Author Archives | rwilson

The Equifax Data Breach: A Compliance Lesson in Disguise


By now, the immensity of the Equifax data breach has started to sink into our collective consciousness … 142 million consumers, half of all Americans, have been adversely affected by the complete failure of Equifax to safeguard their nonpublic personal information (NPI). Keep in mind that those 143 million consumers are going to be adversely affected by the Equifax data breach for the rest of their lives!

So what does this mean for automotive dealerships? This is a compliance lesson, writ large, for all of the world to see. More specifically, this is an example of a compliance failure, the size and scope of which we have never seen before. Whether or not Equifax will survive this catastrophic event remains to be seen. Multiple class actions have been filed alleging the failure of Equifax to comply with the Fair Credit Reporting Act (FCRA), the failure of Equifax to comply with state data breach laws and negligence by reason of its failure, after previous security incidents, to take reasonable action under the circumstances. The dollar exposure of Equifax in these class actions will certainly be in the millions of dollars.

Facts reported in the news indicate that it took Equifax 143 days to discover the data breach and 40 days after the discovery of the breach to notify the affected individuals. State laws vary, but data breach notification acts typically require notice “without unreasonable delay,” “whenever it becomes aware” of the data breach, or similar language. Undoubtedly, the length of the delay here was unreasonable, notice was not given as soon as Equifax was aware of the data breach, and Equifax will suffer the consequences.

In particular, the computer application that the hackers took advantage of was patched approximately two months before the Equifax attack occurred, and notice of this was available in the National Vulnerability Database. This episode points to the inescapable conclusion that Equifax did not have a robust data security program in place (e.g. no regular checking for software/application updates, no regular monitoring of published vulnerabilities) and, certainly, had no plan of action for the possibility that a security event could occur (e.g. a 40-day delay to figure out what to do).
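As an added example (not from the article, which contains no code), here is a minimal version of the “regular monitoring of published vulnerabilities” check the author says was missing: an inventory of installed component versions is compared against published advisories, and any component still below the advisory’s fixed version is flagged together with how many days the fix has been public and whether that exceeds the organization’s patch SLA. All advisory ids, component names, versions and dates below are constructed placeholders; a real deployment would load the National Vulnerability Database feeds instead of the inline list.

```python
"""Patch-currency check: flag installed components older than the fixed
version named in a published advisory, and how long the fix has been public.
Added example; every advisory id, component, version and date below is a
constructed placeholder, not data from the article or from NVD."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE number
    component: str
    fixed_in: str      # first version that contains the fix
    published: date    # date the advisory was published


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    component: str
    installed: str
    fixed_in: str
    days_unpatched: int   # days since the fix became public
    past_sla: bool        # True when days_unpatched exceeds the patch SLA


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_unpatched(inventory: dict[str, str], advisories: list[Advisory],
                   today: date, patch_sla_days: int = 30) -> list[Finding]:
    """Compare each advisory against the installed inventory."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is None:
            continue  # component not deployed here; advisory does not apply
        if parse_version(installed) >= parse_version(adv.fixed_in):
            continue  # already at or beyond the fixed version
        days = (today - adv.published).days
        findings.append(Finding(adv.advisory_id, adv.component, installed,
                                adv.fixed_in, days, days > patch_sla_days))
    return findings


# Constructed sample data: a small inventory and three advisories.
INVENTORY = {"app-framework": "2.3.31", "db-driver": "1.4.2"}
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-0001", "app-framework", "2.3.32", date(2017, 3, 1)),
    Advisory("ADV-PLACEHOLDER-0002", "db-driver", "1.4.0", date(2017, 2, 10)),
    Advisory("ADV-PLACEHOLDER-0003", "mail-relay", "5.0.1", date(2017, 4, 20)),
]


def report(today: date = date(2017, 5, 1)) -> list[Finding]:
    """Print and return the open findings as of `today` (constructed date)."""
    findings = find_unpatched(INVENTORY, ADVISORIES, today)
    for f in findings:
        status = "PAST SLA" if f.past_sla else "within SLA"
        print(f"{f.advisory_id}: {f.component} {f.installed} < {f.fixed_in}, "
              f"fix public for {f.days_unpatched} days ({status})")
    return findings


if __name__ == "__main__":
    report()
```

Run as written, the only finding is the application framework, whose fix has been public for 61 days (roughly the two months the article describes) and is therefore past the 30-day SLA; the database driver is already beyond its fixed version and the mail relay is not in the inventory, so neither is flagged.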

A complete compliance management system (CMS) would require policies and procedures, training, audit and complaint management and would bring, at a minimum, a double failsafe approach to compliance — first via policies, then via training and, if both of those failed, through audit.

On the dealership floor, the impact of one in two customers suffering the consequences of this monumental data breach will be significant. In response to the Equifax data breach, many consumers have implemented credit freezes and/or have placed a fraud alert on their file. (Does your CMS address credit freezes and fraud alerts?)

If the hackers have gained access to the consumer’s credit information, then there is the possibility of unauthorized charges on the consumers account which will need to be investigated and there will be an increased urgency to ensure that the consumer is actually the person they represent themselves to be. This means compliance with the Red Flags Rule will become even more critical.

What is the takeaway here? Implementation of a complete CMS will be even more critical to protect your customers and reputation. Going forward, fraud prevention and consumer protection will need even added attention from dealerships to avoid being dragged down with Equifax into the failed compliance whirlpool — or is it a cesspool?

DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without specific legal advice based upon your particular situation, jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material. © 2017 Robert J. Wilson


Customer Retention and What Not to Do


Ask yourself whether the following fact scenario is true or false: Mrs. G and her husband come to a dealer seeking to trade two vehicles for two new cars. The dealership signed a document agreeing to add leather seats to one of the new cars.

When Mr. G called to ask about the leather seats, he was told that the dealership would not be installing them because it did not get a good deal on one of the trade-in vehicles. Mrs. G posted a negative comment on social media about this experience at the dealer. A dealer employee called Mrs. G and said that (1) the leather seats would not be installed until she removed the negative social media post and (2) that the dealership has nude photos of her. This employee said he would share the nude photos of Mrs. G with her husband if she did not remove the negative comment and also that he knew she was a teacher.

Pretty crazy, right? This is what was alleged in a lawsuit in Georgia.

Here is the second scenario: Mr. and Mrs. G go to purchase a new car. Mr. G has a screenshot of a credit pre-approval on his phone, saved in his photos. The salesperson asks to borrow the phone to show his manager, so Mr. G gives his phone to the employee. Mr. G’s phone was given to the dealership’s sales director, who found nude photos of Mrs. G on the phone and sent the photo to an email address for a swingers’ website. The sales director had an active profile on the swingers’ site. When Mr. G got his phone back, he noticed that a photo of his wife had been accessed. He then accessed his sent emails and saw that the photo had been emailed to the swingers’ website.

Again, these facts are what was alleged in a lawsuit in Dallas.

The mantra of customer retention seems even more urgent when conventional wisdom tells us it is much more expensive to acquire a new customer than to retain an old customer. While there is, admittedly, pressure on the dealership floor to make sales, how do you balance meeting sales goals while retaining customers?

Beyond Breach of Contract

Certainly, in the first scenario, the dealership entered into a written contract with its customer which it unilaterally breached by refusing to perform the leather installation. If this is where the story stopped, the fallout could include a breach of contract claim, perhaps an unfair trade practices claim and maybe a complaint with the local attorney general’s office. Obviously, attempting to use nude photos of the customer to coerce her to do something escalated this fact pattern from a breach of contract to something altogether different.

In the second scenario, had the sales manager not gone “fishing” into the stored photos on the customer’s phone, then presumably the sales transaction could have been completed without further incident. This conduct is so outrageous that it almost defies belief.

Each dealership should, of course, as part of its written policies and procedures, specifically set forth expectations of behavior, even for situations which seem self-evident. Privacy and nonpublic personal information (NPI) must be safeguarded, and certainly all customers should be treated with respect — if customer retention is the priority it should be.

So what is the takeaway here? Obviously, if a contract is entered into, both sides should honor its terms and if there is a question, counsel should be retained for review and analysis before any action is taken. While the first scenario only resulted in a suit against the local Georgia dealer, the second scenario resulted in a suit against both the Dallas dealer and Toyota Motors North America. Both dealers have shattered their reputations, and the second dealer may have jeopardized its relationship with its distributor.

The story does not mention any pre-employment screening which may or may not have been performed in the second scenario, but obviously this manager-level employee had significant judgment and decision-making deficits, beyond the moral issues. While compliance issues gather their fair share of headlines, ordinary contract and privacy issues can be just as damaging to the dealer’s wallet and, more importantly, reputation.

Just protecting NPI is no longer a good benchmark for dealerships. Recent headlines regarding the hacking of Sony Entertainment and even the hacking of the Democratic National Committee established that protecting all customer information is the new standard, NPI included. While protecting NPI is the regulatory standard, to preserve your reputation with your customers, dealers must take affirmative action to safeguard and keep all customer information secure — photographs, email addresses, telephone numbers, everything that is unique to the customer.

“Keeping it secure” is the new norm to maintain customers for life. Hands-on management requires scrutiny in screening employees, notifying employees of written expectations of conduct and behavior as well as periodic review. Boundary setting is considered the hallmark of good management, and these two scenarios prove this true.

Content in this article is intended for informational purposes only and should not be construed as legal advice, and should not be relied upon or acted upon without specific legal advice based upon your unique jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material.


Compliance Management System or Compliance Training?


What is the important and significant difference between a compliance management system (CMS) and compliance training? Why is one preferable to the other in the compliance space for dealerships? A “system” has been defined as describing a set of connected parts forming a complex whole or an organized set of procedures by which something is done. The key concept centers on the “connectedness” of the components forming a larger set. “Training,” on the other hand, is defined as the action of teaching a particular skill or behavior.

The CFPB has said that they expect every large participant (including “nonbank,” i.e. auto finance companies) to have a CMS in place, not just training. Auto finance sources, in turn, require your dealers to implement a CMS in their stores. In the event a finance source discovers that a dealer has failed to implement a CMS, drastic measures are sure to follow. There is a popular misconception that “training = system,” rather than the more accurate description: “system > training.”

The Four Prongs

The CFPB has outlined at least four prongs, or interconnected parts, that form the larger whole of a CMS: policies and procedures, training, audit and complaint management. As you can see, training is just one component of a larger system of compliance, but it is not a “system” unto itself.

Many dealers are tempted to say they train their staff and consider themselves to be compliant. While there may be training, what happens if an issue arises in any of the other three prongs that the CFPB has identified as part of a CMS?

For instance, what if there is a question regarding written policies and procedures, or regarding a customer complaint or a question regarding an audit? What is the process to be followed? Who has supervisory responsibility? How can consistent, repeatable processes be followed?

The answer is that mere training is not enough. You need an interconnected system. Given the high turnover of employees and the lack of up-to-date information around the key areas of legal requirements that dealers face just to sell cars, a CMS is the only sure way to stay current and have consistent and repeatable compliance processes embedded in the dealer workflow.

One More System Won’t Hurt

Dealer workflow is no stranger to systems. The “S” in “DMS” stands for “system.” Sales of vehicles, ancillary products or parts and service are frequently tied into menu-selling systems. These systems integrate all the disparate items under one “roof” so all opportunities are fully and completely explored. Doesn’t it make sense to also use a system to integrate all compliance expectations and processes under one “roof”?

A CMS should serve to automate, making sure all employees receive lessons appropriate to their job duties. A CMS should generate reports regarding employees who have passed (or not passed) their training and the time required to do so. A CMS should establish consistent and repeatable processes to address problems and issues as they arise and can also serve to suggest revisiting procedures and training to lessen the likelihood of the same issue coming up repeatedly.

Why would a dealer consider implementing training rather than a complete CMS? The only answers that spring to mind are price or lack of knowledge. The old adage that if it is worth doing, it is worth doing well applies here. Training is a halfway (or perhaps even a 25%) solution to compliance. If you read any compliance headlines, you can easily see that the penalties are in the millions of dollars. Price should not realistically be a deciding factor.

After reading this article, you cannot claim a lack of knowledge of the difference between mere training and a complete compliance management system. Some of you may be familiar with the television and movie series “Star Trek.” If so, you are likely familiar with a villain named the Borg, which is a collection of human/cyborgs linked together in a hive called the Collective. The Borg are known for several quotes and I would like to paraphrase one here: “Resistance is futile. You will comply.”

While I am not necessarily equating the CFPB with the Borg, compliance in some format is here to stay and best practices mandate that a complete system is needed to address this requirement. In the case of system versus training, the undisputed evidence favors system over training; there is no valid excuse or justification for adopting an incomplete compliance solution so go out there and get a complete compliance management system today!


Who Are You? Who? Who? Who? Who?


If you are of a certain age, you will quickly recognize the refrain from the 1978 double platinum “Who Are You” album by rock legends The Who. While the song is about band member Pete Townshend getting questioned by the local men in blue after a bender, on the dealership floor the question is more focused on getting to know the prospective buyer.

More specifically, your dealers need to know the identity of each buyer, and they need to know that the buyer is not an identity thief.

What we are talking about is, of course, the Red Flags rule. The Red Flags rule is designed to identify “red flags” or reasonably foreseeable risks of identity theft. The goal of the rule is the protection of customers who may be victims of identity theft, but it protects your dealer clients as well.

Red Flags and the CMS

Generally speaking, each dealership should have an identity theft program in place as part of a larger compliance management system (CMS), which consists of policies and procedures, training, auditing and complaint management.

The Red Flags rule requires an evaluation of certain risk factors such as alerts from consumer reporting agencies, presentation of identification documents which appear altered or do not match the physical appearance of the customer, unusual activity in the customer account (e.g. material change in the use of credit), among others.

From a practical perspective, there are at least two additional considerations. First, many, if not most, dealers outsource Red Flags compliance and then stop thinking about it. Have your dealers updated their policies and procedures to reflect the outsourced Red Flags process? Does their sales force check the red flags identified by the FTC? What is the procedure if a red flag is discovered? Reliance on third-party software may not be sufficient to comply with the rule if a comprehensive compliance process is not implemented.

Full Indemnity

The second practical consideration concerns vehicle financing. Most, if not all, larger indirect financing sources will require full indemnity and repurchase of any purchases obtained through identity fraud.

There is no insurance policy which will cover a loss caused by violating the law so, as a practical matter, your dealer will suffer a double loss in that they will need to pay back the bank and they will not have the vehicle. In addition, the FTC can impose a fine of $3,500 per violation in addition to seeking per-day penalties and UDAAP damages. The total financial cost of identity theft to the dealership can be substantial.

Dealers are increasingly relying on the internet to drive sales. Completing sales remotely creates a large identity theft risk because the ability to verify the customer’s identity is more difficult. The buyer can send a “Photoshopped” driver’s license via email, for example, or provide a fraudulent credit card.

So what is the takeaway here? Identifying red flags is required to protect against identity fraud, and having a good program in place will go a long way toward protecting both the customer and your business. You and your dealers need to take action to protect their reputations and preserve customer loyalty. You need to take action to keep the growing problem of identity theft out of your clients’ dealerships by verifying that the potential customer is exactly who he or she says they are.

As Pete Townshend says, you “really wanna know” who are you, Mr. Customer? Who? Who? Who? Who?


Can I Get Your Number?


Back in the old days, before the advent of modern communication such as FaceTime, WhatsApp, Skype and many other platforms, the only real social media platform was the telephone. Asking someone for their phone number was a rite of passage which ended in joy or disaster depending on whether you received (or did not receive) someone’s phone number.

Of course, sometimes you might end up with a phone number that does not belong to the person, if you were asking Elaine in a “Seinfeld” episode. (How quaint, I know.) You might be asking yourself exactly what this trip down memory lane has to do with selling cars. Well, in 2017, the issue of express consent when asking for someone’s cell phone number continues to be very important, and agents can play a key role in keeping their dealers in compliance.

Match the Consent to the Message

The Telephone Consumer Protection Act (TCPA) generally prohibits a dealership employee from making a call (or sending a text) to a consumer’s mobile phone without their prior express consent (while using an automatic telephone dialing system or artificial or prerecorded voice). For purposes of this article, I am going to stick to the consent issue and not address autodialer-related issues. So what type of consent is required before calling a consumer’s cell phone?

The type of consent depends on the type of message. If the telephone call is not a telemarketing call but is purely informational, then only prior express consent is required. Examples of purely informational calls would be a school closing call, a fraud alert call or airline notification calls. If the call is a telemarketing call, then prior express written consent is required.

Telemarketing calls typically offer and market goods or services to consumers or seek to induce consumers to make a purchase of goods or services in the future. If the call is a mix of non-telemarketing and telemarketing, then prior express written consent is required. Some calls fall outside these two categories (i.e. purely informational or telemarketing) such as political calls (no more, please!), surveys or debt collection calls.

Assuming written consent is required, what sort of information should be considered for inclusion? Consider including the following:

  • The specific company to which consent is given
  • The consumer’s phone number
  • Clear evidence of consent
  • Clear and conspicuous disclosure that consent permits the seller to send telemarketing messages
  • Disclosure that the calls will be made with automatic telephone technology
  • Disclosure that consent is not required to purchase products or services
  • The customer’s electronic or written signature

What’s the Damage?

The TCPA provides for uncapped statutory damages of $500 per violation, which is tripled to $1,500 per violation for willful violations. There has been a large increase in TCPA actions, from 14 in 2007 to 3,710 in 2015. The lawsuits span many different industries due to the possibility of high class-action statutory damages and have included such notable companies as Twitter, CVS and the Buffalo Bills, to name a few. In Illinois, final approval has been given to a $75.5 million TCPA class-action suit against Capital One and its affiliates.

So what is the takeaway here? Compliance with the TCPA is necessary, and noncompliance can be very costly. Your dealers must obtain prior written consent before communicating any telemarketing message or text. They should also require all their service providers to be TCPA-compliant. If one of your dealers’ service providers violates the TCPA, the dealer can be vicariously liable.

Finally, consider an opt-out mechanism to allow your dealer clients’ customers to revoke consent from future telemarketing. Retain consent records for four years; this is the statute of limitations for TCPA actions. And keep in mind that if someone tells you their phone number is 867-5903, you can safely assume they do not want you to call them — unless their name is Tommy Tutone!


Who Will Make Auto Retail Great Again?


There is an old adage (some say a curse) that says, “May you live in interesting times.” Surely we are doing so now. The $64,000 question is what does the Trump presidency mean for the automotive industry?

Some attention-grabbing headlines state that Trump will dismantle the Dodd-Frank Wall Street Reform and Consumer Protection Act. Digging deeper, however, does not provide any detail on how this will occur. Mr. Trump has repeatedly said he is against red tape and is for regulatory reform, but nothing is known besides the rhetoric.

Scant Evidence of Reform

There have been some interesting developments, which may hint of changes to come. One possible indication of the coming change has been the creation of the Financial CHOICE Act. The FCA seeks to change both the leadership and funding of the CFPB and even repeal indirect auto lending guidance! The FCA was just approved by the House Financial Services Committee in September, and some believe that Trump may pursue it or some version of it.

As many of you know, our favorite four-lettered friend, the CFPB, was “created” under the authority of Dodd-Frank. Can the CFPB, the “child” of Dodd-Frank, be dismantled under President-elect Trump? While there is no consensus, a common thread of opinion is that the CFPB may have its regulatory authority scaled back, but it will not be eliminated.

One theory is that Trump will seek to remove the CFPB’s zealous current single director, Richard Cordray, and replace him with a five-person bipartisan committee. Another proposal to control the CFPB would be to tie its funding to Congressional approval. (The CFPB is currently funded by the Federal Reserve System and is not subject to Congressional budgetary control.)

If either of these proposals comes to pass, the CFPB will be subject to oversight by Congress and its policies and actions will also be subject to committee leadership.

The Line in the Sand

You may be (rightfully) asking yourself what all this has to do with selling cars. Well, although Congress provided a “carve out” in the CFPB’s authority over automotive dealers who routinely assign retail installment sales contracts to third-party finance entities, the CFPB has direct authority over buy here, pay here dealerships. The CFPB has shown a willingness to attack lending sources for the automotive industry, including American Honda Finance Corporation, Fifth Third Bank and BB&T Bank, who in combination paid over $100 million in fines and settlements regarding claims of discriminatory lending (while denying any wrongdoing).

Ironically, the CFPB itself has been charged with racial discrimination against its own employees, the very actions over which it has enforcement authority.

Another area in which President-elect Trump has promised changes which impact the automotive industry is in the area of trade. Trump has proposed a tariff for trade between the United States and Mexico, which could affect automakers such as Fiat Chrysler, GM and Ford.

According to the Center for Automotive Research, the Big Three have invested over $25 billion in Mexican operations. Some industry groups have estimated that such a tariff will add $5,000 to the cost of a $15,000 car. What will be the impact, particularly on entry-level vehicles, of such a policy? How will this affect sales on the dealership floor and, in particular, those dealerships with offshore facilities?

Interesting times can include both bad and good times. With Republican control of the House, Senate and White House, the chances of change in regulatory policy and authority are high. What remains to be seen is how the political change will affect dealerships and growth in 2017 and beyond.

Keep in mind that other regulatory agencies that impact dealerships, such as the FTC, DOJ, and state attorneys general, remain firmly in place even if there are changes at the CFPB. In the meantime, compliance with the current law and treating customers fairly and honestly will continue to be a best practice, no matter which way the political winds blow.
