Periodically Review Compliance Processes

I’ve become acquainted with a very persistent spider. Every morning, I put on the coffee and wander a couple hundred feet down to the street to fetch the paper. The path meanders down a hillside through lots of azaleas, and I have the morning sun at my back. Nearly every morning, there’s a huge, complex spider web that’s maybe eight feet across that catches the sun’s rays, revealing the spider’s latest art. I usually wreck it, to make sure he has something to do for the remainder of the day, only to repeat the process the next day.

Those cobwebs are a thing of beauty, but whenever I see them, I think of cobwebs that aren’t so pretty—compliance cobwebs.

Compliance cobwebs appear in dealerships that are savvy enough to make a serious stab at compliance, but aren’t savvy enough to follow through on all of their compliance responsibilities. Let me give you an example.

The Federal Trade Commission’s Safeguarding Rule requires a dealership to create a safeguarding policy to make sure nonpublic financial information of customers doesn’t end up in the wrong hands. The policy can range from fairly simple to complex, depending on the dealership’s operations, and it has to be written down. The policy must name a dealership person to be in charge of safeguarding, and the policy must be updated from time to time.

The guys over at Cobweb Motors attended an industry conference and heard a compliance presentation about this new safeguarding requirement. They hadn’t been in business long, so they decided that they’d try to save some money by crafting their safeguarding policy themselves.

They spent a lot of time on the FTC’s website, and did a pretty good job of coming up with a policy that complied with the rule. Because their operation was confined to one lot, and because they had very little in the way of technology, their policy was on the fairly simple side. Their policy stated that it would be subject to review from time to time, and it named the general manager as the person in charge of their safeguarding policy.

More than a little pleased with themselves, they put a copy of the policy on their bookshelf and promptly forgot it.

A few short years go by. Cobweb Motors has become very successful, with a dozen stores in three states, new computer equipment, websites, social networking programs, and deals with lead providers and a number of other vendors. The general manager who was the person in charge of their safeguarding policy didn’t work out all that well and moved on.

The dealership’s safeguarding policy, however, still sits undisturbed on the bookshelf. Cobweb compliance.

Then one day, the FTC shows up and asks to see the safeguarding policy. The policy as written has little or no resemblance to the policy needed for Cobweb Motors’ expanded operations, and when the FTC determines that there hasn’t been anyone in charge of things since the former GM left, the FTC decides a little enforcement action is in order.

Meanwhile, the folks over at Careful Motors had a similar experience. They developed their safeguarding policy, named an employee to be in charge and put it on the bookshelf. Their policy, however, called for a review of the policy every six months with a notice of the required review calendared for several of the dealership’s management team (an easy thing to do with Outlook), so in case the employee tasked to review the policy moved on to another job, the review would still occur.

Every six months, the employee would pull the policy off the shelf, read through it to determine whether it was still appropriate and accurate for the dealership, document the review, and add the documentation to the policy. Most of the reviews would take no more than a half-hour or so.

When the FTC calls on Careful Motors, will we likely see enforcement action? Probably not.

The Safeguarding Rule isn’t the only federal regulation that requires the dealership to review and reassess earlier attempts at compliance. The Red Flags Rule, for example, contains such a requirement.

And even when there is no express regulatory requirement for a periodic review of forms and operations, dealers need to periodically check to make sure the cobwebs haven’t crept in. Laws and regulations change, forms companies revise and replace forms, and lawsuits require forms and procedural changes. When you’re scheduling those required safeguarding and red flags reviews, why not include as many of your dealership’s other forms and procedures as you can?

Get rid of those cobwebs!

Vol. 8, Issue 8