(267) 481-5636
    Randy Henrick & Associates, L.L.C.
    • Home
    • Services
    • Special Offers
    • About Us/Contact
    • Blog

    ​

    Blogs

    A Primer on Credit Reports

    1/6/2022

    0 Comments

     

    Credit reports come in different varieties and there are requirements and pitfalls with each.  Credit scores, hard pulls, and soft pulls are all credit reports, called “consumer reports” in the federal Fair Credit Reporting Act (FCRA).  But there are also investigative consumer reports and things that don’t look like consumer reports but which are and need to be treated as such.  This is a complex area but let me try to simplify it for you


    Under the FCRA, a “consumer report” means any communication (written or oral)  of any information bearing on a consumer’s credit worthiness, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part as a factor in determining the consumer’s eligibility for: (A) credit or insurance for consumer purposes; (B) employment purposes; or (C) any other purpose authorized under the FCRA.

    Lots of things get caught in this definition but other things don’t.  Excluded from the definition of a consumer report are reports having information solely as to “transactions or experiences” between the consumer and the person making the report.  So, if someone tells you I am delinquent on my debt to them alone, that is not a consumer report.  But if they tell you I am delinquent on many obligations, that is a consumer report if it is used as a factor in establishing my creditworthiness.

    A credit score is definitely a consumer report. It is a numerical assessment of my credit history.

    A traditional credit report accessed through a “hard pull” is an itemized list of the consumer’s credit accounts and an indication of how they have performed.  Accessing a person’s credit report results in a formal inquiry that may cause a temporary lowering of their credit score.  So, if you don’t have a permissible purpose to pull the credit report, that can damage a consumer and be the basis for a lawsuit.

    The best permissible purpose is to get the consumer’s consent to pull their credit report.  Every credit application has language authorizing you to do so.  A signed credit app is the best way to get the consumer’s consent to pull their credit report.

    What about “soft pulls”?  A soft pull is an inquiry of certain limited information about the consumer that does not show up as an inquiry on their credit report.  It is often used to “prequalify” a customer for credit pending a full review based on a hard pull of their credit report. Typically, the information a soft pull returns will include a credit score and certain demographic information. 

    But even a soft pull requires the customer’s consent or another permissible purpose as it is a “consumer report” under the FCRA.  Get the consumer to consent to a soft pull to prequalify and document the consent. While it may be harder for the consumer to show actual damages, statutory damages under the FCRA are available and your making a soft pull without the customer’s consent could be found to be an unfair or deceptive act or practice (UDAP) for which damages of $46,517 per violation could be assessed.

    The only time you can pull a consumer report (hard or soft pull) without the customer’s consent is to “prescreen” the consumer.  When you prescreen, you check the customer’s credit profile against a pre-established list of criteria (e.g., minimum credit score).  If the customer passes the inquiry, you must make a “firm offer of credit” to the consumer.  A prescreen can be used to find whether a customer qualifies for an offer and is always subject to continued qualification after a formal credit review.  A prescreen does not negatively affect the customer’s credit score.

    Investigative consumer reports are ones that seek information about a consumer other than how they pay their bills. This includes information on a consumer's character, general reputation, personal characteristics, or mode of living obtained through personal interviews with neighbors, friends, or associates of the consumer.

    Other than for prescreening, if you have made a hard or soft pull of a consumer report and you don’t finance the customer, you must send the consumer an adverse action notice within 30 days of receipt of the credit application. So, a consumer who seeks prequalification but who is not approved or declines your final credit offer must receive an adverse action notice just like a consumer about whom you made a hard pull.

    Some dealers send adverse action notices to every consumer who applies for credit.  Not a good idea.  Your credit bureau agreements will prohibit you from doing that because they are in the business of selling credit reports, not giving them away for free to persons who received adverse action notices.  Sending an adverse action notice to everyone also is not what the Equal Credit Opportunity Act (ECOA) or the FCRA require.  It can also create ill will with customers who do finance with you and who will be mystified why they got an adverse action notice.

    Know what kind of consumer reports you want to use and as a rule, get the customer’s written consent to make a hard or a soft pull.  Keep the consent document in the deal jacket.  And if you get consent to make a soft pull, you will need another consent (generally on a credit app) if you want to then make a hard pull.  The soft pull consent won’t generally cover you.

    Get the customer’s written consent for the type of pull you are making and be prepared to send an adverse action notice if you don’t get the customer financed.  These two practices are most critical to compliantly accessing credit reports. 
    0 Comments

    New FTC Safeguards Rule Requires Security Actions by Dealers

    12/2/2021

    0 Comments

     
    On October 27, 2021, the U.S. Federal Trade Commission (“FTC) amended the FTC Safeguards Rule.  This Rule requires dealers to protect customer non-public personal information (“NPI”) from wrongful use or disclosure.  The prior Safeguards Rule was enacted in 2003 and gave dealers discretion to adopt a risk-based Safeguards program consistent with their identified risks.   The amended Rule contains more specific requirements for more “comprehensive” Safeguards information security programs.

    Safeguards programs cover the administrative, technical, and physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.  A Safeguards program must be in writing.

    The new Safeguards Rule is largely focused on electronic information.  It imposes a series of mandatory dealer requirements:

    Qualified Individual to Head Safeguards Program
    The amended Safeguards Rule requires the appointment of a single qualified individual (Qualified Individual) responsible for overseeing, implementing and enforcing your information security program.
    ​
    The qualifications necessary for the Qualified Individual will depend upon the size and complexity of a dealership’s information system and the volume and sensitivity of the customer information that the dealer possesses or processes. Security training is one universal requirement. The Qualified Individual of a single store dealer with a very small and simple information system will need less training and expertise than a Qualified Individual for a large dealership with a complex information system.

    Written Risk Assessment and Data Controls Required
    The amended Safeguards Rule adds requirements designed to provide more guidance on how to develop and implement specific aspects of an overall information security program, such as risk assessment, access controls, authentication, data inventory, data disposal, change management, and monitoring. A Safeguards program must address each of these issues.
    A written risk assessment is required up front and periodically to identify and evaluate risks to the systems, evaluate the adequacy of existing controls for addressing these risks, and identify actions necessary to mitigate the risks.

    Protections for Access to and Use of NPI
    The amended Rule requires NPI access to only those persons who need NPI to do their jobs.  It requires dual factor authentication for authorized users to access NPI (something the authorized user knows like a password and something they have like a token or personal access code issued for the transaction). You must keep access records to create an audit trail. Conduct penetration tests annually and vulnerability scans every six months and whenever there are material changes to your business or if you know or have reason to know a circumstance may have a material impact on your Safeguards program.

    All customer NPI must be encrypted, both in transit and at-rest.
     
    Service Providers
    As is the case today, the amended Safeguards Rule requires that you do appropriate due diligence before hiring service providers and specifically with respect to their data security procedures.  Service providers must agree contractually to implement and maintain your established safeguards and they must be periodically assessed as to the continuing adequacy of their safeguards.

    Changes to Your Safeguards Program
    The amended Safeguards Rule adds provisions designed to improve the accountability of dealers’ information security programs, including by requiring the Qualified Individual to make periodic reports to boards of directors or governing bodies. A detailed security incident response program must also be included in your Safeguards program.

    The Rule specifically requires regular enhanced security training of employees and the use of qualified information security personnel.  You also need to make sure the security personnel maintain current knowledge on new security risks.

    Dealers should also be prepared to explain their safeguards to customers — including how they access, collect, process, protect, store, use, transmit and dispose of NPI.

    You must also develop an information disposal program that securely destroys all customer information within two years from when it is last needed, or longer if necessary to meet a legal or business requirement.

    Effective Date and Exempt Entities
    The effective date for most of these new requirements is the fourth quarter of next year but requirements to assess risks, develop solutions to risks, manage service providers, and do employee training take effect in January 2022.

    The amended Rule exempts financial institutions that collect customer information on fewer than 5,000 customers from certain of the new requirements. These include the requirements for a written risk assessment, continuous monitoring or periodic tests, the written incident response plan, and regular reports from the Qualified Individual to the board or senior management. However, these dealers must still have a Safeguards information security program in effect based on identified risks.
    0 Comments

    A Data Security Breach: Your Biggest Risk

    10/12/2021

    0 Comments

     
    I frequently get asked by auto dealers what is the largest risk that a dealer faces in business.  The answer to me is clear: it is the risk of a Safeguards violation and data breach when your customer’s non-public personal information (NPI) is wrongfully accessed or compromised.  Just the costs to respond have put dealers out of business because there are so many fronts to manage.
     
    The All-in Cost of a Data Breach
     
    An annual report of the cost of data breaches, IBM, Cost of a Data Breach 2021, quantified some of the direct and indirect costs.  The study examined breaches containing as few as 2,000 compromised records so it is relevant to auto dealers large and small.
     
    On average, the overall average cost per record compromised in the 2021 study was $161, an increase from $146 per lost or stolen record in the 2020 report year.  So, if 10,000 records were compromised, the all-in cost would be $1,610,000,  
     
    Compromised credentials, such as when a hacker gets access to a user’s system credentials and gets into your system, were the largest cause of NPI breaches. Email compromise such as phishing attacks, social engineering, and malicious insiders were leading examples of how costly data breaches began. Lost business accounted for 38% of the cost.  This includes increased customer turnover, lost revenue due to system downtime and diversion of management talent, and the increasing cost of acquiring new business due to diminished reputation.
     
    Employees working remotely was cited as one reason for the increase in data breaches last year. IT changes such as cloud migration and remote work, increased the costs. Organizations having more than 50% of their workforce working remotely incurred $750,000 in higher costs compared to organizations that did not, a difference of 16.6%. It also took companies with more than 50% of employees working remotely an average of 58 days longer to identify and contain a breach.  It took an average of 287 days to identify and contain a breach.  The longer the delay, the greater the costs.
     
    Ransomware attacks were also quantified by the study.  Ransomware occurs when a criminal takes over and encrypts your system data and refuses to turn over the encryption key unless you pay a ransom.  Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs, but did not include the cost of the ransom.
     
    Costs can be characterized in four categories.  i) Detection and escalation including forensics, audit, containment, and system fixes; ii) Notifications to regulators, law enforcement, affected consumers, and other third parties; iii) Post-breach response – costs of credit monitoring for affected consumers, help desk and inbound communications, PR, legal expenditures, fines, and litigation defense and resolution; and iv) Lost business – business disruption and revenue losses
     
    Safeguards Steps You Can Take to Reduce the Risk
     
    There is no magic bullet that can ensure you will never suffer a security breach.  However, you can take steps to reduce the risk and, if you are ever breached, you will be judged largely by the prudence of the steps you took.  Here are ten basic steps (not a comprehensive list) that all dealers should take:
     
    1,       Education - All your people are at risk for being compromised.  Any employee can click on a phishing link in an email or text message that will enable a hacker to follow them into your system.  It is critical that all personnel be trained upon hire and at least annually thereafter on best safeguards practices from not clicking on links or unknown attachments to keeping paper records containing NPI locked up and not out in the open (clean desk policy) and never giving out personal information or system access credentials. Lock your computer when you walk away from it. 

    2.     System Protections - Your IT people should put NPI on a separate stand-alone server that is not connected to the Internet and requires the dual factor authentication to access. Your system should permit “read only” access to the NPI server and not allow information to be combined or downloaded onto external devices such as USBs or external hard drives

    3.       Credentials - Not everyone in your organization needs access to NPI.Chances are that more people have access to it than need NPI to do their jobs.  Limit permissions to only those you need NPI and give them only the minimum permission they need.  Authenticate people with dual factor authentication, something they know (like a password) and something they have (like a security code sent to a personal smartphone).  And require a sign-in separately for the NPI server from a sign-in to your system generally. 

    4.       Tracking Access to NPI - For electronic records, your IT people can set up a system that tracks each user’s access to NPI.  You can see each user’s pattern of access frequency.  If that pattern spikes at any time, it may be a sign that someone has compromised their credentials and is using them unlawfully.  You will then have the ability to shut the user down or re-credential.  For paper records, having a library system in which users must record taking and returning files will help make sure files don’t disappear or be accessed too frequently which may also suggest a malicious purpose. 

    5.       Passwords - Compromised passwords are one way that hackers access your system.  You should require personnel to use complex passwords.  Preferably 10 or more characters, a combination of Upper case, lower case, numerals, and symbols.  Force password changes every 90 days and prohibit reuse of passwords.  Employees should not share passwords or write them down in a way that can be seen.  As noted above, use dual factor authentication for access to the NPI server. 

    6.       Whitelisting and Blacklisting Web Sites - Your personnel should not have access using your system to access any website.  Web-based email such as gmail, yahoo, icloud and others, are notorious for containing malware-laden content.  Only websites necessary for the dealership’s operations should be permitted or “whitelisted.”  The system should be set up to deny access to any other sites.  The IT staff and your Chief Compliance Officer or security officer should have to sign off before any new website can be whitelisted. 

    7.       Install and Update Firewalls and Security Software - It is critical that your system and your NPI server be protected with firewalls and security software.  If you are going to allow your personnel to use mobile devices to access your system, use mobile device management (MDM)software on the remote devices.  MDM is security software that enables IT departments to implement policies that secure, monitor, and manage end-user mobile devices. This not only includes smartphones, but can extend to tablets, laptops, and even IoT (Internet of Things) devices. Updates should be installed as soon as they are available especially critical updates from the providers.  

    8.      Cyber Insurance - Cyber insurance generally covers your business' liability for a data breach involving NPI.  In the event of a data breach, it can help cover the costs of notifying customers about the breach; providing credit monitoring or other steps to protect the identity of compromised consumers; recovering compromised data; and repairing damaged computers or systems.  The price of cyber insurance has increased substantially over the past few years.  Manage the cost through deductibles and coverage limits.  Some cyber insurance is better than none. 

    9.      Backup Critical Data - This is particularly important given current ransomware attacks in which a hacker gains access to and encrypts your data and refuses to give the encryption key unless you pay a substantial ransom. Hardware failure, viruses, or other causes can make information unavailable as well.  Have a secure backup system in place to which only senior officers and IT staff can get access in the event it is necessary to restore systems or data. 

    10.      P2P and Social Networks - A peer-to-peer (P2P) network is a network between computers through LAN or the Internet. You should remove any P2P networks and any file-sharing clients that have been installed on your system.  Most P2P applications have worldwide sharing turned on by default during installation and run the risk of downloading viruses or malware or having data shared across the Internet.
    0 Comments

    Regulators Adopting New Ways to Use Civil and Criminal Laws to Attack Dealers

    10/6/2021

    0 Comments

     
    The Biden Administration has taken an aggressive approach against auto dealers. One way it has done this is by trying to use existing civil and criminal laws as a lynchpin to address auto dealer conduct even without precedent for doing so.

    The proof requirements and liability for violating consumer credit laws such as the Equal Credit Opportunity Act (ECOA) and the Truth in Lending Act (TILA) can make it difficult for a regulator to encompass all the relief it wants against an auto dealer. So, there is an attempt to use a catch-all provision of the Dodd-Frank Act of 2012 to pick up conduct that may not quite rise to an actionable wrong but which may be “not in conformity” with a law:

    “It shall be unlawful for--
     
    (1) any covered person or service provider--
     
    1. to offer or provide to a consumer any financial product or service not in conformity with Federal consumer financial law, or otherwise commit any act or omission in violation of a Federal consumer financial law; or
    2. to engage in any unfair, deceptive, or abusive act or practice;”
     
    12 U.S.C. § 5536(a)(1).
     
    For example, the U.S. Supreme Court has ruled that disparate impact credit discrimination liability (no intent to discriminate but the result of otherwise lawful actions is a negative effect on protected persons) arises under laws that have “results-oriented” language. ECOA does not have such language and, as a result, there is some question as to whether disparate impact credit discrimination is actionable under ECOA. But is disparate impact “not in conformity” with a federal consumer protection law? Maybe.

    What the FTC and CFPB have effectively done is make disparate impact credit discrimination an action “not in conformity” with a federal consumer protection law or an unfair trade practice, a lower legal standard. An unfair trade practice is any act that “causes or is likely to cause substantial injury to consumers.”  So that becomes the liability lynchpin for disparate impact credit discrimination whereas ECOA may not be.

    The CFPB has done the same thing with adverse action notices. In a recent complaint filed in federal court, the CFPB alleges that a lender failed to timely issue required adverse-action notices and failed to provide accurate denial reasons on its adverse-action notices to thousands of loan applicants, in violation of the Equal Credit Opportunity Act and Regulation B.  The CFPB also alleges that these violations constitute violations of the CFPA as being “not in conformity” with a federal consumer financial law. 
     
    The CFPB has also used its authority under Section 5536(a) to declare marketing and advertising statements to be unfair or deceptive. While these cases have arisen in the mortgage context, the lesson for auto dealers is clear. The government is looking for new ways to come after your perceived violations.

    The penalties that the CFPB can seek for Section 5536(a) violations are much harsher than what is provided for violations of individual consumer protection laws like the $2,000 per Truth in Lending or Consumer Leasing Act violations:

    “Penalty amounts.
     
    (A) First tier. For any violation of a law, rule, or final order or condition imposed in writing by the Bureau, a civil penalty may not exceed $5,000 for each day during which such violation or failure to pay continues.
     
    (B) Second tier. Notwithstanding paragraph (A), for any person that recklessly engages in a violation of a Federal consumer financial law, a civil penalty may not exceed $25,000 for each day during which such violation continues.
     
    (C) Third tier. Notwithstanding subparagraphs (A) and (B), for any person that knowingly violates a Federal consumer financial law, a civil penalty may not exceed $1,000,000 for each day during which such violation continues.”

    12 U.S.C. § 5565(c).


    Another law that has received attention from the Department of Justice is the federal crime of bank fraud. It has an extremely broad and very general prohibition on conduct as follows:

    “Whoever knowingly executes, or attempts to execute, a scheme or artifice--
     
    (1) to defraud a financial institution; or
     
    (2) to obtain any of the moneys, funds, credits, assets, securities, or other property owned by, or under the custody or control of, a financial institution, by means of false or fraudulent pretenses, representations, or promises;
     
    shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.”
     
    18 U.S.C. § 1344

    The federal Department of Justice has used this law to police practices such as payment packing, power booking, straw purchases, misrepresenting customer incomes and other information on credit applications, and just about anything else that a dealer states to a financing source that is untrue or incomplete. 

    Dealer principals and in one case f & I employees have paid heavy fines and gone to jail for deceiving lenders on auto finance credit applications and accounts. In 2018, the DOJ levied a $1.4 million criminal penalty and required more than $730,000 in restitution against a dealer in Pennsylvania for bank fraud. In another case, eight sales and f & iI employees of an Alabama dealership were arrested and criminally charged for bank fraud.  Four pleaded guilty and a sales manager of the dealership was sentenced to 30 months in jail.

    More investigations are underway. The aggressiveness of the CFPB is likely to ramp up now that Biden nominee, former FTC Commissioner, Rohat Chopra has been confirmed as the new CFPB Director. In a statement last year in connection with an FTC auto dealer consent decree, Chopra stated a desire to use the unfairness prong of federal law to attack disparate impact credit discrimination and expressed his desire for “a systemic approach to protecting Americans from auto market abuses.”  

    ​With creative, anti-auto dealer regulators in charge, the increased penalties and possible criminal indictments are coming. Now would be a good time to have us review and audit your compliance practices and make sure you are not engaging in conduct that a regulator could fit under one or more of these federal laws as well as state “unfair and deceptive acts and practices” laws as well.
    0 Comments

    Dealer Rate Participation Assailed in New York Disparate Impact Cases

    9/9/2021

    0 Comments

     
    The New York State Department of Financial Services (“Department”) recently entered into consent decrees with two state auto finance lenders settling allegations of disparate impact credit discrimination. The Department alleged that beginning in 2016, the banks violated state anti-discrimination law and the federal Equal Credit Opportunity Act (“ECOA”) by allowing auto dealers to mark up their buy rates for consumer auto finance.  This practice allegedly resulted in minorities paying higher rates for auto financing than whites.
     
    In deciding that discrimination had occurred, the Department followed the procedures used by Consumer Financial Protection Bureau (“CFPB) during its disparate impact assault on dealer rate participation beginning in 2013.  Since ECOA prohibits collecting customer race or ethnicity for auto finance customers, the Department applied a highly criticized proxy, the BISG proxy, that attempts to identify minority consumers based on surname and geolocation.  In doing so, the Department found that minorities allegedly paid higher rates ranging from 20BP to 59BP over and above what white persons paid. 
     
    According to the Department, each bank,” in violation of New York Executive Law § 296-a, instituted discretionary Dealer Markup policies that resulted in disparate impacts that negatively affected members of racial and ethnic minority groups, without any justification.” Note that all dealer participation was found to be at fault, not just dealer participation where different pricing was allegedly found. The Department expressly found no evidence of intent to discriminate.

    In announcing the consent decrees, New York Financial Services Superintendent Linda A. Lacewell stated, “The Department is committed to ensuring that all individuals, regardless of race or ethnicity, are treated equally by lenders across New York State.  Ensuring access to automobile loans on equitable terms is just one way in which the Department seeks to combat the inequities faced by individuals of color and to achieve economic justice.”

    The two state lenders agreed to pay restitution to affected minority consumers (it is unclear which persons or even how many were negatively affected) plus penalties to the Department of $275,000 and $350,000, respectively. One lender exited the auto finance business altogether while the other agreed to eliminate dealer rate participation and compensate dealers solely through flat fees going forward.
     
    These cases are believed to be the first time that a state regulator has settled claims involving dealer rate participation and alleged disparate impact credit discrimination in auto finance.  It now appears that dealer rate participation may be considered unlawful in New York if it results in minorities paying higher rates than whites.
     
    Other states, as well as the federal CFPB and Federal Trade Commission (“FTC”) are looking at dealer rate participation for similar disparate impact credit discrimination claims.  The issue has garnered the attention of the National Association of Attorneys General.
     
    The Department recognized that a legitimate business reason can justify rate discrepancies.  Dealers are strongly advised to adopt the NADA Fair Credit Compliance Policy & Program which provides for a standard rate participation amount and allows for downward deviations from the standard rate only for identified legitimate business purposes.  Examples of legitimate business reasons include matching a local credit union’s rates, manufacturer incentive rate buydowns, and where a consumer demonstrates an inability to pay at the higher rate.
     
    The NADA Program is based on disparate impact consent decrees entered into by the federal government and requires that each deal be certified as using either the dealer’s standard rate participation or documenting the legitimate business purpose for a lower rate.  Another NADA program applies a similar approach to the sale of voluntary protection products and sets a standard price and then documents a legitimate business reason for selling the products at a lower price.  Consumer advocates claim that minorities and other protected classes of persons pay more for voluntary protection products than white persons do.
     
    Expect disparate impact credit discrimination attacks to continue in progressive states and from the CFPB where consumer activism seems to be back in force with leaders appointed by the Biden Administration. The FTC is now composed of three Democrats and two Republicans and may take up this issue as well.  Having a deal by deal documentation of charging either the standard established rate participation or documenting the legitimate business reason for charging a lower markup is the best protection a dealer can take to avoid being caught up in the disparate impact crossfire.
    0 Comments

    A Data Security Breach: Your Dealership's Biggest Potential Liability

    9/2/2021

    0 Comments

     
    I frequently get asked by auto dealers what is the largest risk that a dealer faces in business.  The answer to me is clear: it is the risk of a Safeguards violation and data breach when your customer’s non-public personal information (NPI) is wrongfully accessed or compromised.  Just the costs to respond have put dealers out of business because there are so many fronts to manage.
     
    The All-in Cost of a Data Breach
     
    An annual report of the cost of data breaches, IBM, Cost of a Data Breach 2021, quantified some of the direct and indirect costs.  The study examined breaches containing as few as 2,000 compromised records so it is relevant to auto dealers large and small.
     
    On average, the overall average cost per record compromised in the 2021 study was $161, an increase from $146 per lost or stolen record in the 2020 report year.  So, if 10,000 records were compromised, the all-in cost would be $1,610,000,  
     
    Compromised credentials, such as when a hacker gets access to a user’s system credentials and gets into your system, were the largest cause of NPI breaches. Email compromise such as phishing attacks, social engineering, and malicious insiders were leading examples of how costly data breaches began. Lost business accounted for 38% of the cost.  This includes increased customer turnover, lost revenue due to system downtime and diversion of management talent, and the increasing cost of acquiring new business due to diminished reputation.
     
    Employees working remotely was cited as one reason for the increase in data breaches last year. IT changes such as cloud migration and remote work, increased the costs. Organizations having more than 50% of their workforce working remotely incurred $750,000 in higher costs compared to organizations that did not, a difference of 16.6%. It also took companies with more than 50% of employees working remotely an average of 58 days longer to identify and contain a breach.  It took an average of 287 days to identify and contain a breach.  The longer the delay, the greater the costs.
     
    Ransomware attacks were also quantified by the study.  Ransomware occurs when a criminal takes over and encrypts your system data and refuses to turn over the encryption key unless you pay a ransom.  Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs, but did not include the cost of the ransom.
     
    Costs can be characterized in four categories.  i) Detection and escalation including forensics, audit, containment, and system fixes; ii) Notifications to regulators, law enforcement, affected consumers, and other third parties; iii) Post-breach response – costs of credit monitoring for affected consumers, help desk and inbound communications, PR, legal expenditures, fines, and litigation defense and resolution; and iv) Lost business – business disruption and revenue losses
     
    Safeguards Steps You Can Take to Reduce the Risk
     
    There is no magic bullet that can ensure you will never suffer a security breach.  However, you can take steps to reduce the risk and, if you are ever breached, you will be judged largely by the prudence of the steps you took.  Here are ten basic steps (not a comprehensive list) that all dealers should take:
    • Education - All your people are at risk for being compromised.  Any employee can click on a phishing link in an email or text message that will enable a hacker to follow them into your system.  It is critical that all personnel be trained upon hire and at least annually thereafter on best safeguards practices from not clicking on links or unknown attachments to keeping paper records containing NPI locked up and not out in the open (clean desk policy) and never giving out personal information or system access credentials. Lock your computer when you walk away from it.
    •  System Protections - Your IT people should put NPI on a separate stand-alone server that is not connected to the Internet and requires the dual factor authentication to access. Your system should permit “read only” access to the NPI server and not allow information to be combined or downloaded onto external devices such as USBs or external hard drives. 
    • Credentials - Not everyone in your organization needs access to NPI.Chances are that more people have access to it than need NPI to do their jobs.  Limit permissions to only those you need NPI and give them only the minimum permission they need.  Authenticate people with dual factor authentication, something they know (like a password) and something they have (like a security code sent to a personal smartphone).  And require a sign-in separately for the NPI server from a sign-in to your system generally. 
    • Tracking Access to NPI - For electronic records, your IT people can set up a system that tracks each user’s access to NPI.  You can see each user’s pattern of access frequency.  If that pattern spikes at any time, it may be a sign that someone has compromised their credentials and is using them unlawfully.  You will then have the ability to shut the user down or re-credential.  For paper records, having a library system in which users must record taking and returning files will help make sure files don’t disappear or be accessed too frequently which may also suggest a malicious purpose. 
    • Passwords - Compromised passwords are one way that hackers access your system.  You should require personnel to use complex passwords.  Preferably 10 or more characters, a combination of Upper case, lower case, numerals, and symbols.  Force password changes every 90 days and prohibit reuse of passwords.  Employees should not share passwords or write them down in a way that can be seen.  As noted above, use dual factor authentication for access to the NPI server. 
    • Whitelisting and Blacklisting Web Sites - Your personnel should not have access using your system to access any website.  Web-based email such as gmail, yahoo, icloud and others, are notorious for containing malware-laden content.  Only websites necessary for the dealership’s operations should be permitted or “whitelisted.”  The system should be set up to deny access to any other sites.  The IT staff and your Chief Compliance Officer or security officer should have to sign off before any new website can be whitelisted. 
    • Install and Update Firewalls and Security Software - It is critical that your system and your NPI server be protected with firewalls and security software.  If you are going to allow your personnel to use mobile devices to access your system, use mobile device management (MDM)software on the remote devices.  MDM is security software that enables IT departments to implement policies that secure, monitor, and manage end-user mobile devices. This not only includes smartphones, but can extend to tablets, laptops, and even IoT (Internet of Things) devices. Updates should be installed as soon as they are available especially critical updates from the providers.  
    • Cyber Insurance - Cyber insurance generally covers your business' liability for a data breach involving NPI.  In the event of a data breach, it can help cover the costs of notifying customers about the breach; providing credit monitoring or other steps to protect the identity of compromised consumers; recovering compromised data; and repairing damaged computers or systems.  The price of cyber insurance has increased substantially over the past few years.  Manage the cost through deductibles and coverage limits.  Some cyber insurance is better than none. 
    • Backup Critical Data - This is particularly important given current ransomware attacks in which a hacker gains access to and encrypts your data and refuses to give the encryption key unless you pay a substantial ransom. Hardware failure, viruses, or other causes can make information unavailable as well.  Have a secure backup system in place to which only senior officers and IT staff can get access in the event it is necessary to restore systems or data. 
    • P2P and Social Networks - A peer-to-peer (P2P) network is a network between computers through LAN or the Internet. You should remove any P2P networks and any file-sharing clients that have been installed on your system.  Most P2P applications have worldwide sharing turned on by default during installation and run the risk of downloading viruses or malware or having data shared across the Internet.
    0 Comments

    Prepare Comprehensive Deal Jackets to Document Your Compliance

    4/30/2021

    0 Comments

     
    In this age of increased regulatory investigations and consumer lawsuits against auto dealers, it is more important than ever that your dealership position itself in the most positive light.  You may be doing everything right from advertising to titling but if you can’t document it, regulators and courts may take adverse inferences.  So let’s consider the critical documentation for your cash and credit transactions, the deal jacket.   More often than not, deal jackets will make or break your case.
     
    Deal jackets should be compiled and organized to lay out the transparent story of a compliant consumer transaction. Purchase, lease, finance, and cash deals will all come under scrutiny someday. And the deal jackets will tell the story.
     
    General Rules for What Should and Should Not Be in a Deal Jacket
     
    While there are no laws that require deal jackets, records retention periods are required by federal laws such as the Equal Credit Opportunity Act and Regulation B (ECOA) (25 months), the Truth in Lending Act and Regulation Z (TILA) (two years), the Consumer Leasing Act and Regulation M (two years), OFAC (five years), and others.  These requirements should be considered a floor, not a ceiling.  The ideal recordkeeping period is a month or two longer than the applicable statute of limitations to bring an action against your dealership.  This will generally be five to seven years depending on state law. Check with your state attorney on record retention periods.
     
    As a general rule, any document a consumer gives you or that you receive or give to a consumer together with any signed documents should be kept in a deal jacket.  A credit application, a driver’s license or proof of identity, proof of income, proof of address, form of down payment and trade-in information are examples of documents a consumer gives you. Include disclosure documents you give to the consumer (e.g., privacy notice, risk-based pricing credit score disclosure notice, adverse action notice, payment quotes including a first pencil and final pencil, “we owes,” CARFAX report on a used vehicle sale and Used Car Buyer’s Guide, payment protection product disclosures).  The customer’s proof of insurance.
     
    Information you learn about a consumer should also be kept in the deal jacket.  Examples are your red flags information report, OFAC report, credit report information, lender credit decisioning documents including rehashes, book outs on trade vehicles, and payoff information on a trade vehicle.
     
    Contracts and signed documents are also a must.  Buyers orders, lease orders, retail installment sales contracts, lease agreements, co-signer notices, preliminary and final menus showing the effect on a monthly payment that the consumer has signed or initialed, titling documents, payment protection product agreements, ancillary docs, and any disclosure documents the customer has signed are examples.
     
    Finally, there are internal deal documents that are best kept in a deal jacket.  These should start with the NADA Fair Credit Compliance Program Dealer Participation Certification Form and NADA Voluntary Protection Product Program Certification Form, IRS Form 8300 for certain cash deals, documentation of how you cleared red flags to verify a customer’s identity or cleared a preliminary OFAC hit, internal dealer-specific documents such as a MCO or another document indicating that the dealer has title to the vehicle being sold.  Profit and commission forms can also be added if necessary.
     
    It is not necessary to keep interim worksheets in a deal jacket.  Four squares can be very confusing and unless the four square clearly reflects the final deal terms that are nowhere else reflected, I am not a fan of keeping four squares.  I am not a fan of using them either.
     
    Organization of Documents in a Deal Jacket
     
    There is no right or wrong way to organize documents in a deal jacket.  The critical point is to organize all of your deal jackets the same way so that an auditor or reviewer will find a consistent layout of documents for a deal.
     
    I like the chronological approach starting with customer inquiries and responses, a list of the vehicle in inventory, and any communication with customers at the outset.  I would put a first pencil here.  This can be followed with a signed credit application, privacy notice, driver’s license or other identity documents, proof of residence and income, and the risk-based pricing credit score disclosure notice.
     
    Identity verification documents could follow next including your red flags provider report, OFAC check, and steps taken to clear red flags or preliminary OFAC hits.  If you used out-of-wallet authentication questions, just indicate how many questions the customer answered correctly.  Do not keep the questions.
     
    Deal documents come next.  The final pencil.  Approvals and declines from creditors to which you sent the credit application and document compliance with stips.  Receipts for the down payment, an IRS 8300 if necessary, and trade-in documentation including title and  vehicle book-out.  For used vehicle saless, a CARFAX given to the customer and a signed Used Car Buyer’s Guide.  A fully-signed buyers order or lease order, a retail installment sales contract or a lease agreement plus any co-signer notice.  The customer’s proof of insurance.  We owes.  Titling documents.  If the customer gave you a credit application but you did not get them financed, send the customer an adverse action notice and keep a copy in the deal jacket. Dead deals need deal jackets too.
     
    Signed preliminary and final menus and voluntary protection product documents should follow.
     
    The internal deal documents not previously included and any other documents can follow.
     
    Unwound Spot Deliveries
     
    If a spot deal is unwound, new documentation must be obtained for the rewritten deal.  The documents relating to the unwound deal should be marked VOID/UNWOUND or similar notation and retained as well. Spot deliveries generate probably the most litigation and it is important to have both deals along with the lender decisions documented to show you weren’t “yo-yo” financing the customer.
     
    Conclusion
     
    If you inadvertently fail to get a customer’s signature or initials, do not sign or initial on the customer’s behalf.  Try to get it after the fact.  A missing signature or initial is better than a forged one.  Training is the key to getting all documents properly signed and initialed.
     
    This article is intended only as a summary and not a comprehensive description of all documents in a deal jacket.  Your deal jackets will speak long after the fact and a good deal jacket may be your best defense to a lawsuit or regulatory challenge.
    0 Comments

    New Illinois Law Effectively Restricts GAP and Products Sales

    3/30/2021

    0 Comments

     
    Illinois Governor Jay Pritzker signed the Predatory Loan Prevention Act which applies to all consumer financing in the state and took effect upon his signature on March 23.  The law adopts a maximum Military Lending Act calculated APR (“MAPR”) of 36% for consumer loans in Illinois.  Consumer loans are defined to include motor vehicle retail installment sales contracts as well as traditional loans.  Only banks, savings associations, credit unions and other federally chartered lenders are exempt from the law.

    The MAPR is an “all in” APR, and includes in the interest calculation, with limited exceptions: (i) finance charges; (ii) application fees; (iii) any credit insurance premium or fee, any fee for a debt cancellation contract, or any fee for a debt suspension agreement; and (iv) any fee for a credit-related ancillary product sold in connection with the credit transaction,  The Department of Defense (“DOD”), which interprets the MLA, has not provided much guidance on what constitutes a “credit-related ancillary product.”

    In 2020, the DOD withdrew a prior interpretation of the MLA that effectively said when a lender extends credit in excess of an item’s purchase price, the exemption from the MLA for motor vehicle acquisition loans would not apply. This change was understood to allow dealers to sell GAP without running afoul of the MLA.  Repealing this interpretation, however, only meant a vehicle financing transaction was exempt from the MLA.  It did not address whether GAP is covered in the MAPR calculation.  A prudent approach for Illinois dealers is to treat GAP premiums as interest for purposes of calculating the MAPR rate under Illinois law.

    It may be possible to act as an agent for a federally chartered lender in the origination of two-party (direct loan) financing.  However, the law does not recognize such an agency approach if “the totality of circumstances indicates that the person or entity [the dealer] is the lender and the transaction is structured to evade the requirements of this Act.”  The question essentially comes down to the dealer’s economic interest in the transaction.  Dealers are advised to consult with their federally chartered lenders to attempt to structure an agency relationship for the dealer to have no economic interest in the financing (such as a non-recourse loan compensated by a flat fee) to not run afoul of this prohibition against evading the requirements of the law.

    Penalties under the new law are harsh.  They include making the credit arrangement null and void from inception.  No interest, principal, fees, or charges can be collected from the consumer.  The Illinois Secretary of Financial and Professional Regulation (“Secretary”) can impose a fine of $10,000 per violation and a violation of the Act is also a violation of Illinois’ UDAP law, the Illinois Consumer Fraud and Deceptive Business Practices Act.  That law allows consumers to sue for actual damages, punitive damages, and attorneys’ fees.

    The Secretary is authorized to write rules under the Act, but it is not known when he or she will do so.

    Reportedly, efforts are underway in the Illinois legislature to amend the new law to exempt purchase money auto financing.  It is unknown what the timing or likelihood of success will be of such legislation. 
    ​
    For now, compliance is a must given the draconian penalties of the new law.  It is recommended that you speak with your DMS provider to determine if it can calculate an MAPR and speak with your federally chartered lenders about an agency arrangement for direct two-party financing.  
    0 Comments

    New Heads of CFPB and FTC Are Not Fans of Auto Dealers

    3/3/2021

    0 Comments

     
    The Biden Administration represents a fundamental shift in federal consumer protection policy.  Nowhere is this more so than in the new heads of the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC). A difficult road may lie ahead for auto dealers.

    The CFPB

    President Biden nominated FTC Commissioner Rohad Chopra to become the new Director of the CFPB after Trump appointee Kathy Kraninger resigned on January 20, 2021. 

    Kraninger exercised many of the CFPB’s regulatory powers in behind-closed-doors supervisory examinations.  The goal was to effect conduct not inflict punishment.  Enforcement actions fell during her tenure and proposed regulations were less favorable to consumer groups.  As an example, she attempted to limit prohibited “abusive practices” to situations where the harm to consumers outweighed the benefits and seek monetary relief only when there was a lack of a good faith effort to comply with the law.

    Chopra comes at consumer protection and auto finance from a vastly different perspective.  Many believe Chopra is reminiscent of former CFPB Director Richard Cordray, who issued Guidance attacking indirect auto finance rate participation as disparate impact credit discrimination. Disparate impact occurs without any intent to discriminate when neutral business practices are determined to have a negative effect on rates and other terms given to protected classes of persons under ECOA.
    “He will be at least as aggressive as former Director Cordray, if not more so,” said Lucy Morris, a former CFPB deputy enforcement director who worked with Chopra in the CFPB’s early years and is now a partner at Hudson Cook. “His statements are very hard-hitting, and the language is quite charged.”

    The CFPB has ramped up hiring of enforcement lawyers since President Biden took office.   On February 9, the Acting Director posted a blog entitled “Calling All Attorneys Interested in Joining the CFPB” at all levels.  Pursuing enforcement actions will be a priority for these new lawyers.

    Take, for example, his comments in connection with the FTC’s settlement of a disparate treatment credit discrimination enforcement action against a New York auto dealer in 2020.  The dealership was charged with credit discrimination based on alleged comments of an f & I manager stating that minorities should be given worse terms.

    To settle the FTC’s lawsuit, the dealer agreed to pay $1.5 million in consumer remediation and FTC penalties.  Chopra gave his views on rate participation and disparate impact credit discrimination in a separate statement:

    "A dealer markup is an undisclosed kickback that dealers earn for convincing prospective car buyers to agree to a higher interest rate than they actually qualify for with a lender. These kickback arrangements are kept secret from car buyers, who end up paying far more for financing.
    It is rare to uncover direct evidence of racist intent. That’s why disparate impact analysis is a critical tool to uncover hidden forms of discrimination, not only in this context but throughout the economy. . . . In addition to discriminatory practices, there is growing evidence of widespread fraud and deceit, including the same “liar loans” that fueled the last recession."

    The FTC

    President Biden’s choice to head the FTC is Democratic Commissioner Rebecca Kelly Slaughter.  Under the Biden Administration, Democrats will outnumber Republicans 3-2 on the FTC.

    Commissioner Slaughter is also no fan of auto dealers.  Writing in the same New York auto dealer case, Slaughter took dead aim at auto dealers:

    "The automobile-financing market in the United States is profoundly broken. Although this matter involves extreme conduct that may make it seem like an outlier, the tricks and traps that [the New York dealer] used against consumers are all too prevalent at auto dealerships across the country.


    The fundamental problem in the auto-dealing market is that auto dealers no longer make most of their money by selling cars. Instead, they make money by selling credit and add-on products, such as guaranteed asset protection (GAP), window etchings, extended warranties, and anti-rust coatings. Nearly all of these moneymaking strategies can be bad for consumers. . . . I agree with Commissioner Chopra that the time has come for the Commission to commence rulemaking proceedings to tackle both the unfair and deceptive consumer abuses as well as the discrimination too often seen at auto dealerships.

    The consumer-dealer relationship is fundamentally unequal, and the dealers have had the upper hand for too long."

    Both Chopra and Slaughter also favor a broad interpretation of what an “unfair or abusive practice” is particularly in the auto dealer context.  Most analysts believe both will apply legal bans on unfair, deceptive, and abusive practices far more broadly than former CFPB Director Kraninger did.  Both also believe that disparate impact credit discrimination, which may not be legally actionable under the Equal Credit Opportunity Act, separately constitutes an unfair trade practice subject to their regulatory enforcement authority.

    What’s a Dealer to Do?

    With these two in charge, it is time to take a look at your compliance policies and practices in sales and f & i.  If you have not already done so, it is time to adopt the NADA Fair Credit and Voluntary Protection Products policies.  These policies set firm dealership rate participation and aftermarket product pricing and require a documented legitimate business justification for charging any customer a lower rate markup or price.  These are intended to follow FTC precedent for mitigating disparate impact credit discrimination risks.  They are really a must.

    Also adopt or refine your customer dispute procedures and apply them the same to all customers.  The CFPB and FTC will generally act on customer complaints and if you can resolve one before it gets to them, you are well advised to do so, even if it means giving the customer a seeming windfall.  Don’t be pennywise and pound foolish.

    Schedule training and AFIP certify your sales and f & I people if you have not already done so.  You need a good story to tell if your dealership comes under scrutiny.  It is going to be a tough four years ahead.
    0 Comments

    Selecting and Contracting with Service Providers

    2/11/2021

    0 Comments

     
    Service providers are necessary for the effective operation of any dealership.  From DMS providers to advertising agencies to CRM systems to IT providers and more, dealers rely on third parties to perform critical functions.  Service providers are given responsibility and placed in a position of trust.  Care must be used in selecting, contracting with, and managing service providers.
     
    Selecting Service Providers
     
    All service providers should be subject to some level of due diligence and scrutiny before being hired.  This is particularly important for service providers that will have access to dealership customers’ nonpublic personal information, dealership strategies, HR and benefit claims, or other confidential information.
     
    Vet a service provider prior to hiring them.  It is a best practice to identify multiple potential service providers and compare their respective track records in the industry and for the services you need.  For example, there are numerous DMS providers.  Which ones will best meet your needs in a way that minimizes complexity and is most user friendly?  Which ones have the best safeguards protections for your customer information?  Are there unique functions of a particular service provider that you find attractive?
     
    Once you have identified several leading service providers, do “due diligence” on their industry history and performance.  Has the service provider been subject to lawsuits from its clients receiving similar services?  What is the service provider’s Better Business Bureau reputation?  Has the service provider experienced a security breach and, if so, how did it address the breach and fix its systematic shortfalls?  Try to get references from other dealers using the same services and speak to the references.  The more important the service provider, the more you need to investigate.

    Putting out an RFP (Request for Proposal) to several competing potential service providers is a good way to get information about them to vet and a way to have each service provider applying for your business on equal terms.  
     
    Contracting with Service Providers
     
    A contract sets forth the terms for the services and, if properly drafted, provides you with important rights to manage the relationship with the service provider. A contract is more than a generic statement of services and the purchase price.   It is critical that you take the time to get the contract language to your satisfaction   It is not advisable to simply sign the vendor’s form contract.
     
    A contract should provide a detailed description of the services to be provided, the payment terms, and the applicable performance standards.  This requires attention to detail and should be specific to the nature of the services to be performed.  Examples of performance standards are percentage of calls handled within a specific time frame, delivery dates, time for responding to calls for IT support, and qualifications of personnel assigned to perform.
     
    Other provisions that should be included in all service provider agreements include:
     
    • Relationship/Independent Contractor  -  You do not want the service provider or any of its employees to be deemed your employees.  A well-drafted “independent contractor” clause is necessary to do this.
     
    • Ownership of Work Product  -  The service provider’s work should be stated to be “work made for hire” under federal copyright laws which means that you will own the work product.  This may not be possible for off-the-shelf or even customized software.  In such a case you should obtain a perpetual, fully-paid-up, and irrevocable license to use the work.
     
    • Confidentiality  -  The service provider should acknowledge the confidentiality of your information and the need to safeguard your customer information in accordance with the FTC Safeguards and Disposal Rules.  If the vendor suffers a security breach or otherwise believes your information may have been compromised, they must notify you immediately.
     
    • Representations and Warranties  -  The service provider should warrant that its work does not infringe or violate the rights of any person or entity.  If a claim is made that the work does infringe, the vendor is obligated to develop a non-infringing workaround that performs the same functions.
     
    • Indemnities  -  If you are sued because of any alleged wrongful act or omission of the service provider, the service provider should defend and indemnify you for any loss and expense.  The same holds true for all claims and arbitration demands.
     
    • Right of Audit  - You should have the right to audit upon reasonable notice the vendor’s performance as well as their program for safeguarding customer information.  If the service provider has access to customer or employee information, they should share penetration and vulnerability test results with you along with their plans to fix issues identified in such tests.
     
    • Term and Termination  -  Depending on the vendor, a one-year contract with automatic renewal terms is often best.  You may want to commit to a longer term to lock in pricing. For complex relationships with long ramp-up times such as DMS providers, you will want longer terms.  You  want the right to terminate for a material breach that is uncured for 30 days or immediately in the event of a financial failure or a takeover.
     
    • Covenant of Cooperation Upon Termination  -  Whenever and however the service provider agreement terminates, you want a continuing covenant of cooperation in transitioning to a successor.  This is particularly important for DMS providers.
     
    • Dispute Resolution  -  Designate an informal dispute resolution process followed by an arbitration clause that will apply to all disputes except for seeking injunctive relief. 
     
    Managing Service Provider Relationships
     
    Service provider relationships should be carefully managed to ensure you are getting the services you agreed to pay for. A best practice is to designate a dealer representative for each service provider, a relationship manager.  This person is responsible for the service provider relationship day to day.
     
    If a service provider is not performing in a satisfactory manner, it is important you take some action even if it means just going up the chain of command to the vendor’s manager who can address the shortfalls.  Under the common law, parties can be held to have effectively amended their contract through “course of dealing.”  The equitable doctrines of estoppel and laches may also operate to preclude you from exercising your contract rights if you have unreasonably delayed in questioning performance.  Use your right of audit, even if you do a remote audit, to stay on top of what the service provider is doing and failing to do.  Then take action.
     
    Document your complaints in writing.  Follow up in writing if the performance does not improve.  Not every shortfall in performance will justify a contractual notice of default.  Use informal means whenever possible.  This will help preserve the relationship and may lead to formally amending the contract if an alternative resolution is necessary.
     
    Do not threaten to exercise legal rights and then fail to do so.  Apart from “course of dealing” risks, repeatedly threatening default generally does not help a relationship.  But if doing so is necessary, such as in the event of a serious financial failure or a material uncured performance shortfall, do not wait to exercise your contract default rights.
     
    Prior to doing so, you should be working to vet and be ready to hire a successor.  Lining up a successor is not contractually prohibited.  As noted above, the contract should have a covenant of cooperation in which the service provider being terminated agrees to work with the successor for a seamless transition.  This cooperation is particularly necessary for vendors such as DMS providers and IT companies.  The more complex the services, the more likely it will take the work of a predecessor provider to ensure the success of a new provider.  One major DMS provider reportedly will not agree to assist a successor.  This is a factor to consider when deciding to hire them in the first place.  You want to avoid disruption to the business.
    Conclusion
     
    Vet all service providers and take the time to make sure your contracts reflect favorable terms.  Manage the relationship and work with the service provider to improve.  Always have a termination plan in mind and be ready to implement it once the contract ends, no matter why or how the relationship terminates.
    0 Comments
    <<Previous

      Author

      Randy Henrick is a leading auto industry compliance consultant. This article is not intended as legal or compliance advice due to the unique nature of a dealer's situation in each state. Randy's articles do provide issues and best practices that you may want to discuss with your attorney or compliance advisor for possible adoption in your dealership. Email Randy at AutoDealerCompliance@gmail.com
      Follow us on Twitter @randyh44

      Archives

      October 2021
      September 2021
      April 2021
      March 2021
      February 2021
      January 2021
      August 2020
      July 2020
      May 2020
      March 2020
      January 2020
      December 2019
      October 2019
      August 2019
      June 2019
      April 2019
      March 2019
      February 2019
      January 2019
      November 2018
      October 2018
      August 2018
      June 2018
      May 2018
      February 2018
      December 2017
      October 2017
      September 2017
      July 2017
      May 2017
      March 2017
      January 2017
      December 2016
      November 2016
      October 2016
      September 2016
      August 2016
      June 2016
      May 2016
      April 2016

      RSS Feed

    Powered by Create your own unique website with customizable templates.
    Back to top