Tag Archive | "Gramm-Leach-Bliley Act"

Phil Gramm, Jim Leach, Tom Bliley, and You

Compliance Questions

  • Would you like to be subjected to a potential fine of $41,484 per day?
  • Or enter into a 20-year consent judgment where you are subject to biannual audits?
  • Would you like to be subjected to as much as a $50,000 statutory penalty per violation?
  • Or pay legal fees, costs, and damages for breaches of contract or negligence claims that could run into the millions of dollars?

Answering These Questions in the Affirmative

If any of these results seem attractive to you, then haphazardly download great quantities of data from your dealer management system, especially nonpublic personal information (NPI), place it where other people can access it, or, better yet, share it with everyone. You and the dealership will face these consequences.

The Relevant Law Guiding these Results

Today, in 2018, it is only a footnote for the automotive industry that the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act, or GLBA — named after its progenitors, Senator Gramm and Congressmen Leach and Bliley — was enacted to eliminate the Glass-Steagall Act of 1933 which, in this author’s viewpoint, was a legislative error. Banks, brokerage firms, and insurance carriers were prohibited from merging under the Glass-Steagall Act, which prevented the concentration of capital.

GLBA repealed this law so that these types of institutions can merge. But two elements of the GLBA are relevant to people in the automobile industry: the Privacy Rule and the Safeguards Rule.

The Privacy Rule: As the name implies, privacy is the issue. When a consumer relationship begins, the dealer must provide a privacy notice to that consumer. There are almost 300 variations of these notices, which must tell the consumer how data is collected, shared, used, and protected. In addition, the consumer must be given an option to opt out of any sharing of his data with third parties. This notice must be provided annually. The model privacy form can be found at: http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm.pdf.

The Safeguards Rule: The Safeguards Rule is the corollary of the Privacy Rule. As one should recognize, dealers are creditors and, as such, must develop a written security plan detailing how the dealership is protecting consumer data. A compliance officer should be appointed to oversee these safeguards. A dynamic plan should be developed which addresses the risk, with designed and tested programs redressing this risk, and reevaluations for changes in the plan as the nature of the business evolves. Encryption, firewalls, passwords, locked vaults, and locked desks are examples of safeguards.

Access to Data in the Dealer Management Systems (DMS)

Reckless dealers will allow free access to the data stored in the DMS. And reckless F&I managers will access this data with abandon if given the opportunity. A sophisticated DMS will only provide data to personnel at the store commensurate with their job status and need. In other words, the general manager will have greater access to the stored data than an F&I manager.

User access to data should be reviewed and updated continuously, as the Safeguards Rule requires. In DMS parlance, “PII” is being protected. PII is personally identifiable information — any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or that can be used to de-anonymize otherwise anonymous data, can be considered PII. NPI is the acronym from GLBA itself for “personally identifiable financial information” and is similar in concept to PII. Private consumer information, which is not readily available, would be considered NPI. It is “derived using any personally identifiable financial information” that is “not publicly available.”

What Must be Done 

GLBA was passed in 2003 so it would be astounding if a dealer hadn’t already complied with its requirements and continues to do so. It is important to emphasize that the Safeguards Rule must be dynamic and continually updated. Anyone who works at the store should consult this written plan. As the organization evolves, these changes should be expressed in the written plan. This plan should include certain basic protocols for keeping consumer information secure and confidential, such as:

  • Locking rooms and file cabinets where records are kept.
  • Not sharing or openly posting employee passwords in work areas.
  • Encrypting sensitive consumer information when it is transmitted electronically via public networks.
  • Referring calls or other requests for consumer information to designated individuals who have been trained in how your company safeguards personal data.
  • Reporting suspicious attempts to obtain consumer information to designated personnel.
  • Ensuring that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
  • When consumer information is stored on a server or other computer, ensuring that the computer is accessible only with a “strong” password and is kept in a physically secure area.
  • Where possible, avoiding storing sensitive consumer data on a computer with an internet connection.
  • Maintaining secure backup records and keeping archived data secure by storing it offline and in a physically secure area.
  • Maintaining a careful inventory of your company’s computers and any other equipment on which consumer information may be stored.
  • Copiers and fax machines may keep records of all documents which have been copied and faxed. These electronic files should be completely deleted before discarding or returning this equipment.
  • When you transmit credit card information or other sensitive financial data, using a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit.
  • If you collect information online directly from consumers, making secure transmission automatic. If you must transmit sensitive data by email over the internet, be sure to encrypt the data.
  • Disposing of consumer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule. This means one must burn, pulverize, or shred papers containing consumer information so that the information cannot be read or reconstructed.
  • Destroying or erasing data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing consumer information.
  • Checking with software vendors regularly to get and install patches that resolve software vulnerabilities.
  • Using anti-virus and anti-spyware software that updates automatically.
  • Maintaining up-to-date firewalls, particularly if you use a broadband internet connection or allow employees to connect to your network from home or other offsite locations.
  • Regularly ensuring that ports not used for your business are closed.
  • Promptly passing along information and instructions to employees regarding any new security risks or possible breaches.
  • Keeping logs of activity on your network and monitoring them for signs of unauthorized access to consumer information.
  • Using an up-to-date intrusion detection system to alert you of attacks.
  • Monitoring both in- and outbound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user.
  • Inserting a dummy account into each of your consumer lists and monitoring the account to detect any unauthorized contacts or charges.
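Two of the monitoring items in the list above, seeding a dummy (canary) account into a consumer list and watching outbound transfers for unexpectedly large or unknown-destination sends, worked as an added Python example that is not part of the original article. The log formats, field names, destinations and the size ceiling are constructed assumptions, not any DMS vendor's real output.

```python
import re

# Constructed canary identity: no real consumer matches it, so any inbound
# contact addressed to it shows that the list containing it has leaked.
CANARY = {"email": "canary.0421@example.com", "phone": "555-0142"}

# Constructed consumer-list export, as a DMS might produce it.
CONSUMER_LIST = [
    {"name": "A. Buyer", "email": "a.buyer@example.com", "phone": "555-0100"},
    {"name": "B. Buyer", "email": "b.buyer@example.com", "phone": "555-0101"},
]


def seed_canary(rows, canary=CANARY, label="Canary Account"):
    """Return a copy of the consumer list with one dummy record appended."""
    seeded = list(rows)
    seeded.append({"name": label, **canary})
    return seeded


# Constructed inbound contact log (assumed format): one line per email or call.
CONTACT_LOG = """\
2018-05-01T09:12:00 email to=a.buyer@example.com from=service@dealer.example subject=Oil change
2018-05-01T11:40:00 call to=555-0142 from=555-0199 note=extended warranty offer
2018-05-02T08:05:00 email to=canary.0421@example.com from=promo@thirdparty.example subject=Refinance now
"""

TO_FIELD = re.compile(r"\bto=(\S+)")


def canary_hits(log_text, canary=CANARY):
    """Return log lines whose recipient (to=) is the canary's email or phone."""
    targets = {v.lower() for v in canary.values()}
    hits = []
    for line in log_text.splitlines():
        m = TO_FIELD.search(line)
        if m and m.group(1).lower() in targets:
            hits.append(line)
    return hits


# Constructed outbound transfer log (assumed format): user, destination, bytes.
TRANSFER_LOG = """\
2018-05-01T10:00:00 user=fi_mgr1 dest=crm.vendor.example bytes=204800
2018-05-01T10:30:00 user=fi_mgr1 dest=crm.vendor.example bytes=198000
2018-05-01T17:55:00 user=fi_mgr1 dest=203.0.113.77 bytes=734003200
2018-05-01T18:00:00 user=gm dest=backup.dealer.example bytes=52428800
"""

# Assumed allow-list of destinations the dealership legitimately sends data to.
KNOWN_DESTINATIONS = {"crm.vendor.example", "backup.dealer.example"}
TRANSFER_FIELDS = re.compile(r"user=(\S+) dest=(\S+) bytes=(\d+)")


def suspicious_transfers(log_text, known=KNOWN_DESTINATIONS,
                         max_bytes=100 * 1024 * 1024):
    """Flag transfers to an unknown destination or above a size ceiling.

    Returns (user, destination, bytes, reasons) tuples for each flagged line.
    """
    flagged = []
    for line in log_text.splitlines():
        m = TRANSFER_FIELDS.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        user, dest, nbytes = m.group(1), m.group(2), int(m.group(3))
        reasons = []
        if dest not in known:
            reasons.append("unknown destination")
        if nbytes > max_bytes:
            reasons.append("exceeds size ceiling")
        if reasons:
            flagged.append((user, dest, nbytes, reasons))
    return flagged
```

Run both checks on a schedule against the real logs; a single canary hit is enough to start the breach steps described later in the article, since the dummy record should never receive contact.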

Should a breach occur in spite of your best efforts the following steps should be implemented:

  • Take immediate action to secure any information that has or may have been compromised.
  • Preserve and review files or programs that may reveal how the breach occurred.
  • If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.
  • Notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm.
  • Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm.
  • Notify the credit bureaus and other businesses that may be affected by the breach.
  • Check to see if breach notification is required under applicable state law.

Compliance Questions Explained

The Federal Trade Commission (FTC) enforces the Privacy Rule and Safeguards Rule against franchise dealers. Its regulatory penalty for violations is $41,484 per day. Certain independent and BHPH dealers will be disciplined by the CFPB.

These two rules don’t specifically allow for individual claims. However, this is not a problem for plaintiffs since violating the GLBA is considered a violation of the state’s Unfair and Deceptive Trade Practices Act (UDAP) which means both state attorneys general and consumers can file lawsuits for these types of violations. In the state of Illinois, for example, the UDAP statutory damage amount is $50,000 per incident.

Furthermore, common law also provides a cause of action, should a dealership and F&I manager fail to carefully safeguard consumers’ NPI. This legal theory is the tort of negligence. A negligence claim has these elements:

  1. The defendant (dealer and/or F&I manager) has a duty to the consumer to keep the data secure;
  2. The defendant breached this data security duty;
  3. This breach was the cause of the consumer’s injury; and
  4. The consumer suffered damages because of the defendant’s breach of its data security duty.

Finally, many contracts include language which addresses the privacy and safeguards of consumer data. If such a contract is materially breached consumers can sue the dealer and you.

The privacy and safeguarding of a consumer’s data is a solemn responsibility. Dealers and all dealer employees need to be cognizant of these responsibilities.

Govern yourselves accordingly.

Posted in Industry, Review Feature

Dealership Compliance under the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act of 1999, or “GLB” as it is more commonly called, is the law with the biggest impact on the dealership community since the Truth in Lending Act was passed in 1968. From GLB flow at least two major rules that affect every dealership in America: the Privacy Rule and the Safeguards Rule. And because of those rules’ emphasis on protecting nonpublic personal information (“NPI”), the Red Flags Rule (authorized under the Fair and Accurate Credit Transactions Act (“FACTA”) of 2003), which treats identity theft, is often lumped together with them when considering the protection of customer data.

All three of those rules were discussed at the inaugural Compliance Summit by a panel comprised of Doug Fusco, CEO of DealerSafeGuardSolutionS, Becky Barrows, HR and compliance director for KeyRoyal Financial Services, and Michael Tuno, president of World Class Dealer Services.

It is worth noting that none of the panelists are attorneys, and none of their companies are law firms. Rather, they all serve in one way or another the dealership market, and the services of each have grown to address compliance issues dealerships face. That highlights a key take-away from the panel session: everybody who has a piece of the dealership industry can have a piece of the compliance function. If every vendor included a compliance feature that addressed its core services, dealerships would have much of their compliance needs addressed in the ordinary course of doing business. But that happy state has yet to arrive, so the panel spoke both to what can be done and what they are doing.

Becky Barrows affirmed that outside vendors are well-positioned to help with compliance issues. “Dealers are in the business of selling and repairing cars, so compliance can be a bit outside their wheelhouse. This represents a huge business opportunity for outside experts who can provide what dealers aren’t good at doing themselves.”

The first GLB area where a little knowledge and advice could be helpful to dealers is the Privacy Rule. Asked if the Privacy Rule is widely understood and followed by dealers, Michael Tuno responded, “No and no. No to all of the above!” He went on to explain that there is a disconnect between the language of a statute or rule and a dealer’s understanding of it. Using the Privacy Rule as an example, Tuno said that dealers were aware of the rule at the time it was issued, but had no idea what to do about it. Even the FTC’s online model form generator wasn’t much help – dealers were confused by the options they faced on the screen. It was as if the rule and the Government guidance were written by lawyers for lawyers, and most dealers aren’t lawyers!

What Tuno was able to do as an F&I partner for his dealerships was develop an understanding of the Privacy Rule and the FTC forms generator and walk his dealer clients through the process. You don’t need to be a lawyer to do that.

With respect to the Safeguards Rule, Tuno takes the same approach. As he put it, “The first thing I do for a dealer is ask if they’ve appointed a compliance officer, which the Safeguards Rule requires. If the answer is ‘no,’ I know we’ve got to help them understand the rule’s requirements and meet them. It isn’t hard – it’s mostly a process of education.”

Doug Fusco’s company develops compliance monitoring software and related business processes. From his perspective, GLB compliance is driven by “creating verifiable patterns and practices. Show that you have something in place and execute against it so you can defend yourself by making a greater than ‘check the box’ effort to comply.”

Fusco also endorsed the use of a compliance survey to help educate dealers about GLB and other legal requirements. A simple form that asks yes/no questions addressing all of the major requirements of GLB/FACTA creates a good road map, identifying both what is being done and what needs to be done.

“Simple” was a word Michael Tuno latched onto. “What we’ve found works the best is keeping it simple. Start there. You don’t want to get too complicated. Start with policies and procedures and then move on to training on those policies and procedures. And then audit the process to make sure it’s having the intended effect. The audit serves a huge function to keep the ship on the right path.”

The panelists agreed that GLB is all about protecting NPI. Becky Barrows explained what could constitute NPI in the dealership environment: “Anything that’s not available to the public. So we’re not talking about phone numbers. But checking account numbers and driver license numbers would be NPI. Like Michael’s company, we conduct audits to see how dealers actually protect NPI. And the number one offense is deal jackets lying around unprotected. Deal jackets are full of NPI, and if they’re not protected, the dealership has a real problem.”

Tuno followed up with his version of the Golden Rule as the sum and substance of GLB compliance. “Don’t leave unprotected any data you wouldn’t want other people to see. If you don’t want the world to see your credit report, don’t treat someone else’s credit report casually.”

The panel was asked to relate real-life GLB horror stories (careful to keep secret the offending dealers’ identities, of course). Doug Fusco told a common tale. “I was visiting a dealership that was a part of a fairly large dealership group. There was paperwork everywhere, and no effort made to keep it secure. I brought this to the attention of the General Manager, who shrugged and said, ‘yeah, but we lock it all up at night.’ So I conducted an audit – at 7:30 in the morning. Needless to say, there was no evidence anything had been locked up. I calculated $23 million in potential fines before I reported back to the General Manager. The big fines come from knowingly violating the law, and they knew. Needless to say, that got his attention.”

So how do you battle GLB and other compliance violations? Fusco offered his “3 E’s” – Education, Enablement, and Enforcement. Those vendors that are in the dealership are in a position to offer training, the tools that enable behavior consistent with that training, and the audits that enforce the process. This is not limited to “compliance companies.” F&I partners, HR services, income development specialists – anyone who has a dog in the fight can bring in the 3 E’s if the will is there to do it.

One valuable lesson that the panel provided was that reasonable minds can disagree about what documents actually contain NPI – but all agreed that this very uncertainty makes protecting all customer data the best possible practice. As Michael Tuno put it, “We don’t want F&I managers making decisions on a document-by-document basis, ‘protect this/don’t protect that.’ Protect everything and you’ll be good.” That’s the best practice.

That is probably the simplest approach to GLB compliance, and the ultimate conclusion of the panel: protect everything and you’ll be OK. Vendors that serve the dealership community have a role to play in that effort. The future may well belong to those that do.

Posted in Industry

Top 5 Legal Musts for Agents

As we all know, in general, the motor vehicle sales business is highly regulated. This is especially true when you focus on the F&I portion of the business. In today’s business and regulatory environment it is important that F&I providers and agents have an understanding of the laws and regulations that impact the industry. While a complete discussion of all the applicable laws is beyond the scope of a single article, below are the top five laws and a brief summary of each that, in my opinion, are a must-know for agents.

Before we jump into my top five, no legal discussion would be complete without addressing the importance of using proper terminology. In general, it is of utmost importance that agents know about and understand the product itself, as well as use the proper terminology when referring to particular products and credit transactions. Unfortunately, it is common practice for key terms to be misused by industry insiders, the media, lawmakers, regulators, attorneys and the courts. This misuse has resulted in unnecessary increased risk and exposure to dealers, F&I providers and agents. It is important to know and understand the differences between a Retail Installment Sales transaction and a Loan; GAP Waiver and GAP Insurance; Warranty and Service Contract; and Insurance and Non-Insurance Terms. For example, in a Retail Installment Sales transaction the dealer is extending credit to the buyer for the purchase of the vehicle and the dealer is the “creditor.” Contrast this with the Loan scenario where the consumer, through an agreement with a “lender” such as a bank or finance company, borrows money (i.e. gets a loan) and uses the proceeds to pay the dealer for the vehicle.

The Dodd-Frank Act
The Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB) in 2010. The law has resulted in significant reforms in all areas of the financial services industry – including the car business. Under the law, there is an exemption for those motor vehicle dealers that have both sales and service operations. However, even though a dealer may not be subject to CFPB regulation, all of the same rules still apply, and the Federal Trade Commission (FTC) still has authority over those dealers exempt from regulation by the CFPB. In addition, as we are recently seeing, the CFPB is indirectly impacting the dealer through the regulation of those banks and financial institutions they do regulate. For example, the CFPB has issued a bulletin addressing discrimination and rate spread for indirect finance transactions through dealers. In addition, it is believed the CFPB is also looking at the pricing of F&I products sold through dealers.

Magnuson-Moss Warranty Act
Warranties are regulated on both the federal and state level; on the federal level, they are governed by the Magnuson-Moss Warranty Act (MMWA). Under the MMWA, manufacturers and sellers are required to provide consumers with detailed information about the warranty coverage on the product purchased, and the rights and obligations of the consumer and warrantor. The MMWA does not apply to oral warranties and does not require the provision of a written warranty; however, if a written warranty is offered it must comply with the MMWA. For example, the warranty must indicate whether it is “full” or “limited,” must be in a single, easy to read document and must be available to the consumer before buying the product. It is important to note that the requirements of the MMWA and the FTC’s Used Car Rule regarding the Buyers Guide on used vehicles are interrelated, as they both address important warranty disclosure requirements. As such, the Buyers Guide cannot serve as the written warranty to comply with the MMWA. In addition, understanding the difference between a Warranty and a Service Contract and using the terms properly is crucial. Basically, a Warranty is included in the purchase price of a product, not sold separately, and comes from either the manufacturer or seller. On the other hand, a Service Contract is purchased separately from the product itself, is often administered by a third party, only covers those items outlined in the contract and is in addition to any warranty.

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLB) is the federal law that governs a motor vehicle dealer’s responsibility as it pertains to the non-public personal information that a dealer obtains, possesses and shares. Within the GLB are the Privacy Rule and the Safeguards Rule. The Privacy Rule covers the non-public personal information from customers who apply for, or obtain credit from, the dealer. The Privacy Rule is the source of the dealer requirement to provide the customer with the initial and annual privacy notices that outlines what the dealer will or will not do with the information it obtains. The Safeguards Rule deals with how the dealer protects the non-public personal information provided by the customer. The Safeguards Rule requires a dealer to have a written information security plan to address the various safeguards in place to collect, store and dispose of the non-public personal information it has. Depending upon the dealer’s specific operation, enforcement of the GLB can come from either the CFPB or the FTC. It is also important to know that various states have their own privacy laws too.

Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) is the primary law that addresses consumer credit and the gathering, use and sharing of consumer credit information by creditors, consumer reporting agencies and others. The FCRA requires that users of consumer reports have a permissible purpose to obtain a consumer report. The list of permissible purposes is specific in the FCRA, and the best practice to comply with the requirement is to have the written authorization of the consumer to pull their credit. In addition, the FCRA is the law behind the Red Flag Rule, the Risk-Based Pricing Rule, the Disposal Rule (requiring the dealer to properly dispose of consumer information) and is also one source of the Adverse Action Notice requirement.

Truth In Lending Act
The Truth in Lending Act (TILA) and its implementing regulation (Reg. Z) require creditors (i.e. dealers) to provide disclosures regarding the cost and terms of credit to consumers. TILA is not concerned with interest rates, late charges and related fees – that is all governed by state law. However, TILA does specify what fees and charges in a credit sale are considered finance charges. Unless properly disclosed, the cost of F&I products may have to be included in the finance charge calculation. Note that the Dodd-Frank Act increased the threshold for TILA coverage from $25,000 to $50,000, and provides that the threshold be adjusted for inflation every year. For 2013, the threshold amount is $53,000, which means that TILA does not apply when the “amount financed” exceeds this amount. As a result of this threshold increase, more finance transactions will be covered by TILA and Reg. Z.

It is impossible to cover every detail of each of these in a single article, but hopefully now you have a better idea of where to start, and why it is important that you educate yourself on these acts and how they affect both your and your dealers’ businesses. For more information on any of these, you can visit the CFPB (consumerfinance.gov) or FTC (ftc.gov) Web sites, or feel free to e-mail me directly with any questions.

Posted in F&I, Top Article