Groups Offer Insights into Pending Federal Identity Theft Regulations
PORTLAND, Ore. — Compli, the National Independent Auto Dealers Association and the American Financial Services Association recently offered input on the proposed Red Flag Rules to educate dealers and executives in the industry on the upcoming changes.
Compli said it is reaching out to dealerships to alert them to the potential requirements imposed by pending Fair Credit Reporting Act regulations, which are designed to help curb the rising tide of identity theft.
As currently written, the proposed regulations will change the way dealerships handle virtually all vehicle sales transactions, including retail installment sales contracts, loans and leases, the company said.
Compli said it is encouraging dealerships throughout the country to review the new proposed regulations and then review their current compliance systems and methods.
Auto Industry Organizations Show Concern
The new regulations are based on Sections 114 and 315 of the Fair and Accurate Credit Transactions Act, which was signed into law in 2003. These two sections of the FACT Act amend Sections 615 and 605, respectively, of the FCRA. The new and complex regulations will apply to "financial institutions and creditors," which includes almost every dealership in the U.S., according to Compli.
Some representatives of industry groups — including Ford Motor Credit, the National Automobile Dealers Association, the National Independent Auto Dealers Association, Nissan Motor Acceptance Corp. and others — have reported that the regulations are "ambiguous," "exceedingly burdensome" and will cause "undue controversy or difficulty."
For example, according to Compli, the proposed amendments would require that:
— A dealership evaluate its current identity theft prevention practices and its understanding of all of the "red flags" of identity theft that apply during a credit transaction. This means that, while the proposed rules provide a few dozen examples of the so-called red flags, each dealership must perform an internal audit to identify which red flags may be unique to its business, Compli pointed out.
— Once a dealership completes this evaluation, it must create new policies and train all relevant staff to recognize the applicable red flags and know what actions to take when red flags are found.
— A dealership's designated program manager must continuously monitor new identity theft trends and determine the need for applicable updates to the dealership's compliance program.
— Once each year, a dealership's designated program manager must provide detailed reports on the compliance program's effectiveness.
One example of the dozens of red flags suggested by the Federal Trade Commission is the verification of whether or not the date of birth and Social Security number provided by a customer match the accepted ranges provided by the federal government.
Most dealers would have a hard time being able to recognize that information today, executives noted. In addition, dealers should train their staffs to recognize any discrepancies between the address provided by a consumer during a credit transaction and the consumer's address provided to the dealer by consumer credit reporting agencies.
These amended regulations will affect virtually all vehicle sales transactions and will require increased vigilance by dealerships to manage and monitor regulatory compliance, Compli reported.
Until the proposed rules are finalized, dealers will have to wait for clear answers as to the extent of necessary changes and when the changes will be required. Even once enacted, many questions will likely remain about the regulations, specifically the red flags that the FTC "suggest" be monitored as part of its "flexible, risk-based approach," Compli highlighted.
For now, dealers can assess their current regulatory compliance program and prepare for the new regulations by completing a Dealership Compliance Appraisal provided at no charge by Compli at www.compli.com. Compli said its DCA allows dealers to conduct a confidential assessment of their dealership's existing methods of compliance with regulations and employment practices.
NIADA Chimes In
In mid September, the NIADA said it filed comments regarding the Red Flag Rules on behalf of its members and affiliated companies.
Keith Whann, general counsel for the NIADA, requested that the agencies offer specific examples of factors that could indicate that a Red Flag is not evidence of risk of identity theft. Moreover, the NIADA asked for examples on how to mitigate incidents of identity theft and requested a list of measures that can be taken if evidence of risk of identity theft is found.
The NIADA also told the Federal Financial Institution Regulatory Agencies and FTC that requiring written reports on an annual basis can be overly time consuming and burdensome, especially for small business such as dealerships.
"Finally, we objected to the FTC's estimate of burdens that would be imposed on motor vehicle dealers in complying with the proposed Red Flag Rules as being vastly underestimated, both in terms of the number of financial institutions that would be subject to the rules and the estimated burdens," Whann pointed out.
According to the proposed rules, "motor vehicle dealers would incur less burden than other high-risk entities."
"The rationale provided was that their loans are typically financed by financial institutions that are also subject to these proposed regulations and, therefore, that motor vehicle dealers are likely to use the financial institutions' programs as a basis for developing their own programs," Whann said.
"We pointed out that there is an enormous disparity in the size of dealerships and their business practices," he continued. "Moreover, it is incorrect to assume that any motor vehicle dealer will simply adopt an identity theft program established by another financial institution.
"To date, motor vehicle dealerships have adopted their own polices and procedures to comply with laws and regulations pertaining to the protection of customer information and the prevention of fraud and identity theft that they will have to establish their own policies and procedures to comply with the Red Flag Regulations and Guidelines as well," Whann said.
AFSA Also Comments on Red Flag Rules
After reviewing the proposed Red Flag Rules, the American Financial Services Association also offered some feedback to the appropriate agencies, asking for clarification of certain portions and identifying sections that are overly burdensome or could cause more issues than they solve.
"The Red Flag Rules will create a substantial set of new compliance obligations for the financial services industry," said Robert McKew, senior vice president and general counsel, in an e-letter to the agencies. "In many instances, complying with the new requirements will be expensive and burdensome and will inconvenience consumers by increasing the time and potentially the costs involved in obtaining financial products and services.
"Although AFSA acknowledges the need for the rule, we believe it is extremely important that the agencies impose only those requirements that are essential to accomplishing their mission," according to McKew.
One of the points of contention for the association was that, as written, the proposed rule extends to situations where financial institutions provide credit for businesses.
"Although businesses can in some cases be subject to identity theft, the problem is much more significant and costly in connection with consumers," McKew said. "Furthermore the Customer Identification Program requirements issued pursuant to the Patriot Act apply to businesses as well as consumers; thus, there already is a regulatory requirement in place that protects business entities from the most common type of identity theft risks — those associated with new-account openings."
Moreover, the AFSA asked the agencies to limit the regulations to cover only individuals who have been approved by a financial institution to open an account.
"Financial institutions often obtain consumer reports in connection with reviewing existing accounts," the AFSA's general counsel pointed out. "Address discrepancies in such situations — where the relationship with the consumer is already in place — present little or no risk of identity theft.
"Furthermore, institutions and creditors should not be required to comply with Section _.82 when they decline to proceed with a transaction (because, for example, the consumer's credit score was too low to qualify for a loan)," McKew continued. "Given that the Red Flag Rule, including section _.82, will create a whole new set of costs and burdens for the industry, we urge the agencies to limit the new obligations to those situations in which they will have a material impact on identity theft prevention."
Finally, the AFSA also commented on the need for the proposed regulations to cover indirect lending.
"The rule does not, however, address situations such as indirect lending, in which multiple financial institutions and creditors are involved in a transaction. AFSA believes that the Red Flag Rules should clarify how the rules will apply in such transactions," McKew wrote.