’ve got to ask yourself one question: How can a dealership’s non-attorney employees follow laws they don’t even know exist? Do you feel lucky? Well do ya, punk?

With apologies to Dirty Harry, it’s easy to cut through the confusion with a web-based legal compliance training program that educates dealership employees on the laws that govern their jobs. Coupled with a Learning Management System, records and reports are created that demonstrate who took the training, when, and how they did on the module-end test that confirms learning took place. Done right, this can even create admissible evidence in support of a dealership’s position in consumer litigation.

Curricula can be tailored for the specific job description of the learner. So, for example, every employee can take Sexual Harassment training, while only F&I personnel would take a module on the legal implications of F&I menus. Automated reporting features can be configured to give the appropriate manager regular emails concerning the progress of those in his department.

To see one such program – mine – go to

If you’ve made it this far, good news: only one more article to wrap this up. And the finale will include a compliance checklist to keep all these obligations (and the options to address them) straight.


Digital Compliance, Part 1

Research and my own experience have shown that (a drum roll, please)… dealers are cheap. And I don’t mean that in a negative way. Rather, in the past few years of tightening car sales and constipated margins, the best dealers have trimmed their expenses to the extent possible. Lazy brothers-in-law got laid off. Jets went up for sale.

Against this backdrop, dealers understand that, while they need effective and verifiable compliance solutions, they are hesitant to spend hard dollars for services that can’t prove ROI. Fortunately, effective and verifiable web-based solutions are readily available. And they can be cheap.

Compliance topics that lend themselves to digital solutions include:

  • OFAC
  • Safeguards Rule
  • Red Flags Rule
  • F&I Menus
  • Dodd Frank/Adverse Action Notices
  • Environmental, Health & Safety
  • Human Resources
  • Compliance Training
  • Product Training
  • Deceptive Trade Practices
  • Audit & Review

Let’s examine how web-based technologies can contribute to compliance in those areas, affordably. We’ll look at the first four this time, and hit the remainder in the next issue or two.

OFAC

Complying with the requirements of the Office of Foreign Assets Control (OFAC) is perhaps the easiest and cheapest digital solution of all. OFAC prohibits businesses from dealing with any person or entity on its list of Specially Designated Nationals, popularly referred to as the “bad guy list.” Interestingly, there is no minimum dollar level for OFAC compliance so, technically, you should be subject to an OFAC check just before hearing “Want fries with that?”

One free way of running an online OFAC check is to go to and click until you get to the bad guy list, then search for your customer’s name. But while free, this is cumbersome and only as reliable as the operator – who will only get paid if the deal goes through. And even under the best of circumstances, this free approach does not automatically create and archive a record of the effort. In the world of compliance, that is a serious deficiency – if it isn’t documented, it didn’t happen.

Most credit reporting agencies have an inexpensive online OFAC check function. For a quarter or so, you can run the customer’s name against the bad guy list and create a record of your having done so. Now that’s value!

Other popular sources of OFAC checks include RouteOne (, ProCredit Express (, and Veratad (

Whichever solution you use, beware of one common pitfall: OFAC requires a check of every customer, not just every finance customer. This means you need a process in place to catch cash customers. All of the solutions mentioned above can be used in connection with a cash transaction. The real trick is remembering to do so.
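As an added example (not the author’s code and not any vendor’s product), here is the shape of a documented OFAC screen: the customer’s name is normalized and compared against a constructed SDN-style list, cash and financed deals take the same path, and an audit line is produced for every check whether or not it hits. The list entries, the “list_version” value and the log path are constructed for illustration; real screening runs against the Treasury’s published list and uses fuzzier matching than the exact token-set comparison shown here.

```python
import json
import re
import unicodedata
from datetime import datetime, timezone

# Constructed sample entries; a real check runs against the Treasury's
# published SDN list, which carries names, aliases and identifiers.
SDN_LIST = [
    {"uid": "SDN-0001", "name": "DOE, JOHN Q.", "aliases": ["DOE, JOHNNY"]},
    {"uid": "SDN-0002", "name": "EXAMPLE TRADING CO.", "aliases": []},
]

def normalize(name: str) -> str:
    """Strip accents and punctuation, upper-case, drop initials and sort the
    tokens so "John Doe" and "DOE, JOHN Q." compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[A-Z0-9]+", ascii_name.upper())
    return " ".join(sorted(t for t in tokens if len(t) > 1))

def screen(customer_name: str, deal_type: str, sdn_list=SDN_LIST) -> dict:
    """Return an audit record for one check. deal_type is "cash" or "finance";
    both take the same path, which is the whole point of the rule."""
    target = normalize(customer_name)
    hits = [
        entry["uid"]
        for entry in sdn_list
        if target == normalize(entry["name"])
        or any(target == normalize(alias) for alias in entry["aliases"])
    ]
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "customer": customer_name,
        "deal_type": deal_type,
        "list_version": "constructed-sample",  # real code records the SDN list date
        "potential_match": bool(hits),  # a hit means hold and review, not auto-deny
        "matched_uids": hits,
    }

def archive(record: dict, log_path: str = "ofac_audit.jsonl") -> str:
    """Append the record as one JSON line and return it; the archive is what
    proves the check happened ("if it isn't documented, it didn't happen")."""
    line = json.dumps(record) + "\n"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line
```

A potential match is a hold for a human to resolve against the full list entry, not an automatic refusal; the archived line is what an auditor asks for later.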

Safeguards Rule

The Federal Trade Commission Safeguards Rule is intended to make financial institutions (as dealerships are considered under the Rule) protect consumers’ nonpublic personal information (NPI). The Rule requires dealerships to:

  1. Designate a Program Coordinator;
  2. Conduct a risk assessment;
  3. Design and implement safeguards to control the risks identified by the assessment;
  4. Oversee its service providers; and
  5. Periodically reevaluate the program and amend it as necessary.

Items 1, 2, 4, and 5 are labor-intensive and not well served by online tools. But item 3 – the nuts and bolts of the Rule – is a problem with a digital solution. Several, in fact.

The two great risks to NPI at a dealership are paper files and computer data. Consider that a deal jacket almost certainly contains enough NPI to steal an identity. Credit applications are the Holy Grail for identity thieves. And computer files – the dealership’s DMS – contain the NPI of all of their customers. Clearly, these must be protected.

To address the risk that paper files present, some dealerships electronically scan the entire deal jacket and then shred the original paper files. If there are no paper files, there are no paper files to steal. Iron Mountain has a robust document management solution (, as does DealerTrack ( The former is more generic; the latter tailored to the automotive market. Lazy Days RV Center, the largest RV dealership in the world, has been taking this approach for almost a decade. “In all that time,” says Harold Oehler, Lazy Days’ general counsel, “we’ve never had a problem finding a document. It was the paper documents that were more likely to go missing.”

To protect computer files, it should go without saying that strong firewalls should be in place. But don’t put an exaggerated level of trust in firewalls alone. Firewalls merely limit the number of open ports through which data may be stolen. Preventing such theft is the real job. To accomplish this, dealers should invest in up-to-date anti-virus, anti-malware, and anti-phishing programs.

Furthermore, almost every organization should have an intrusion detection system (IDS). An IDS detects unauthorized attempts to access a computer network, or internal attempts to violate network policies (such as the entire customer database being downloaded from a workstation in the service department – true story).

To learn more about IDSs, check out Intrusion, Inc. ( or, for a free solution, try Sourcefire’s Snort at
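The “true story” above is the kind of policy violation an IDS or a review of the DMS audit log should catch. As an added example (not the author’s code and not any product’s rule set), the check below runs over constructed DMS export log lines and flags any workstation that pulls customer records from a department with no business exporting NPI, or that pulls far more records in a day than any legitimate job needs. The log format, department names and the 500-record threshold are assumptions for the example.

```python
from collections import defaultdict
import re

# Constructed sample DMS audit log: timestamp, workstation, department, action, records.
SAMPLE_LOG = """\
2009-03-02T09:14:05 ws-fi-01 FI EXPORT_CUSTOMERS 1
2009-03-02T09:20:31 ws-fi-01 FI EXPORT_CUSTOMERS 1
2009-03-02T10:02:44 ws-svc-07 SERVICE EXPORT_CUSTOMERS 18450
2009-03-02T10:05:12 ws-sales-03 SALES EXPORT_CUSTOMERS 40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
# Assumed policy: only these departments may export customer NPI, and no
# single workstation should pull more than this many records in one day.
EXPORT_ALLOWED = {"FI", "SALES", "ACCOUNTING"}
DAILY_RECORD_LIMIT = 500

def parse(log_text):
    """Yield one event per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, dept, action, count = m.groups()
            yield {"ts": ts, "host": host, "dept": dept, "action": action, "count": int(count)}

def find_violations(log_text):
    """Total customer records exported per workstation per day and return one
    alert per (workstation, day) that breaks either part of the policy."""
    totals = defaultdict(int)
    depts = {}
    for ev in parse(log_text):
        if ev["action"] != "EXPORT_CUSTOMERS":
            continue
        key = (ev["host"], ev["ts"][:10])  # date prefix of the timestamp
        totals[key] += ev["count"]
        depts[ev["host"]] = ev["dept"]
    alerts = []
    for (host, day), total in sorted(totals.items()):
        reasons = []
        if depts[host] not in EXPORT_ALLOWED:
            reasons.append("department %s not permitted to export NPI" % depts[host])
        if total > DAILY_RECORD_LIMIT:
            reasons.append("%d records exported in one day" % total)
        if reasons:
            alerts.append({"host": host, "day": day, "records": total, "reasons": reasons})
    return alerts
```

Run against the sample, only the service-department workstation is flagged, and it trips both rules; an F&I workstation exporting 900 records would trip only the volume rule.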

Red Flags Rule

The gist of the Red Flags Rule can be summed up in just seven words:

  1. Policy
  2. Training
  3. Detect
  4. Prevent
  5. Mitigate
  6. Oversee
  7. Ensure

To string those words together, the Rule requires financial institutions (again, including dealerships) to have an identity theft prevention program (ITPP), which is the policy; to train its employees on that policy; and to detect, prevent and mitigate the effects of identity theft at or through the dealership. The dealership must also oversee its service providers so that they comply with the Rule to the extent applicable to their operations, and ensure that the ITPP continues to work over time.

To a greater or lesser degree, all seven of those requirements have an electronic solution. The most significant involve the requirements of detection, prevention, and mitigation.

Many vendors have tools to detect attempts by identity thieves to obtain cars using another person’s identity. For example, ADP Dealer Services ( offers a Red Flags solution that goes a long way towards detecting attempts at identity theft and, as important, documenting those efforts. So do DealerTrack, ProCredit Express, and others. These solutions focus on elements of the transaction to determine the likelihood of fraud. If that likelihood is strong enough, knowledge-based authentication (out-of-wallet challenge questions) can be applied. This is both simple and effective. And best of all, cheap.

Mitigation is a bit trickier. The only meaningful form of mitigation I can think of is an identity theft recovery and monitoring service. This service scans the internet (both the legitimate and “black” internet) 24/7, looking for misuse or sale of a customer’s NPI. If identity theft occurs, trained recovery specialists restore the victim’s identity to its pre-event status. Some dealers give away a year of this service with every car delivered, then upsell additional years in F&I to create a profit center. For more information, contact… me. My company provides this service, and I’ve got three kids in college!

One word of warning: many companies provide Red Flags compliance tools and almost all of them claim to be “complete” or “turnkey” solutions. But given that there are seven significant requirements, and most solutions address two or three at best, these claims should be taken with a grain of salt.

F&I Menus

When F&I menus first came on the scene, they were novel, clever, and paper. Then along came PC-based menus – a great improvement. Now they come in web-enabled versions, and I am a big fan. Properly used, these selling tools are compliance tools as well.

By consistently presenting all products to all customers, F&I menus can reduce the risk of discrimination claims. Archived menus provide proof, if ever needed, of the pricing put in front of a customer. Written disclaimers can be clearly presented. A clear paper trail connecting the desking tool, buyer’s order, and installment sale contract is created. In short, a properly used electronic F&I menu can be a dealership’s (and its counsel’s) best friend.

Such menus are easy to find. Check out IAS, LP (, The Impact Group, Inc. (, or MaximTrak (

That’s just a sampling of the digital solutions available to enhance dealerships’ compliance efforts on the cheap. We’ll discuss more in the coming issues, and conclude with a checklist dealers can consult to evaluate how they’re doing in these important areas.

Posted in Product & Technology | 0 Comments