Compliance Headaches: Adverse Action and the “Red Flags” Rule

Adverse Action

Adverse action is not a new subject for dealers, but it is one they still find problematic. What is required of a dealer when it comes to adverse action? Like many compliance issues, the devil is in the details.

Dealers are subject to the requirements of both the Equal Credit Opportunity Act (ECOA) and the Fair Credit Reporting Act (FCRA). Both laws have the same basic intent: to protect the consumer. The ECOA’s purpose is to ensure that any entity that extends credit does so “with fairness, impartiality, and without discrimination.” The purpose of the FCRA is to ensure “accuracy and fairness of credit reporting.” Both the ECOA and the FCRA require creditors to send adverse action notices in certain circumstances. In most dealerships, both laws will apply to the majority of credit transactions.

What is adverse action?
Adverse action is defined in the ECOA as “a refusal to grant credit in substantially the amount or on substantially the terms requested,” and the FCRA incorporates that same definition when applied to a credit transaction. The difference with the application of the FCRA’s requirements is that the denial of credit is based upon information in a report from a credit reporting agency (CRA) or information obtained from a third party other than a CRA. However, it should be noted that, contrary to what some dealers believe, adverse action obligations may exist even if a customer’s credit report is never pulled.

It’s also important to remember that adverse action includes more than just a simple denial of credit. If the creditor makes a counteroffer to extend credit under different terms or in a different amount than what was requested, but the customer refuses those conditions, that is also adverse action.

Are dealers creditors?
The ECOA defines “creditor” as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” The FCRA adopts that definition as well. The Federal Reserve Board’s Regulation B, which contains the rules to implement the ECOA, attempted to clarify that definition by changing it to any person “who regularly participates in a credit decision, including setting the terms of credit.” Here’s where things get a little tricky. Nothing really clarifies what constitutes regularly participating in a credit decision, and courts have reached different conclusions on the matter.

According to Michael P. Shanahan, Esq., of Stewart & Irwin, PC, in Indianapolis, Ind., “I think that you have to take the general consensus among attorneys in the industry and among what the court findings have been, and I think you have to say that dealers are creditors.” He continued, “The NADA has issued guidance on it, the FTC has determined that dealers are creditors, so I think there’s overwhelming evidence out there to suggest that dealers are creditors … but what may not be as concrete is the interpretation of what denying of credit or setting the terms of credit is.”

According to the “CARLAW F&I Legal Desk Book,” authored by Thomas B. Hudson and the attorneys of Hudson Cook LLP, dealers may be regarded as setting the terms of credit when they determine the APR based on a buy rate, set the payment term, or set other terms like the down payments and amount financed.

Spot delivery of a vehicle could very well be seen as a credit decision on the dealer’s part; the vehicle was delivered before the third party actually approved it. There’s still the possibility of adverse action if the deal has to be unwound.

Shanahan added that dealers could potentially be interpreted as making a credit decision if they take a credit application, pull the customer’s credit report and then decide which bank or finance company to send it to. It could be argued that it was a credit decision to use the information in the customer’s credit report to decide where to send the deal. In the case of Treadway v. Gateway, the court ruled that the dealership had taken adverse action by not submitting the customer’s application to any finance company, thus effectively denying them credit.

When are adverse action notices sent?
“Our position has been that the easiest way for a dealer to avoid problems is to give the notice out to everybody they take a credit application from at the time they take the credit application,” said Shanahan. Arguably, he explained, a customer could be regarded as having applied for credit the moment they turn the application in to the dealership.

Assuming the dealership is not BHPH, the dealer already knows the dealership will not be extending credit to the customer. The customer can be given an adverse action notice along with an explanation that the dealership is considered a creditor under the ECOA and FCRA, that the dealership itself will not extend credit and that the deal depends on being able to find a bank or finance company to buy the contract from the dealership. After that, if the third-party finance company denies credit, it is that company’s responsibility to notify the customer; the dealership has already fulfilled its obligation. In fact, Shanahan noted, some finance companies are beginning to include in their dealer agreements that dealers must comply with ECOA/FCRA requirements separate from the finance company.

If dealers prefer not to hand out a notice to everyone, how do they know when they’re required to send an adverse action notice? At the very least, dealers should always send adverse action notices when faced with the following situations: 1) the customer submits a credit application but the dealer does not send it to any bank or finance company; 2) the customer cannot be financed either because no finance source approves the deal on terms acceptable to the dealership or the customer does not accept or use the credit they offer; and 3) a spot delivery deal is unwound or a deal must be re-contracted.

The “Red Flags” Rule

The most talked-about compliance issue for dealers this year is undoubtedly the “Red Flags” Rule. Technically speaking, that name actually refers to Part 681.2 of Title 16 of the Code of Federal Regulations, which officially went into effect on January 1, 2008. This new regulatory wrinkle is likely causing headaches in many dealerships across the country. The inception of this rule means that dealers are now required to be shoulder-to-shoulder with banks and finance companies on the front lines of identity theft detection and prevention.

Some dealers might be sweating, as the mandatory compliance date of November 1, 2008 is rapidly approaching. After all, no one wants to be caught out of compliance when the drop-dead date arrives. The new regulation requires each financial institution or creditor – and the rule specifically includes automobile dealers in its definition of “creditor” – to have “a written Identity Theft Prevention Program (ITPP) that is designed to detect, prevent, and mitigate identity theft” in place.

While the scope of the rule does seem rather broad and somewhat vague, dealers shouldn’t let that scare them. In fact, it’s actually beneficial because it allows financial institutions and creditors to tailor a program to fit the specific needs of their business, to include only the red flags applicable to their respective industries. A dealership’s program must accomplish four primary objectives: identify red flags applicable to the dealership’s accounts and incorporate them into its program, detect those identified red flags, respond appropriately to any detected red flags, and ensure the program is periodically updated to reflect changes in identity theft risks.

The “Red Flags” Rule applies to a creditor’s “covered accounts,” which it defines as an account that involves or is designed to permit multiple payments or transactions and any other account “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

Loosely translated, a covered account in a dealership could be any account where the potential exists for information to be stolen from the dealership or for the dealership to be presented with stolen identity information. According to “A Dealer’s Guide to the Red Flags Rule,” part of the CARLAW Compliance Series, authored by Michael A. Benoit of Hudson Cook, LLP, covered accounts “will likely consist of the installment sale and lease contracts the dealers originate (regardless of whether the accounts are sold to a finance company), and house accounts through which consumers can pay the dealership for goods and services over time.”

Where to begin
The first step for a dealer putting together an ITPP is to identify the areas of the dealership that are vulnerable to identity theft. If dealers are compliant with the FTC Safeguards Rule, they have conducted at least one risk assessment of the dealership and are aware of some areas where problems could occur. The Safeguards Rule, however, does not specifically provide for business or commercial accounts. The “Red Flags” Rule could encompass such accounts since there is a reasonably foreseeable risk of identity theft as a result of transactions involving those accounts.

Dealers also need to remember that, much like the Safeguards Rule, they need to look internally for areas that could be exploited by identity thieves. Dealership personnel, of course, have easy access to customer information and should be monitored, but is there also potential for a third-party service provider to access the dealership’s database?

As part of the rule, dealers are required to exercise appropriate oversight of service provider arrangements. Dealers need to take a look at their agreements with any third parties, like computer vendors or companies mining the DMS to provide reports, and determine if there are potential risks to the dealership’s data.

Determine what red flags to look for
Once the vulnerable accounts have been identified, the dealer must come up with “red flags,” which are patterns, practices or specific activities that indicate the possible existence of identity theft. The regulation states that an ITPP should include red flags from five categories: notifications or other warnings from consumer reporting agencies or service providers, the presentation of suspicious documents, the presentation of suspicious personal identifying information, unusual use of or suspicious activity related to a covered account, and notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with the dealership’s covered accounts

A supplement to the regulation offers 26 examples of red flags dealers may want to incorporate into their programs. Including these 26 red flags is not mandatory; however, they do merit consideration. Should dealers include all 26 examples just to be sure? Not necessarily.

Since businesses are expected to tailor their programs to fit specific needs, including all 26 (regardless of their relevancy to the business) could imply that the dealer has simply thrown together a list without giving it any real consideration. Including only those red flags pertinent to the dealership reflects the likelihood that the dealer has given serious consideration to the matter. “The fact that you examined them and didn’t include all of them is proof that you did something,” said Shanahan. “It’s evidence in itself that you analyzed the program and identified the red flags like it says you’re supposed to.”

The list of examples offered by the rule is not exhaustive, so dealers should also draw upon any past encounters they’ve had with identity theft and information from outside sources like dealer associations and the news media.
 
Determine how to recognize and deal with red flags
Once red flags have been identified and incorporated into the program, the dealer must then determine how to detect them. Dealers can examine a customer’s identity documents for inconsistencies, ask questions about past debts and residences from the content of credit reports, or go so far as to request additional information such as a utility bill. It may be helpful to implement a fixed process for sales and F&I people to use in verifying customers’ identities.

Dealers must then determine the appropriate steps for dealing with red flags that have been detected. According to Benoit in “A Dealer’s Guide to the Red Flags Rule,” there can be a wide range of appropriate responses, depending on the degree of risk posed. The program needs to establish progressive steps for dealership personnel to resolve red flags, including seeking assistance from senior employees or management, and the program should set out the proper actions to take if a red flag cannot be resolved. It can be as simple as discontinuing the transaction or as serious as notifying law enforcement.
Decide when to update the program
The last thing the written program must cover is policies and procedures for ensuring the program is periodically updated. The regulation does not specify how often this should occur, so it’s up to dealers to decide how often their programs need to be re-evaluated.

Once a program has been put together that covers all four primary objectives, it must be approved by a board of directors, an appropriate committee of the board of directors or by someone on the level of senior management if no board exists. The board or senior manager is also responsible for oversight of the program, which includes assigning specific responsibility for implementing the program. While the regulation does not specify that one person must be responsible for implementing the program, some dealers may find it easier to designate a program coordinator, just as they did for the Safeguards Rule. This person would be responsible for periodically re-evaluating the program and submitting reports to the overseer.

After the program is in place
With the program written, approved and in place, the next step is training. Anyone dealing with covered accounts or anyone who would come into contact with customer information will need to be trained. This means sales staff, F&I staff, parts and service people (if there are commercial accounts), and, most likely, the dealership’s entire office staff will have to be taught what the red flags are and how to spot them. Training should be an ongoing process, since the program will be periodically updated, and employees will need to be briefed on any new identity theft tactics and methods for detecting them.

After the program is established and personnel have been trained, the challenge is maintenance. The program coordinator must file reports with the overseer at least annually. These reports should address the effectiveness of the dealership’s policies and procedures for handling identity theft risks, arrangements with third-party service providers, any major incidents involving identity theft that have occurred and the dealership’s response to those incidents, and any recommendations for changes to the program.

Dealers should be prepared to make changes to their programs as needed, rather than holding off until it’s time for a report to be filed. A program should be promptly updated after a dealership experiences an incident involving identity theft. Shanahan said, “If an incident of identity theft occurs in your dealership and your dealership’s program did not have a red flag that would appropriately indicate the potential for the identity theft that occurred, I think you should update your program right then and there.”
 
“Failure to update the program can be a real risk for the dealer,” said Emily Marlow Beck of Hudson Cook, LLP. “A lot of folks will get all excited about complying in time for the November 1st deadline … they’ll develop a program, and then they’ll forget about it and they’ll never update.” This can indeed be very risky. While nothing has been mentioned about the FTC conducting any audits to ensure dealerships are complying, many dealers will recall that the FTC conducted audits for compliance with the Safeguards Rule.

Consequences of non-compliance
Penalties for non-compliance are stiff. A knowing violation of the regulation results in a $2,500 civil penalty for each violation, and “each violation” could potentially be interpreted as being one violation per customer. If the dealer is unfortunate enough to receive a “cease and desist” letter from the FTC, they could be facing additional penalties up to $11,000 per violation. If that weren’t frightening enough, there is the possibility of individuals being able to bring claims under their state unfair and deceptive acts and practices laws (UDAP ), and many of those UDAP laws interpret a violation of a federal rule as being a violation of state law as well. “UDAP laws can have attorney’s fees, damages—the whole kit and caboodle,” said Beck.

In order to be as prepared as possible for any potential allegations of non-compliance, dealers should make sure they keep on file any and all information they accumulate about the “Red Flags” Rule and their IDPP, not just the reports filed with the board or senior management. “Any research [dealers have] done, they need to keep in a folder, anybody they’ve consulted with—they need to keep that information because that information is evidence that they did what they were supposed to do,” said Shanahan.

Seeking outside help
For dealers who seek help with their program from an outside consultant or vendor, there are a few things to keep in mind. They should check the qualifications of any third party enlisted to help build their program, and the third party needs to understand the dealership’s individual needs and the requirements of the “Red Flags” Rule.

Beware of someone offering a cookie-cutter solution; no single IDPP will work for every dealership. Beck warned: “There’s no shortcut to going through the steps. Your program needs to be custom-made for your particular dealership. If someone is offering you a turnkey program that’s just plug-and-play, ready-to-go, it probably won’t be complaint because it’s not going to fit the specific needs of your dealership. The rule’s not a one-size-fits-all rule; it’s not designed to be.”

Regardless of how a dealer comes up with an IDPP, both Beck and Shanahan recommended consulting an attorney who specializes in the auto retail industry to make sure the program complies with the regulation. And, Shanahan cautioned, any program a dealer comes up with is useless if dealership personnel don’t actively adopt it. “It’s up to the dealership to become compliant; it has to embrace the policies and procedures. If the dealership … doesn’t embrace that program, they haven’t really done anything.”

Dealers going cross-eyed over adverse action and the “Red Flags” Rule can take heart; there are resources available to help them handle the nuances of both issues. In addition to the sources previously mentioned here, different dealer groups and vendors may have educational opportunities like seminars or Webinars.

NADA offers “A Dealer Guide to Adverse Action Notices” as part of its Management Series. The detailed guide, prepared for the NADA by Anne Fortney, Esq. and Lisa DeLessio, Esq. of Hudson Cook, LLP, offers scenarios to illustrate when a notice should be sent and includes sample forms. The book details what must be included in ECOA and FCRA notices, along with any special language required.

DealerTrack’s “Compliance Guide—Tips to Protect Your Dealership, 2008 Edition,” and its corresponding Web site, www.thecomplianceguide.com, cover not only adverse action and the “Red Flags” Rule, but a host of other compliance topics. The Web site offers links to other helpful resources, as well.

Vol 5, Issue 8