Tag Archive | "compliance"

Obama Nominates Former Ohio AG to Lead New Bureau

WASHINGTON — President Obama has named former Ohio Attorney General Richard Cordray as his nomination for director of the new Consumer Financial Protection Bureau (CFPB), which was created by the passage of the Dodd Frank Act last year. The nomination will require Senate confirmation, which, by all account, will be a problem.

Cordray previously served as Ohio’s treasurer and as head of the CFPB’s enforcement division for the last six months under current interim director and agency architect Elizabeth Warren.

During the announcement, President Obama discussed Dodd-Frank’s provisions, which included making taxpayer-funded bailouts illegal, Wall Street reforms and stronger consumer protection rules.

“Already, the agency is starting to do a whole bunch of things that are going to be important for consumers — making sure loan contracts and credit card terms are simpler and written in plain English,” the president said. “Already, thanks to the leadership of the bureau, we’re seeing men and women in uniform who are getting more protections against fraud and deception when it comes to financial practices.”

In her White House blog post announcing the nomination, Warren described Cordray as someone that would be a “strong leader” for the CFPB. She added that he is someone with “a proven track record of fighting for families during his time as head of the CFPB enforcement division, as attorney general of Ohio and throughout his career.”

“He was one of the first senior executives I recruited for the agency, and his hard work and deep commitment make it clear he can make many important contributions in leading it,” Warren continued in her blog post. “Rich is smart, he is tough and he will make a stellar director. I am very pleased for him and very pleased for the CFPB.”

In this month’s Legal column, Tom Hudson, partner at the law firm of Hudson Cook LLP, talked about the many challenges the CFPB is facing as it gets set to assume regulatory authority on July 21. The Republican-controlled Senate has already said it will block President Obama’s nomination. Republican lawmakers also have introduced several proposals to reduce the bureau’s power and independence.

Because of efforts put forth by the National Automobile Dealers Association, dealers were largely excluded from the CFPB’s oversight. However, the Dodd-Frank Act granted the FTC new rulemaking powers as it pertains to dealers. The agency is now hosting a series of roundtables to determine where it should focus its attention when it assumes its new powers. The next roundtable is scheduled for Aug. 2-3 at St. Mary’s University School of Law.

Posted in Auto Industry NewsComments (0)

Zurich to Help Dealers Navigate Expected New Regs

SCHAUMBURG – Zurich has launched an awareness campaign for automobile dealers to help them navigate the maze of new laws and regulations expected to affect their businesses in 2011 and beyond. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), Truth in Lending Act, and the laws of Title X are just a few of the rules and regulations automobile dealers need to understand and follow in order to be in compliance with the law, reported F&I and Showroom.

“Many auto dealers don’t know that the passage of Dodd-Frank will have a substantial impact on the way franchised auto dealers conduct financial transactions beginning July 21, 2011,” said Glenn Roberts, national training and business development manager for Zurich North America Commercial. “Zurich is looking out for auto dealers by helping them know that Dodd-Frank is not just for big banks and Wall Street.”

In order for Zurich to help educate its customers on rules and regulations affecting auto dealers, Zurich collaborated with Hudson Cook LLP, a law firm specializing in legal issues that face auto dealers, to develop a comprehensive legal guide that will be used to train and educate Zurich’s employees. That information will now be share with the company’s customers.

Zurich is encouraging its customers to raise these issues with their respective attorneys to develop a compliant F&I office. Some of the information Zurich is ready to help auto dealers understand is detailed below:

• The Dodd-Frank Act amended the Truth in Lending Act (TILA) to increase the scope of credit and leases covered by TILA. In addition, the range of damages available under TILA and the class action cap have been raised. The federal agencies responsible for drafting and maintaining regulations dealing with these coverage amounts will revise those regulations to reflect the changes, which become effective July 21, 2011.

• The Dodd-Frank Act amended the Fair Credit Reporting Act to require creditors, which includes dealers, to provide the actual credit score used to help make the credit decision to consumers in an adverse action notice.

• Congress gave the Federal Trade Commission (FTC) more authority and a mandate to regulate dealers for unfair and deceptive acts and practices. Count on the FTC to increase its regulation and enforcement of dealers.

• State attorneys general may enforce the laws of Title X, which are federal consumer financial laws and rules issued by the Bureau of Consumer Financial Protection. Attorneys general have historically been aggressive in pursuing dealers. They will now be armed with new enforcement tools and remedies.

Posted in Auto Industry NewsComments (0)

CoreLogic Credco Introduces Online Dashboard for Red Flags Compliance

POWAY, Calif. – CoreLogic Credco, a provider of automotive specialty credit reporting solutions and a division of CoreLogic has introduced Red Flag Viewpoint, an integrated online reporting dashboard that combines, summarizes and delivers easy-to-read reporting on Red Flags Rule compliance efforts for automotive dealers.

Developed in collaboration with Compli and part of Credco’s comprehensive Red Flag compliance suite, Red Flag Viewpoint is designed to help dealers meet the Red Flags Rule’s requirement of regularly monitoring and updating their Identity Theft Prevention Program.

The Red Flags Rule went into effect January 1, 2008, and is scheduled for mandatory enforcement by the Federal Trade Commission beginning January 1, 2011.

“Without sufficient data and the latest technological advances, deterring identity theft and maintaining compliance with the Red Flags Rule can be a complex, time-consuming task,” said Kevin Clements, senior vice president of corporate development for CoreLogic Credco. “Red Flag Viewpoint is specifically designed to simplify the monitoring and reporting requirement of the Rule, easily and effectively, allowing dealers to stay focused on sales objectives and other critical operations.”

Red Flag Viewpoint’s proprietary algorithms and reporting capabilities enable dealers to conveniently analyze their applicant portfolio on multiple levels to monitor for potential Red Flag risk. Available on Compli’s intuitive web-based platform, the easy-to-use interface lets users report directly off key identity verification alert statuses; access dynamic views of their entire applicant pool and associated risks; and export data for auditing and reporting.

Using Red Flag Viewpoint means dealers can easily monitor, analyze and report on a wide range of customer data provided exclusively by Credco. They can drill down on metrics and audit reports for detailed analytics, or view customer data as broadly as needed. Reporting analytics can also be viewed either on entire dealers groups or individual dealers. For more information, automotive dealers can call (866) 348-2404 or visit www.credcoservices.com/RFM.

Posted in Auto Industry NewsComments (0)

Red Flags Rule Made Simple

The Red Flags Rule went into effect on January 1, 2008. Its “enforcement date” – meaning the date FTC enforcement against dealerships becomes possible – has been postponed several times and is currently slated for December 31, 2010.

The slippage surrounding the enforcement date has led many in the industry to the false conclusion that the Red Flags Rule does not yet apply. This assumption is incorrect. The only piece of the Rule that isn’t effective is the FTC’s right to go after dealerships that violate the Rule, but that is a remote risk in any case.

The most immediate impact for a dealership that fails to comply with the Red Flags Rule is that its funding sources could turn off. The Rule applies to banks, credit unions and captive lenders as well as dealerships, and allows those funding sources to do business only with dealerships that follow the Rule themselves. That requirement has been in place since November 1, 2008.

Despite the severe practical penalty for failing to follow the Rule, anecdotal evidence suggests two realities: (1) most dealerships don’t know the scope of their obligations under the Rule; and (2) most dealerships therefore are probably not in full compliance with the Rule.

The Rule (codified at 16 CFR 681) has three operative sections:

  • 681.1 Duties of uses of consumer reports regarding address discrepancies. The requirements of this brief section can actually be considered under the next one.
  • 681.2 Duties regarding the detection, prevention, and mitigation of identity theft. This is where the action is. New obligations live here.
  • 681.3 Duties of card issuers regarding change of address. As most dealerships don’t issue credit cards, we’ll skip that one.

So, what exactly is a “red flag,” anyway? A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft. The Rule identifies five categories of red flags and provides over two dozen examples of such red flags. Examples the Rule provides include

  • Documents provided for identification appear to have been altered or forged;
  • The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification; and
  • An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Things like these should raise a “red flag” in the mind of the dealership employee that encounters them, hence the name of the Rule. Dealerships must create a program that detects, prevents and mitigates identity theft by addressing the red flags that are relevant to their operations.

When the Red Flags Rule was announced in the Joint Final Rules and Guidelines, it weighed in as a 256-page cure for insomnia. But in its simplest form, it can be distilled down to just seven words:

  1. Policy
  2. Training
  3. Detect
  4. Prevent
  5. Mitigate
  6. Oversee
  7. Ensure

Reasonable minds can come up with a longer or shorter list of requirements, or a different way to characterize them, but the foregoing list provides an easy way to discuss a dealership’s obligations, and makes the whole issue easier to understand. With that in mind, here is an overview of dealership obligations under the Rule.


At the core of the Rule is the requirement for “financial institutions” (which includes most dealerships) to create a written Identity Theft Prevention Program (ITPP). This is actually a misnomer, as no dealership can prevent identity theft – by the time an identity thief shows up to buy a car using a stolen identity, the theft has already occurred. But what the ITPP can do is prevent further damage from the identity theft, at least at the dealership.

The ITPP must be reviewed and approved in writing by the dealership’s board of directors or senior management. This requirement of a name on the “blame line” is clearly intended to extend liability to the dealer principal or senior management personally. “My GM handles that” will not be a defense!

The policy must reflect a consideration of all the red flags that might arise in the dealership, and establish a consistent process to address them. And if there is an irreducible minimum standard to be set forth in an ITPP, it is that no vehicle may be delivered in a case where an identified red flag remains unresolved.


Interestingly enough, the Rule does not require training about the scope of the Rule itself (though that is a good idea). Rather, the Rule requires training about the scope of the dealership’s ITPP. At a bare minimum, a procedure must be in place that confirms receipt of the ITPP by the dealership employees it involves, and that those employees have read it, understand it and agree to follow it.

This type of training is well-suited for computer-based interactive instruction that tracks the ITPP itself. Coupled with a learning management system (LMS), this training can record and archive the fact of each employee’s training and the results. When it comes to lawsuits or enforcement actions, if it isn’t documented it never happened. An LMS makes sure the training is documented.


Detection of identity theft can be as easy as noticing the photo on a doctored driver license doesn’t match the age of the person it describes. Or it can be nearly impossible in the case of a professional ID theft ring. Common sense is the best defense.

The dealership’s ITPP should require certain basic steps be taken in every transaction. For example, careful examination of a customer’s driver license, paying specific attention to the following factors:

  • Does the address on the license match that on the credit report?
  • Does the picture and physical description fit the person offering the license?
  • Does the birth date on the license match the apparent age of the person offering the license?
  • Does the license show any obvious indication of being fake or altered?

Transactions falling under the Rule normally include pulling a credit report on the customer. Those employees who review credit reports should check the credit report for the following:

  • Fraud alert
  • Notice of address discrepancy
  • Credit freeze
  • Active duty military alert
  • A recent and significant increase in the volume of inquiries
  • An unusual number of recently established credit relationships
  • A material change in the use of credit, especially with respect to recently established credit relationships
  • An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor

Finally, a dealership could install a system to check, by electronic means, the following:

  • Customer’s Social Security Number against the SSA Master Death File
  • Address discrepancies
  • Identity verification
  • Age verification

There are numerous vendors for such electronic verification processes, most of which can include OFAC checks as well. Electronic verification has the benefit of being easy, automated and fast.


As mentioned above, “prevent” really must mean the prevention of further damage from an identity theft. By the time it becomes an issue at the dealership, the ID theft has already occurred and cannot logically be prevented.

To understand the difference between detection and prevention, it is helpful to understand the difference between identity “verification” and “authentication.”

Identity theft is precisely that – the theft of an actual identity as opposed to creating a false identity. Thus, when a dealership employee is presented with an identity, that identity is likely a real one. Verification means taking steps to confirm the identity is real.

Authentication is the more important step. Authentication means confirming that the identity presented actually belongs to the person offering it. Performing this step properly is the best means of preventing further damage from identity theft at the dealership.

So, how do you authenticate an identity? How much time do you have?

The quickest and most effective method is to use “knowledge-based authentication,” or out-of-wallet challenge questions. This means presenting a customer with questions that cannot be answered by the information commonly carried in a wallet or contained in a credit bureau. Remember, an identity thief can run a credit report on the victim. So if questions are used that involve information in a credit report, the dealership is presenting an open-book test.

Out-of-wallet questions are computer-generated and use data that is more than 7 years old, the age limit for information on a credit report. By asking questions an identity thief can’t answer (“In what state did you live in 1983?”), a dealership can confidently authenticate the identity of its customers.

Out-of-wallet questions should present at least four – and preferably five – possible answers, and at least three questions. The odds of an identity thief correctly answering three five-option questions correctly are 1 in 125. In real life, once a question set is presented to an identity thief, one of three things happens: the thief “forgot something in the car,” has to go to the bathroom or simply runs out of the dealership. In any event, delivery of a car to a thief is thwarted.

For those dealerships with more time or no Internet access, a manual system is possible. A dealership could require customers to present three of the credit cards listed on a credit report, or a current passport or multiple other forms of government-issued ID. If this method is chosen, it must be consistent and documented. Photocopies of the identity-proving documents (but not credit cards!) should be kept.

This approach, however, includes its own risks. All such identifying documents by their nature contain nonpublic personal information (NPI). And NPI must be protected pursuant to the FTC Safeguards Rule. For my money, the electronic challenge question method is the way to go.


The requirement that dealerships “mitigate” identity theft suffers from a major flaw: the Rule does not define “mitigate.” Using plain English, this should mean at least to lessen the impact of the identity theft. At best, it means the restoration of an identity to its pre-event status.

In practice, this means that the dealership’s ITPP should include the requirement that the dealership “eat” the car it delivers to an identity thief – effectively buying back the deal from the victim who had no knowledge of the transaction. As a court will probably require this anyway, it is not really adding much to the dealership’s risk.

Including fully-managed (not “assisted”) ID recovery service to every transaction is a more proactive means of satisfying this ill-defined legal requirement. It is not my position that the Rule requires this – I don’t know how Courts will interpret this requirement – but it would help a dealer sleep at night, and it is inexpensive.


Any business covered by the Red Flags Rule is required to “oversee” its service providers. This means that a dealership can only engage companies that also follow the Rule to the extent it applies to them. This is accomplished by contracts, or addenda to existing contracts, that pass along a dealership’s obligations under the Rule.
The purpose behind this requirement is to prevent a dealership from evading its obligations by contracting out its duties to a third party that may not follow the Rule. This is one buck that cannot be passed!


A dealership must ensure its ITPP continues to work over time. The Rule requires a report be made to the dealership board of directors or senior management at least annually on the dealership’s compliance with the Rule.

The report should address material matters related to the dealership’s ITPP and “evaluate issues such as the effectiveness of the policies and procedures of the [dealership] in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes” to the ITPP.

A good place to start the annual report is to document any instances of identity theft at the dealership in the previous year. Then ask the question, “How could this have been prevented?” Then amend the ITPP accordingly to address the issue.

In addition to all the foregoing, the ITPP must address the filing of suspicious activity reports when identity theft occurs or is attempted at the dealership, and filing notices of address discrepancy when such are detected.

The Red Flags Rule is a lot to digest, but it is a manageable task. And the biggest beneficiary may be the dealership itself, as a properly implemented ITPP should prevent the dealership from buying back paper for a car delivered to an identity thief.

Posted in IndustryComments (0)

DealerTrack Announces Enhancements to Its Compliance Solution

LAKE SUCCESS, NY – DealerTrack, Inc., a provider of on-demand software and data solutions for the U.S. automotive retail industry, announced a number of enhancements to its compliance solution. Using the solution, dealers can more easily comply with legal and regulatory requirements and monitor their businesses’ activities.

The enhancements include a new Compliance Dashboard, which provides an overview of compliance-related activity across a store’s current deals on a single screen, as well as new functionality and design features that streamline navigation and increase the system’s effectiveness in encouraging full compliance on every deal. All of the new functionality is now available automatically to all DealerTrack Compliance subscribers at no additional cost.

The Compliance Dashboard provides a compact, single-screen view to help dealers identify users, documents and deals that are out of compliance. Highlights of the Dashboard include:

  • Compliance Score – Provides an easy-to-understand benchmark of deals in a selected time period to give dealers a sense of their overall compliance level.
  • Compliance Score Trends – Compares the trend in a dealer’s compliance scores against average compliance scores for dealers nationwide that use the DealerTrack Compliance solution.
  • Additional Enhancements – The DealerTrack Compliance solution upgrade also includes a number of new features that enhance navigation and functionality; messages that highlight problems with incomplete deals more effectively; greater integration with the F&I process to notify users when there is a problem near the finalization of a deal; and enhanced reporting with drill-down capabilities to give quicker insight into problem areas.

“With these new upgrades, we truly believe that the industry’s best compliance solution has just gotten even better,” said Raj Sundaram, senior vice president, solutions and services group at DealerTrack. “We listened to feedback from our customers and have implemented a number of improvements that not only make our solution easier to use, but help dealers to more effectively monitor and increase compliance levels in their stores. Our new Compliance Dashboard provides a unique bird’s-eye view and streamlines the process through improved navigation and one-click access to all compliance activity.”

The DealerTrack Compliance solution is a critical component of the DealerTrack Performance Suite. It is the industry’s most comprehensive compliance offering, encompassing credit transactions and identity verification, menu selling, tracking and reporting, and electronic document management. It helps protect a dealer’s business by providing a framework that strongly encourages and simplifies adherence to all applicable laws and regulations at both the federal and state levels.

Posted in Auto Industry NewsComments (0)

FTC Delays Red Flags Enforcement to December

The Federal Trade Commission has delayed enforcement of the Red Flags Rule for a fifth time, extending the deadline to Dec. 31, 2010. According to the FTC’s Website, the extension was made at the request of Congress, which is considering legislation that could affect the scope of entities covered by the rule.

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule — and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift,” FTC Chairman Jon Leibowitz said. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

The Red Flags Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities — known as “red flags” — that could indicate identity theft.

The Rule became effective on Jan. 1, 2008. Full compliance for all covered entities was originally required by Nov. 1, 2008. Most recently, the FTC announced in October 2009 that at the request of certain members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The commission has urged Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than Dec. 31, 2010, the Commission will begin enforcement as of that effective date.

Posted in Auto Industry NewsComments (0)

Page 15 of 16« First...1213141516