Author Archives | rwilson

Who Are You? Who? Who? Who? Who?

If you are of a certain age, you will quickly recognize the refrain from the 1978 double platinum “Who Are You?” album by rock legends, The Who. While the song is about band member Pete Townshend getting questioned by the local men in blue after a bender, on the dealership floor, the question is more focused on getting to know the prospective buyer.

More specifically, your dealers need to know the identity of each buyer, and they need to know that the buyer is not an identity thief.

What we are talking about is, of course, the Red Flags rule. The Red Flags rule is designed to identify “red flags” or reasonably foreseeable risks of identity theft. The goal of the rule is the protection of customers who may be victims of identity theft, but it protects your dealer clients as well.

Red Flags and the CMS

Generally speaking, each dealership should have an identity theft program in place as part of a larger compliance management system (CMS), which consists of policies and procedures, training, auditing and complaint management.

The Red Flags rule requires an evaluation of certain risk factors such as alerts from consumer reporting agencies, presentation of identification documents which appear altered or do not match the physical appearance of the customer, unusual activity in the customer account (e.g. material change in the use of credit), among others.

From a practical perspective, there are at least two additional considerations. First, many, if not most, dealers outsource Red Flags compliance and then stop thinking about it. Have your dealers updated their policies and procedures to reflect the outsourced Red Flags process? Does their sales force check the red flags identified by the FTC? What is the procedure if a red flag is discovered? Reliance on third-party software may not be sufficient to comply with the rule if a comprehensive compliance process is not implemented.

Full Indemnity

The second practical consideration concerns vehicle financing. Most, if not all, larger indirect financing sources will require full indemnity and repurchase of any purchases obtained through identity fraud.

There is no insurance policy which will cover a loss caused by violating the law so, as a practical matter, your dealer will suffer a double loss in that they will need to pay back the bank and they will not have the vehicle. In addition, the FTC can impose a fine of $3,500 per violation in addition to seeking per-day penalties and UDAAP damages. The total financial cost of identity theft to the dealership can be substantial.

Dealers are increasingly relying on the internet to drive sales. Completing sales remotely creates a large identity theft risk because the ability to verify the customer’s identity is more difficult. The buyer can send a “Photoshopped” driver’s license via email, for example, or provide a fraudulent credit card.

So what is the takeaway here? Identifying red flags is required to protect against identity fraud, and having a good program in place will go a long way toward protecting both the customer and your business. You and your dealers need to take action to protect their reputations and preserve customer loyalty. You need to take action to keep the growing problem of identity theft out of your clients’ dealerships by verifying that the potential customer is exactly who he or she says they are.

As Pete Townshend says, you “really wanna know” who are you, Mr. Customer? Who? Who? Who? Who?

Can I Get Your Number?

Back in the old days, before the advent of modern communication such as FaceTime, WhatsApp, Skype and many other platforms, the only real social media platform was the telephone. Asking someone for their phone number was a rite of passage which either ended up in joy or disaster when you received (or did not receive) someone’s phone number.

Of course, sometimes you might end up with a phone number that does not belong to the person, if you were asking Elaine in a “Seinfeld” episode. (How quaint, I know.) You might be asking yourself exactly what this trip down memory lane has to do with selling cars. Well, in 2017, the issue of express consent when asking for someone’s cell phone number continues to be very important, and agents can play a key role in keeping their dealers in compliance.

Match the Consent to the Message

The Telephone Consumer Protection Act (TCPA) generally prohibits a dealership employee from making a call (or sending a text) to a consumer’s mobile phone without their prior express consent (while using an automatic telephone dialing system or artificial or prerecorded voice). For purposes of this article, I am going to stick to the consent issue and not address autodialer-related issues. So what type of consent is required before calling a consumer’s cell phone?

The type of consent depends on the type of message. If the telephone call is not a telemarketing call but is purely informational, then only prior express consent is required. Examples of purely informational calls would be a school closing call, a fraud alert call or airline notification calls. If the call is a telemarketing call, then prior express written consent is required.

Telemarketing calls typically offer and market goods or services to consumers or seek to induce consumers to make a purchase of goods or services in the future. If the call is a mix of non-telemarketing and telemarketing, then prior express written consent is required. Some calls fall outside these two categories (i.e. purely informational or telemarketing) such as political calls (no more, please!), surveys or debt collection calls.

Assuming written consent is required, what sort of information should be considered for inclusion? Consider including the following:

  • The specific company to which consent is given
  • The consumer’s phone number
  • Clear evidence of consent
  • Clear and conspicuous disclosure that consent permits the seller to send telemarketing messages
  • Disclosure that the calls will be made with automatic telephone technology
  • Disclosure that consent is not required to purchase products or services
  • The customer’s electronic or written signature

What’s the Damage?

The TCPA provides for uncapped statutory damages of $500 per violation, which is tripled to $1,500 per violation for willful violations. There has been a large increase in TCPA actions, from 14 in 2007 to 3,710 in 2015. The lawsuits span many different industries due to the possibility of high class-action statutory damages and have included such notable companies as Twitter, CVS and the Buffalo Bills, to name a few. In Illinois, final approval has been given to a $75.5 million TCPA class-action suit against Capital One and its affiliates.

So what is the takeaway here? Compliance with the TCPA is necessary, and noncompliance can be very costly. Your dealers must obtain prior written consent before communicating any telemarketing message or text. They should also require all their service providers to be TCPA-compliant. If one of your dealers’ service providers violates the TCPA, the dealer can be vicariously liable.

Finally, consider an opt-out mechanism to allow your dealer clients’ customers to revoke consent from future telemarketing. Retain consent records for four years; this is the statute of limitations for TCPA actions. And keep in mind that if someone tells you their phone number is 867-5903, you can safely assume they do not want you to call them — unless their name is Tommy Tutone!

Who Will Make Auto Retail Great Again?

There is an old adage (some say a curse) that says, “May you live in interesting times.” Surely we are doing so now. The $64,000 question is what does the Trump presidency mean for the automotive industry?

Some attention-grabbing headlines state that Trump will dismantle the Dodd-Frank Wall Street Reform and Consumer Protection Act. Digging deeper, however, does not provide any detail on how this will occur. Mr. Trump has repeatedly said he is against red tape and is for regulatory reform, but nothing is known besides the rhetoric.

Scant Evidence of Reform

There have been some interesting developments, which may hint of changes to come. One possible indication of the coming change has been the creation of the Financial CHOICE Act. The FCA seeks to change both the leadership and funding of the CFPB and even repeal indirect auto lending guidance! The FCA was just approved by the House Financial Services Committee in September, and some believe that Trump may pursue it or some version of it.

As many of you know, our favorite four-lettered friend, the CFPB, was “created” under the authority of Dodd-Frank. Can the CFPB, the “child” of Dodd-Frank, be dismantled under President-elect Trump? While there is no consensus, a common thread of opinion is that the CFPB may have its regulatory authority scaled back, but it will not be eliminated.

One theory is that Trump will seek to remove the CFPB’s zealous current single director, Richard Cordray, and replace him with a five-person bipartisan committee. Another proposal to control the CFPB would be to tie its funding to Congressional approval. (The CFPB is currently funded by the Federal Reserve System and is not subject to Congressional budgetary control.)

If either of these proposals comes to pass, the CFPB will be subject to oversight by Congress and its policies and actions will also be subject to committee leadership.

The Line in the Sand

You may be (rightfully) asking yourself what all this has to do with selling cars. Well, although Congress provided a “carve out” in the CFPB’s authority over automotive dealers who routinely assign retail installment sales contracts to third-party finance entities, the CFPB has direct authority over buy here, pay here dealerships. The CFPB has shown a willingness to attack lending sources for the automotive industry, including American Honda Finance Corporation, Fifth Third Bank and BB&T Bank, who in combination paid over $100 million in fines and settlements regarding claims of discriminatory lending (while denying any wrongdoing).

Ironically, the CFPB itself has been charged with racial discrimination against its own employees, the very actions over which it has enforcement authority.

Another area in which President-elect Trump has promised changes which impact the automotive industry is in the area of trade. Trump has proposed a tariff for trade between the United States and Mexico, which could affect automakers such as Fiat Chrysler, GM and Ford.

According to the Center for Automotive Research, the Big Three have invested over $25 billion in Mexican operations. Some industry groups have estimated that such a tariff will add $5,000 to the cost of a $15,000 car. What will be the impact, particularly on entry-level vehicles, of such a policy? How will this affect sales on the dealership floor and, in particular, those dealerships with offshore facilities?

Interesting times can include both bad and good times. With Republican control of the House, Senate and White House, the chances of change in regulatory policy and authority are high. What remains to be seen is how the political change will affect dealerships and growth in 2017 and beyond.

Keep in mind that other regulatory agencies that impact dealerships, such as the FTC, DOJ, and state attorneys general, remain firmly in place even if there are changes at the CFPB. In the meantime, compliance with the current law and treating customers fairly and honestly will continue to be a best practice, no matter which way the political winds blow.

The Shoulder Bone Is Connected to the Back Bone

Many of you may be familiar with the children’s sing-along song called “Dem Bones” or “Dry Bones.” Most verses recite the connection between the bones: “Shoulder bone connected to the back bone, back bone connected to the hip bone,” and so on.

You may be wondering what, exactly, this has to do with you. Well, any agent who has an interest in keeping their dealers off the federal regulatory radar needs to understand the security measures those agencies are demanding and how to meet them.

Assembling the Skeleton

Well, the “back bone” of every dealership is the dealer management system (DMS). Connected to that “back bone” are lots of other “bones” such as the business development system (BDS), a customer relationship manager (CRM), menu sales tools, iPads, smartphones, laptops and other devices.

Contained in the DMS are pieces of nonpublic personal information (NPI) pertaining to clients and potential clients which can be part of this digitally interconnected skeleton. One variety of this digital interconnectivity is referred to as peer-to-peer (P2P) file-sharing technology.

The federal Safeguards Rule requires, among other things, that dealers have a written security plan that contains administrative, technical and physical safeguards for customer information. Customer information includes NPI, which includes information a customer provides to the dealer to obtain a financial product or service.

Think about your typical dealer client. How many points of access to the customer NPI in the DMS back bone are there? If a salesperson pulls up their CRM to call Charlie Customer, does he have access to the DMS with Charlie’s credit score, credit application, date of birth, driver’s license number and other pieces of NPI? Can the salesperson access the DMS from his or her laptop while offsite?

Aside from the “front of the house” type of issue of controlling digital interconnectivity, have you reviewed your dealers’ agreements with their finance sources lately? As you may be aware, as far as the CFPB is concerned, the dealership is what is called a “service provider” for Mr. Big Bank. That means that the bank can be held liable for any improper act that is committed by one of its dealers.

As a consequence, almost all dealer/finance source contracts have some pretty scary indemnity/chargeback language incorporating compliance addendums or similar language. What this means, as a practical matter, is that failure to secure NPI in the DMS “back bone” could not only create liability for any injuries that the customer may suffer and reputational risk for the dealer, but could seriously jeopardize the dealer’s financing source.

Case Study

Franklin Budget Car Sales of Statesboro, Ga., used a computer network to conduct business and collect customer information and data, including such items as online credit applications, outside lead information, customer automobile and payment records, and finance and insurance records.

Franklin also, unfortunately, had P2P software installed on a computer connected to its network. As a result, the NPI of 95,000 customers was made available on the P2P network. Anyone operating a computer containing compatible P2P software would have access to view or download any files shared on the P2P network.

The FTC found this practice to be a violation of the Safeguards Rule. No financial penalty was assessed; however, Franklin was required to completely overhaul its information security program and report to the FTC for a period of 20 years. Keep in mind that there was no allegation that any of the 95,000 affected customers’ NPI was actually used to the detriment of the customers, just that it was available on the P2P network.

So what is the takeaway here? Well, while the back bone may be connected to the hip bone, you should take appropriate steps to make sure that the NPI on your dealers’ DMS is properly secured, that their computer network (and all devices with access to their computer network) contains no P2P software, and that they maintain adequate “administrative, technical and physical safeguards” to protect the security, confidentiality and integrity of personal information collected from or about customers.

Disparate Impact 2.0

There is a knock on your favorite dealer’s door. He opens it to find a representative from his primary indirect lender, who announces they are going to do an unannounced deal-jacket audit to check for ECOA compliance. This could turn out to be a very long day, depending on the compliance program the dealer has in place.

Are your dealers ready for the next knock on the door? They should be, because federal regulators are putting immense pressure on banks and finance companies, and dealers are feeling it. Let’s discuss what auditors are looking for and how a clear understanding of the theory of “disparate impact” can help you prepare your dealers for any inquest.

Just a Theory

By way of refresher, the Consumer Financial Protection Bureau (CFPB) and the U.S. Department of Justice (DOJ) use disparate impact to go after indirect automotive lenders under ECOA, which is shorthand for the Equal Credit Opportunity Act. The ECOA generally makes it illegal to discriminate based upon race, gender, age, national origin, religion and other factors. Many car buyers are considered members of one or more protected classes under the law.

Under the disparate impact theory, an analysis is needed to determine if members of protected classes are being treated fairly compared to similarly situated individuals who are not in a protected class. To determine whether protected class members were involved in automobile loan transactions, the CFPB uses something called the Bayesian Improved Surname Geocoding (BISG) methodology.

The BISG theory is based on census data, and census data, in turn, is based on citizens making their own (unverified) report of their own ethnic background and providing their last name. BISG takes a portion of a ZIP code and list of surnames and concludes (arbitrarily) that if 80% or more of the census group were in a protected class, then 100% of their neighbors are deemed to be in the protected class as well.

The assumption here is that 80% somehow equals 100%. The further assumption is, for instance, that if a certain percentage of members of a protected class have a certain surname, then that percentage is present in the ZIP code being analyzed.

This whole process is sometimes referred to as using a “proxy,” since indirect automobile lenders cannot directly collect this information. Quite understandably, this use of BISG/proxies has been referred to as “junk science” by no less than the House of Representatives’ Financial Services Committee. In fact, the chairman of that committee, Rep. Jeb Hensarling (R-Texas), has gone so far as to refer to the CFPB as a “dangerously out of control agency” and said the CFPB is essentially “inventing” discrimination by using these methods.

While the withering criticism of the CFPB’s use of shaky theories to establish a disparate impact case is encouraging, it does not eliminate this practice, and disparate impact claims continue to exist in 2016. … Or do they?

Reason for Hope

Last June, the U.S. Supreme Court issued a decision in the Texas Department of Housing and Community Affairs v. Inclusive Communities Project Inc. The issue at hand was whether disparate impact theories can be used in a case arising out of the Fair Housing Act (FHA). Proponents of disparate impact theories and detractors of disparate impact theories both thought that the case may finally lay to rest any doubts about the validity of this theory.

In a 5-4 decision, the Supreme Court found that Congress intended to include disparate impact in the FHA. The CFPB might have claimed a total victory if the justices hadn’t gone on to say that mere statistical evidence is not enough to sustain a disparate impact claim. On the contrary, the Supreme Court imposed what they called a “robust causality requirement,” demanding proof that a particular policy caused the statistical disparity regarding the protected class.

This causation requirement gave renewed optimism to those seeking to eliminate the disparate impact theory from the CFPB’s arsenal. The Supreme Court also described a “valid interests” defense: If the underlying policies or policy was necessary to achieve a “valid interest,” then the disparate impact claim could be defeated. Keep in mind that the Inclusive Communities case was decided under the auspices of the FHA and not the ECOA, as applied to indirect automotive lenders.

So what is the final takeaway? Disparate impact claims appear to have survived the FHA case, although defenders of these claims have gained some insight into valid defenses, too. Neither side can claim complete victory. That leaves you, the agent, with two key questions to ask of all your dealer clients:

  • Does your dealership have written policies and procedures regarding your credit policy?
  • Does your dealership maintain written documentation of valid business reasons for deviating from your written credit policy?

If your dealers consistently apply and document their credit policies as part of a comprehensive compliance management system, their next unannounced audit visit from an indirect lender will go much more smoothly.

Privacy: None of Your Business?

Are privacy concerns part of your business? If not, they should be. Ignoring them can unnecessarily expose your agency, your reputation and your dealer clients to great harm. To begin with, it is necessary to understand NPI.

NPI is a common abbreviation for nonpublic personally identifiable financial information. Personally identifiable financial information, in turn, means any information a consumer provides in order to obtain a financial product or service from you, typically a loan application. Car dealers who extend credit or arrange financing or leasing have certain responsibilities with regard to safeguarding NPI.

NPI is commonly found in dealerships in credit applications, driver’s licenses, credit card numbers and credit reports, to name a few, and can be on paper or in computer files. Let’s take a closer look at the process and benefits of securing this information.

Leave No Stone Unturned

Let’s start at the top. Does your dealership have policies and procedures in place to address safeguarding NPI? What happens to the customer’s driver’s license while they are taking a test drive? Do they sit on your salesman’s desk or in his or her drawer? What about credit card numbers? Do they sit in an unsecured area when a customer wants to get a rental car?

Do all employees have “all access” to the dealership computer network where customers’ NPI is stored? Are secure passwords and authentication required to access NPI, and is there a suspension protocol after a certain number of unsuccessful attempts? What are your policies regarding paper records? Where are they stored and who has access to the storage area? Where do you store “dead deal” files? How about “closed deal” files? These files are filled with NPI. Where are they stored, how are they secured and who has access to them? What happens when you need to move these files within the dealership or to a different building? What are your policies and procedures to keep them secure? How many sets of keys are there to the secure room and who has those keys? What happens when your salesmen or managers get up to leave their desks? What is displayed on their screen and is the network secured before they leave their desks? What are your remote access policies?

The policies and procedures should be overseen by a compliance coordinator with authority to carry out the duties of the position and who reports to the general manager or dealer. Can your dealer clients say, in good faith — as required by the Safeguards Rule — that they maintain “physical, electronic and procedural safeguards to protect the confidentiality and security of the information we collect”? Is there a training program in place so that existing employees and new hires are trained on the compliance issues, including the importance of securing NPI and protecting the business’ reputation?

When Disaster Strikes

One increasing risk of failing to secure NPI is a data breach or other security incident. In 2015 alone, there were almost 800 reported data breaches; many more go unreported. Each time a data breach happens, a business’ reputation suffers, money is lost and that business may come under strict regulatory scrutiny.

Have your dealers performed a risk assessment or security audit? Do you know if there are vulnerabilities in the process of taking, processing, storing and disposing of NPI? As previously mentioned, I would bet that your dealers’ sales desks and storage areas could be areas of concern as far as securing NPI goes. Is there a process for addressing any reports or discoveries of security vulnerabilities? Do you use industry standard methods to secure and monitor your network? Do you test your information security program regularly?

Does your business use outside service providers who have access to your customers’ NPI? For instance, do you use a contact management/business development system such as BDC or CRM which interfaces with your DMS? Can those other applications access NPI which you have stored in your DMS? Do you have a segmented network? Do you have contracts with written security expectations from the service provider? Do you oversee your service provider to verify they are compliant with your security expectations?

While it may be tempting to consider these ideas as something that will never happen to you or your clients, you should be aware of the consequences. Aside from the incalculable value of the loss of their customers’ goodwill, the FTC can seek civil penalties of $100,000 per violation against the business and $10,000 per violation against liable officers and directors. In addition to these civil sanctions, there can also be criminal penalties and claims of unfair trade practices. You may have heard of LifeLock, a company that specializes in identity theft prevention. LifeLock was recently penalized $100 million, in part because it failed to establish and maintain a comprehensive information security program. This is a company that is supposed to specialize in security! And that is a lot of zeros and a lot of reasons why compliance and privacy should have your undivided attention.

If you are reading this article, then you must know the importance of privacy rights and nonpublic personal information. Protecting privacy and customers’ NPI must be part of your business plan, now and for the future. As the old adage goes, no one plans to fail, but many fail to plan. While perhaps no system can be “bulletproof,” it makes good business sense to make reasonable efforts to protect yourself from the dangers of not securing customer privacy and NPI. Go out there and do all you can to protect yourself, your business and your dealer clients’ hard-earned goodwill and implement your security program!
