Compliance Complacency: How Much Compliance is Enough?

1. Do you trust all of your employees with your own sensitive personal information, such as Social Security number, pin numbers to bank accounts, etc.? Invariably the answer is no, so I break it down a little further.

2. Do you trust your management team with this same information? Once again, the answer is no.

3. Finally, I break it down one step further. Do you trust your senior manager, vice president, general manager, etc. with this information? Generally, the answer is still no.

Every time a customer applies for financing at your dealership, he or she in effect is entrusting you and all of your employees with their most sensitive information. There is an implicit agreement between your organization and that customer that demands their private data be handled in a safe and responsible manner while in your possession. It is your duty and the responsibility of every dealership employee who comes into contact with this information to follow a strict set of guidelines that governs privacy protection.

Most dealers have basic systems in place to protect a client’s data—secure storage of files and applications, the shredding of unused or duplicate documents, etc. Many also have compliance manuals their employees are required to read, and then sign, to follow dealership policies and procedures. With the Red Flags compliance,  most dealerships and organizations have revisited their existing programs and modified them to fit these new guidelines set down by the Federal Trade Commission..

The question every general manager and dealer principal needs to ask themselves now is: have I done enough? Does the policy address all of the major points of the act? Who is going to identify and respond to potential violations at the management level? Are these policies enough to insulate the dealer from violations, should they occur? Unfortunately, many dealers don’t have definitive answers for some or all of these questions.

Like any new or newly-enforced set of laws, there will be growing pains associated with becoming compliant with the Red Flags Rule. When reading the guidelines for implementing the proper procedures for an institution to achieve compliance, there are many gray areas regarding what exactly is required of the organization. Some leeway has been given to individual businesses regarding the design of a program that is appropriate to their size and complexity. If and when Red Flags cases begin to appear in the courts, the term “best practices,” will most likely be involved in the determination of an organization’s liability.

When advising a dealer on the term “best practices,” I usually give it my sleep test. I ask the dealer if they sleep soundly at night. Do they know there is little or no possibility of a violation in their store, and if there is a violation, will it be easily detected, documented and resolved with the systems they currently have in place?

If dealers can sleep soundly at night after being asked this question, chances are they have a good program in place. If like most, however, they have doubts and are truthful with themselves, then immediate action needs to be taken.

The first and most important element of any business is its people. Without the right people in the right positions, no business, large or small, will succeed. The same is doubly true when addressing compliance issues. If your people have not been properly trained and supervised, even the best programs will fail. It is vital to have all employees on the same page when it comes to privacy issues. This can be achieved in a number of ways:

1. Ongoing training combined with tight supervision from a dedicated senior manager – Once a month have the most senior manager or even the dealer hold a meeting to address privacy issues and Red Flags.

2. Establish a compliance officer or manager. This can be a new position, or it can be an existing senior manager who takes it on as an additional duty. Either way, make it an official and documented action. Give the position a title and put it on the individual’s business cards. Make sure your new compliance manager knows that he/she is 100 percent accountable. Have the compliance officer generate weekly reports to be reviewed by the GM or dealer, and keep these reports on file.

3. Conduct external audits. Have an outside source come in periodically and review policies and procedures. If possible, have them observe the employees during normal business hours to get a feel for the level of dedication to the compliance program.

Another important piece of the puzzle is data loss prevention (DLP). Most dealers do not have any type of effective electronic DLP process in place. Every day, sensitive information streams in and out of the dealership via electronic means and most dealers are unaware of the requirements for keeping data secure. Credit applications and decisions are transmitted to banks on secure encrypted connections, but much of that same information is conveyed at one time or another through unprotected and unsafe methods, putting the dealership at risk.

An effective DLP platform can isolate, record and/or help prevent potentially harmful actions. Many of these platforms are relatively inexpensive and some offer excellent customization and support features. Having the ability to monitor and directly control the flow of information into and out of the dealership will prove invaluable if and when the need arises to prove compliance with Privacy Act laws.

It is more important now than ever to protect yourself and your business from unnecessary exposure to liabilities. As we move into the age of Red Flags enforcement, it is possible—with a little effort and diligence—to greatly increase awareness, improve procedures and decrease exposure to the serious liabilities of privacy violations.