|Compliance in general is an ongoing headache for dealers. Adverse action, in particular, is something many have been struggling to get a handle on for quite some time. Compounding their worries, dealers will soon have to contend with the new “Red Flags” Rule. Both of these concepts have the potential to significantly impact a non-compliant dealership. What do dealers need to know about them?|
Dealers are subject to the requirements of both the Equal Credit Opportunity Act (ECOA) and the Fair Credit Reporting Act (FCRA). Both laws have the same basic intent: to protect the consumer. The ECOA’s purpose is to ensure that any entity that extends credit does so “with fairness, impartiality, and without discrimination.” The purpose of the FCRA is to ensure “accuracy and fairness of credit reporting.” Both the ECOA and the FCRA require creditors to send adverse action notices in certain circumstances. In most dealerships, both laws will apply to the majority of credit transactions.
What is adverse action?
It’s also important to remember that adverse action includes more than just a simple denial of credit. If the creditor makes a counteroffer to extend credit under different terms or in a different amount than what was requested, but the customer refuses those conditions, that is also adverse action.
Are dealers creditors?
According to Michael P. Shanahan, Esq., of Stewart & Irwin, PC, in Indianapolis, Ind., “I think that you have to take the general consensus among attorneys in the industry and among what the court findings have been, and I think you have to say that dealers are creditors.” He continued, “The NADA has issued guidance on it, the FTC has determined that dealers are creditors, so I think there’s overwhelming evidence out there to suggest that dealers are creditors … but what may not be as concrete is the interpretation of what denying of credit or setting the terms of credit is.”
According to the “CARLAW F&I Legal Desk Book,” authored by Thomas B. Hudson and the attorneys of Hudson Cook LLP, dealers may be regarded as setting the terms of credit when they determine the APR based on a buy rate, set the payment term, or set other terms like the down payments and amount financed.
Spot delivery of a vehicle could very well be seen as a credit decision on the dealer’s part; the vehicle was delivered before the third party actually approved it. There’s still the possibility of adverse action if the deal has to be unwound.
Shanahan added that dealers could potentially be interpreted as making a credit decision if they take a credit application, pull the customer’s credit report and then decide which bank or finance company to send it to. It could be argued that it was a credit decision to use the information in the customer’s credit report to decide where to send the deal. In the case of Treadway v. Gateway, the court ruled that the dealership had taken adverse action by not submitting the customer’s application to any finance company, thus effectively denying them credit.
When are adverse action notices sent?
Assuming the dealership is not BHPH, the dealer already knows the dealership will not be extending credit to the customer. The customer can be given an adverse action notice along with an explanation that the dealership is considered a creditor under the ECOA and FCRA, that the dealership itself will not extend credit and that the deal depends on being able to find a bank or finance company to buy the contract from the dealership. After that, if the third-party finance company denies credit, it is that company’s responsibility to notify the customer; the dealership has already fulfilled its obligation. In fact, Shanahan noted, some finance companies are beginning to include in their dealer agreements that dealers must comply with ECOA/FCRA requirements separate from the finance company.
If dealers prefer not to hand out a notice to everyone, how do they know when they’re required to send an adverse action notice? At the very least, dealers should always send adverse action notices when faced with the following situations: 1) the customer submits a credit application but the dealer does not send it to any bank or finance company; 2) the customer cannot be financed either because no finance source approves the deal on terms acceptable to the dealership or the customer does not accept or use the credit they offer; and 3) a spot delivery deal is unwound or a deal must be re-contracted.
The “Red Flags” Rule
The most talked-about compliance issue for dealers this year is undoubtedly the “Red Flags” Rule. Technically speaking, that name actually refers to Part 681.2 of Title 16 of the Code of Federal Regulations, which officially went into effect on January 1, 2008. This new regulatory wrinkle is likely causing headaches in many dealerships across the country. The inception of this rule means that dealers are now required to be shoulder-to-shoulder with banks and finance companies on the front lines of identity theft detection and prevention.
Some dealers might be sweating, as the mandatory compliance date of November 1, 2008 is rapidly approaching. After all, no one wants to be caught out of compliance when the drop-dead date arrives. The new regulation requires each financial institution or creditor – and the rule specifically includes automobile dealers in its definition of “creditor” – to have “a written Identity Theft Prevention Program (ITPP) that is designed to detect, prevent, and mitigate identity theft” in place.
While the scope of the rule does seem rather broad and somewhat vague, dealers shouldn’t let that scare them. In fact, it’s actually beneficial because it allows financial institutions and creditors to tailor a program to fit the specific needs of their business, to include only the red flags applicable to their respective industries. A dealership’s program must accomplish four primary objectives: identify red flags applicable to the dealership’s accounts and incorporate them into its program, detect those identified red flags, respond appropriately to any detected red flags, and ensure the program is periodically updated to reflect changes in identity theft risks.
The “Red Flags” Rule applies to a creditor’s “covered accounts,” which it defines as an account that involves or is designed to permit multiple payments or transactions and any other account “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
Loosely translated, a covered account in a dealership could be any account where the potential exists for information to be stolen from the dealership or for the dealership to be presented with stolen identity information. According to “A Dealer’s Guide to the Red Flags Rule,” part of the CARLAW Compliance Series, authored by Michael A. Benoit of Hudson Cook, LLP, covered accounts “will likely consist of the installment sale and lease contracts the dealers originate (regardless of whether the accounts are sold to a finance company), and house accounts through which consumers can pay the dealership for goods and services over time.”
Where to begin
Dealers also need to remember that, much like the Safeguards Rule, they need to look internally for areas that could be exploited by identity thieves. Dealership personnel, of course, have easy access to customer information and should be monitored, but is there also potential for a third-party service provider to access the dealership’s database?
As part of the rule, dealers are required to exercise appropriate oversight of service provider arrangements. Dealers need to take a look at their agreements with any third parties, like computer vendors or companies mining the DMS to provide reports, and determine if there are potential risks to the dealership’s data.
Determine what red flags to look for
A supplement to the regulation offers 26 examples of red flags dealers may want to incorporate into their programs. Including these 26 red flags is not mandatory; however, they do merit consideration. Should dealers include all 26 examples just to be sure? Not necessarily.
Since businesses are expected to tailor their programs to fit specific needs, including all 26 (regardless of their relevancy to the business) could imply that the dealer has simply thrown together a list without giving it any real consideration. Including only those red flags pertinent to the dealership reflects the likelihood that the dealer has given serious consideration to the matter. “The fact that you examined them and didn’t include all of them is proof that you did something,” said Shanahan. “It’s evidence in itself that you analyzed the program and identified the red flags like it says you’re supposed to.”
The list of examples offered by the rule is not exhaustive, so dealers should also draw upon any past encounters they’ve had with identity theft and information from outside sources like dealer associations and the news media.
Dealers must then determine the appropriate steps for dealing with red flags that have been detected. According to Benoit in “A Dealer’s Guide to the Red Flags Rule,” there can be a wide range of appropriate responses, depending on the degree of risk posed. The program needs to establish progressive steps for dealership personnel to resolve red flags, including seeking assistance from senior employees or management, and the program should set out the proper actions to take if a red flag cannot be resolved. It can be as simple as discontinuing the transaction or as serious as notifying law enforcement.
Once a program has been put together that covers all four primary objectives, it must be approved by a board of directors, an appropriate committee of the board of directors or by someone on the level of senior management if no board exists. The board or senior manager is also responsible for oversight of the program, which includes assigning specific responsibility for implementing the program. While the regulation does not specify that one person must be responsible for implementing the program, some dealers may find it easier to designate a program coordinator, just as they did for the Safeguards Rule. This person would be responsible for periodically re-evaluating the program and submitting reports to the overseer.
After the program is in place
After the program is established and personnel have been trained, the challenge is maintenance. The program coordinator must file reports with the overseer at least annually. These reports should address the effectiveness of the dealership’s policies and procedures for handling identity theft risks, arrangements with third-party service providers, any major incidents involving identity theft that have occurred and the dealership’s response to those incidents, and any recommendations for changes to the program.
Dealers should be prepared to make changes to their programs as needed, rather than holding off until it’s time for a report to be filed. A program should be promptly updated after a dealership experiences an incident involving identity theft. Shanahan said, “If an incident of identity theft occurs in your dealership and your dealership’s program did not have a red flag that would appropriately indicate the potential for the identity theft that occurred, I think you should update your program right then and there.”
Consequences of non-compliance
In order to be as prepared as possible for any potential allegations of non-compliance, dealers should make sure they keep on file any and all information they accumulate about the “Red Flags” Rule and their IDPP, not just the reports filed with the board or senior management. “Any research [dealers have] done, they need to keep in a folder, anybody they’ve consulted with—they need to keep that information because that information is evidence that they did what they were supposed to do,” said Shanahan.
Seeking outside help
Beware of someone offering a cookie-cutter solution; no single IDPP will work for every dealership. Beck warned: “There’s no shortcut to going through the steps. Your program needs to be custom-made for your particular dealership. If someone is offering you a turnkey program that’s just plug-and-play, ready-to-go, it probably won’t be complaint because it’s not going to fit the specific needs of your dealership. The rule’s not a one-size-fits-all rule; it’s not designed to be.”
Regardless of how a dealer comes up with an IDPP, both Beck and Shanahan recommended consulting an attorney who specializes in the auto retail industry to make sure the program complies with the regulation. And, Shanahan cautioned, any program a dealer comes up with is useless if dealership personnel don’t actively adopt it. “It’s up to the dealership to become compliant; it has to embrace the policies and procedures. If the dealership … doesn’t embrace that program, they haven’t really done anything.”
Dealers going cross-eyed over adverse action and the “Red Flags” Rule can take heart; there are resources available to help them handle the nuances of both issues. In addition to the sources previously mentioned here, different dealer groups and vendors may have educational opportunities like seminars or Webinars.
NADA offers “A Dealer Guide to Adverse Action Notices” as part of its Management Series. The detailed guide, prepared for the NADA by Anne Fortney, Esq. and Lisa DeLessio, Esq. of Hudson Cook, LLP, offers scenarios to illustrate when a notice should be sent and includes sample forms. The book details what must be included in ECOA and FCRA notices, along with any special language required.
DealerTrack’s “Compliance Guide—Tips to Protect Your Dealership, 2008 Edition,” and its corresponding Web site, www.thecomplianceguide.com, cover not only adverse action and the “Red Flags” Rule, but a host of other compliance topics. The Web site offers links to other helpful resources, as well.
Vol 5, Issue 8
Vehicle Administrative Services is now the exclusive roadside assistance provider for service contract administrator AUL Corp.