There is no “one size fits all” CMS although there are basic things it should include. A dealership’s Code of Ethics and Code of Conduct signed off on by the Board is an important place to start because these touch everything the dealer does. They also establish the corporate “culture of compliance” which is something any regulator investigating the dealership will want to see and know.
Both the Code of Ethics and Code of Conduct need to be ingrained in every employee and vendor working at the dealership. It is also important to get third-party buy-in from remote vendors working on your business: IT vendors, security vendors, DMS providers, agencies producing material or providing temporary staffing, and so on. All must acknowledge and commit to the Code of Ethics and Code of Conduct for all dealer-related activities.
Risk-Based Analysis of Issues Applicable to the Dealer
Before appointing a Chief Compliance Officer and adopting substantive policies that compose the CMS, the Board or its representatives must do a risk-based analysis of issues and risks the dealer faces in everyday affairs. This includes things like sexual harassment (the issue that drives the majority of lawsuits a dealer will encounter); data privacy and Safeguards; wholesale vehicle acquisition; complying with laws and regulations for pulling credit bureaus, taking credit apps, telemarketing, and prospecting; aftermarket product selling; fair lending; OSHA and workplace safety; environmental issues; insurance issues; licensing and periodic regulatory audits; resolving customer disputes; manufacturer relations; customer identity verification procedures (the FTC Red Flags Rule); and other issues. A consumer complaint process is a necessary component of a CMS.
From this risk assessment, the Board will determine its risk tolerance in the various areas identified and begin the process of issuing compliance procedures to address those risks. The nuts and bolts of the CMS policies will be drafted by the Chief Compliance Officer in conjunction with counsel, but the Board prioritizes risk and indicates the areas where attention and process must be focused.
Ultimately it is the Board or senior management that is responsible for the CMS and through its practices, statements, audits and periodic meetings with the CCO, the Board must exercise its oversight of dealership compliance. A CCO should report to the Board or, if the dealer has no Board, the Chief Executive Officer.
Appointment of Chief Compliance Officer and Preparing Policies
The appointment of a Chief Compliance Officer (CCO) is necessary as the CMS is developed and processes and procedures are put in place for managing risk and reporting deviations from expected behavior. The CCO should be “at the table” as new products and procedures are developed by the dealership. He or she must make sure the Board is informed, and the Board must make resources available to the CCO so that all processes and procedures can be followed, tested, audited and refined.
For example, a customer data Safeguards policy is required by the Federal Trade Commission (FTC). The Board should assess the risk of data being compromised in both paper and electronic format and work with the CCO to adopt access permissions; track each individual access to non-public personal information by each user; establish a standard for unusual use that will be flagged and require further investigation; and have a security incident response committee consisting of senior management, the CCO, legal counsel, an IT or forensics specialist, a breach response firm and PR firm, and other internal and external resources to investigate the incident and manage a breach. A data breach is your biggest single risk of being financially put out of business, and the policies and procedures to track data and manage its use are a critical element of a Safeguards Policy and CMS.
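The access tracking and “standard for unusual use” described above, as an added example that is not part of this article: a short Python script that reads a constructed log of accesses to non-public personal information, records which customer records each user touched per day, and flags two kinds of unusual use for the CCO to investigate. The log format, the per-role daily baseline, the business-hours window and all user and record identifiers are assumptions made up for the example; a dealership would set its own standard from its risk assessment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample NPI access log (not real data). One line per access:
# <ISO timestamp> <user> <role> <customer record id> <action>
SAMPLE_LOG = """\
2024-03-04T09:12:01 jsmith sales C1001 view
2024-03-04T09:40:22 jsmith sales C1002 view
2024-03-04T10:05:13 mlee finance C1003 view
2024-03-04T10:07:48 mlee finance C1003 print
2024-03-04T11:15:00 tnguyen sales C1010 view
2024-03-04T11:16:02 tnguyen sales C1011 view
2024-03-04T11:17:09 tnguyen sales C1012 view
2024-03-04T11:18:11 tnguyen sales C1013 view
2024-03-04T11:19:15 tnguyen sales C1014 view
2024-03-04T11:20:20 tnguyen sales C1015 export
2024-03-04T23:45:10 rpatel service C1020 view
"""

# Hypothetical "standard for unusual use": the most distinct customer records a
# user in each role is expected to touch per day, and the local hours outside
# of which any NPI access is worth a second look. Values are illustrative only.
DAILY_RECORD_BASELINE = {"sales": 5, "finance": 20, "service": 10}
BUSINESS_HOURS = (7, 20)  # 07:00 to 20:00 local time


def parse_line(line):
    """Split one log line into its fields; the layout is assumed for this example."""
    ts, user, role, record, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "record": record, "action": action}


def find_unusual_use(log_text):
    """Return one finding per access pattern that exceeds the standard.

    Two checks are applied: any access outside business hours, and any user who
    touches more distinct customer records in a day than the baseline for their
    role. A role with no baseline is itself flagged, since it has no standard.
    """
    findings = []
    per_user_day = defaultdict(set)  # (user, role, day) -> distinct records

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        hour = ev["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            findings.append({"user": ev["user"], "reason": "after_hours",
                             "detail": f"{ev['action']} {ev['record']} at {ev['ts'].isoformat()}"})
        per_user_day[(ev["user"], ev["role"], ev["ts"].date())].add(ev["record"])

    for (user, role, day), records in per_user_day.items():
        limit = DAILY_RECORD_BASELINE.get(role)
        if limit is None:
            findings.append({"user": user, "reason": "unknown_role", "detail": role})
        elif len(records) > limit:
            findings.append({"user": user, "reason": "volume",
                             "detail": f"{len(records)} distinct records on {day} (baseline {limit})"})
    return findings


if __name__ == "__main__":
    for f in find_unusual_use(SAMPLE_LOG):
        print(f"{f['user']:10} {f['reason']:13} {f['detail']}")
```

Run against the constructed log, the script flags the after-hours view by rpatel and the six distinct records pulled by tnguyen in one morning (over the assumed sales baseline of five); the ordinary activity of jsmith and mlee produces no finding. The point of the per-role baseline is that the Board, not the script, decides what “unusual” means; the script only makes that decision repeatable and auditable.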
A periodic system vulnerability analysis by “white hat” hackers who attempt to break into your system, together with penetration tests on authorized devices, is a must in today’s environment. A CCO must keep the Board informed on new security issues and obtain the approval and resources to test the system and make necessary changes.
Policies and Procedures
A policy sets forth a higher-level standard about what the law, regulations and dealership require and establishes a procedure for prospective violations and how they are to be handled and addressed. Procedures take the broad sweep of a policy and provide specific details to each position in the organization that the policy touches.
It is important for line managers to be the first level of defense by assessing the compliance behavior of their direct and indirect reports. If an incident or pattern of non-compliance is detected, the line manager meets with the CCO to begin implementation of the process described in the policy for potential violations. Depending on the seriousness of the violation, senior management or the Board may also need to be involved.
A good example is a sexual harassment policy. The policy should make clear that even the appearance of sexual harassment or a hostile work environment is a trigger for corrective action. Employees must feel they can report misconduct without retaliation, and the use of a third-party reporting company may make employees less fearful than reporting a possible violation internally. Anonymity must be preserved but cannot be guaranteed, since in the course of a disciplinary proceeding or investigation the reporting person’s identity is likely to come out. This is why a non-retaliation policy is critical. The reporting procedures and non-retaliation policy should be publicized to all employees by training, posters in the lunchroom, and other visible assurance.
Reporting and Audits
Any CMS must have reporting procedures and procedures for internal as well as external audits of compliance. This can be anything from periodic inspection of deal jackets by the CCO to ensure documentation is being handled properly to a financial audit to an OSHA audit. The CCO will not do all the audits but will work with the subject matter auditing teams (internal or external) to make sure that identified discrepancies are quickly addressed and policies and procedures changed accordingly, as necessary.
Training, the Employee Handbook, and Updates
Ongoing training of all employees is a critical element of a CMS and is required periodically by some states such as New York and California for sexual harassment and other subjects. Generally, there is no required format for training although state law may require a live trainer for certain subjects. Check with your local counsel.
The Employee Handbook should include the Code of Ethics and Code of Conduct in their entirety and link to the other policies as well as constitute a basis for Human Resources topics such as paid time off, disability and other benefits. It is best to have the Employee Handbook done electronically with each page dated so that as revisions are made, they can be identified. It does not have to be a long document but all employees should read the Employee Handbook and link to the policies and procedures applicable to their jobs. A test on the Employee Handbook once a year is another good practice to supplement training.
Updates come from many different places. Changes in law, case law decisions, new regulations, audit findings, and employee feedback are main examples. But patterns of behavior that don’t rise to the level of a violation can also create the need for changes. Security is a constantly evolving area and employees should be reminded of best Internet practices and perhaps subjected to a mock phishing drill where a fake phishing email is sent out to all employees to track who clicks on the link. Behavioral testing has been shown to be more productive generally than simple book training. Again, consider your risk options and what procedures work best for your dealership.
A CMS is the lifeline of a dealership. If done properly, it will establish the culture of compliance and bring employees into the culture by providing the process and procedures they need to do their jobs compliantly. Systems will be in place to require managers to report potential incidents, systematic procedures will track access to customer information, and auditing will identify issues that can be corrected or processes that can be improved. The evolving nature of a CMS will require ongoing training, but it can be customized to each employee’s position so everyone doesn’t have to learn everything.
Regulators have expressed a strong desire for a CMS, and if it is broken down into the pieces discussed in this article, involving the Board and appointing a knowledgeable Chief Compliance Officer, the process should not be daunting, especially if input is sought from employees or managers in developing the process and procedures so they have an ownership interest as well. Good luck with your CMS process and seek help from your outside counsel or compliance resource as necessary.