Two of the senior vice presidents from the American Financial Services Association took time during their orchestration of the 2023 Vehicle Finance Conference in Dallas for this episode of the Auto Remarketing Podcast.
Celia Winslow and Danielle Fagre Arlowe discussed the latest developments on the federal and state level, respectively, in connection with actions by lawmakers and regulators.
To listen to the conversation, click on the link available below.
Download and subscribe to the Auto Remarketing Podcast on iTunes.
The American Recovery Association (ARA) recently released a policy statement associated with the revamped Safeguards Rule set to be implemented by the Federal Trade Commission in June.
In connection with the mandate, ARA specifically believes recovery professionals should engage in the following best practices:
● Immediately after recovery, cut new keys to the vehicle
● Once keys are cut, access the vehicle to retrieve, inventory, and securely store all personal effects
● Eliminate all consumer information from the vehicle’s computer or other electronic repository or database accessible through the vehicle
ARA then said that every subsequent custodian of the vehicle along the chain of custody should, as a matter of best practice, verify that all consumer information has been eliminated from the vehicle and take responsibility for removing any remaining consumer information before the vehicle moves to the next custodian.
The association recommended its members work together with their finance company and servicer clients to establish compliance protocols and ensure all custodians participate in consumer-protection processes.
“ARA expects that many lenders and servicers that issue recovery assignments share ARA’s concern about these important consumer-protection and regulatory issues, and will support the best-practices points above in working together with ARA members to implement them. That said, there may be lenders or servicers that do not share ARA’s position,” the association said in a news release.
ARA strongly urged members to consider the following issues when working with finance companies and servicer clients when it comes to the FTC Safeguards Rule, as well as any other statute, regulation, or law that governs the protection of consumer data and privacy:
● Do you understand the finance company’s or servicer’s internal processes for protecting consumer data and property during their respective stages of the repossession process, including, but not limited to, eliminating consumer data from vehicle computers and other electronic repositories and databases accessible through the vehicle?
● Have you obtained written assurance that the lender or servicer has such internal processes and that those processes will be applied to assignments you will be working? Does your service agreement delineate responsibility for protection of consumer data and privacy between the parties based on their custody of the vehicle?
● Does your service agreement contain any representations or warranties about the lender or servicer compliance protocols for protecting consumer privacy or consumer data while the vehicle is in their custody?
● Are there opt-out, waiver, indemnification, or hold harmless provisions in your service agreement? Do they speak to the issue of protecting consumer privacy and consumer data and whose responsibility that is at the various stages of the repossession process based on the chain of custody?
“The long-and-short is this: ARA members conduct themselves with consumer interests in mind,” the association said. “That includes these critical privacy and data protection issues, which are implicated by the FTC’s Safeguards Rule. To the extent the rule applies to recovery professionals, the industry must stay vigilant to ensure compliance.
“This policy statement is not legal advice, nor a substitute for legal advice. ARA cannot give you legal advice. You must work with your internal or outside counsel to determine the appropriate course of action with respect to the issues discussed in this policy statement,” the association went on to say.
The Federal Trade Commission (FTC) seems to be in full assault mode when it comes to regulating auto dealers. It is doing so by proposing new rules and by entering consent decrees with allegedly offending dealers.
And 2022 has been a banner year for both.
In March, the FTC entered into a consent decree with an eight-store dealer in Illinois. The FTC required the auto dealer to pay $10 million, the largest amount an auto dealer has ever had to pay to settle an FTC claim. The FTC alleged multiple wrongdoings by the eight dealerships including deceptively saddling customers with unwanted voluntary protection products (VPPs) and committing “disparate impact” credit discrimination by charging minorities higher rate participation and higher prices for VPPs even if there was no intent to discriminate
In October, the FTC entered into a consent decree with another dealership group located in suburban Washington, DC making many of the same charges. In this case, the dealer and its president and vice president personally agreed to pay more than $3.3 million to settle the FTC’s charges. As in the Illinois case, the FTC alleged that the dealership deceived consumers by tacking hundreds to thousands of dollars in “illegal junk fees” onto car prices and for discriminating against Black and Latino consumers with higher financing costs and fees. Disparate impact credit discrimination was again cited.
In the October action, the FTC alleged that the dealer regularly advertised certified, reconditioned, or inspected cars at specific prices, but then added extra certification, reconditioning, or inspection fees that it falsely claimed consumers are required to pay. The FTC also claimed that Black and Latino consumers paid on average about $291 and $235, respectively, more in interest than non-Latino white consumers did. It also alleges that Black and Latino consumers paid on average an extra fee 24 percent and 42 percent more often, respectively, than non-Latino White consumers.
The FTC defines “junk fees” as “unfair or deceptive fees that are charged for goods or services that have little or no added value to the consumer, including goods or services that consumers would reasonably assume to be included within the overall advertised price.” It is unclear who would make this interpretation and what would be necessary to defend a fee to the FTC.
The FTC has also been active on the rulemaking front. In June, it issued a proposed Trade Regulation Rule affecting auto dealers. The proposed rule was styled to ban junk fees and bait-and-switch advertising tactics. A dealer would have to disclose in advertising and communications a true “offering price” for a vehicle that would be full price a consumer would pay, excluding only taxes and government fees. With this proposed rule, the FTC appears to be particularly pushing the elimination of junk fees, bait-and-switch ads, add-ons with no value, worthless aftermarket product, and mew disclosures to purportedly level the playing field.
The Trade Regulation Rule would also prohibit dealers from charging consumers “junk fees” for fraudulent add-on products and services that provide no benefit to the consumer such as “nitrogen filled” tires that contain no more nitrogen than normal air. The proposal would prohibit dealers from charging consumers for an add-on without their clear, written consent and would require dealers to inform consumers about the price of the car without any of optional add-ons.
In October, the FTC indicated its intention to publish a rule banning junk fees and other practices. The Rule targets unnecessary charges for worthless, free, or fake products or services; unavoidable charges imposed on captive consumers; and surprise charges that secretly push up the purchase price. One way the FTC described these fees was as follows:
Consumers can experience junk fee shock when companies unexpectedly tack on mystery charges they did not know about, consent to, or factor into the purchase. Companies might hide these fees in the fine print, cram them on at the end of a purchase process, or use digital dark patterns or other deception to collect on them. Some companies might claim that they do not charge any fees and then add on fees after the purchase or sign up.
In taking these actions, the FTC made unsupported broad generalizations about auto dealer behavior and undertook to expand its authority under Section 5 of the FTC Act which prohibits unfair and deceptive practices (UDAPs). The FTC claims that disparate impact credit discrimination is a UDAP. This ignores the law where the Equal Credit Opportunity Act (ECOA) is the only federal law on credit discrimination and the U.S. Supreme Court indicated in a 2015 opinion that statutory language like that which appears in ECOA does not support disparate impact but only intentional discrimination.
In taking these actions, the FTC appears to be usurping the legislative process that our Constitution provides to the Congress. The FTC also interprets laws — a power the Constitution confers on the judiciary — to expand its authority in a way that no Court has done The FTC knows that no auto dealer is going to finance a costly lawsuit to strike down its interpretations and there don’t appear to be any trade associations willing to take on the battle either.
With three Democrats and only one Republican on the FTC pending a further Republican appointment, these punitive interpretations and actions show no signs of slowing down. Be careful in advertising to advertise only legitimately available vehicles and indicate the number available on the advertised terms. Don’t promise credit approval. A menu is still the best tool to obtain the consumer’s understanding and acceptance of voluntary protection products. Be careful with fees you cannot defend as legitimate. Can you support your doc fee in relation to the administrative cost of generating documents to close and finance a deal?
This would be a good time to have your attorney or compliance professional review your website, ads, and social media along with your policies and practices on fair lending, discrimination, and fees. Don’t become the next victim of the FTC’s wrath.
Randy Henrick is an auto dealer compliance expert who provides compliance consulting services to dealers directly at Ignite Consulting Partners, www.ignitecp.com. Randy served for 12 years as Dealertrack's lead regulatory and compliance attorney and wrote all Dealertrack’s Compliance Guides while there. Randy audits deal jackets, writes, and reviews compliance policies, acts as an expert witness in litigation, and does training for dealers on auto finance compliance and procedures. Email Randy directly at [email protected].
While a notable portion of the industry was in San Diego for Used Car Week, the Federal Trade Commission made a decision involving the Safeguards Rule that likely delighted attendees mingling about the Manchester Grand Hyatt, but also at dealerships, finance companies and other service providers throughout automotive.
The FTC made a unanimous decision to extend the compliance deadline for six months, allowing financial services companies to better prepare for the Safeguards Rules. Now instead of a December mandate, companies now have until June.
The FTC reiterated through a news release that the regular approved changes to the Safeguards Rule in October 2021 that include more specific criteria for what safeguards financial institutions must implement as part of their information security programs. While many provisions of the rule went into effect 30 days after publication of the rule in the Federal Register, other sections of the rule were set to go into effect on Dec. 9.
Officials explained the provisions of the updated rule specifically affected by the six-month extension include requirements that covered financial institutions:
—Designate a qualified individual to oversee their information security program
—Develop a written risk assessment
—Limit and monitor who can access sensitive customer information
—Encrypt all sensitive information
—Train security personnel
—Develop an incident response plan
—Periodically assess the security practices of service providers
—Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information
In a separate statement, commissioner Christine Wilson elaborated about why it was important to make this decision, one requested by the American Financial Services Association along with ACA International, the Consumer Data Industry Association and the National Automobile Dealers Association.
“While I continue to note my concerns about the revisions to the recently amended Safeguards Rule, I support extending the effective date,” Wilson said. “Labor shortages of qualified personnel have hampered efforts by companies to implement information security programs. Some estimates place the shortage of cybersecurity professionals in the 500,000 range. Supply chain issues also have led to delays in obtaining necessary equipment for upgrading systems. These factors are outside the control of financial institutions and have complicated efforts by companies to meet the requirements of the amended rule by year end.
“The revisions finalized in December 2021 did not merely codify basic security practices of most financial institutions. Rather, the modifications imposed new onerous, misguided and complex obligations,” Wilson continued. “Safeguarding customer information is important. But it is still unclear whether these mandates will translate into a significant reduction in data security risks or offer other substantial consumer benefits. Regardless of the rule’s effects, companies should be given the time necessary to correctly implement the Final Rule’s burdensome requirements. For these reasons, I support extending the effective date until June 2023.
In another news release, AFSA pointed out that this request also was endorsed by the Small Business Administration’s Office of Advocacy, other trade groups and a bipartisan group of Congressional members led by Rep. Chrissy Houlahan (D-Pa.).
“AFSA member companies provide crucial services in our economy,” AFSA senior vice president Celia Winslow said. “Extending the implementation date of the rule means that companies will be able to make appropriate enhancements to systems and staffing, ultimately benefiting consumers.”
Perhaps dealerships and other segments of the auto finance and retail spaces can take solace in the dissenting statement from one of the former leaders of the Federal Trade Commission, which ordered a Washington, D.C.-area dealer group to pay more than $3.3 million in penalties over “junk fees” and alleged discrimination.
Last week, the FTC announced an action against Passport Automotive Group for what the regulator called in a news release as “deceiving consumers by tacking hundreds to thousands of dollars in illegal junk fees onto car prices and for discriminating against Black and Latino consumers with higher financing costs and fees.”
The FTC said Passport Automotive Group, president Everett Hellmuth and vice president Jay Klein will pay more than $3.3 million to settle the FTC’s lawsuit, which the regulator said will be used to refund consumers harmed by Passport’s conduct.
Before his pre-planned resignation from his position, FTC commissioner Noah Joshua Phillips said in his dissenting statement that he had no objections to three of the four counts against the dealer group. However, the other count in the allegations prompted Phillips to explain his opposition to the regulator’s actions.
“The Equal Credit Opportunity Act (ECOA) prohibits creditors from discriminating against an applicant with respect to any aspect of a credit transaction on the basis of race, color, religion, national origin, sex, marital status, age, or because of receipt of public assistance. Per the complaint, Passport’s discretionary markup policy imposed higher costs on Black and Latino consumers in violation of ECOA,” Phillps wrote.
“The complaint also alleges that the higher costs Passport imposed on Black and Latino consumers caused substantial injury to those consumers, were not reasonably avoidable by them, and were not outweighed by any benefits to consumers and competition, and therefore Passport’s conduct was unfair. This is the first case in which the Commission has alleged that the disparate impact of business conduct is unfair,” he continued.
“I have no quarrel with Counts I and II, nor Count IV’s allegation that Passport’s discretionary markup policy violated ECOA. I would have voted in favor of a complaint limited to those complaint counts. I cannot support Count III and its novel interpretation of unfairness,” Phillips went on to say.
“Count III accomplishes nothing in this case. The sole reason for its inclusion is to announce to the world that the FTC has expanded its unfairness jurisdiction to include antidiscrimination. But because that announcement raises myriad questions about the liability rule, it serves no useful function for businesses eager to stay on the right side of the law,” he added.
Despite Phillips’ reasons, the FTC voted 4-1 in favor of the enforcement that climaxed a matter that began four years ago.
In 2018, the FTC brought action against Passport, its president and vice president, alleging the company mailed more than 21,000 fake “urgent recall” notices to consumers in 2015 and 2017, to “lure them” to visit dealerships.
In its complaint announced, the FTC alleged that Passport regularly advertises certified, reconditioned, or inspected cars at specific prices, but then added extra certification, reconditioning, or inspection fees that it falsely claims consumers are required to pay.
The FTC also alleged that Passport charged Black and Latino consumers hundreds of dollars more in financing costs and fees, on average, than White consumers. In its complaint against Passport, the FTC alleges that the company has for years violated the FTC Act and the Equal Credit Opportunity Act by:
• Charging illegal “junk fees,” as the FTC said Passport advertised vehicles as “certified,” “inspected,” or “reconditioned” at specific prices. But the FTC alleged that when customers try to pay the amount advertised for those vehicles, Passport added hundreds or thousands of dollars in fees. These fees either increase the price over what was advertised or negate any discounts the consumers negotiated.
The complaint cited one case in which a vehicle advertised for $24,050 was in fact sold for $26,440 “due to illegal add-on fees.”
The FTC said, “Passport frequently described the extra fees it charges to customers for inspection, reconditioning, or certification as required when in many instances, auto manufacturers specifically prohibit dealers from charging separately for certification costs.
• Discriminating against Black and Latino customers, as the complaint alleged that Passport regularly charged Black and Latino customers more in financing costs and fees than they charge non-Latino white customers.
Although Passport claimed that it had a policy to prevent discrimination, the complaint alleged that Passport did not even enforce or monitor the policy.
The FTC’s complaint alleged that Black and Latino consumers paid on average about $291 and $235, respectively, more in interest than non-Latino white consumers did. It also alleged that Black and Latino consumers paid an extra fee on average of 24 percent and 42 percent more often, respectively, than non-Latino White consumers.
According to the news release, Passport, its president and its vice president have agreed to a proposed federal court order that would:
• Prohibit them from charging different groups different markups: The order would require Passport to establish a fair lending program to ensure it does not discriminate going forward, including a provision that will require each Passport dealership location to either charge no financing markup or charge the same markup rate to all consumers.
• Prohibit them from deceiving consumers about prices and fees: The order would prohibit Passport from misrepresenting the cost or terms to buy, lease, or finance a vehicle, or whether a fee or charge is optional. It would also require them to only charge consumers fees with their express, informed consent.
• Require them to pay money to refund consumers: The order would require Passport to pay the FTC $3.38 million to refund consumers harmed by Passport’s unlawful actions.
“With this action against Passport and its top executives, the Commission is continuing its crackdown on junk fees and discriminatory practices that harm Black and Latino consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “As families struggle with rising prices, companies that think they can hit consumers with hidden fees should think again.”
The FTC said it files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the district court judge, according to the FTC.
As many dealers are aware, the Federal Trade Commission (FTC) recently issued new requirements to its Safeguards Rule that take effect Dec. 9. The rule requires auto dealerships with more than 5,000 customer records in their database to develop, implement and maintain an information security program to protect customer information.
To help with compliance, many dealers have hired third-party service providers such as a DMS vendor, law firm or information technology (IT) firm to write, implement and supervise the required information security program.
However, many dealers are not aware that they cannot rely solely upon third-party vendors in order to attain compliance. This means that the dealership must also designate a qualified employee to oversee said third-party supervision. The employee does not have to hold a particular degree or title, but they do need to be aware of, and knowledgeable about, the Safeguards Rule, to ensure that the dealership is compliant.
Section 314.4 of the new FTC rule states “Designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual” (if the qualified individual is employed by a third-party service provider).
This makes it clear that ultimately, the buck stops with the business owner. If a breach happens or there is a customer problem, a dealer cannot get off the hook by pointing a finger at the third-party service provider.
Additionally, it is the dealership employee’s responsibility to complete a risk assessment of all third-party providers that the dealership uses. For example, if you hire a document shredding company, a risk assessment must be completed before that company takes any documents offsite.
Additionally, the dealership employee is responsible for enforcing the rule and training other employees on the rule. The dealership employee must also write and submit an annual written report to the governing body of the dealership.
AFIP Certification recommended
The NIADA and other F&I training companies offer some compliance resources, but for comprehensive training, consider getting certified by the Association for Finance & Insurance Professionals (AFIP). AFIP is a non-profit, non-aligned sanctioning body that offers a comprehensive certification course designed to give dealership professionals all of the knowledge necessary to maintain compliance for the FTC Safeguards Rule as well as a number of other rules and regulations.
For most independent dealerships, it makes sense for the dealer principal to become the qualified, designated employee. Many dealers have become fearful of potential fines related to this rule, but there really isn’t any reason to be afraid. Knowledge is empowerment. One of the biggest benefits that attendees take away from a training class is increased confidence in how to respond to customer complaints.
Recently in AFIP certification classes there has been a shift from primarily F&I managers and general managers in attendance, to a variety of people in different roles; including dealer principals, used car managers, accounting personnel, marketing personnel and legal personnel. In today’s world compliance is every employee’s responsibility, and is no longer just in the domain of the F&I manager.
AFIP certification covers far more than just the Safeguards Rule. Enrollees will also learn about the Truth in Lending Act, Consumer Leasing Act, Equal Credit Opportunity Act (ECOA) and more.
Becoming AFIP certified helps independent dealers to reduce the number and dollar amount of chargebacks and consumer complaints; and reduces the likelihood of agency fines and settlements.
Dealership employees can get certified either online via a learning management system, or take a live, two-day workshop offered in a variety of cities. Advantages of in-person training over online training include increased focus, fewer distractions, and a comprehensive curriculum.
In her role with the EasyCare University and GWC University training teams, Erica Cooper is responsible for new hire onboarding, internal sales training, curriculum development, in-dealership coaching, and classroom training. Before joining APCO, Cooper was a Master Instructor in the Credit and Financial Services field, developing learning solutions with a focus on federal regulations and the impact they have on underwriting processes. She has also earned the prestigious title of AFIP Certified Master Instructor.
Dealer compliance expert Randy Henrick acknowledged moderate surprise that the Federal Trade Commission didn’t delay December implementation of the revamped Safeguards Rule even as industry associations and a fellow government agency recommended it.
In this episode of the Auto Remarketing Podcast, Henrick reiterated what dealers, finance companies and other service providers need to do as a result.
To listen to the conversation, click on the link available below, or visit the Auto Remarketing Podcast page.
Download and subscribe to the Auto Remarketing Podcast on iTunes or on Google Play.
The Federal Trade Commission announced last week that it began sending payments to consumers impacted by dealerships operating in Arizona and New Mexico that the regulator shut down two years ago.
The FTC said it is sending payments totaling more than $415,000 to 3,508 consumers who financed a car or truck at a Tate’s Auto dealership after Jan. 1, 2013 and later had the vehicle repossessed.
Officials reiterated that Tate’s Auto allegedly deceived consumers about payment information and falsified information on consumers’ financing applications.
The FTC sued Tate’s Auto in 2018 for inflating consumers’ income on financing applications to third-party finance companies, as well as deceiving consumers about the lease or financing terms of the vehicles they were acquiring.
Officials pointed out that many of Tate’s customers were citizens of the Navajo Nation, and Tate’s Auto frequently ran radio and print ads in Navajo media.
The FTC settled with the dealerships in August 2020 and ultimately reached a settlement with the individual defendant in July 2021 that required the defendant to pay money for consumer redress.
“The FTC wishes to acknowledge the valuable assistance of the Navajo Nation Human Rights Commission during the investigation of this case,” officials said in a news release.
The FTC added that eligible consumers will receive a check in the mail, unless they specifically requested a PayPal payment. Recipients should cash checks within 90 days or redeem PayPal payments within 30 days.
The Federal Trade Commission said on Tuesday that the regulator has declined to extend the public comment period for its proposed rule that would ban “junk fees and bait-and-switch advertising tactics that can plague consumers throughout the car-buying experience.”
Despite efforts by organizations such as the National Automobile Dealers Association to seek an extension, the FTC said the deadline for members of the public to comment about the proposal remains Sept. 12.
In its decision declining to extend the deadline, the FTC through a news release that it has received requests from stakeholders asking to extend the deadline, as well as from stakeholders asking to keep the deadline as is.
The FTC noted that by the time the public comment period closes, members of the public will have had 80 days to review the proposed rule.
The FTC vote to decline the extension of the comment period was 5-0.
NADA president and chief executive officer Mike Stanton released the following statement in response to the FTC vote.
“The FTC’s refusal to grant a routine extension of a public comment period, particularly for a proposed rule of such sweeping magnitude that involved no advanced notice, further displays an unnecessary and misguided rush to judgement in this matter,” Stanton said.
“This proposed rule would cause great harm to consumers by significantly extending transaction times, making the customer experience much more complex and inefficient, and increasing prices, and NADA again urges the FTC to go back to the drawing board before forcing a series of unstudied and untested mandates lacking evidence that will have such significant negative impacts on customers,” he went on to say.
The FTC unveiled the proposal in June, citing its activities from the past decade as the trigger.
Dring the past 10 years, the FTC recapped that it has brought more than 50 law enforcement actions related to automobiles and helped lead two nationwide law enforcement sweeps that included 181 state-level enforcement actions in these areas.
The regulator also mentioned complaints from consumers related to automobiles remain in the top 10 complaint types received by the FTC, with more than 100,000 complaints from consumers annually over the past three years.
In the Notice of Proposed Rulemaking announced on June 23, the FTC is seeking comment on proposed measures that would:
• Ban bait-and-switch claims: The proposal would prohibit dealers from making a number of deceptive advertising claims to lure in prospective car buyers. This deal deception can include the cost of a vehicle or the terms of financing, the cost of any add-on products or services, whether financing terms are for a lease, the availability of any discounts or rebates, the actual availability of the vehicles being advertised, and whether a financing deal has been finalized, among other areas. “Once in the door or on the hook, consumers face the fallout of false promises that don’t pan out.”
• Ban fraudulent junk fees: The proposal would prohibit dealers from charging consumers junk fees for fraudulent add-on products and services that provide no benefit to the consumer (including “nitrogen filled” tires that contain no more nitrogen than normal air).
• Ban surprise junk fees: The proposal would prohibit dealers from charging consumers for an add-on without their clear, written consent and would require dealers to inform consumers about the price of the car without any of optional add-ons.
• Require full upfront disclosure of costs and conditions: The proposal would require dealers to make key disclosures to consumers, including providing a true “offering price” for a vehicle that would be full price a consumer would pay, excluding only taxes and government fees. It would also require dealers to make disclosures about optional add-on fees, including their price and the fact that they are not required as a condition of purchasing or leasing the vehicle, along with disclosures to consumers with key information about financing terms.
Members of the public can submit comments on the proposed rule at regulations.gov.
Now even another government agency thinks implementation of the enhanced Safeguards Rule from the Federal Trade Commission should be delayed.
Recently, the Small Business Administration (SBA) Office of Advocacy delivered a letter to the FTC, echoing many of the points previously made via a separate letter sent by the American Financial Services Association, ACA International, the Consumer Data Industry Association and the National Automobile Dealers Association.
The SBA Office of Advocacy also is seeking the FTC to delay the implementation from December until the same month next year.
The SBA’s letter came from Jennifer Smith, who is assistant chief counsel for economic regulation and banking, and Major Clark III, who is deputy chief counsel for Office of Advocacy.
“Because of the economies of scale, less robust recruiting and human resources budgets, and the waiting period for equipment that is being obtained by the larger companies, the problems that are outlined in the letter are magnified for small entities. Small entities do not have the buying power of large companies or additional resources to pay a premium for equipment,” Smith and Clark wrote. “Likewise, as noted in the industry letter, there is a labor shortage for workers needed to implement these safeguards. During a labor shortage, employers with the resources to offer high wages and other incentives are able to attract talent. It is more difficult for small firms that cannot afford the pay scales or incentives to attract talented employees.
“In addition, small financial institutions will need to modify their methods for evaluating these risks and the manner that they document them. Small entities must also ensure that the service providers they work with meet many of the requirements of the rule as well as amend contracts to reflect the changes,” Smith and Clark continued.
“Safeguarding customer information is extremely important. However, it is also important for the requirements of the rule to be implemented correctly,” they added.
In July, AFSA, ACA International, the Consumer Data Industry Association and NADA sent their letter to April Tabor, who is acting secretary of the FTC, explaining their position.
“Our members appreciate the FTC’s work to protect customers’ information, and they have every incentive to work alongside the commission to ensure the right safeguards are in place to protect customers, their institutions, and the financial marketplace as a whole,” the associations wrote. “At the same time, the residual effects of COVID-19 on the labor market and supply chain, as well as dueling regulatory demands and the technological changes required for proper compliance, make it difficult for covered entities to uplift their information security programs to meet the requirements in the final rule.
“To that end, we are calling for a year-long delay of the effective date to give covered entities — and their service providers — more time to properly implement the final rule’s modifications,” they continued.
The associations articulated four reasons for seeking the delay, including:
1. Members cannot hire enough skilled people fast enough to feel comfortable that they have sufficient coverage.
2. The final rule is not the only major initiative on the docket.
3. Equipment and external resources are in short supply.
4. Preparing a written risk assessment that conforms to the FTC’s specific criteria — the bedrock of the final rule — is a manual, subjective, time-consuming process.
“Moreover, the deficit in skilled workers is even greater when looking specifically at cybersecurity professionals,” the associations wrote.
“Much has been made of the growing patchwork of privacy and data security laws, rules, and guidance in the United States and the burdens it places on covered entities. This is an active space, with no signs of slowing down,” they continued.
“Additionally, some of the Final Rule’s modifications require technological changes to the existing security program. These changes include the establishment of a multi-factor authentication system, a move toward least privileged access, and an encryption process for all forms of customer information,” they went on to say. “While the amount of work required to fulfill these directives will depend on the entity’s current program, in almost all cases these technological changes will require significant investments of time and money to implement.”
