Randy Henrick & Associates, L.L.C.

Blogs

Randy Henrick to Partner with Ignite Consulting Partners

1/6/2020

0 Comments

IGNITE CONSULTING PARTNERS ANNOUNCES NEW ADDITION TO THE TEAM !



Ignite Consulting Partners, a leading provider of compliance services to car dealers and finance companies, is pleased to begin 2020 by announcing a new addition to its team.
Randy Henrick has joined the team as the leader of Ignite’s new Franchise Dealer Group. "Through Randy's work at DealerTrack, he is a recognized expert in the compliance challenges faced by franchise dealers, so it's only natural that he assumes a leadership role with Ignite,'' said Richard Hudson, Ignite's Managing Member. Randy's background includes auto finance, privacy, data security, and consumer credit. He was DealerTrack's regulatory and compliance counsel for twelve years. He is a frequent speaker at industry events and published author of numerous articles, including monthly articles in Subprime Auto Finance News. Randy also provides training and compliance audits to dealers.
"Randy is a thought leader on dealer training and education, which philosophically aligns with Ignite's vision, plus he brings a wealth of expertise that will be a benefit our clients, both franchise and independent dealers,'' said Steve Levine, Ignite's Chief Legal and Compliance Officer.   "I am pleased to affiliate with a dynamic and growing compliance leader such as Ignite," said Henrick. "I think our association will benefit dealers of all types and provide creative and effective compliance solutions to our clients."
Randy will continue to offer compliance services and resources to dealers as principal of Randy Henrick & Associates, LLC. Contact us at autodealercompliance@gmail.com

0 Comments

2020 Auto Dealer Compliance Hot Issues

12/10/2019

0 Comments

It’s time to take out our annual crystal ball and see what are likely to be hot compliance issues for auto dealers in 2020. Remember that 2020 is an election year. Many state Attorneys General are running for re-election and a big splash enforcement action against an auto dealer is almost a regular campaign event to attract consumer support and consumer plaintiff attorneys’ campaign contributions.

Safeguards and Data Security - The Federal Trade Commission (“FTC”) dived into the auto dealer safeguards world with its consent decree against DMS provider DealerBuilt in 2019. The FTC found DealerBuilt to have inadequate safeguards procedures (and they didn’t even have a safeguards policy).
The FTC ordered specific safeguards requirements for DealerBuilt as part of its 20-year enforcement consent decree. These included encrypting personal data at rest and in motion; testing its system as well as monitoring and authenticating access permissions to customer data; performing vulnerability scans and penetration tests on its network several times per year; contractually requiring service providers to safeguard information; submitting to an annual third-party assessment of its security practices; and reporting to the FTC.

The FTC also issued proposed regulations to amend the Safeguards Rule. The Rule, since it was passed in 2002, has required dealers and other covered persons to implement security procedures reasonably related to their risk assessment. The Safeguards Rule does not require any specific security practices.

But the proposed amendment would, among other things, require all dealers to:
- designate a senior officer as the Chief Information Security Officer responsible for managing compliance with the dealer’s Safeguards Plan;

- encrypt customer non-public personal information at rest and in motion;
- create and periodically test an incident response plan to consist of a committee of internal officers and external professionals to respond to an actual or suspected security breach;
- place access controls on information systems, require two-factor authentication (a password and a biometric or one-time code), and permit access only to individuals who need consumer information to do their job;
- adopt audit controls of who accesses customer information and when;
- conduct annual penetration testing and biannual vulnerability assessments of your system;
- oversee service providers on information security and train employees at least once a year on best security practices; and
- develop secure procedures for destruction of information when no longer needed.

Americans with Disabilities Act (“ADA”) Website Compliance - A number of courts have ruled that websites are “places of public accommodation” under Title 3 of the ADA. This means dealers need to make their websites accessible to people with disabilities such as people who are sight-challenged or hard of hearing. Lawyers have been holding dealers up with settlement demands where the dealer site is not ADA-compliant. Attorneys have filed hundreds of ADA suits when they have been unable to extort settlements.

There are no federal standards to clarify what compliance is but there are industry standards such as the Web Content Accessibility Guidelines (WCAG). WCAG 2.0 AA is frequently referenced by courts.

Your best action is to take affirmative steps to attempt to make your website accessible to disabled individuals. You have flexibility in meeting the ADA and a good faith effort to do so may be enough to dissuade the lawyers from making you the next target. Here are some elements you should include:

Start by adding alt text to every meaningful page on your site. All video-only and audio-only content needs a text transcript. Transcripts should be clearly labeled and linked below the media. All video with sound should contain accurate closed captioning. Any live video presentations must have closed captions. Audio descriptions of video and images should also be included.
Use proper markup techniques to structure your website’s content (e.g. use correct heading tags and HTML for ordered and unordered lists). Present content in a meaningful order and sequence so that it reads properly. When providing detailed instructions, make it so they aren’t reliant on a single sensory ability.

There must be a color contrast ratio of at least 4.5:1 between all text and background. Text must be able to be resized up to 200% without negatively affecting the ability to read content or use functions.

All content and functions on a website must be accessible by keyboard only (i.e. no mouse). Keyboard-only users must never get stuck on any part of the website; they must be able to navigate forwards and backwards. If there any time limits on a website or content that blinks, scrolls, or moves, users should have the ability to turn it off, pause it, stop it, adjust it, or extend it.

Your website also must be predictable and understandable. Sections 4 and 5 of WCAG v 2.0 A describe procedures to accomplish this as well.

3. Criminal Prosecutions of Dealer Principals - The past two years have shown an increase in federal and state authorities seeking criminal convictions of dealer principals as well as sales and f & i employees for wrongful acts at the dealership. The wrongful acts include payment packing, misrepresenting income and other fields on credit applications, misstating down payments on retail installment sales contracts and lease agreements, and other bad acts.

The Department of Justice (DOJ) has used laws against bank fraud and wire fraud as the lynchpins for these prosecutions.

Bank fraud covers any “scheme or artifice” intended to “defraud a financial institution,” or the use of deceptive means to obtain something of value that a financial institution owns or controls. A conviction under the federal law can result in up to 30 years in prison, a fine of up to $1 million, or a combination of the two.

The essential elements of wire fraud are: (1) a scheme to defraud; and (2) the use of, or causing the use of, interstate wire communications to execute the scheme.

So, dealer acts that misstate a customer’s income to obtain credit or that “front end” optional aftermarket products that result in a bank being undersecured or making an unsafe or unsound credit decision will qualify. The DOJ has used both these parameters to seek and obtain criminal prosecutions against dealer principals and the sales and f & i managers who committed the wrongful acts.

State AGs are also using the criminal law against dealer principals. AGs in Pennsylvania, Massachusetts, California, New York, and New Jersey have been particularly active.

Internet Advertising - The FTC has issued guidelines for Internet advertising and most of its advertising enforcement actions now address websites and social media. Google “FTC Advertising and Marketing on the Internet: Rules of the Road”

The same rules that apply to print and television advertising apply to Internet advertising. Triggering terms require inclusion of triggered terms under Truth in Lending and the Consumer Leasing Act. “Clear and conspicuous” disclosures must be placed close to the headline and not buried in scrolling text paragraphs. Hyperlinks can be used but not for any disclosure that is “an integral part of the claim.”

Social media advertising generally involves many moving images and sounds. This can distract from required disclosures especially if they are not located on the same page or require the customer to move around the page to find them.

The FTC’s requirements for clear and conspicuous disclosures on social media in particular require that ads considered as a whole be honest, straightforward, and disclosures be clear and conspicuous given consumer reading habits on the Web. Consider your own reading habits of scrolling paragraphs and understand that the disclosures must be at the top and not buried in the middle of rambling text. The FTC guidelines describe additional online advertising requirements such as making the disclosures clear and conspicuous in any device on which they can be seen and not using media that does not have capacity for necessary disclosures.

Military Lending Act (“MLA”) - Since December 2017, Department of Defense rules have effectively prohibited the sale of GAP and credit insurance to MLA covered persons. Your credit bureau will typically identify whether a consumer is an MLA covered person when it provides you with a credit report. Until the rule is repealed (hopefully some time in 2020), make sure you check a consumer’s status under the MLA before you sell them GAP, credit insurance, or give them an option of taking cash out of a financing.

Other Issues - Other issues include the FTC’s field tests of dealers’ use of Used Car Buyers Guides on all used vehicles offered for sale; new federal laws prohibiting use of paid reviews on websites without disclosing the reviews are paid testimonials and prohibiting use of prohibitions against posting negative comments about the dealership online; FTC scrutiny of “spot deliveries” or “yo-yo financing” as the FTC has termed the practice in consent orders with dealers; Equal Credit Opportunity Commission (EEOC) actions against auto dealers for sexual harassment and sex discrimination; and battles with DMS providers and state laws as to who owns and can use dealer data.

Other and new issues will also emerge. Keep up with ongoing developments by reading publications, attending compliance programs, and working with your state dealer associations.

And have a Happy New Year!

0 Comments

EEOC On the Aggressive Against Dealers for Discrimination

10/15/2019

0 Comments

Among the regulatory compliance actions we have seen in just the past few months are increased interest by the Equal Employment Opportunity Commission (EEOC) in dealer and automobile industry workplace discrimination.

Most recently, the EEOC has filed actions for age, disability, and sex discrimination against dealers. Several private sexual harassment and sex discrimination lawsuits have also been filed against dealers seeking six and seven figure damages awards.

Age Discrimination

The EEOC’s most recent action was filed against a dealer group in Cleveland. The EEOC accused the dealer of intentionally subjecting older workers to age discrimination. According to the suit, the dealer discriminated against a former employee by refusing to re-hire her because of her age (52), and for terminating two sales employees because of their ages (67 and 70).

As a result of these practices, the EEOC brought a lawsuit alleging the dealer violated the Age Discrimination in Employment Act (ADEA), which prohibits age discrimination in employment against people who are age 40 or older, according to the lawsuit. The lawsuit seeks monetary relief, including back pay and liquidated damages for the three former employees, plus attorney’s fees. The suit also seeks injunctive relief to prevent future age discrimination, including an order for the dealer to institute policies, practices and procedures that conform to the requirements of federal law.

Disability Discrimination

In another recent case, The Ford Motor Company's Kentucky Truck Plant in Louisville, Ky., will pay up to $537,760 and furnish other relief to resolve a disability discrimination charge by the EEOC.
The EEOC's investigation found reasonable cause to believe that the Kentucky Truck Plant failed to hire applicants due to their disabilities. This also included screening out applicants based on criteria not shown to be job-related and consistent with business necessity, and failing to use the results of post-offer, pre-employment medical examination in accordance with the requirements of the Americans with Disabilities Act (ADA). Ford chose to voluntarily resolve the matter with the EEOC, without an admission of liability, to avoid an extended dispute.

The conciliation agreement provides relief to 12 individuals in addition to the person who filed a charge with the EEOC, and the EEOC retains discretion to distribute some of the funds to individuals it has yet to identify. The agreement also calls for the Kentucky Truck Plant to provide additional written guidance and training to employees involved in the pre-employment, post-conditional offer medical exam process, along with one-hour training on the ADA to the facility labor relations staff.

In a disability discrimination suit against a dealer, the dealer agreed to pay $27,100 to a former employee as part of the settlement of a lawsuit brought by the EEOC.

According to the EEOC's lawsuit, the company refused to provide a medical leave of absence as an accommodation to an employee who suffered from anxiety and depression and then fired her because of her disability.

In addition to paying the former employee $2,100 in back pay, the dealer will also pay $25,000 in compensatory damages. Further, the dealer agreed to:

·         review and revise its written policy prohibiting disability discrimination, to ensure that the policy specifically explains the process by which an employee requests a reasonable accommodation;
·         disseminate a copy of the policy to all employees;
·         within 90 days of entry of the decree, have all employees sign and acknowledge receipt of the revised policy; and
·         train all managers at its corporate office and at its dealerships on disability discrimination and reasonable accommodations.

Sex Discrimination

Sex discrimination and sexual harassment or retaliation are probably the most likely legal actions a dealer will face.

Recently, the EEOC brought a lawsuit against a dealer in St. Louis claiming it violated federal law when it refused to hire a female salesperson.

According to the suit, the owners bought an existing car dealership in 2017. After the purchase, they hired all the prior owner’s staff except one, the sole female salesperson, despite her successful sales record and previous customer service award. At the time, an executive told another manager, "This is not a lady's job yet."

Such alleged conduct violates Title VII of the Civil Rights Act of 1964 ("Title VII") which prohibits discrimination in employment based on race, color, national origin, sex, and religion. After first attempting to reach a pre-litigation settlement through its conciliation process, the EEOC filed the lawsuit in U.S. District Court for the Western District of Oklahoma where the dealership group has its headquarters. The agency seeks monetary damages, training on anti-discrimination laws, posting of anti-discrimination notices at the worksite, and other injunctive relief.

"Federal law has guaranteed equal employment opportunity for women for over 50 years, but some employers still say, 'not yet'," said Andrea G. Baran, the EEOC's regional attorney in St. Louis. "We are committed to ensuring that the millions of women who work in male-dominated industries every day are judged solely on their abilities, not their gender."

In another suit in Reno, Nevada, the EEOC sued a dealer for quid pro quo and hostile work environment sexual harassment and sex discrimination.

According to the EEOC's lawsuit, a female car salesperson hired into an all-male sales department was denied access to online training, sales opportunities, and payroll advances routinely available to her male counterparts. Her male co-workers frequently refused to assist her, despite readily helping each other. Frequently, her deals were overly scrutinized and rejected without justification. In addition, on an almost daily basis, she endured offensive comments about her sex, appearance and weight, and negative comments about women working in car sales. Although the discriminatory conditions were reported to management by both the saleswoman as well as a manager, the company took no action. Finally, the saleswoman was forced to quit to escape the abuse, the EEOC said.

Such alleged conduct violates Title VII. After first attempting to reach a pre-litigation settlement through its conciliation process, the EEOC filed the lawsuit in U.S. District Court for the District of Nevada and seeks monetary damages on behalf of the saleswoman, training on anti-discrimination laws, posting of notices at the worksite, and other injunctive relief.

"Our investigation found that sex-based discrimination was very open and flagrant - the saleswoman was warned during her interview that the all-male staff did not want women around, and that certainly turned out to be true," said William Tamayo, director of the EEOC's San Francisco District Office. "When an employer knows its workplace is infected with discriminatory attitudes, the employer is required by law to take steps to prevent and halt a hostile work environment. Instead, [the dealer] did nothing, and forced a valuable employee to quit to escape unacceptable abuse."

Race and National Origin Discrimination

The EEOC sued a dealership when the general manager at a Wheaton, Md. store repeatedly made derogatory comments to a sales consultant, who is of South Asian origin and is dark-skinned. Although the sales consultant objected, the comments persisted, sometimes in the presence of others. In addition to the demeaning names, the general manager even threw things at him. On one occasion, the general manager groped the sales consultant while calling him a "serial killer" and "creepy brown person." The general manager asked the sales consultant who he was going to kill and where the bodies were buried, the EEOC charges.

The sales consultant felt traumatized by the groping incident and as a result took leave. He complained to the dealership’s human resources director who, after a purported investigation, told the sales consultant he either would have to continue reporting to the general manager or transfer to another dealership an hour away. The EEOC says that the sales consultant was forced to resign based on the dealership’s inadequate response to the unlawful harassment.

The EEOC filed suit in the U.S. District Court for the District of Maryland, Greenbelt Division, after first attempting to reach a pre-litigation settlement through its conciliation process.

What’s a Dealer to Do?

This aggressive enforcement policy of the EEOC means that now is a good time to review your anti-discrimination and anti-harassment policies and schedule training for all your employees.

All such policies should contain a clear anti-retaliation provision ensuring that employees can and should report violations either through an internal escalation process, directly to a senior officer, or through a third-party whistleblower hotline. The third-party approach is probably most palatable to aggrieved employees and best to preserve confidentiality to the extent it can be preserved.

Studies have shown that the two biggest obstacles to employees reporting workplace wrongdoing are a fear of retaliation or a belief that nothing will change. Both fears must be displaced by senior management’s buy in and making visible changes in the workplace such as disciplining or terminating the offenders. Your dealership must be committed to a zero-tolerance policy for workplace discrimination or any form of harassment.

Harassment outside of the workplace can also be imputed to the dealer. This occurs when, for example, a manager takes subordinates out for drinks after work or at an office holiday party. Your dealership should also have a policy on office fraternization and dating. These situations are also ripe for sexual harassment and retaliation claims. Under no circumstances should managers be permitted to seek to date their subordinates and managers must show exemplary behavior as the models for the workplace.

If claims are reported, you must have a process in place to investigate and address the allegations quickly and completely. An external employment lawyer can be a good resource to help you establish such a process and possibly serve as a resource in the investigation team which can enable certain communications to be privileged.

Finally, do not forget to review employment hiring processes and make certain they are covered by your policies as well. Periodically look at your workforce and promote diversity in hiring. An all-male, all-white sales force was a catalyst for several of the EEOC’s actions described above. Don’t be the next victim.

0 Comments

The Need for a Compliance Management System in Your Dealership

8/16/2019

0 Comments

I don’t have to tell you that auto dealers are among the most heavily regulated businesses in the U.S. Federal, state and local laws and regulations from sales and f & I to environmental and OSHA are just the beginning. It is important to have a master compliance system for coordinating all the dealership policies as well as laying out for employees expectations for behavior both in the workplace and with customers. Hence a Compliance Management System (CMS).

There is no “one size fits all” CMS although there are basic things it should include. A dealership’s Code of Ethics and Code of Conduct signed off on by the Board is an important place to start because these touch everything the dealer does. They also establish the corporate “culture of compliance” which is something any regulator investigating the dealership will want to see and know.

Both the Code of Ethics and Code of Conduct need to be ingrained in every employee and vendor working at the dealership. It is also important to get third party buy in from remote vendors working on your business. IT vendors, security vendors, DMS providers, agencies producing material or providing temporary staffing. The list goes on. All must acknowledge and commit to the Code of Ethics and Code of Conduct for all dealer-related activities.

Risk-Based Analysis of Issues Applicable to the Dealer

Before appointing a Chief Compliance Officer and adopting substantive policies that compose the CMS, the Board or its representatives must do a risk-based analysis of issues and risks the dealer faces in everyday affairs. This includes things like sexual harassment (the issue that drives the majority of lawsuits a dealer will encounter); data privacy and Safeguards; wholesale vehicle acquisition; complying with laws and regulations for pulling credit bureaus, taking credit apps, telemarketing, and prospecting; aftermarket product selling; fair lending; OSHA and workplace safety; environmental issues; insurance issues; licensing and periodic regulatory audits; resolving customer disputes; manufacturer relations; customer identity verification procedures (the FTC Red Flags Rule); and other issues. A consumer complaint process is a necessary component of a CMS.

From this risk assessment, the Board will determine its risk tolerance in the various areas identified and begin the process of issuing compliance procedures to meet the risks. The nuts and bolts of the CMS policies will be drafted by the Chief Compliance Officer in conjunction with counsel but the Board prioritizes risk and indicates the areas where attention and process must be focused.

Ultimately it is the Board or senior management that is responsible for the CMS and through its practices, statements, audits and periodic meetings with the CCO, the Board must exercise its oversight of dealership compliance. A CCO should report to the Board or, if the dealer has no Board, the Chief Executive Officer.

Appointment of Chief Compliance Officer and Preparing Policies

The appointment of a Chief Compliance Officer (CCO) is necessary as the CMS is developed and processes and procedures are developed for managing risk and reporting deviations from behavior. The CCO should be “at the table” as new products and procedures are developed by the dealership. He or she must make sure the Board is informed and the Board must make available resources to the CCO so that all processes and procedures can be followed, tested, audited and refined.

For example, customer data Safeguards is a policy required by the Federal Trade Commission (FTC). The Board should assess the risk of data being compromised in both paper and electronic format and work with the CCO to adopt permissions; track each individual access to non-public personal information by each user; establish a standard for unusual use that will be flagged and require further investigation; have a security incident response committee consisting of senior management, the CCO, legal counsel, an IT or forensics specialist, a breach response firm and PR firm, and other internal and external resources to investigate the incident and manage a breach. A data breach is your biggest single risk of being financially put out of business and the policies and procedures to track data and manage its use is a critical element of a Safeguards Policy and CMS.

Having a periodic system vulnerability analysis by “white hat” hackers who attempt to break into your system and doing penetration tests on authorized devices is a must in today’s environment. A CCO must keep the Board informed on new security issues and obtain the approval and resources to test the system and make necessary changes.

Policies and Procedures

A policy sets forth a higher-level standard about what the law, regulations and dealership require and establishes a procedure for prospective violations and how they are to be handled and addressed. Procedures take the broad sweep of a policy and provide specific details to each position in the organization that the policy touches.

It is important for line managers to be the first level of defense by assessing the compliance behavior of their direct and indirect reports. If an incident or pattern of non-compliance is detected, the line manager meets with the CCO to begin implementation of the process described in the policy for potential violations. Depending on the seriousness of the violation, senior management or the Board may also need to be involved.

A good example is a sexual harassment policy. The policy should make clear that even the appearance of sexual harassment or a hostile work environment are triggers for corrective action. Employees must feel they can report misconduct without retaliation and the use of a third party reporting company may make employees less fearful than reporting a possible violation internally. Anonymity must be preserved but not guaranteed as in the course of a disciplinary proceeding or investigation, the reporting person’s identity is likely to come out. This is why a non-retaliation policy is critical. The reporting procedures and non-retaliation policy should be publicized to all employees by training, posters in the lunchroom, and other visible assurance.

Reporting and Audits

Any CMS must have reporting procedures and procedures for internal as well as external audits of compliance. This can be anything from periodic inspection of deal jackets by the CCO to ensure documentation is being handled properly to a financial audit to an OSHA audit. The CCO will not do all the audits but will work with the subject matter auditing teams (internal or external) to make sure that identified discrepancies are quickly addressed and policies and procedures changed accordingly, as necessary.

Training, the Employee Handbook, and Updates

Ongoing training of all employees is a critical element of a CMS and is required periodically by some states such as New York and California for sexual harassment and other subjects. Generally, there is no required format for training although state law may require a live trainer for certain subjects. Check with your local counsel.

The Employee Handbook should include the Code of Ethics and Code of Conduct in their entirety and link to the other policies as well as constitute a basis for Human Resources topics such as paid time off, disability and other benefits. It is best to have the Employee Handbook done electronically with each page dated so that as revisions are made, they can be identified. It does not have to be a long document but all employees should read the Employee Handbook and link to the policies and procedures applicable to their jobs. A test on the Employee Handbook once a year is another good practice to supplement training.

Updates come from many different places. Changes in law, case law decisions, new regulations, audit findings, and employee feedback are main examples. But patterns of behavior that don’t rise to the level of a violation can also create the need for changes. Security is a constantly evolving area and employees should be reminded of best Internet practices and perhaps subjected to a mock phishing drill where a fake phishing email is sent out to all employees to track who clicks on the link. Behavioral testing has been shown to be more productive generally than simple book training. Again, consider your risk options and what procedures work best for your dealership.

Summary

A CMS is the lifeline of a dealership. If done properly, it will establish the culture of compliance and bring employees into the culture by providing the process and procedures they need to do their jobs compliantly. Systems will be in place to require managers to report potential incidents, systematic procedures will track access to customer information, and auditing will identify issues that can be corrected or better performed. The evolving nature of a CMS will require ongoing training but it can be customized to each employee’s position so everyone doesn’t have to learn everything.

Regulators have expressed a strong desire for a CMS and if broken down into the pieces discussed in this article, involving the Board and appointing a knowledgeable Chief Compliance Officer, the process should not be daunting. Especially if input is sought from employees or managers in developing the process and procedures so they have an ownership interest as well. Good luck with your CMS process and seek help from your outside counsel or compliance resource as necessary.

0 Comments

FTC Safeguards Consent Order for the Auto Dealer Industry

6/21/2019

0 Comments

The FTC recently entered into a 20-year consent decree with an auto dealer management system (“DMS”) provider having approximately 180 auto dealer clients. The consent decree related to deficiencies in its Safeguards process and security system that permitted a hacker to access its unsecured backup database that contained the unencrypted nonpublic personal information (“NPI”) of approximately 12.5 million consumers, stored by 130 of its dealer customers. The entire customer files and all NPI of five dealers were accessed through an open port on the DMS provider’s backup storage unit.

The complaint is the first FTC Safeguards action involving data breaches in the auto industry. It effectively lays out the FTC’s requirements for meeting the Safeguards Rule with respect to auto dealers. In this case, the auto dealers outsourced their data storage to the DMS provider and failed to take steps to monitor or investigate the DMS provider’s security until it was too late. The breach was uncovered when one dealer found all of its customers’ NPI for sale on the Internet.

The Security Failures of the DMS Provider

Here are the shortfalls in the DMS provider’s Safeguards program. These are shortfalls you should consider in your annual Safeguards review and your Safeguards policy updates.

Failing to conduct periodic risk assessments or perform vulnerability and penetration testing of the network - Data security is a moving target as new threats emerge daily. An IT Professional can run tests attempting to hack into your system as well as doing tests on individual workstations to see if any have been compromised. Running mock phishing tests on employees and seeing how many click on the mock link is another good idea. This should be done at least annually and any system deficiencies or compromised workstations immediately corrected and any attackers who have gotten in must be immediately quarantined and disabled.
Failure to use readily available security measures to monitor its systems and assets at discrete intervals to identify data security events and the effectiveness of security measures - You need your IT officer to map the normal workings of your system and identify irregular patterns of activity that may indicate someone has hacked in. Examples would be irregular patterns of access to NPI by or through system users or administrative privileges being exercised by unauthorized persons. This requires that every access to NPI be tracked and evaluated in relation to normal business activity. Irregular behavior should be quickly investigated and addressed with the user.
Failing to impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access NPI databases - You should establish a “white list” of permitted third party Internet sites for both entry to your system and access from your system with entry from and access to other sites, including all Web-based email, prohibited. If a user wants to access a non-white listed site, they should have to obtain permission from your IT officer who will check the safety of the site. Authentication controls such as passwords, tokens, or biometric features should also be in place to access NPI.
Failing to encrypt NPI at rest and in motion - The DMS provider’s back up system contained all of the customer NPI in plain text in an unsecured storage device without any access controls or authentication protections, such as passwords or tokens. It was accessible to anyone through an open port. None of it was encrypted. All customer NPI should be encrypted both when being transmitted and in storage. Failing to do so violates the Safeguards Rule.
Failing to have a reasonable process to select, install, secure, and inventory devices with access to personal information - As noted, the DMS provider did not inventory any of its devices or install anti-virus or anti-malware security software. When inventorying and securing devices, you need to include any personal devices that employees or vendors use to access your system. Your IT officer should have the ability to cut off access from any device at any time.

The FTC’s Conclusion and Response

The FTC concluded that the DMS provider’s ‘failures to provide reasonable security for the sensitive personal information about dealership consumers and employees, and business financial information, "has caused or is likely to cause substantial injury to consumers and small businesses in the form of fraud, identity theft, monetary loss, and time spent remedying the problem.”

The DMS provider agreed to a 20-year consent decree to settle the FTC’s finding of unfair data security practices and Safeguards Rule violation claims. It includes requiring the DMS provider to establish a comprehensive information security program with the following minimum components:

written documentation of the program;
submission of the documentation to its board of directors annually;
have an independent third party assess its security twice-yearly;
designation of a responsible employee to maintain the program;
annual risk assessments;
annual training of employees
implementation of adequate security controls;
an annual assessment of the adequacy of those security controls;
annual penetration testing of all devices capable of accessing the system;
system vulnerability testing every four months;
vendor and service provider management with contractual requirements;
regular program maintenance and changes based on reviews;
certify its compliance with the consent order to the FTC annually;
report data security incidents within 10 days;
create records for 20 years; and
permit the FTC to request additional information or interview anyone affiliated with the DMS provider in order to ensure compliance.

The FTC also required the DMS provider to adopt specific security controls, network and system monitoring, data access controls, encryption of data, and device inventories. Although these controls address the specific issues that led to the DMS provider’s security incident, dealers should take notice that these are the Safeguards protections that the FTC expects to be adopted in connection with a consumer auto finance business.

As a final penalty, the FTC forced the DMS provider to agree that “[n]o documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or similar claim.”

Summary and What It Means for You

The FTC has now spoken on what specific things it requires an auto industry Safeguards program to include. Now would be a good time to look at your Safeguards program to determine which of these specific protections you are lacking and begin to implement them into your program. The compliance burden of the FTC is only the beginning of problems this DMS provider will have to face as dealer and consumer lawsuits, actions by state regulators, and further investigations and audits will impose great costs and diversion of business time. A study by Verizon found that three out of five small businesses that suffered a security breach went out of business within six months. Doing your best to prevent being the next one is time and money well spent compared to the alternative.

0 Comments

State Attorneys General Cracking Down on Dealer Advertising

4/22/2019

1 Comment

State Attorneys General (“AGs”) are being very aggressive in going after auto dealer advertising. State unfair and deceptive practice (“UDAP”) laws as well as Section 5 of the FTC Act allow for the recovery of damages, attorney’s fees, and restitution for wrongful conduct. Let’s take a look at some of the activity from this year.

Indiana

We’ve all seen them and most of us have probably used them to attract customers. Mailing pieces to consumers indicating that if a scratch-off number on the mailing matches a prize number on the mailing (and they all do), they have won a sweepstakes. Large photos of prizes such as a new vehicle, a large amount of cash, a big screen color TV, and the like are blasted across the top. All the customer has to do is come to the dealership to match their prize number against a board at the dealership to see what they have won.

Only in small mouse type, frequently not on the same page, does the mailing indicate that no purchase is necessary and the odds of winning the prizes. One of these pieces that I reviewed recently gave the odds of winning the vehicle and other displayed prizes at 1,000,00:1. The odds of winning a $5 gas gift card were 1:999,996 meaning only four people in a million would win a large prize and all others the gift card. Unclaimed prizes were not awarded and were deemed to be forfeited. By making everyone a “winner” of a prize, I was told the sweepstakes eliminated the element of chance and thus was not an illegal lottery. But that is not the end of the story.

The Indiana AG recently saw a similar piece and apparently was not amused.

Instead of suing individual dealers (over 56 of whom sent these pieces to over 2.1 million Indiana consumers), the AG sued the promotional advertising agency that designed the pieces. The AG alleged an unfair trade practice under Indiana law which has the same standard for an unfair trade practice as does a violation of Section 5 of the FTC Act.

The complaint alleges that all the mailings contained game pieces purporting to determine whether recipients had won prizes – which included such valuable items as vehicles, TVs or $1,000 in cash. Each mailing, however, contained identical game pieces with winning numbers. Thus, each mailing allegedly communicated to all recipients that they had won significant prizes when they had not. Recipients who went to dealerships to claim winnings were awarded “prizes” much less valuable than those advertised – typically such items as a $5 Walmart gift card, a scratch-off lottery ticket, a cheap MP3 player or a mail-in rebate coupon for $10 off the purchase of a turkey.

The Indiana AG seeks a permanent injunction; $500 per consumer who was mailed a piece and went to a dealership; civil penalties under Indiana law; and reimbursement of the AG’s investigative and other costs.

Pennsylvania

Pennsylvania has established a mini-Consumer Financial Protection Bureau in its AG’s office and the Bureau of Consumer Protection has been taking dead aim on dealer advertising.

In a recent action, the AG sued 20 dealers as part of an advertising sweep that targeted auto dealers and their salespeople who advertised vehicles for sale without disclosing that the sale was being conducted by a dealer, as is required under Pennsylvania law. All auto dealers in this sweep advertised on Craigslist as individual sellers, rather than as dealers, providing insufficient information to consumers viewing their postings.

The Office of Attorney General has so far collected more than $10,500.00 in civil penalties and costs for the illegal advertisement of at least 178 vehicles to Pennsylvania consumers. A few the lawsuits remain outstanding.

New Jersey

Another state that is establishing its own mini-Consumer Financial Protection Bureau sued (and put out of business) two buy-here-pay-here dealers and their owner personally for deceptive and unconscionable business practices which included deceptive advertising.

Violations alleged that defendants sold high-mileage, used autos at grossly inflated prices with excessive down payments; financed the sales through in-house loans with high interest rates and “draconian” terms that created a high risk of default; and then repossessed and resold the vehicles over and over again to different consumers in a practice they refer to as “churning.”

The AG also alleged that defendants engaged in deceptive advertising, failed to disclose the damage and/or required substantial repair and bodywork required for used motor vehicles, and failed to provide consumers with complete copies of signed sales documents, including financing agreements.

In addition to significant civil money penalties, the State is seeking to permanently close the two subject car dealerships and ban the owner from ever operating a car dealership again. The case also seeks restitution for affected consumers.

Ohio

The Ohio AG felt it necessary to issue guidance to auto dealers describing advertising requirements under Ohio law and warning about the consequences of deceptive advertising. Ohio also allows consumers to sue auto dealers under a private right of action for triple their damages and their attorneys’ fees.

Among other things, an advertised purchase price must include the total amount that a consumer is required to pay the dealer pursuant to the contract. Only tax, title, and registration fees and documentary service changes may be excluded, and the exclusions must be referenced in a disclosure. If a rebate, discount, or price reduction is not available to all consumers, the amount may not be subtracted to arrive at an advertised price.

Massachusetts and Delaware

These two states jointly settled an action with Exeter Finance for unfair trade practices in providing subprime auto financing to dealer customers. Exeter was fined $6 million, $5.5 million by the Massachusetts AG and $500,000 by the Delaware AG. As part of the settlement, Exeter will waive deficiency balances and other post-default charges on some of its loans and ask major credit reporting agencies to delete trade lines associated with the accounts of affected borrowers.

Exeter, a subprime lender, was accused of facilitating the origination of auto financing in Massachusetts and Delaware that the company knew or should have known were unfair and in violation of the state consumer protection laws. Officials explained courts have held that lending is unlawful under the state UDAP statutes if finance companies do not have a basis for believing that borrowers will be able to repay their loans in normal course.

Previously, the Massachusetts AG settled with Santander Bank in the sum of $22 million for similar conduct.

While directed at the lender, the allegations of putting customers into financing a reasonable dealer knows they cannot afford (an example being an unwound spot deal with worse credit terms for the customer) could apply to dealers as well.

What This Means for Auto Dealers

These are not the only states that have shown aggressive policing of dealer ads. Many states are establishing watchdog groups focusing on dealer ads that in the past may have been on the bubble such as the sweepstakes ads. And the FTC too has identified auto dealer advertising as a priority for 2019.

Here are ten best practices for all dealer ads:

Make sure your ads contain all triggered terms required by federal Regulations Z (credit sales) and Regulation M (leases);

Make sure your ads are accurate and for the advertised price, omit only tax, title, registration and the document fee permitted by your state’s law. Indicate in a conspicuous disclosure that those items are extra;

Don’t advertise terms that most of your customer base will not qualify for such as price reductions or low APRs for customers with high credit scores;

Make sure you have enough of the advertised vehicles to meet the reasonably anticipated consumer demand. If not, give the exact number available. A very low number of such vehicles may be interpreted as a “bait and switch” ad;

Many states require you to give the advertised price to any qualified customer even if the customer has not seen the ad;

Don’t stack rebates especially unconditional rebates (available to everyone) with conditional rebates (available only to certain groups like recent graduates, military or first responders, or returning customers), Itemize the rebates you want to advertise;

Don’t put disclosures in mouse type, text that bleeds into the background, or are not in proximity to the headine the disclosure explains. Putting a disclosure on a different page from the headline is not recommended;

Be careful with sweepstakes ads. They are easily shown to be come-ons designed to get the customer into the showroom with no real possibility of winning a meaningful prize. See Indiana above;

For Internet ads, place the disclosures in close proximity to the headline, don’t use pop-up disclosures unless absolutely necessary, make disclosures clear and conspicuous and put an expiration date on every Internet ad; and

Don’t bury Internet disclosures in long columns of text and be sure the disclosures are optimized to be clear and conspicuous on any device that can access them.

Expect more regulatory enforcement actions and more lawsuits involving dealer advertising.

1 Comment

CFPB Finds Unfair and Deceptive Practices in Not Crediting Consumers with Ancillary Products Rebates

4/5/2019

1 Comment

The Consumer Financial Protection Bureau ("CFPB") indicated in recent Supervisory Highlights that is examining “unfair and deceptive practices” regarding rebates for certain ancillary products after examining the behavior by at least one captive finance company.

The CFPB found that vehicle buyers sometimes also finance the purchase of ancillary products such as an extended service contract when they enter into a retail installment sales contract for a vehicle. Then as finance companies know, if the contract holder later experiences a total loss or repossession, the servicer or contract holder may cancel the ancillary products in order to obtain pro-rated rebates of the premium amounts for the unused portion of the products.

In these situations, the Bureau acknowledged the rebate is payable first to the servicer to cover any deficiency balance and then to the borrower.

“Generally, the servicer contractually reserves the right to request the rebate without the borrower’s participation, although it does not obligate itself to do so. The borrower also retains a right to request the rebate,” the CFPB said.

During its examinations of extended warranty products and policies used by this unnamed captive, the CFPB found the amount of a potential rebate for the products depended on the number of miles driven. The Bureau said its examiners observed instances where one or more servicers used the wrong mileage amounts to calculate the rebate for extended service contract cancellations.
“For some borrowers who financed used vehicles, the servicers applied the total number of miles the car had been driven to calculate rebates,” the CFPB said. “However, the servicer(s) should have applied the net number of miles driven since the borrower purchased the automobile.”

The CFPB concluded that “The miscalculation reduced the rebate available to certain borrowers and led to deficiency balances that were higher by hundreds of dollars. The servicer(s) then attempted to collect the deficiency balances.”

The CFPB stated that “One or more examinations found that servicer attempts to collect miscalculated deficiency balances were unfair Collecting inaccurately inflated deficiency balances caused or was likely to cause substantial injury to consumers. And these borrowers could not reasonably have avoided collection attempts on inaccurate balances because they were uninvolved in the servicer’s calculation process.” These findings are the predicate for an unfair and deceptive practices action.

The CFPB concluded that the injury of this activity is not outweighed by countervailing benefits to consumers or competition. For example, officials emphasized the additional expense the servicers would incur to train staff or service providers to make certain that refund calculations are correct would not outweigh the substantial injury to consumers.

In response to its findings, the CFPB said the finance companies conducted reviews to identify and remediate affected consumers based on the mileage they drove before the repossession or total loss of their vehicles. The Bureau added that the finance companies also began to verify mileage calculations directly with the issuers of the products subject to rebate.

Additionally, the CFPB indicated its examiners observed instances where one or more servicers did not request rebates for eligible ancillary products after a repossession or a total loss. The finance company then sent these consumers deficiency notices listing a final deficiency balance claiming to net out available “total credits/rebates,” including insurance and other rebates. The notices also stated that future additional rebates may affect the amount of the surplus or deficiency, but that “at this time, we are not aware of any such charges.” This behavior too resulted in overstating deficiencies.

The CFPB said that the servicers’ records contained information that it had not sought the eligible rebates. Examinations showed that the average unclaimed rebate was roughly $1,700.

“One or more examinations identified these communications as a deceptive act or practice. The deficiency notices misled borrowers because it created the net impression that the deficiency balance reflected a setoff of all eligible ancillary-product rebates, when in fact, the servicers’ systems showed that it had not sought one or more eligible rebates,” the CFPB said.

The CFPB further concluded that “It was reasonable for consumers to interpret this deficiency balance as reflecting any eligible rebates because the servicers were both contractually entitled and financially incentivized to seek and apply eligible rebates to the deficiency balance. And the misrepresentation was material to consumers because they may have pursued rebates on their own had the servicers not represented that there were not additional rebates available.”

“In response to these findings, the servicers conducted reviews to identify and remediate affected borrowers. The servicers also changed deficiency notices to clarify the status of eligible ancillary product rebates,” the CFPB concluded.

It is critical that consumer deficiencies first take into consideration rebates from ancillary products based on the net mileage driven by the consumer at the time of repossession or total loss. Failing to credit the consumer with the net rebates can lead to an unfair and deceptive trade practice by the CFPB or FTC.

1 Comment

A Way for Dealers to Sell GAP to MLA-covered Borrowers

3/11/2019

0 Comments

On December 14, 2017, the Department of Defense (“DOD”) issued a regulation concerning the exemption from the Military Lending Act (“MLA”) for purchase money auto financing credit secured by the vehicle. The MLA is a law passed in 2006 protecting service members and their families by requiring extensive disclosures and prohibiting certain contract provisions. Purchase money vehicle financing is exempt and it was believed that this exemption included all aftermarket products sold with the vehicle in the transaction as well.

DOD’s new interpretation said that a transaction is exempt from the MLA “that finances the [vehicle] itself and any costs expressly related to that [vehicle]. . . provided it does not also finance any credit-related product or service.” This means if the auto financing transaction includes GAP or credit insurance, the whole transaction is arguably outside of the exemption and subject to the MLA.

As a result, auto dealers cannot sell and finance GAP in indirect auto finance without running afoul of MLA penalties which include the inability to take a security interest in the vehicle. Other penalties can include voiding of contracts from inception; civil liability of actual damages or $500 statutory damages recoverable in class actions; punitive damages; costs and attorney’s fees, along with possible criminal liability.

Possible Actions in Response to the DOD's December 2017 Interpretation
Trade associations and dealer groups have been lobbying the DOD to revoke the December 2017 interpretation. They were apparently close to doing so in June 2018 but a change in DOD and other agency personnel delayed and politicized the issue. The timing of the revocation of the DOD interpretation is now uncertain.

The main result is dealers should not offer credit insurance or GAP to MLA-covered borrowers in indirect auto finance transactions. This means you will have to check every customer to see if they are an MLA-covered borrower using one of the "safe harbors" for doing so --these being either a DOD MLA website or a credit report indicating the person's MLA status-- before selling them GAP or credit insurance. Do this at the time the consumer submits a credit application or within 30 days earlier if, for example, you are doing a pre-screen mailing. Document your doing so in the deal jacket.

But it’s not so easy. At least 11 states have military anti-discrimination statutes. Each state interprets its law differently. In response to a claim of military discrimination for not selling GAP to MLA covered borrowers, the dealer could argue that the federal MLA and DOD interpretation preempts their state’s anti-discrimination law Consult your local attorney or compliance professional on the law in your state to get a sense of whether a the courts will recognize federal pre-emption as a defense to an alleged credit discrimination against protected military members under your state's law.

A Solution for Dealers to Enable MLA Borrowers to Finance GAP
There is another solution making its way around the industry. The prohibition on taking a security interest in a vehicle on a compliant MLA contract does not apply to banks, credit unions, or savings associations (collectively “banks”). A number of banks—principally credit unions--are preparing compliant MLA loan agreements (not an easy task with all the disclosures and computing an alternative MLA APR) that permit a vehicle security interest. Reportedly, several large banks are also exploring this alternative.

If an MLA-covered borrower wants to purchase GAP, the solution for dealers is to contract to become an agent of one of these banks and engage in “direct” or “two-party” financing where you act as an agent of the bank in contracting for a direct loan from the bank to the consumer instead of the more-familiar three-party indirect credit sale of the vehicle. The proceeds of the loan are directed to the dealer and the bank is named as the original creditor on the loan agreement. The dealer gets a service fee for handling the paperwork for the bank. For MLA-covered borrowers who want GAP or credit insurance, this solution should work.

Most industry experts believe the DOD December, 2017 regulation will be revoked or repealed at some point, probably later this year. But there is no guarantee. Trade associations are also working the legislative front with the Congress. But until one of these approaches leads to a repeal, contract with a bank that offers compliant MLA loan agreements to establish a two-party lending relationship so your MLA-covered borrowers can finance GAP like everyone else.

0 Comments

BE CAREFUL WITH OUT-OF-STATE DELIVERIES AS MANY RISKS APPLY

2/25/2019

0 Comments

The Internet has become a way of life in selling vehicles. It enables customers to contact dealers and obtain information more readily and can be a source of selling. But it comes with real dangers of identity fraud that can leave a dealer required to repurchase an agreement and with little, if any, hope of recovering the vehicle.

Since 2010, Customs Agents have seized over 3,500 stolen vehicles in U.S. ports bound for other countries. Many of those cars were headed to Africa or Eastern Europe, or other areas where they can be sold for great profit. The vast majority of these vehicles were stolen by financial identity fraud perpetrated on dealers who delivered the vehicles to an out-of-state identity thief.

Dr. Stephen Coggeshall, ID Analytics’ chief analytics and science officer and a respected identity theft expert, described the problem of identity fraud with out-of-state deliveries as follows:

“Any transaction that takes place in a faceless environment online has a lot higher potential for fraudsters for a number of reasons. It’s much easier to misrepresent yourself — who you are — in a faceless transaction. But also, the odds of you getting caught are a lot smaller. You’re not physically at a dealership.”

A Red Flags program will have difficulty identifying the theft due to the effectiveness of “synthetic” identity theft. A fraudster creates a synthetic identity by making up a Social Security number (since 2011, Social Security numbers are no longer linked to states of residence but are issued randomly), adds false personally identifying information to it and establishes a credit file.

Dr. Coggeshall says that using synthetic identities is now “the dominant mode of identity fraud,” overtaking other methods like identity theft and identity manipulation. Particularly when it comes to remote auto fraud.

Synthetic identities are incredibly difficult to trace, because they don’t lead back to a real person. Fraudsters use a combination of elements such as a fabricated Social Security number, name, date of birth, address or phone number, and then establish that identity by applying for credit cards or a cellphone. Credit bureaus establish upwards of 40 people on the same Social Security number.

“It’s actually not that hard to establish the validity of a synthetic identity,” Dr. Coggeshall says. “And once you’ve done that, you can start doing all sorts of things.” Hence the rise in motor vehicle identity fraud. Every time you ship a vehicle out of state instead of making the customer come to the dealership, you run the risk of that person being an identity thief waiting to ship the vehicle overseas or sell it to a chop shop. It doesn’t take more than a few of those transactions to negatively impact your bottom line.

In a related sense, straw purchases are also more readily accomplished via out of state shipments to Internet sales. These lead to repurchase requests too.

Out-of-state deliveries produce practical issues as well. Titling vehicles can become problematic if you are not familiar with the idiosyncrasies of the remote state’s title office and you don’t want dealer plates in far-away locations. Disputes with the buyer may inadvertently wind up being litigated or arbitrated in the buyer’s home state as well, even if your Buyer’s Order says otherwise. Obviously, repossession rights upon default will be subject to a group of laws and requirements different from those in your state. “Home town”: justice could easily come into play in the buyer’s favor in any dispute.

Do enough deliveries into the remote state and their tax authorities might claim you are “doing business” there and want to tax you. This is another risk.

0 Comments

2019 CRYSTAL BALL FOR AUTO DEALER SALES AND F&I

1/1/2019

0 Comments

2018 was a year marked by increased compliance enforcement by the Federal Trade Commission (“FTC”) and State Attorneys General (State AGs”).
The fines imposed the past two years have increased substantially from those in earlier years. For example, the FTC fined a California dealer group $3.4 million in 2017 for a variety of unfair and deceptive practices, including its first foray into “yo-yo” (spot delivery) practices. In 2018, the FTC conducted a field investigation of over 90 dealers in 22 geographic areas and found that only 7% had displayed the correct new form Used Car Buyer’s Guides on their used vehicles in inventory. Recalls also continue to be a problem for dealers as 2018 set a record for vehicles recalled by manufacturers. The FTC fined dealerships for selling “certified” used vehicles without either fixing or informing the customers of open recalls. Advertising fines and penalties are now well up into the six figures as well.
What can we expect in sales and f&I compliance in 2019? Here’s a crystal ball of some issues at the top of regulator agendas that may ripen into enforcement actions and lawsuits in the coming year.
1. New Unfair and Deceptive Acts and Practices (UDAPs) - The FTC and State AGs imposed fines in excess of $1 million for “yo-yo” financing; fraudulently submitting or changing customer information on credit apps or deal stips; and advertising vehicle specials for which the dealer should have known most customers in its geographic area could not qualify. These were new first-time UDAP practices for the FTC and were coupled with payment packing, misrepresentations, and some of the past UDAP practices to fine dealers or enter into 20-year consent decrees. In 2019, look for the FTC to continue to regulate by enforcement (declaring practices to be UDAPs that had not been previously prosecuted or prohibited by FTC-issued regulations). The FTC is partnering with local law enforcement agencies as it did with the missing Used Car Buyer’s Guide investigation. Look for more “on the ground” enforcement activity as the FTC in conjunction with AGs, DMV representatives and local law enforcement come out of the ivory tower and enforce dealer misbehavior in the real world. Mystery shoppers and agents in the field will be a large part of 2019 compliance enforcement.
State AGs will continue to pick up auto dealer enforcement activity. Since 2015, the New York Attorney General has obtained more than $17 million in restitution and penalties as part of his office’s crackdown on the practice of ‘jamming,’ or payment packing.”   State AGs in Arizona, Connecticut, Illinois, Massachusetts, Virginia and Florida, among others, have been particularly aggressive.
2.  Data Security Breaches and Safeguards Rule Violations - 2018 was another record year for data security breaches both in the number of breaches and the number of records compromised. I recently attended a data security program in which the speaker stated that data is the new oil, and he is right. Hackers and their like are compiling dossiers on millions of individual U.S. persons from both publicly available information (like motor vehicle registration records) and personal information readily for sale on the dark Web, like information from the 2017 Equifax breach that affected nearly 145 million U.S. consumers. The 2018 Verizon Data Breach Investigations Report found that 58% of data breach victims globally are small and mid-size businesses (“SMBs”). Many SMBs report doing very little to protect themselves because they lack the required resources, capabilities, and knowledge.    A Ponemon Institute report in 2016 that found that roughly half of the nation's 30 million small businesses had been breached Dealers, whose data security tends to be quite lax when compared to larger companies, are a treasure trove for personal information including Social Security numbers, driver’s licenses, employment and income information, and other data that facilitates identity theft (also on track to be a record in 2018). Expect more major data breaches and more FTC and State AG action in looking at dealer Safeguards Programs. In California, a new Consumer Privacy Act was passed that provides more protections for consumer data, penalties for breaches, and, for many uses, requires “opt-ins” instead of “opt-outs” when it comes to sharing or using data.
The FTC entered into a 20-year consent decree in 2018 with a dealer for an inadequate Data Safeguards Program. Expect more of the same in 2019.
2a. Breach of Vehicle-Communicated Data - As the industry moves to experiment with driverless vehicles and as data points are exchanged among vehicles on the road today as part of Internet of Things connected devices (“IoT-connected devices”)., the security of the data being transmitted becomes an expanding risk for hackers or criminal enterprises. Most vehicle data being communicated is not encrypted and can easily be hacked by someone wanting to cause damage to the vehicle’s operation, questioning of the prospect of driverless cars, or stealing the technology as has occurred in many other industries. This is an IoT-connected devices issue that needs to be followed as if and when hacking of this type happens, it will throw the auto industry into a crisis. Less a dealer issue than a manufacturer technology issue but remember, you sold the IoT-connected vehicle that had its data compromised and abused.
3. Aftermarket Products - Regulators know that dealer profits are largely generated from the back-end sale of aftermarket products. The CFPB and FTC are not big fans of aftermarket products believing most are overpriced and deliver questionable value to consumers. The CFPB ordered a national auto finance company to refund $9 million to consumers and pay a $2.5 million fine for making claims about their GAP policy’s protection features while failing to inform consumers that its GAP policy was capped at 125% of the vehicle’s value at the time of loss. Recent enforcement actions have also begun to look at the value of aftermarket products relative to their cost as well as the amount of the dealer’s markup to sell the product at retail. States are also looking more closely at refund issues.
Payment packing or front-loading an aftermarket product is always unlawful. All optional aftermarket products should be presented fully and honestly using an easily-understood menu and the customer should initial all products accepted and rejected. Parity in pricing products, or at least in bundles of products, is another best practice. Expect to see aftermarket products in an FTC enforcement action in 2019.
4. Military Lending Act - Due to the Department of Defense’s December 2017 interpretation of the Military Lending Act (“MLA”) (an interpretation that I think will be repealed some time in 2019), sale of GAP or credit insurance to MLA covered persons (broader than service people and their families) requires compliance with the MLA. Most dealers and financial institutions are not set up to comply with the MLA in terms of calculating a separate Military APR, making written and oral disclosures to MLA covered persons, eliminating arbitration clauses and making other changes from a standard credit sale. A dealer is prohibited by the MLA from taking a security interest in a vehicle as well and only a regulated financial institution can directly do so. A standard RISC will not contain the necessary disclosures and the penalties for non-compliance are significant including a customer’s right to void the RISC from inception meaning a consumer could possibly return the car and be entitled to all payments made as well as the amount of any allowance given for their trade-in. Remember that service people are a preferred group at the CFPB and that filters to other regulators as well.
5.     Spot Deliveries -   By adopting the term “yo-yo financing” in its 2017 $3.4 million fine of a California dealership group, the FTC laid out its leanings on an issue the plaintiff’s bar has had at the top of its agenda for years, spot deliveries. What percentage of your spot delivery deals are unwound? If it is more than a small number, you run the risk of a bait-and-switch UDAP practice, one the FTC and many State AGs are examining in response to a growing number of consumer complaints. Make sure your conditional delivery agreement is mutual and fair and be prepared to show you had a reasonable belief that one of your finance companies would purchase the original contract based on its past conduct.
In view of the high dollar stakes of enforcement actions and the growing aggression of the FTC and certain State AGs against auto dealers, now would be a good time to review your Compliance Management System and your compliance policies, especially privacy and Safeguards policies. Make any necessary changes based on testing such as a vulnerability test of your system to hacking. Train and test your people too. Frequently. On data safeguards, people are your biggest risk and an untrained employee is your worst nightmare. Emphasize warnings about phishing schemes, complex passwords, and avoiding other schemes criminals use to compromise a user’s credentials and enter your system.

0 Comments

<<Previous

Author

Randy Henrick is a leading auto industry compliance consultant. This article is not intended as legal or compliance advice due to the unique nature of a dealer's situation in each state. Randy's articles do provide issues and best practices that you may want to discuss with your attorney or compliance advisor for possible adoption in your dealership. Email Randy at AutoDealerCompliance@gmail.com
Follow us on Twitter @randyh44

​

Author

Archives