Tag Archive | "Terry O’Loughlin"

O’Loughlin to Deliver Post-CFPB Keynote at Compliance Summit


ORLANDO, Fla. — Organizers of the annual Industry Summit announced that attorney and former dealer regulator Terrence J. “Terry” O’Loughlin will deliver the keynote address for the Compliance Summit portion of the event, which will be held Oct. 8–10 at the Caribe Royale Orlando in Orlando, Fla.

Compliance Summit includes a full day of front-end compliance training — including workshops, dealer panels, and an interactive open forum — on Monday, Oct. 8, followed by a comprehensive review and certification testing by Automotive Compliance Education. ACE is offering a “Product Specialist” certification for the first time this year.

O’Loughlin, who serves as director of compliance for Reynolds and Reynolds, will kick off the Compliance Summit schedule on Monday at 9:05 a.m.

“Time and again, attendees tell us they remember Terry ‘The Regulator’ O’Loughlin, and not just for the content he delivers onstage,” said show chair David Gesualdo, publisher of F&I and Showroom and Auto Dealer Today. “His reputation precedes him, he speaks from experience, and he is firmly on the side of the right-minded dealer.”

Despite the sweeping changes sparked at the federal level by the election of President Donald Trump, including a defanged and renamed Consumer Financial Protection Bureau, O’Loughlin stressed that dealers must continue to invest in compliance training to protect their businesses as well as their customers.

“The law hasn’t changed, and many state attorneys general have said they will make up the shortfall left by the former CFPB, and there is an army of class-action attorneys who welcome these opportunities,” O’Loughlin warned. “In times of peace, prepare for war.”

Registration for Industry Summit 2018 is open at the event’s website. Register by Sept. 20 to enjoy a $100 early-bird discount. To discuss sponsorship and exhibition opportunities, contact David Gesualdo at (727) 947-4027 or via email.


Phil Gramm, Jim Leach, Tom Bliley, and You


Compliance Questions

  • Would you like to be subjected to a potential fine of $41,484 per day?
  • Or enter into a 20-year consent judgment where you are subject to biannual audits?
  • Would you like to be subjected to as much as a $50,000 statutory penalty per violation?
  • Or pay legal fees, costs, and damages for breaches of contract or negligence claims that could run into the millions of dollars?

Answering These Questions in the Affirmative

If any of these results seem attractive to you, then haphazardly download great quantities of data from your dealer management system, especially nonpublic personal information (NPI), place it where other people can access it, or, better yet, share it with everyone. You and the dealership will face these consequences.

The Relevant Law Guiding these Results

Today, in 2018, it is only a footnote for the automotive industry that the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act, or GLBA — named after its progenitors, Senator Gramm and Congressmen Leach and Bliley — was enacted to eliminate the Glass-Steagall Act of 1933 which, in this author’s viewpoint, was a legislative error. Banks, brokerage firms, and insurance carriers were prohibited from merging under the Glass-Steagall Act, which prevented the concentration of capital.

GLBA repealed this law so that these types of institutions can merge. But two elements of the GLBA are relevant to people in the automobile industry: the Privacy Rule and the Safeguards Rule.

The Privacy Rule: As the name implies, privacy is the issue. When a consumer relationship begins, the dealer must provide a privacy notice to that consumer. There are almost 300 variations of these notices, which must tell the consumer how data is collected, shared, used, and protected. In addition, there must be an option provided to the consumer by which he can opt out of any sharing of his data with third parties. This notice must be provided annually. The model privacy form can be found at: http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm.pdf.

The Safeguards Rule: The Safeguards Rule is the corollary of the Privacy Rule. As one should recognize, dealers are creditors and, as such, must develop a written security plan detailing how the dealership is protecting consumer data. A compliance officer should be appointed to oversee these safeguards. A dynamic plan should be developed which addresses the risk, with designed and tested programs redressing this risk, and reevaluations for changes in the plan as the nature of the business evolves. Encryptions, firewalls, passwords, locked vaults, and desks are examples of safeguards.

Access to Data in the Dealer Management Systems (DMS)

Reckless dealers will allow free access to the data stored in the DMS. And reckless F&I managers will access this data with abandon if given the opportunity. A sophisticated DMS will only provide data to personnel at the store commensurate with their job status and need. In other words, the general manager will have greater access to the stored data than an F&I manager.

User access to data should be reviewed and updated continuously as the Safeguards Rule requires. In DMS parlance, “PII” is being protected. PII is personally identifiable information — any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used to solve for anonymous data can be considered PII. NPI is the acronym from GLBA itself for “personally identifiable financial information” and is similar in concept to the PII. Private consumer information, which is not readily available, would be considered NPI. It is “derived using any personally identifiable financial information” that is “not publicly available.”

What Must be Done 

GLBA was passed in 2003 so it would be astounding if a dealer hadn’t already complied with its requirements and continues to do so. It is important to emphasize that the Safeguards Rule must be dynamic and continually updated. Anyone who works at the store should consult this written plan. As the organization evolves, these changes should be expressed in the written plan. This plan should include certain basic protocols for keeping consumer information secure and confidential, such as:

  • Locking rooms and file cabinets where records are kept;
  • Not sharing or openly posting employee passwords in work areas;
  • Encrypting sensitive consumer information when it is transmitted electronically via public networks;
  • Referring calls or other requests for consumer information to designated individuals who have been trained in how your company safeguards personal data; and
  • Reporting suspicious attempts to obtain consumer information to designated personnel.
  • Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
  • When consumer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically secure area.
  • Where possible, avoid storing sensitive consumer data on a computer with an internet connection.
  • Maintain secure backup records and keep archived data secure by storing it offline and in a physically secure area.
  • Maintain a careful inventory of your company’s computers and any other equipment on which consumer information may be stored.
  • Copiers and fax machines may keep records of all documents which have been copied and faxed. These electronic files should be completely deleted before discarding or returning this equipment.
  • When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit.
  • If you collect information online directly from consumers, make secure transmission automatic. If you must transmit sensitive data by email over the internet, be sure to encrypt the data.
  • Dispose of consumer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule. This means one must burn, pulverize, or shred papers containing consumer information so that the information cannot be read or reconstructed.
  • Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing consumer information.
  • Check with software vendors regularly to get and install patches that resolve software vulnerabilities;
  • Use anti-virus and anti-spyware software that updates automatically;
  • Maintain up-to-date firewalls, particularly if you use a broadband internet connection or allow employees to connect to your network from home or other offsite locations;
  • Regularly ensure that ports not used for your business are closed; and
  • Promptly pass along information and instructions to employees regarding any new security risks or possible breaches.
  • Keep logs of activity on your network and monitor them for signs of unauthorized access to consumer information;
  • Use an up-to-date intrusion detection system to alert you of attacks;
  • Monitor both in- and outbound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; and
  • Insert a dummy account into each of your consumer lists and monitor the account to detect any unauthorized contacts or charges.
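One way to act on the logging, outbound-transfer and dummy-account items above, together with the role-based DMS access described earlier, shown as an added example (not part of the original article or any DMS vendor's code). The log columns, role limits, canary ID and hostnames are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# All values below are assumptions for this example, not real DMS settings.
CANARY_IDS = {"C9999"}                       # dummy consumer account seeded in the list
ROLE_EXPORT_LIMIT = {                        # max rows per export, by job role
    "general_manager": 1000,
    "fi_manager": 50,
}
ALLOWED_DESTS = {"reports.dealer.example"}   # known outbound destinations
EGRESS_BYTES_THRESHOLD = 50_000_000          # total bytes per user per unknown dest

# Constructed sample audit log (hypothetical format).
SAMPLE_LOG = """\
timestamp,user,role,action,rows,ids,dest,bytes_out
2018-09-04T09:12:00,jdoe,fi_manager,view,1,C1042,,0
2018-09-04T09:15:00,gm1,general_manager,export,400,C1001;C1002,reports.dealer.example,52000
2018-09-04T22:41:00,jdoe,fi_manager,export,5200,C1001;C9999,,0
2018-09-04T22:50:00,jdoe,fi_manager,upload,0,,files.unknown.example,30000000
2018-09-04T22:58:00,jdoe,fi_manager,upload,0,,files.unknown.example,30000000
2018-09-05T08:02:00,svc_mail,marketing,view,1,C9999,,0
"""


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the given audit log."""
    alerts = []
    egress = defaultdict(int)  # (user, dest) -> total bytes sent to unknown dests

    for row in csv.DictReader(io.StringIO(log_text)):
        user, role, action = row["user"], row["role"], row["action"]

        # Rule 1: nobody has a business reason to touch the dummy account.
        touched = {i for i in row["ids"].split(";") if i}
        hit = touched & CANARY_IDS
        if hit:
            alerts.append(("CANARY", user, f"{action} touched {sorted(hit)}"))

        # Rule 2: exports larger than the role allows (unknown roles get 0).
        rows = int(row["rows"] or 0)
        limit = ROLE_EXPORT_LIMIT.get(role, 0)
        if action == "export" and rows > limit:
            alerts.append(
                ("ROLE_LIMIT", user, f"{rows} rows exported, {role} limit {limit}")
            )

        # Rule 3: sum outbound bytes per user and unknown destination, so a
        # transfer split into smaller chunks is still counted as one total.
        dest = row["dest"]
        if dest and dest not in ALLOWED_DESTS:
            egress[(user, dest)] += int(row["bytes_out"] or 0)

    for (user, dest), total in sorted(egress.items()):
        if total > EGRESS_BYTES_THRESHOLD:
            alerts.append(("EGRESS", user, f"{total} bytes to {dest}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Neither 30 MB upload crosses the threshold alone; the egress rule fires only because the two are summed per user and destination.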

Should a breach occur in spite of your best efforts, the following steps should be implemented:

  • Take immediate action to secure any information that has or may have been compromised.
  • Preserve and review files or programs that may reveal how the breach occurred; and
  • If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.
  • Notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;
  • Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;
  • Notify the credit bureaus and other businesses that may be affected by the breach.
  • Check to see if breach notification is required under applicable state law.

Compliance Questions Explained

The Federal Trade Commission (FTC) enforces the Privacy Rule and Safeguards Rule against franchise dealers. Its regulatory penalty for violations is $41,484 per day. Certain independent and BHPH dealers will be disciplined by the CFPB.

These two rules don’t specifically allow for individual claims. However, this is not a problem for plaintiffs since violating the GLBA is considered a violation of the state’s Unfair and Deceptive Trade Practices Act (UDAP) which means both state attorneys general and consumers can file lawsuits for these types of violations. In the state of Illinois, for example, the UDAP statutory damage amount is $50,000 per incident.

Furthermore, common law also provides a cause of action, should a dealership and F&I manager fail to carefully safeguard consumers’ NPI. This legal theory is the tort of negligence. A negligence claim has these elements:

  1. The defendant (dealer and/or F&I manager) has a duty to the consumer to keep the data secure;
  2. The defendant breached this data security duty;
  3. This breach was the cause of the consumer’s injury; and
  4. The consumer suffered damages because of the defendant’s breach of its data security duty.

Finally, many contracts include language which addresses the privacy and safeguards of consumer data. If such a contract is materially breached, consumers can sue the dealer and you.

The privacy and safeguarding of a consumer’s data is a solemn responsibility. Dealers and all dealer employees need to be cognizant of these responsibilities.

Govern yourselves accordingly.


O’Loughlin to Tackle ‘Rules and Regulations’ at Compliance Summit


LAS VEGAS — Terry O’Loughlin, director of compliance for Reynolds and Reynolds and a former regulator, will serve as a featured speaker at the upcoming Compliance Summit Las Vegas, organizers announced Tuesday. The conference will be held Aug. 29–30, 2016, at Paris Las Vegas, as part of Industry Summit.

“Compliance is one of the more unrelenting — and daunting — responsibilities that dealers face. Implementing the right policies and tools in compliance, along with applying best practices, all are proven strategies to help dealers meet those responsibilities, especially considering the likelihood for ever-increasing regulation and scrutiny,” said O’Loughlin, who served in the Florida attorney general’s office before joining the Reynolds Document Services group in 2006 as director of compliance. “Compliance Summit promises to focus on compliance as a critical business management issue for dealers, and I’m pleased to join a number of my professional colleagues in presenting at the conference and being part of the event.”

O’Loughlin’s presentation will be followed by a panel discussion; the event will also include featured speakers and panels dedicated to Your Responsibilities and Easy-to-Implement Processes and Controls and, to conclude the educational sessions, an open forum called “Is It Compliant?”

“This is not Terry’s first rodeo, so to speak, and past attendees of Compliance Summit have singled him out as an informed and passionate speaker,” said David Gesualdo, show chair and publisher of Auto Dealer Today and F&I and Showroom. “When a former regulator and current industry advocate speaks, we are wise to listen.”

Registration for Compliance Summit Las Vegas is open at the event’s website. Attendees are welcome to take part in the rest of Industry Summit, and those who register by July 29 will enjoy a $100 discount. Attendees are also invited to sit for the Certified Automotive Compliance Specialist exam for no additional charge.

For more information about Compliance Summit, including sponsorship and exhibition opportunities, contact David Gesualdo via email or at 727-947-4027.


‘Is It Compliant?’ to Cap Midwest Compliance Summit


CHICAGO — Organizers of Compliance Summit have announced that the Midwest event, which will be held April 20–21, 2015, at the DoubleTree Chicago O’Hare in Rosemont, Ill., will conclude with “Is It Compliant?”, an open-forum discussion of the topics raised in the course of the conference.

“Is It Compliant? proved to be the perfect capstone for our inaugural event in Florida,” said David Gesualdo, show chair and publisher of Auto Dealer Monthly and F&I and Showroom magazines. “Engaging the speakers in an open, friendly environment will provide a last chance for every attendee to make their voice heard and fill in any gaps that may have appeared in the sessions that precede it.”

The discussion will be led by Bob Harkins, director of the AFG Training Academy and the event’s master of ceremonies. He will be joined by featured speakers and panel moderators from prior sessions, including attorneys James Ganther and Terry O’Loughlin of Mosaic Compliance Services and Reynolds and Reynolds, respectively, as well as AFIP’s David Robertson and World Class Dealer Services’ Michael Tuno.

More information about Compliance Summit, including registration and travel information, is available at ComplianceSummit.com. For sponsorship and exhibition opportunities, contact Eric Gesualdo via email or call 727-612-8826.


O’Loughlin Joins Midwest Compliance Summit


CHICAGO — Organizers of Compliance Summit, a series of regional events dedicated to front-end compliance, have announced that attorney and compliance expert Terry O’Loughlin has joined the Midwest event, which will be held April 20–21, 2015, at the DoubleTree Chicago O’Hare in Rosemont, Ill.

“Terry’s reputation as a dealer advocate and thought leader in the compliance space is without parallel,” said David Gesualdo, publisher of Auto Dealer Monthly and F&I and Showroom magazines. “His strategies for dealers are rooted in battles he has fought on both sides of the industry.”

O’Loughlin, who serves as director of compliance for Reynolds and Reynolds, has stood at the front lines of front-end compliance issues for the past several decades, including a 16-year tenure with the Florida attorney general’s office, where he worked with state and federal regulators to police dealers and auto finance companies. Since joining the private sector, he has worked with dealers and auto groups to decipher new rules and respond to actions and inquiries related to unfair and deceptive practices, document fraud and false or misleading advertising.

“To paraphrase the Bible, there is really nothing much new under the sun. For the most part, this is generally true of the regulating community,” O’Loughlin said. “Old laws and new laws can be addressed with the same thoughtful approach because regulators’ motives and tools remain the same. Dealers should have an orderly protocol to stay abreast of the compliance landscape and consistently respond to it. But the response needs to be tailored to the real challenges.”

O’Loughlin’s presentation, “Regulations: Where Past is Prologue,” will begin at 9:35 a.m. on Tuesday, April 21, following a welcome address by Chicago native and agency head Randy Crisorio. The Rules and Regulations portion of the agenda will begin with O’Loughlin’s presentation and continue with a panel session dedicated to the topic. Rules and Regulations will be followed by Your Responsibilities, Easy-to-Implement Processes and Controls and Is This Compliant?

Further details, including the full agenda and information about registration and accommodations, will be available in the coming weeks. For sponsorship and exhibition opportunities, contact Eric Gesualdo via email or call 727-612-8826.


The Bigger Compliance Puzzle


When it comes to compliance, most of the talk the last several months has centered on the Consumer Financial Protection Bureau (CFPB) and the guidance it issued. The guidance does not directly impact dealers – but it does affect the lenders dealers rely on, and it has certainly changed the way many lenders look at the contracts sent to them for approval.

However, the CFPB, and the changes being slowly enacted because of it, aren’t the only regulations dealers need to be aware of. An important part of any agent’s value-added services is to make sure dealers are not neglecting all the other aspects of compliance for which they will be held accountable.

First, and most importantly in many ways, is to make sure there is someone at the dealership itself who has taken ownership of compliance in all aspects of the dealership. Before even identifying any holes in the compliance strategy, there first has to be someone who is responsible for them. “Every dealer should have its own compliance officer,” said Terry O’Loughlin, director of compliance, Integrated Document Solutions, Reynolds and Reynolds. “Agents should encourage the dealer to have someone who is appointed to that position. That person should have responsibility to oversee all compliance efforts.”

He went on to note, “There should be a business plan just for compliance – something a dealer can do cheaply if they appoint someone. It could be their controller, it could be the general manager, or it could be someone else in the office, but someone has to be charged with that responsibility.”

While it is still not a mainstream concept, many dealers are starting to take that advice to heart. “I can tell you that, at least in my experience so far, a good number of dealers are beginning to stir,” said Tom Hudson, chairman, Hudson Cook LLP. “For example, I visited with a large dealership in North Carolina recently; they had commissioned a compliance expert to compile a handbook, when in the past they had never had one. They also appointed their own compliance manager, which is something we’re seeing a little more frequently as well.”

“The dealer needs to know who should have compliance knowledge, then make sure they have it,” said Dave Robertson, executive director, AFIP. He believes, however, that the knowledge shouldn’t be concentrated in one person, but that everyone who deals with contracts needs to be educated. “If people in the dealership are required to do their job relative to regulations – such as the people who write contracts – they must be knowledgeable about them. They can’t be required to follow the rules if they don’t know them.”

While he believes it is important for everyone to be aware of the rules, he does, however, advocate a system of audits to ensure they are following through – rules aren’t any use if they are not being followed. “The dealer must have an audit program where there is a systematic, organized audit,” Robertson said. “They have to make sure the rules are actually being put into practice. There needs to be a regular audit of F&I and deal jackets to make sure everything the staff have learned is, in fact, being followed.”

Once a dealer has appointed their compliance manager, and given them the authority, they need to do audits and, most importantly, follow up with the appropriate consequences when violations are found. So, what should the audit focus on?

O’Loughlin said that the place to start and his first very strong recommendation would be to have every dealer review their Safeguards Rule and Red Flags Rule programs, as well as review and update privacy policies. Dealers also need to ensure they are in compliance with the updated Consumer Protection Act which, last October, changed how and when consumers can be contacted by businesses. “If dealers are contacting their customer base, they need to make sure they have an updated authorization agreement so they can send e-mails, call them on the phone, text them, send them faxes or initiate any kind of communication – electronic or otherwise,” he said. “My suspicion is that many dealers haven’t taken this step. There have been cases where dealers called a customer on their cell phones and incurred costs to that customer – and anyone who does that is liable for those costs. This is something dealers want to reevaluate if they have any ongoing reminder campaigns.”

“I had one dealer come to me looking for a deal jacket review,” said Hudson. “I said happy to do it, but what about your underwriting manual, collections manual, red flags manual, etc.? He said ‘we don’t have that’. It is a federal requirement – dealers have to do that, but a lot of dealers are struggling putting together the internal compliance arrangements they need. Big dealerships have been at it for a while, but as you scale down in size, compliance efforts are more wanting. The smallest dealerships still have a long way to go.”

Robertson advised that one of the first places dealers should start when revamping their compliance policy is to seek training. The government, he said, has several comprehensive training programs on specific topics, and then there are a variety of third party programs, like his own AFIP certification for F&I managers. “That is a big component of a dealer’s program,” he stressed again. “People who need the knowledge, must have the knowledge.”

Hudson agreed, noting that if he were a small dealer, there are a few resources he would be pursuing right now. “Go to your state association and lean hard on the director,” he said. “Tell them, look you need to be developing this stuff for all of us, to spread the cost over all the smaller dealerships. They need to develop materials all the small dealers can adapt, and I haven’t seen any sign of that yet.”

Another form O’Loughlin believes dealers should re-evaluate is their arbitration agreements. He noted that the government recently convened a hearing on arbitration clauses, and part of the mandate for the panel is to look at how those clauses apply to consumers. “The expectation is that they’re going to deny the application of arbitration in the future,” he noted. “They haven’t done it yet, but in the meantime, there have been a series of cases that have changed arbitration agreements to be more balanced between the dealer and consumer. If your dealers haven’t looked at them in a while, they should do so now. And they should follow the federal Arbitration Act, rather than state law, is my recommendation.”

O’Loughlin’s final advice? “Start the new year by taking a look at all dealer documentation. Make sure everything is all marked with a current effective date, and that the most current groups of forms are in the library, so F&I managers aren’t using something out of date. It’s not a happy task, but starting on a new year, some forms do expire.”

Hudson wrapped up by quoting O’Loughlin. “Terry has an interesting concept that I agree with – we have been on panels together – and he is fond of saying that anything worth doing is worth doing poorly. That always makes everyone sit up. Dealers all have the obligation to put together privacy manuals, and things like that. The dealer who attempts to do something like that themselves, who sits down, studies the rules, and creates a policy that is homemade, and not bought from a professional – the dealer who makes a stab at doing something – is better off than the dealer who didn’t do anything at all. If the compliance police come in, and ask for a manual on privacy, the dealer who has one that’s not great because they did it themselves is way ahead of the dealer who didn’t do anything. Even a poorly done compliance system is better than none at all – effort counts, it really does.”

For Robertson, it all comes down to treating customers fairly and honestly, and then compliance just becomes a natural fit. “The dealer has to say, can I make a living treating people fairly and doing it right?” he noted. “And if they can’t, there’s a fatal flaw in the business plan. I’ve been in the business for 40 years, and I’ve had them tell me you can’t sell cars without screening, but they have done it wrong for so long, they don’t know how to do it right. For the dealer, though, it’s crucial that if there is ever an opportunity, always do the right thing. I’ve seen that in 50% of lawsuits, if dealer had handled it properly the first time, it wouldn’t have gotten to that point. I don’t want anyone to have something of mine they don’t want to have – if I sold you something you don’t want you’ll do whatever it takes to make sure you don’t keep it. But if the dealer did the right thing at the first opportunity, it wouldn’t have been a problem.”
