Author Archives | rwilson

The Shoulder Bone Is Connected to the Back Bone

Many of you may be familiar with the children’s sing-along song called “Dem Bones” or “Dry Bones.” Most verses recite the connection between the bones: “Shoulder bone connected to the back bone, back bone connected to the hip bone,” and so on.

You may be wondering what, exactly, this has to do with you. Well, any agent who has an interest in keeping their dealers off the federal regulatory radar needs to understand the security measures those agencies are demanding and how to meet them.

Assembling the Skeleton

Well, the “back bone” of every dealership is the dealer management system (DMS). Connected to that “back bone” are lots of other “bones” such as the business development system (BDS), a customer relationship manager (CRM), menu sales tools, iPads, smartphones, laptops and other devices.

The DMS holds nonpublic personal information (NPI) about clients and prospects, and every other “bone” wired into it is a potential path to that data. One form of digital interconnectivity that deserves special attention is peer-to-peer (P2P) file-sharing software, because whatever it shares is visible to every other node on the P2P network.

The federal Safeguards Rule requires, among other things, that dealers have a written security plan containing administrative, technical and physical safeguards for customer information. Customer information includes NPI, which in turn includes any information a customer provides to the dealer to obtain a financial product or service.

Think about your typical dealer client. How many points of access to the customer NPI in the DMS back bone are there? If a salesperson pulls up their CRM to call Charlie Customer, does he have access to the DMS with Charlie’s credit score, credit application, date of birth, driver’s license number and other pieces of NPI? Can the salesperson access the DMS from his or her laptop while offsite?

Aside from the “front of the house” type of issue of controlling digital interconnectivity, have you reviewed your dealers’ agreements with their finance sources lately? As you may be aware, as far as the CFPB is concerned, the dealership is what is called a “service provider” for Mr. Big Bank. That means that the bank can be held liable for any improper act that is committed by one of its dealers.

As a consequence, almost all dealer/finance source contracts have some pretty scary indemnity/chargeback language incorporating compliance addendums or similar language. What this means, as a practical matter, is that failure to secure NPI in the DMS “back bone” could not only create liability for any injuries that the customer may suffer and reputational risk for the dealer, but could seriously jeopardize the dealer’s financing source.

Case Study

Franklin Budget Car Sales of Statesboro, Ga., used a computer network to conduct business and collect customer information and data, including such items as online credit applications, outside lead information, customer automobile and payment records, and finance and insurance records.

Franklin also, unfortunately, had P2P software installed on a computer connected to its network. As a result, the NPI of 95,000 customers was made available on the P2P network. Anyone operating a computer containing compatible P2P software would have access to view or download any files shared on the P2P network.

The FTC found this practice to be a violation of the Safeguards Rule. No financial penalty was assessed; however, Franklin was required to completely overhaul its information security program and report to the FTC for a period of 20 years. Keep in mind that there was no allegation that any of the 95,000 affected customers’ NPI was actually used to the detriment of the customers, just that it was available on the P2P network.

So what is the takeaway here? While the back bone may be connected to the hip bone, you should take appropriate steps to make sure that the NPI on your dealers’ DMS is properly secured, that their computer network (and every device with access to it) contains no P2P software, and that they maintain adequate “administrative, technical and physical safeguards” to protect the security, confidentiality and integrity of personal information collected from or about customers.

Disparate Impact 2.0

There is a knock on your favorite dealer’s door. He opens it to find a representative from his primary indirect lender, who announces they are going to do an unannounced deal-jacket audit to check for ECOA compliance. This could turn out to be a very long day, depending on the compliance program the dealer has in place.

Are your dealers ready for the next knock on the door? They should be, because federal regulators are putting immense pressure on banks and finance companies, and dealers are feeling it. Let’s discuss what auditors are looking for and how a clear understanding of the theory of “disparate impact” can help you prepare your dealers for any inquest.

Just a Theory

By way of refresher, the Consumer Financial Protection Bureau (CFPB) and the U.S. Department of Justice (DOJ) use disparate impact to go after indirect automotive lenders under ECOA, which is shorthand for the Equal Credit Opportunity Act. The ECOA generally makes it illegal to discriminate based upon race, gender, age, national origin, religion and other factors. Many car buyers are considered members of one or more protected classes under the law.

Under the disparate impact theory, an analysis is needed to determine whether members of protected classes are treated the same as similarly situated individuals who are not in a protected class. Because indirect lenders do not collect race or ethnicity on auto credit applications, the CFPB estimates which borrowers belong to protected classes using something called the Bayesian Improved Surname Geocoding (BISG) methodology.

BISG is built on census data, and census data, in turn, is based on residents’ own (unverified) reports of their ethnic background together with their surnames. BISG combines the racial breakdown of a surname with the racial makeup of the census geography around the applicant’s address and produces a probability that the applicant belongs to each group; the CFPB then concludes (arbitrarily) that if that probability reaches 80% for a protected class, the applicant is counted as a member of that class, full stop.

The assumption here is that 80% somehow equals 100%. The further assumption is that a surname’s nationwide racial distribution, and the racial makeup of a neighborhood, tell you something reliable about the individual applicant who happens to carry that surname and live at that address.
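To make the method concrete, here is the BISG calculation carried through on constructed data. This is an added example, not the CFPB’s code or the Census tables: the surname probabilities, block-group counts and national totals are made up, and the combination rule used is the published BISG form, P(group | surname, geography) proportional to P(group | surname) × P(geography | group). The 80% threshold is applied exactly as described above.

```python
"""Bayesian Improved Surname Geocoding (BISG) worked through on constructed data.

Added example, not the CFPB's code or its data. It implements the published
BISG combination rule, P(group | surname, geography) proportional to
P(group | surname) * P(geography | group), on made-up surname and neighborhood
tables, then applies an 80% classification threshold to show what the
hard assignment does to the underlying probabilities.
"""
from typing import Dict, List, Optional, Tuple

GROUPS = ("white", "black", "hispanic", "asian", "other")

# Constructed stand-in for the Census surname list: P(group | surname).
SURNAME_TABLE: Dict[str, Dict[str, float]] = {
    "GARCIA":  {"white": 0.05, "black": 0.01, "hispanic": 0.92, "asian": 0.01, "other": 0.01},
    "SMITH":   {"white": 0.70, "black": 0.23, "hispanic": 0.03, "asian": 0.01, "other": 0.03},
    "DELGADO": {"white": 0.20, "black": 0.02, "hispanic": 0.75, "asian": 0.01, "other": 0.02},
}

# Constructed population counts by group: three census block groups and the
# national totals they are drawn from.
GEO_COUNTS: Dict[str, Dict[str, int]] = {
    "BG-1": {"white": 900, "black": 50, "hispanic": 30,  "asian": 10, "other": 10},   # mostly white
    "BG-2": {"white": 100, "black": 50, "hispanic": 800, "asian": 30, "other": 20},   # mostly Hispanic
    "BG-3": {"white": 400, "black": 50, "hispanic": 200, "asian": 30, "other": 20},   # mixed
}
NATIONAL_COUNTS = {"white": 200_000, "black": 40_000, "hispanic": 50_000, "asian": 15_000, "other": 10_000}


def bisg_posterior(surname: str, geo: str) -> Dict[str, float]:
    """P(group | surname, geo) via Bayes' rule, with the surname table as the prior."""
    prior = SURNAME_TABLE[surname]
    counts = GEO_COUNTS[geo]
    # P(geo | group): the share of that group's national population living in geo.
    likelihood = {g: counts[g] / NATIONAL_COUNTS[g] for g in GROUPS}
    unnormalised = {g: prior[g] * likelihood[g] for g in GROUPS}
    total = sum(unnormalised.values())
    return {g: v / total for g, v in unnormalised.items()}


def classify(posterior: Dict[str, float], threshold: float = 0.80) -> Optional[str]:
    """Hard assignment: the group whose probability reaches the threshold, else None."""
    best = max(posterior, key=posterior.get)
    return best if posterior[best] >= threshold else None


def count_group(applicants: List[Tuple[str, str]], group: str = "hispanic",
                threshold: float = 0.80) -> Tuple[float, int]:
    """Probability-weighted count of `group` versus the threshold count over a portfolio."""
    weighted = 0.0
    hard = 0
    for surname, geo in applicants:
        post = bisg_posterior(surname, geo)
        weighted += post[group]
        if classify(post, threshold) == group:
            hard += 1
    return weighted, hard


# Constructed three-applicant portfolio for the comparison.
PORTFOLIO = [("DELGADO", "BG-3"), ("GARCIA", "BG-1"), ("SMITH", "BG-2")]

if __name__ == "__main__":
    for surname, geo in PORTFOLIO:
        post = bisg_posterior(surname, geo)
        print(surname, geo, {g: round(p, 3) for g, p in post.items()}, "->", classify(post))
    print("weighted vs threshold count:", count_group(PORTFOLIO))
```

Two things are worth running for yourself. First, the same surname changes class purely by address: GARCIA in BG-2 comes out at roughly 0.99 Hispanic, while GARCIA in BG-1 comes out at about 0.68 and is left unclassified. Second, `count_group` shows the step the article objects to: the threshold replaces each applicant’s probability with a 0 or a 1, so DELGADO at about 0.86 is counted as a whole Hispanic borrower while the other two, at about 0.68 and 0.40, contribute nothing.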

This whole process is sometimes referred to as using a “proxy,” since indirect automobile lenders cannot directly collect this information. Quite understandably, this use of BISG/proxies has been referred to as “junk science” by no less than the House of Representatives’ Financial Services Committee. In fact, the chairman of that committee, Rep. Jeb Hensarling (R-Texas), has gone so far as to refer to the CFPB as a “dangerously out of control agency” and said the CFPB is essentially “inventing” discrimination by using these methods.

While the withering criticism of the CFPB’s use of shaky theories to establish a disparate impact case is encouraging, it does not eliminate this practice, and disparate impact claims continue to exist in 2016. … Or do they?

Reason for Hope

Last June, the U.S. Supreme Court issued its decision in Texas Department of Housing and Community Affairs v. Inclusive Communities Project Inc. The issue at hand was whether disparate impact theories can be used in a case arising under the Fair Housing Act (FHA). Proponents and detractors of disparate impact theory both thought the case might finally lay to rest any doubts about the validity of the theory.

In a 5-4 decision, the Supreme Court found that Congress intended to include disparate impact in the FHA. The CFPB might have claimed a total victory if the justices hadn’t gone on to say that mere statistical evidence is not enough to sustain a disparate impact claim. On the contrary, the Supreme Court imposed what they called a “robust causality requirement,” demanding proof that a particular policy caused the statistical disparity regarding the protected class.

This causation requirement gave renewed optimism to those seeking to eliminate the disparate impact theory from the CFPB’s arsenal. The Supreme Court also described a “valid interests” defense: If the underlying policies or policy was necessary to achieve a “valid interest,” then the disparate impact claim could be defeated. Keep in mind that the Inclusive Communities case was decided under the auspices of the FHA and not the ECOA, as applied to indirect automotive lenders.

So what is the final takeaway? Disparate impact claims appear to have survived the FHA case, although those defending against such claims have gained some insight into valid defenses, too. Neither side can claim complete victory. That leaves you, the agent, with two key questions to ask of all your dealer clients:

  • Does your dealership have written policies and procedures regarding your credit policy?
  • Does your dealership maintain written documentation of valid business reasons for deviating from your written credit policy?

If your dealers consistently apply and document their credit policies as part of a comprehensive compliance management system, their next unannounced audit visit from an indirect lender will go much more smoothly.

Privacy: None of Your Business?

Are privacy concerns part of your business? If not, they should be. Ignoring them can unnecessarily expose your agency, your reputation and your dealer clients to great harm. To begin with, it is necessary to understand NPI.

NPI is the common abbreviation for nonpublic personal information: personally identifiable financial information that is not publicly available. Personally identifiable financial information, in turn, means any information a consumer provides in order to obtain a financial product or service from you, typically on a loan application. Car dealers who extend credit or arrange financing or leasing have certain responsibilities with regard to safeguarding NPI.

NPI is commonly found in dealerships in credit applications, driver’s licenses, credit card numbers and credit reports, to name a few, and can be on paper or in computer files. Let’s take a closer look at the process and benefits of securing this information.

Leave No Stone Unturned

Let’s start at the top. Does your dealership have policies and procedures in place to address safeguarding NPI? What happens to the customer’s driver’s license while they are taking a test drive? Do they sit on your salesman’s desk or in his or her drawer? What about credit card numbers? Do they sit in an unsecured area when a customer wants to get a rental car?

Do all employees have “all access” to the dealership computer network where customers’ NPI is stored? Work through the following:

  • Are secure passwords and authentication required to access NPI, and is there a suspension protocol after a certain number of unsuccessful attempts?
  • What are your policies regarding paper records? Where are they stored and who has access to the storage area?
  • Where do you store “dead deal” files? How about “closed deal” files? These files are filled with NPI. Where are they stored, how are they secured and who has access to them?
  • What happens when you need to move these files within the dealership or to a different building? What are your policies and procedures to keep them secure?
  • How many sets of keys are there to the secure room and who has those keys?
  • What happens when your salesmen or managers get up to leave their desks? What is displayed on their screen, and is the workstation locked before they walk away?
  • What are your remote access policies?
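The two questions about authentication above, lockout after repeated failures and what happens when someone walks away from a logged-in screen, come down to a small amount of policy code. The following is an added example, not code from the article or from any DMS or CRM product: the thresholds are assumed policy values, the account store is in memory, and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Failed-login lockout and idle-session expiry in front of a system that holds NPI.

Added example, not code from the article or from any DMS or CRM vendor. The
thresholds are assumed policy values, the account store is in memory, and
the clock is injectable so the behaviour can be exercised without waiting.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5          # assumed policy: lock after five bad passwords
LOCKOUT_SECONDS = 15 * 60        # assumed policy: 15-minute lockout
IDLE_TIMEOUT_SECONDS = 10 * 60   # assumed policy: unattended sessions die after 10 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; argon2 or bcrypt is the better production choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_activity: float


class AuthPolicy:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[str] = []   # in practice these lines go to the SIEM

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token, or None for a bad password, an unknown user or a locked account."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            self.audit.append(f"{now:.0f} login user={user} result=unknown_user")
            return None
        if now < acct.locked_until:
            # Do not evaluate the password at all while locked: even the right one is refused.
            self.audit.append(f"{now:.0f} login user={user} result=locked")
            return None
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            token = secrets.token_hex(16)
            self.sessions[token] = Session(user, now)
            self.audit.append(f"{now:.0f} login user={user} result=ok")
            return token
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.audit.append(f"{now:.0f} login user={user} result=LOCKED_OUT")
        else:
            self.audit.append(f"{now:.0f} login user={user} result=bad_password n={acct.failed_attempts}")
        return None

    def touch(self, token: str) -> bool:
        """Call on every NPI read: validates the session and expires it if it sat idle too long."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self.audit.append(f"{now:.0f} session user={sess.user} result=idle_expired")
            return False
        sess.last_activity = now
        return True

    def is_locked(self, user: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and self.clock() < acct.locked_until
```

The design points a practitioner would look for: the lockout refuses the correct password too (otherwise an attacker keeps guessing during the lockout window), the session is re-validated on every NPI read rather than only at login, and every outcome is written to an audit trail so a burst of `LOCKED_OUT` lines is something the dealer can actually see.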

The policies and procedures should be overseen by a compliance coordinator with authority to carry out the duties of the position and who reports to the general manager or dealer. Can your dealer clients say, in good faith — as required by the Safeguards Rule — that they maintain “physical, electronic and procedural safeguards to protect the confidentiality and security of the information we collect”? Is there a training program in place so that existing employees and new hires are trained on the compliance issues, including the importance of securing NPI and protecting the business’ reputation?

When Disaster Strikes

One increasing risk of failing to secure NPI is a data breach or other security incident. In 2015 alone, there were almost 800 reported data breaches; many more go unreported. Each time a data breach happens, a business’ reputation suffers, money is lost and that business may come under strict regulatory scrutiny.

Have your dealers performed a risk assessment or security audit? Do you know whether there are vulnerabilities in the processes for taking, processing, storing and disposing of NPI? As previously mentioned, I would bet that your dealers’ sales desks and storage areas are areas of concern as far as securing NPI goes. Is there a process for addressing reports or discoveries of security vulnerabilities? Do you use industry-standard methods to secure and monitor your network? Do you test your information security program regularly?

Does your business use outside service providers who have access to your customers’ NPI? For instance, do you use a contact management or business development system (BDC or CRM) that interfaces with your DMS? Can those applications access NPI stored in your DMS, or only the fields they need? Is your network segmented so that a compromise of one of those systems does not reach the DMS? Do you have contracts with written security expectations for the service provider? Do you oversee your service providers to verify they meet those expectations?
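As an added example (not code from the article or from any DMS, CRM or BDC vendor) of what “can those applications access NPI stored in your DMS?” looks like when it is enforced rather than asked, here is a deny-by-default field allowlist sitting between the DMS and each system or role that requests customer data. It also covers the earlier scenario of a salesperson pulling up Charlie Customer in the CRM. The principal names, the field allowlists and the sample record are assumptions.

```python
"""Field-level access control between a DMS and the systems connected to it.

Added example, not code from the article or from any DMS vendor. The customer
record, the principals (a salesperson in the CRM, a BDC appointment tool, a
menu-selling tool, the F&I manager, a finance source) and their allowlists are
assumptions chosen to match the scenario in the article.
"""
from typing import Dict, Iterable, List, Set

# Constructed DMS customer record. The NPI fields are the ones the Safeguards
# Rule program has to protect: credit application data, DOB, license, SSN, score.
CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Charlie Customer",
    "phone": "555-0100",
    "email": "charlie@example.com",
    "vehicle_of_interest": "2016 sedan",
    "date_of_birth": "1980-05-04",
    "drivers_license": "D1234567",
    "ssn": "123-45-6789",
    "credit_score": 702,
    "credit_application": {"income": 64000, "employer": "Acme Widgets"},
}

PUBLIC_FIELDS: Set[str] = {"customer_id", "name", "phone", "email", "vehicle_of_interest"}
NPI_FIELDS: Set[str] = set(CUSTOMER) - PUBLIC_FIELDS

# Deny by default: a principal sees only the fields its job needs.
ALLOWLIST: Dict[str, Set[str]] = {
    "crm:salesperson": PUBLIC_FIELDS,
    "bdc:appointment_tool": {"customer_id", "name", "phone", "vehicle_of_interest"},
    "menu:fi_tool": PUBLIC_FIELDS | {"credit_score"},
    "dms:fi_manager": set(CUSTOMER),
    "lender:finance_source": PUBLIC_FIELDS | {"date_of_birth", "ssn", "credit_application"},
}


class AccessDenied(Exception):
    pass


def fetch(record: dict, principal: str, requested: Iterable[str], audit: List[str]) -> dict:
    """Return the requested fields the principal may see; log denied and NPI fields."""
    allowed = ALLOWLIST.get(principal)
    if allowed is None:
        audit.append(f"DENY principal={principal} reason=unknown_principal")
        raise AccessDenied(principal)
    wanted = list(requested)
    denied = sorted(f for f in wanted if f not in allowed)
    granted = {f: record[f] for f in wanted if f in allowed and f in record}
    cid = record["customer_id"]
    if denied:
        # A CRM asking for SSN or credit score is exactly the event worth alerting on.
        audit.append(f"DENY principal={principal} customer={cid} fields={','.join(denied)}")
    npi = sorted(set(granted) & NPI_FIELDS)
    if npi:
        audit.append(f"NPI principal={principal} customer={cid} fields={','.join(npi)}")
    return granted


def sync_view(record: dict, principal: str, audit: List[str]) -> dict:
    """Projection for bulk integrations, such as a nightly DMS-to-CRM sync."""
    return fetch(record, principal, ALLOWLIST.get(principal, set()), audit)


if __name__ == "__main__":
    log: List[str] = []
    print(fetch(CUSTOMER, "crm:salesperson", ["name", "phone", "credit_score", "ssn"], log))
    print(sync_view(CUSTOMER, "bdc:appointment_tool", log))
    print("\n".join(log))
```

The gateway answers the article’s questions in code: the salesperson in the CRM gets Charlie’s name and phone but not his credit score or SSN, the BDC tool never receives NPI at all, and the finance source gets the application data it is contractually entitled to, with every NPI read and every over-reaching request logged. Putting this in front of the DMS is also what makes a segmented network useful, since the integrations then only ever talk to the gateway.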

While it may be tempting to consider these ideas as something that will never happen to you or your clients, you should be aware of the consequences. Aside from the incalculable value of the loss of their customer’s goodwill, the FTC can seek civil penalties of $100,000 per violation against the business and $10,000 per violation against liable officers and directors. In addition to these civil sanctions, there can also be criminal penalties and claims of unfair trade practices. You may have heard of LifeLock, a company that specializes in identity theft prevention. LifeLock was recently penalized $100 million, in part because it failed to establish and maintain a comprehensive information security program. This is a company that is supposed to specialize in security! And that is a lot of zeros and a lot of reasons why compliance and privacy should have your undivided attention.

If you are reading this article, then you must know the importance of privacy rights and nonpublic personal information. Protecting privacy and customers’ NPI must be part of your business plan, now and for the future. As the old adage goes, no one plans to fail, but many fail to plan. While perhaps no system can be “bulletproof,” it makes good business sense to make reasonable efforts to protect yourself from the dangers of not securing customer privacy and NPI. Go out there and do all you can to protect yourself, your business and your dealer clients’ hard-earned goodwill and implement your security program!

What Is a CMS and Why Do I Need One?

You may have heard of the term “CMS” and wondered what it meant. In the context of regulatory compliance, it stands for “compliance management system.”

A CMS provides dealership management with a systematic framework for compliance, from cradle to grave, in the lifecycle of products and services subject to supervision by the Consumer Financial Protection Bureau (CFPB).

A properly designed CMS will establish responsibilities and lines of communication and ensure compliance is “baked into” business processes. It will also provide a mechanism to review proper execution and to correct problems. A CMS represents “best practices” for dealers, and should help lower the risk of violating the law and harming consumers.

Agents can do their clients a great service by introducing this concept and taking an active role in building each dealer’s CMS. Let’s take a closer look at why these systems are so important and how they are designed.

F&I Under Fire

The CFPB does not have direct oversight over new- and used-vehicle dealers under certain circumstances. More particularly, dealers are exempted if they meet two requirements: first, they are predominantly engaged in the sale, lease and servicing of motor vehicles; and second, they routinely assign retail installment sales contracts to third-party finance entities.

On the other hand, “buy here, pay here” (BHPH) dealers, who own their own finance companies and do not routinely assign retail installment sales contracts (or retail leases) to unrelated finance entities may be subject to CFPB authority. The same is true for dealerships that do not have a service department.

Keep in mind that the CFPB has jurisdiction over auto financing at large banks, credit unions and affiliates with assets of more than $10 billion. The CFPB has also revised the definition of “larger participants” to include any nonbank auto finance companies (e.g. captive finance companies) that make, acquire or finance 10,000 loans or leases in a year. The CFPB estimates that these nonbank auto finance companies originate 90% of all nonbank auto loans and leases.

The CFPB also has jurisdiction over indirect lenders under many laws, such as the Equal Credit Opportunity Act (ECOA), the unfair or deceptive acts or practices provisions of Dodd-Frank, the Truth in Lending Act (TILA), the Consumer Leasing Act (CLA), the Fair Credit Reporting Act (FCRA) and the privacy of consumer financial information standards set by the Gramm-Leach-Bliley (GLB) Act, among others.

The ECOA generally makes it illegal for a lender to discriminate on any prohibited basis, including race, color, religion, national origin, sex, marital status and age. ECOA issues can arise in dealer-arranged financing when the dealer has the opportunity to increase the auto loan interest rate above the rate quoted by the indirect lender, typically referred to as “markup” or “dealer reserve.” The ECOA risk is that the markup is illegally based upon prohibited factors. So while there is a carveout for dealers as described above, the CFPB can and does still have the very real ability to supervise and affect dealers and their businesses.

CMS Essentials

Now that you have some idea about the extent to which the CFPB can affect business on the dealership floor, your dealers still may ask why they need a CMS. The short answer is that the CFPB says so and it makes good business sense. A CMS demonstrates a commitment to compliance with applicable consumer protection laws. If that doesn’t convince your dealers, remind them that a customer who feels they have been treated fairly makes for repeat business and referrals.

The CFPB Supervision and Examination Manual (Ver. 2, October 2012) states, in part, “The CFPB expects every regulated entity under its regulation and supervision authority to have an effective compliance management system (CMS).” When the CFPB starts an investigation, it typically begins by asking for a copy of the written CMS. How would your dealers respond to that request?

A CMS is expected to show policies and procedures showing how the business complies with federal consumer protection laws. Do you have this? A CMS should demonstrate operational and training procedures. Have you implemented such a program? A CMS should show auditing, testing and complaint management. What is your process for these functions?

Ultimately, a CMS improves customer satisfaction and customer retention which, in turn, increases profitability. A CMS just makes good business sense and helps to reinforce the good name and reputation of the dealership. The old saying that an ounce of prevention is worth a pound of cure applies doubly in the compliance space. So don’t delay. Go out there and help your dealers by implementing a CMS today!