    Randy Henrick & Associates, L.L.C.

    Blogs

    FTC’s Recent Actions Point to Aggressive Pursuit of Auto Dealers

    8/17/2020


     
    The Federal Trade Commission (FTC) has recently indicated its displeasure with auto dealers and that is a sign that dealers may need to tidy up their compliance practices.
     
    Recent FTC Consent Order
     
    In May, the FTC entered into a $1.5 million consent order with a New York dealer.  The FTC’s lawsuit alleges the company jacked up what consumers had to pay by fabricating fees, inflating charges, and sneaking in stealth add-ons. The lawsuit also alleges the defendants discriminated against African American and Hispanic consumers by charging them higher financing markups and fees, in violation of the Equal Credit Opportunity Act (ECOA) and Regulation B.
     
    According to the complaint, the dealer also overcharged consumers by dinging them for as much as $695 in documentation fees, an amount limited by New York law to no more than $75. In addition, the lawsuit alleges the defendants often gave consumers one figure for the agreed-upon total, but then inflated the price without the buyer’s knowledge in other documents – a practice the dealer’s employees called “air money.”
     
    The FTC assessed the $1.5 million fine against both the dealership and its General Manager personally.  The settlement also requires the company to implement a fair lending program that safeguards against discrimination.   FTC oversight continues for 15 years.  This case alone should serve as a reminder to other businesses that may be overdue for an ECOA compliance check.
     
    FTC Study on Consumer Auto Sales and Financing Processes
     
    But the FTC wasn’t done.  In July, the FTC released a study conducted by its Bureau of Consumer Protection concerning auto dealers.[1]  Based in large part on interviews with 38 consumers, the study found misleading auto advertising, loan falsification, “yo-yo” financing, deceptive add-on fees, and privacy and data security issues, among other practices.  
     
    Advertisements with misleading financing terms (as well as those with deceptive price and discount offers) remain a concern.  Some consumers found out belatedly that they did not qualify for these advertised finance offers, that they could not combine a 0% APR offer with other incentives, or that the car they selected did not qualify for the advertised rate.
     
    Negotiating price was another factor cited by the FTC.  Customer confusion about the sales negotiating process, and being compelled to negotiate only the monthly payment, were among the factors cited by the FTC study.
     
    Particular criticism was directed at auto dealers’ F&I offices.  Many consumers complained that vehicle prices and rebates negotiated by the salesperson were not honored by the F&I office.  The FTC study concluded, “In financing negotiations, dealers should honor discounts or other terms sales personnel promise consumers, or sales personnel should not promise them. If there are limitations on the discounts or terms being offered, dealership representatives, whether on the sales floor or in the financing office, should explain those limitations clearly and consistently.”
     
    Aftermarket products were another area of FTC criticism.  The study characterized aftermarket (add-on) products as follows:
     
    Most study participants’ contracts included charges for add-ons, but the interviews revealed consumers who were unaware which add-ons they had purchased, were unable to identify add-ons in the paperwork, were unclear what those add-ons included, and sometimes did not realize they had purchased any add-ons at all. Indeed, add-ons were the single greatest area of confusion observed in the study.
     
    Many consumers were left with the impression that aftermarket products were required to get financing or that add-on products were free (payment packing). Undisclosed limitations of add-on products, the absence of the cost of add-on products, and the requirement of bundling add-on products in lieu of being able to buy products separately were also cited by the FTC. 
     
    The FTC study also criticized spot delivery practices.
     
    Some participants in the qualitative study were surprised to learn that financing they expected to be final was not. Some participants expressed confusion about the concept of spot delivery. Some consumers had never heard the term, others knew of it but did not know what it meant, and a few thought it meant something that it doesn’t. For example, one consumer thought spot delivery was a cooling-off period. Some consumers were unaware that they had signed forms describing spot delivery and potential cancellation.
     
    Finally, the report criticized how consumers are treated in the sales and finance process.  Consumers are overwhelmed with documents and information that dealers pressured them into signing without reading.  The process was so lengthy that it left them feeling overwhelmed or experiencing “buyer’s fatigue” by the time they reached the financing portion of the transaction.

    What This Means for Auto Dealers
     
    The FTC’s recent actions criticize many common practices of auto dealers and suggest that enforcement actions for unfair and deceptive practices based on these practices are coming.  Also, in the consent decree, two Commissioners wrote statements supporting disparate impact credit discrimination cases against auto dealers.  Disparate impact discrimination occurs when intentional discrimination cannot be proven but a statistical analysis shows that members of ECOA protected classes (race, color, religion, national origin, sex, marital status, age, or receipt of public assistance) get worse credit terms than non-protected persons, typically white males. 
     
    It is recommended that dealers adopt the NADA fair credit policy and program[2] which provides a way to address disparate impact credit discrimination risk by using a standard dealer participation rate (markup of sell rate) and use it for every customer unless you can document a specific business justification for providing a lower rate.
     
    Aftermarket product selling seems to be the biggest issue of the FTC study.  You should charge the same price for your aftermarket products and follow the 300% rule—offer 100% of your products to 100% of your customers, 100% of the time.  While using a menu is not required by any law, it is a best practice to show the customer considered the costs and benefits of each product or group of products and made an informed decision to accept or reject them.
     
    Advertising is another FTC hot point.  Try not to give disclosures in inconspicuous or unreadable mouse type and leave disclosures on the screen for a long enough time for consumers to read and comprehend them.  This is especially true for disclaimers and disclosures that not all customers will qualify for an advertised rate or other advertised terms.
     
    Negotiating price tactics were also criticized by the FTC.  While there is no legal prohibition on negotiating the payment amount, it can be susceptible to payment packing when room is left in the quoted monthly payment for other products to be included and represented to be free.  State Attorneys General have been particularly aggressive in bringing enforcement actions against dealers for payment packing.
     
    Again, in most states, spot deliveries are lawful.   But make sure the customer understands that the agreed-upon financing is subject to being purchased by a lender and that, if not, either party can return the collateral (the vehicle and the trade-in along with any funds the customer has put down) and walk away.  Be careful about pressuring a consumer into new, less favorable terms.  Be sure to date the new contract the date it is signed and not backdated to the original deal.  Also send the customer an adverse action notice because of a change to terms less favorable to the customer.
     
    The FTC study is definitely worth a read.  Now would be the time to look at your compliance in these and other areas and make certain you are not taking the risk of being on the FTC’s enforcement agenda given all the new scrutiny of auto dealers.

    __________________
    [1] A link to the FTC study is available at https://www.ftc.gov/reports/buckle-navigating-auto-sales-financing

    [2] The NADA Fair Credit Policy and Program can be found at https://www.nada.org/faircredit/


    Protect Your Car Dealership via Best Auto Dealer Compliance Solutions

    7/14/2020


     
    Starting a business is a murky task due to the prevailing compliance roadblocks. You, as a dealer, are subject to various laws and regulations. For non-adherence to these sets of rules, you will face heavy penalties, and the fines are exorbitant. Of course, you won’t like this type of grievous imposition in the wake of a compliance breach!

    So, here, automotive dealership compliance comes into force. It consists of all laws and regulations in your dealership area. It incorporates laws on selling, buying, financing, and insuring. It is also broad because it includes customer communication. So, it’s very crucial for all automotive dealerships to be and remain in compliance.


    Different Types of Auto Dealership Compliance Services

    Before moving ahead, you need to ask yourself a few questions. Today, it’s an age of the Internet and cloud computing. Everyone is equally vulnerable to cyber threats. So, will you survive in the business if your customer data is wrongfully compromised?
    Business reputation becomes crucial if you experience any growth. Without it, a commercial organization will be completely paralyzed. So, could you afford the reputation risks of an advertising, sales, or F&I compliance violation?
    The answer to the above questions is an absolute NO.
    So, protecting yourself from dealership compliance issues is a big deal. The penalties are prejudicial to a career if not addressed carefully. These can be possible through robust awareness, training, and prevention. It’s imperative to strategize your dealership as there are so many regulations to adhere to.
    That’s why there are different compliance services available online nowadays. These are advertising, data security, mitigation of data breach risks, digital retailing, red flags, FTC & CFPB compliance. Above all, the consumer notice has a pivotal role in the entire journey of compliance procedure.
    Let’s discuss:
     
    Advertising

    The Federal Trade Commission (FTC) has brought over 40 dealer advertising enforcement actions since 2012. So, reviewing your advertising for compliance with FTC guidelines and regulations is essential. Thus, an expert needs to review your advertising properly - especially if you have already entered into an FTC consent order.
     
    Mitigation of Data Breach Risks

    A security compromise of your customer data is the biggest financial risk. As a dealer, you need to ensure all data security loopholes are fixed in time. It has been reported that 60% of small to mid-size businesses went out of business within 6 months after a data breach. In this scenario, it’s recommended to seek advice from a specialist to curb the menace of data threats.
     
    Customer Communication

    If your dealership is complying with the various automotive regulations, then it’s fine. However, it’s important to send customers risk-based pricing and adverse action notices. A specialist can guide you on when and how to send risk-based pricing and privacy notices. They can review this issue and help you become compliant. Here, you can use digital marketing notices and campaigns. So, don’t be a laggard in this race.
     
     
    FTC and CFPB Compliance

    The FTC has become aggressively active in bringing enforcement actions against dealers. It adopts the CFPB’s rules and regulations approach in


    How Remote Delivery of Vehicles May Give Customers a Right to Cancel the Deal and What You Can Do to Avoid That Right

    5/21/2020


     
    The coronavirus pandemic of 2020 has changed the way dealers do business.  Many dealers are adopting new sales and vehicle delivery practices to accommodate state shelter-in-place laws or consumer stay-at-home mandates.  One way dealers are doing this is by arranging to bring the vehicle to the consumer's home, both for test drives and for vehicle delivery upon purchase or lease by the consumer.

    If not done properly, negotiating or delivering a vehicle other than at the seller's principal place of business can trigger an FTC rule as well as state laws governing door-to-door sales.  These require giving the customer a three-day right of cancellation of the transaction and mandate notices and forms relating to this right to cancel be delivered as well.

    The FTC's Rule on Cooling Off Period for Sales Made at Homes and Other Locations Outside of the Seller's Place of Business has been around since 1972.  Like state door-to-door sales laws, it requires that if the sale is conducted at the consumer's home, or any location other than the seller's place of business, the consumer must receive a three-day right of cancellation of the deal after it is consummated.  The consumer must be given a regulatory notice and two copies of a form to use to cancel by mailing one copy back to the dealer.   You have to wait five days to send the contract to a financing source and, if the customer cancels, return their down payment and trade-in vehicle within 10 days.  Not an ideal scenario for most dealers.

    However, two main exceptions to the Rule apply to defeat having to give the three-day notice of cancellation.  One exception is when the deal is conducted entirely by mail, telephone or online and without any personal contact with the consumer prior to vehicle delivery. 

    The second exception is when the sale is the result of prior negotiations at the seller's permanent place of business where the goods are sold regularly. 

    An FTC staff letter from 2001 stated that where the sale was negotiated and finalized without any face-to-face dealings, the dealer could bring the final contract documents along with the vehicle to the consumer and have the consumer sign the documents in their driveway.  This would not run afoul of the Rule.

    The danger comes when a test drive is conducted at a site other than your dealership.  In this case, if the sale or finance negotiations begin at the test drive, you won't meet either exception.  Likewise, if you deliver the vehicle and attempt to upsell the consumer on aftermarket products or change the deal at their home, you will also be responsible for giving the three-day notice of cancellation.

    The best scenario is when the customer comes to the dealership for the test drive and any negotiations begin there.  This would fit the second exception of the sale or lease being the result of prior negotiations at the seller's permanent place of business.  But what if the customer won't come to the dealership?

    The second-best solution is to have someone from the dealership with no authority to negotiate or conduct sales be the person who brings the vehicle to the remote location for the test drive, and to make it clear that any negotiations must be done by calling or emailing a salesperson whose name and contact information are given to the consumer.  Then, presumably, all negotiations will be done remotely. 

    This may not be a practical solution for some dealers.  If you must send a salesperson with the vehicle for a test drive, first adopt a Test Drive Policy that states clearly that no sales or finance negotiations can occur at a remote test drive.  When the salesperson returns to the dealership, they should put a note in the deal jacket or files indicating that the test drive took place and that, consistent with the policy, there were no discussions of price or financing terms.  The negotiations would begin only on a follow-up call or email to the consumer.  Again, all negotiations are done remotely.

    Same thing with delivery.  Do not deliver the vehicle without the final paperwork and do not attempt to continue negotiations for any product, service, or terms at the remote site.  If necessary, have the customer sign the documentation in their driveway, not in their home.  A better solution would be to have the customer electronically sign, sign and fax, or scan and email the signed documents to you for countersignature, so that when you deliver the vehicle, you are also delivering the final documentation signed by both sides.  (Don't forget to first send the customer electronically the review copy required by Truth in Lending.)

    These procedures should enable you to avoid having to give the three-day right of cancellation under the FTC Rule.  But you also have to worry about your state's law.  Some states such as Connecticut, New York, Ohio, and Kansas have adopted the FTC Rule.  Other states have not.  Many of those states do not have the exception for when the deal is conducted entirely by mail, telephone or online and without any personal contact with the consumer prior to vehicle delivery.  Most states do have the exception for remote delivery when the initial negotiations are done at the dealership, but check with your local counsel to learn the rules in your state and how to avoid the three-day right of cancellation under your state's law, which may be harder than avoiding it under the FTC Rule.

    Serious penalties and consequences can flow if you are required to give the right of cancellation but fail to do so.  It is a violation of Section 5 of the FTC Act (unfair or deceptive practices) for which the penalties currently are $43,580 per violation.  This figure is adjusted upward annually to reflect inflation.  State laws give private rights of action and state Attorneys General can enforce both the FTC Rule and state law together.

    Courts have also ruled that if a customer is not given a right to cancel when they are entitled to receive one, they have a "reasonable time" to cancel the transaction.  This could be a period of months and result in the consumer getting a free "test drive" for an extended period of time.  And hope you don't sell their trade because they are entitled to get it back when they cancel.  If the deal was financed by a lender, the lender will also require you to repurchase the contract.  So take care not to put yourself in a position where you negotiate with the consumer away from your dealership which could trigger the three-day right to cancel.

    The FTC has said it is taking careful note of complaints and conduct that violates the law during the coronavirus epidemic.  Remote sales are increasing substantially so it is important that you be aware of the possible three-day right to cancel.  For remote test drives and remote deliveries, you can either give the FTC-mandated notice and two copies of the three-day right to cancel and wait five days to finance the paper or try to fall within one of the exceptions by taking the conduct described above.

    We are here to help you so give us a call at 267-481-5636 or email us at AutoDealerCompliance@gmail.com and we will do what we can to help you through the coronavirus times and the behavioral changes necessary to cope.

    Contract Force Majeure Clauses May Provide a Defense to Delays in Performance Due to the Coronavirus or Related Government Action

    3/30/2020


     

     The coronavirus pandemic has made it difficult to impossible for dealers to perform certain contractual obligations.  Especially where shelter-in-place orders are in effect and auto dealer sales operations are considered to be non-essential businesses, a dealer forced to close its sales business may be unable to make payments due on floorplan loans or meet franchise sales quotas.  Other contractual obligations may be difficult or impossible to perform as well.
     
    One possible avenue for relief may be available in contract “force majeure” or Act of God clauses.  These clauses are typically contained in the contract boilerplate and are designed to allow a party to delay its performance or even terminate the contract if an enumerated force majeure event occurs.  The clause will list a series of events that typically include acts of military intervention, strikes, civil unrest, natural disasters, acts of God, and other calamities.  Some contracts include a “catch all” provision making reference to any unforeseen act beyond a party’s control, or words to that effect (e.g., “any act or occurrence beyond a party’s reasonable control and due to no fault of the party”).
     
    Reviewing Contract Force Majeure Provisions
     
    Force majeure clauses are not consistent across all contracts.  Your contract’s force majeure clause will dictate what events may delay or excuse performance.  An act of God is generally defined as an unusual or extraordinary natural event, such as floods, earthquakes, volcanic eruptions, tornadoes, hurricanes, blizzards, etc.  The contract clause may list pandemics or acts of government authority as examples of force majeure events or contain other language that may cover the coronavirus and associated government responses.  A general “catch-all” clause could also be argued to delay or excuse performance.  The contract language of the clause will ultimately determine whether or not you may be able to delay performance of a contractual obligation.
     
    Know that courts generally interpret force majeure clauses strictly, meaning they will not give an overly expansive interpretation to the enumerated events such as by limiting acts of God to mean extraordinary weather-related events.  A contract without a catch-all clause will be most strictly construed.  A catch-all clause at least gives you an argument that the list is not meant to be exclusive and a party’s ability to control the event is the determinative factor. Know, however, that most courts interpret a general catch-all provision to cover only externalities that are similar to those specifically stated in the balance of the clause.
     
    If a Force Majeure Event Applies, What Performance Does the Contract Require?
     
    Assuming there is a specific reference to a pandemic or you want to argue a “catch-all” clause applies to make the coronavirus outbreak and government responses a force majeure event, you still need to review the contract clause to see what performance is required.
     
    Force majeure clauses may codify an impossibility standard and require that performance of contractual obligations be “impossible” before all obligations are excused. Others may be less stringent, requiring only that the performance, in light of the triggering event, would be “commercially impractical.” So if your state or municipality has adopted a ban on gatherings of more than 50 people, that may provide a basis to fail to perform a meeting scheduled during the applicable time.  Also, not all force majeure clauses provide for termination of an agreement; many only excuse a delay in performance, providing that any failure to perform due to a triggering event during the force majeure event will not constitute a breach under the relevant agreement.
     
    Many force majeure clauses also require the affected party to make reasonable efforts to perform during the force majeure event to the extent it can do so. Again, it is the language of your specific contract that determines whether this is the case.
     
    Notice Required to be Given to the Other Party
     
    All force majeure clauses require the non-performing party to give notice to the other party, sometimes within very tight time deadlines.  Notice provisions may specify the form of the notice, to whom it must be sent, and the manner in which it must be sent. Additionally, many agreements will require that notices must provide sufficient specificity to make clear why the relevant triggering force majeure event applies to a given provision in a contract.
     
    Be sure to read the clause carefully and give timely notice in the manner required by the contract.
     
    Impossibility of Performance Defense
     
    In many states under the common law, there is an implied defense to performance if  a situation occurs that makes performance impossible.
     
    The party asserting this defense will bear a heavy burden of proving that the event was unforeseeable and truly rendered performance impossible, and the doctrine generally is applied narrowly. For example, assertions that the event rendered performance more expensive or difficult have been rejected under the impossibility doctrine.  As a result, some states, like California, have enacted statutes to address the impossibility of performance defense.  In California, the California Civil Code excuses performance under a contract when: “it is prevented or delayed by an irresistible, superhuman cause, or by the act of public enemies of this state or of the United States, unless the parties have expressly agreed to the contrary.”
     
    The presence of a force majeure clause in a contract does not necessarily negate the defense of impossibility of performance but may cause the court to interpret the impossibility defense in a manner consistent with the force majeure clause.
     
    Summary
     
    For any contracts made difficult or impossible to perform due to the coronavirus or the acts of government authorities such as shelter-in-place orders, review your contract carefully with your attorney and pay particular attention to the force majeure clause.  Note whether you can argue it applies and, if so, deliver timely and sufficient notice, and comply with any performance standards the clause requires.  Again, note that these clauses tend to be strictly construed by the courts but they may provide at least a bargaining chip to negotiate new performance arrangements with your counterparty.


    Used Car Selling Compliance Risks and Best Practices

    3/20/2020


     
    U.S. franchised dealers sold approximately 4.1 million used cars in 2019, an all-time high.  Overall, there were about 40 million used cars sold versus about 17 million new.   Used car sales are becoming a greater percentage of dealer sales generally.  Consumer “sticker shock” on new vehicle pricing (the average U.S. new vehicle sold for more than $37,000 in 2019, compared to just over $20,000 for a used vehicle) and the greater inventory of used vehicles spawned largely by vehicles coming off lease, were major factors. 
     
    But used car selling brings with it compliance risks that new car selling does not.  A new car typically comes with a manufacturer warranty and is priced at or below the manufacturer’s published MSRP.  The manufacturer assumes much of the risk relating to a new car sale.  
     
    A variety of different factors come into play with used cars including valuation, prior uses and vehicle condition, dealer or third-party warranties, title issues, and the dealer’s selling used vehicles that may be defective or less reliable than the consumer expects.  Litigation and arbitration relating to used vehicle sales is significantly higher than litigation and arbitration claims on new car sales.
     
    Let’s look at some compliance issues you need to be aware of in selling used vehicles.
     
    Used Car Buyers Guide
     
    The Federal Trade Commission (FTC) requires a Used Car Buyers Guide to be prominently affixed to every used vehicle a dealer offers for sale.  If the sales transaction is negotiated in Spanish, the customer must be given a Spanish copy of the Buyers Guide.  (Best practice: Give a copy of the Spanish Buyers Guide to any customer whose primary language is Spanish, even if the deal is negotiated in English).  The Buyers Guide becomes part of the sale contract and overrides any inconsistent terms.
     
    The FTC revised the Used Car Buyers Guide form in 2017.  You can find a copy on the FTC’s website, https://www.ftc.gov/tips-advice/business-center/guidance/buyers-guide.  Except in Maine and Wisconsin (which have their own forms), you should complete and display the FTC form on every used vehicle in inventory.  An FTC sweep of 94 dealers in 2018 revealed that only 7 were in compliance.  The others received a warning from the FTC that failure to comply may result in a fine of $43,280 per violation.  This is the measure of damages under Section 5 of the FTC Act prohibiting unfair and deceptive practices.
     
    The Used Car Buyers Guide focuses on dealer warranties, or the absence thereof.  Approximately 37 states permit “as is” sales of used vehicles without any dealer warranties.  The other 13 states and the District of Columbia do not permit disclaimer of implied warranties such as the warranty of merchantability which means the car runs as expected. 
     
    If you offer a warranty, it must be designated as a “full” warranty or a “limited” warranty.  You need to give the duration of the warranty, the specific vehicle systems covered in a limited warranty (the back of the Buyers Guide lists vehicle systems), the percentage of repair costs the dealer will pay, and any exclusions.  If a manufacturer or third-party warranty applies, you may, but are not legally obligated to, disclose that as well.  The detail is required only for a dealer warranty.
     
    There is no legal obligation for the consumer to sign the Buyers Guide but it is a good practice to do so.  You can put a box on the back of the Guide stating “I hereby acknowledge receipt of the Buyer’s Guide at the closing of this sale.”
     
    Complete the dealer information on the back of the Buyers Guide and designate a named person (not Used Car Sales Manager) and their phone number for a customer to contact.
     
    Remember that the Buyers Guide is not the warranty, only a summary of it.  Give the customer a copy of the complete warranty terms and conditions.
     
    Certified Used Vehicles
     
    A dealer can designate a used vehicle of the same franchise it represents as “certified” if all of the following conditions are satisfied:
     
    1. A manufacturer or dealer warranty applies.
    2. A manufacturer representative has certified the vehicle.
    3. You have conducted additional inspections on the vehicle over and above the inspections you perform on used vehicles generally.
    4. You have cured any outstanding recalls on the vehicle.
    5. You have met all state law requirements for the sale of “certified” vehicles.
     
    “As Is” Sales and Disclaiming Warranties
     
    As noted above, in approximately 37 states, a dealer can sell a used vehicle “as is” without any warranties.  In the other 13 states and the District of Columbia, implied warranties cannot be disclaimed.  In all states, implied warranties cannot be disclaimed if you provide an express warranty or sell the customer a vehicle service contract within 90 days of sale.
     
    Just because you are selling a vehicle “as is” does not mean you can withhold negative information about the vehicle from the consumer such as its prior use, whether it was in an accident, or whether it is a lemon law or rebuilt salvage vehicle.  A number of states have lemon laws that define a “lemon” (usually based on the number of unsuccessful repairs) and require that the vehicle be disclosed as such.  Giving the customer a vehicle history report like a CarFax® is a good idea but not an assurance of no liability.
     
    State laws govern the duty to inspect and disclose both patent and latent defects.  Any merchant is considered to be more qualified than a consumer to inspect and disclose any defects that a reasonable inspection would uncover.  Actively concealing defects or misrepresenting the condition of a vehicle is always a no-no.  Check with your local attorney to understand how far your state’s law goes in requiring inspections and disclosing the results.  It is always a good idea to keep a copy of the inspection report in the deal jacket to show your good faith.
     
    Claims Involving Vehicle Titling
     
    Some used car dealers retitle vehicles to avoid having to disclose vehicle damage.  A vehicle that has incurred water or hurricane damage may need a water damage title in some states and most states require a salvage title if an insurance company has declared the vehicle a total loss.  But some states do not.  “Title washing” occurs when a dealer takes the vehicle to a state that does not have the necessary title branding to obtain a clean title.  Title washing also occurs when an unscrupulous dealer removes the damage branding from the physical title.
     
    Title washing is a federal and state felony and dealers have served jail time for mass title washing.  Don’t even think about it.
     
    Odometer Disclosures
     
The federal Truth in Mileage Act requires the seller of a vehicle to disclose the odometer reading and certify whether, to the best of the seller’s knowledge, the reading reflects the actual mileage, the reading is not the actual mileage, or the actual mileage exceeds the odometer’s mechanical limits (for example, a six-digit odometer on a vehicle that has passed 999,999 miles).  This is typically done on the title, and both the buyer and the seller must sign the certification and disclosure.
     
Odometer tampering is relatively easy to do.  It involves removing the circuit board from the vehicle’s instrument cluster or connecting a reprogramming device to it.  A recent eBay search found such devices for sale at a price of approximately $120.
     
Rolling back odometers violates federal and state law.  Civil penalties run up to $43,280 per violation as a deceptive practice under Section 5 of the FTC Act.  The Truth in Mileage Act separately provides for civil penalties of up to $10,281 per violation, with each vehicle a separate violation, as well as criminal penalties of up to three years’ imprisonment for willful violations.
     
    Other Issues
     
Be careful when advertising used cars.  Try to avoid qualitative descriptions like “good as new,” “near new,” or “runs perfectly.”  These can come back and bite you.  Stick to quantitative descriptions such as the year, make, model, and mileage, the number of owners, and whether a full service history is available.  You also need to comply with Truth in Lending triggered-term requirements if you are advertising financing of the vehicle.  Many states also have laws requiring that if you advertise a vehicle in any medium at a set price, you must offer that price to every consumer, even those who never saw the ad.  Be able to defend your pricing with reference to an industry source such as NADA, Kelley Blue Book®, or Black Book.
     
Some dealers sell used vehicles with missing airbags or defective aftermarket airbags.  Unless this is disclosed to the consumer, some Attorneys General have treated it as an unfair or deceptive trade practice, and it likely breaches the implied warranty of merchantability as well.
     
Selling “grey market” vehicles from Canada or Mexico should also be avoided.  These vehicles may not meet U.S. environmental and safety requirements, and their sale in the U.S. frequently voids the manufacturer’s warranty.
     
    Recent Enforcement Activity
     
    State Attorneys General have been particularly active in scrutinizing dealer used car sales for violations.
     
In 2020, the Arizona Department of Transportation brought criminal charges against seven persons operating an illegal ring that altered over 31,000 vehicle titles for unlicensed dealers in 42 states, at about $100 per title.  The defendants altered the titles to make it appear as though the unlicensed dealers had bought the vehicles from one of the suspects’ 31 licensed dealer operations.
 
In 2019, the California Attorney General brought two actions: one against a dealership for title washing to conceal liens on used vehicles, and another for deceptive advertising of used vehicles.  The Pennsylvania Attorney General sued for deception and missing disclosure documents, Massachusetts and Delaware sued for financing customers on terms they could not afford, and the Ohio Attorney General brought two actions for failing to deliver clean titles.  Many Attorney General matters are handled and settled in confidential examinations and enforcement actions.  The settlements usually involve substantial penalties and reimbursements to affected customers.
     
    Summary
     
    As the front-line seller of used vehicles, your obligations to disclose warranties, defects, and odometer readings, along with your obligation to deliver a clean and accurate title, can provide challenges in used car selling.  Do a reasonable inspection (and a beyond-reasonable inspection for certified vehicles) and be up front with the customer about issues and expectations for the vehicle.  Selling used vehicles is an area ripe for regulatory investigations, arbitration claims, and lawsuits, but having a systematic process to obtain, inspect, and disclose issues with the vehicle should help you manage used car selling successfully.


    Randy Henrick to Partner with Ignite Consulting Partners

    1/6/2020


     


IGNITE CONSULTING PARTNERS ANNOUNCES NEW ADDITION TO THE TEAM!

Ignite Consulting Partners, a leading provider of compliance services to car dealers and finance companies, is pleased to begin 2020 by announcing a new addition to its team.
Randy Henrick has joined the team as the leader of Ignite’s new Franchise Dealer Group.  "Through Randy's work at DealerTrack, he is a recognized expert in the compliance challenges faced by franchise dealers, so it's only natural that he assumes a leadership role with Ignite," said Richard Hudson, Ignite's Managing Member.  Randy's background includes auto finance, privacy, data security, and consumer credit.  He was DealerTrack's regulatory and compliance counsel for twelve years.  He is a frequent speaker at industry events and the published author of numerous articles, including monthly articles in Subprime Auto Finance News.  Randy also provides training and compliance audits to dealers.
"Randy is a thought leader on dealer training and education, which philosophically aligns with Ignite's vision, plus he brings a wealth of expertise that will be a benefit to our clients, both franchise and independent dealers," said Steve Levine, Ignite's Chief Legal and Compliance Officer.  "I am pleased to affiliate with a dynamic and growing compliance leader such as Ignite," said Henrick.  "I think our association will benefit dealers of all types and provide creative and effective compliance solutions to our clients."
Randy will continue to offer compliance services and resources to dealers as principal of Randy Henrick & Associates, LLC.  Contact us at autodealercompliance@gmail.com


    2020 Auto Dealer Compliance Hot Issues

    12/10/2019


     

    It’s time to take out our annual crystal ball and see what are likely to be hot compliance issues for auto dealers in 2020.  Remember that 2020 is an election year.  Many state Attorneys General are running for re-election and a big splash enforcement action against an auto dealer is almost a regular campaign event to attract consumer support and consumer plaintiff attorneys’ campaign contributions.
     
Safeguards and Data Security  -  The Federal Trade Commission (“FTC”) dived into the auto dealer safeguards world with its 2019 consent decree against DMS provider DealerBuilt.  The FTC found DealerBuilt’s safeguards procedures inadequate (and the company did not even have a written safeguards policy).
The FTC ordered specific safeguards requirements for DealerBuilt as part of its 20-year consent decree.  These included encrypting personal data at rest and in transit; testing its systems, and monitoring and authenticating access to customer data; performing vulnerability scans and penetration tests on its network several times per year; contractually requiring service providers to safeguard information; submitting to a biennial third-party assessment of its security practices; and reporting to the FTC.
     
    The FTC also issued proposed regulations to amend the Safeguards Rule.  The Rule, since it was passed in 2002, has required dealers and other covered persons to implement security procedures reasonably related to their risk assessment.  The Safeguards Rule does not require any specific security practices.
     
But the proposed amendment would, among other things, require all dealers to:
- designate a senior officer as the Chief Information Security Officer responsible for managing compliance with the dealer’s Safeguards Plan;
- encrypt customer non-public personal information at rest and in transit;
- create and periodically test a written incident response plan, with a committee of internal officers and external professionals who respond to an actual or suspected security breach;
- place access controls on information systems, require multi-factor authentication (for example, a password plus a one-time code or a biometric) for anyone accessing customer information, and permit access only to individuals who need consumer information to do their job;
- adopt audit controls that log who accesses customer information and when;
- conduct annual penetration testing and vulnerability assessments at least every six months;
- oversee service providers on information security and train employees at least once a year on security practices; and
- develop secure procedures for destroying information when it is no longer needed.
     
Americans with Disabilities Act (“ADA”) Website Compliance  -  A number of courts have ruled that websites are “places of public accommodation” under Title III of the ADA.  This means dealers need to make their websites accessible to people with disabilities, such as people who are blind or visually impaired, or deaf or hard of hearing.  Lawyers have been holding dealers up with settlement demands where the dealer site is not ADA-compliant, and have filed hundreds of ADA suits when they could not extract a settlement.

    There are no federal standards to clarify what compliance is but there are industry standards such as the Web Content Accessibility Guidelines (WCAG). WCAG 2.0 AA is frequently referenced by courts.
     
    Your best action is to take affirmative steps to attempt to make your website accessible to disabled individuals.  You have flexibility in meeting the ADA and a good faith effort to do so may be enough to dissuade the lawyers from making you the next target.  Here are some elements you should include:
     
Start by adding alt text to every meaningful image on your site.  All video-only and audio-only content needs a text transcript.  Transcripts should be clearly labeled and linked below the media.  All video with sound should contain accurate closed captioning.  Any live video presentations must have closed captions.  Audio descriptions of video and images should also be included.
    Use proper markup techniques to structure your website’s content (e.g. use correct heading tags and HTML for ordered and unordered lists).  Present content in a meaningful order and sequence so that it reads properly.  When providing detailed instructions, make it so they aren’t reliant on a single sensory ability.

There must be a color contrast ratio of at least 4.5:1 between all normal-size text and its background (3:1 for large text).  Text must be able to be resized up to 200% without negatively affecting the ability to read content or use functions.
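The 4.5:1 figure is computable, so it can be checked automatically rather than eyeballed.  The following script is an added example, not code from the original post or from any accessibility vendor: it implements the WCAG 2.0 relative-luminance and contrast-ratio formulas for CSS hex colours and reports pass or fail against the AA thresholds (4.5:1 for normal text, 3:1 for large text).  The colour pairs at the bottom are constructed, not taken from any dealer’s site.

```python
"""WCAG 2.0 contrast-ratio check.

Added example, not part of the original post.  Implements the relative
luminance and contrast ratio definitions from WCAG 2.0 (success criterion
1.4.3 requires 4.5:1 for normal text and 3:1 for large text).  Colours are
CSS hex strings such as "#777777" or "#fff".
"""
from __future__ import annotations


def _srgb_channel_to_linear(c8: int) -> float:
    """Linearise one 8-bit sRGB channel exactly as WCAG 2.0 defines it."""
    c = c8 / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def parse_hex(color: str) -> tuple[int, int, int]:
    """Parse '#rgb' or '#rrggbb' into an (r, g, b) tuple of 0-255 ints."""
    s = color.strip().lstrip("#")
    if len(s) == 3:                       # expand shorthand "#abc" -> "#aabbcc"
        s = "".join(ch * 2 for ch in s)
    if len(s) != 6:
        raise ValueError(f"unsupported colour {color!r}")
    return int(s[0:2], 16), int(s[2:4], 16), int(s[4:6], 16)


def relative_luminance(color: str) -> float:
    """L = 0.2126 R + 0.7152 G + 0.0722 B on the linearised channels."""
    r, g, b = (_srgb_channel_to_linear(v) for v in parse_hex(color))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(fg: str, bg: str) -> float:
    """(L1 + 0.05) / (L2 + 0.05), with L1 the lighter of the two colours."""
    l1, l2 = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (l1 + 0.05) / (l2 + 0.05)


def passes_aa(fg: str, bg: str, large_text: bool = False) -> bool:
    """WCAG 2.0 AA: 4.5:1 for normal text, 3:1 for large text."""
    return contrast_ratio(fg, bg) >= (3.0 if large_text else 4.5)


def audit_palette(pairs):
    """Return [(fg, bg, ratio, passes)] for (fg, bg) pairs, e.g. pulled from a stylesheet."""
    return [(fg, bg, round(contrast_ratio(fg, bg), 2), passes_aa(fg, bg)) for fg, bg in pairs]


if __name__ == "__main__":
    # Constructed sample pairs, not colours from any real site.
    sample = [("#000000", "#ffffff"), ("#767676", "#ffffff"),
              ("#777777", "#ffffff"), ("#999999", "#ffffff")]
    for fg, bg, ratio, ok in audit_palette(sample):
        print(f"{fg} on {bg}: {ratio}:1 {'PASS' if ok else 'FAIL'}")
```

The two grey samples are the instructive case: #767676 on white clears 4.5:1 by a hair while #777777 does not, so a designer’s “looks fine” is no substitute for running the numbers across every text/background pair the stylesheet produces.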

All content and functions on a website must be accessible by keyboard only (i.e. no mouse).  Keyboard-only users must never get stuck on any part of the website; they must be able to navigate forwards and backwards.  If there are any time limits on a website, or content that blinks, scrolls, or moves, users should have the ability to turn it off, pause it, stop it, adjust it, or extend it.

Your website also must be predictable and understandable.  The “Understandable” principle of WCAG 2.0 (guidelines 3.1 through 3.3: readable, predictable, and input assistance) describes how to accomplish this as well.

Criminal Prosecutions of Dealer Principals  -  The past two years have shown an increase in federal and state authorities seeking criminal convictions of dealer principals, as well as sales and F&I employees, for wrongful acts at the dealership.  The wrongful acts include payment packing, misrepresenting income and other fields on credit applications, misstating down payments on retail installment sales contracts and lease agreements, and other bad acts.

The Department of Justice (DOJ) has used the bank fraud and wire fraud statutes as the linchpins for these prosecutions.

    Bank fraud covers any “scheme or artifice” intended to “defraud a financial institution,” or the use of deceptive means to obtain something of value that a financial institution owns or controls. A conviction under the federal law can result in up to 30 years in prison, a fine of up to $1 million, or a combination of the two. 

    The essential elements of wire fraud are: (1) a scheme to defraud; and (2) the use of, or causing the use of, interstate wire communications to execute the scheme. 
     
So, dealer acts that misstate a customer’s income to obtain credit, or that “front end” optional aftermarket products so that a bank ends up undersecured or makes an unsafe or unsound credit decision, will qualify.  The DOJ has used both statutes to seek and obtain criminal convictions of dealer principals and of the sales and F&I managers who committed the wrongful acts.
     
    State AGs are also using the criminal law against dealer principals.  AGs in Pennsylvania, Massachusetts, California, New York, and New Jersey have been particularly active.
     
    Internet Advertising  -  The FTC has issued guidelines for Internet advertising and most of its advertising enforcement actions now address websites and social media.  Google “FTC Advertising and Marketing on the Internet: Rules of the Road”  

    The same rules that apply to print and television advertising apply to Internet advertising.  Triggering terms require inclusion of triggered terms under Truth in Lending and the Consumer Leasing Act.  “Clear and conspicuous” disclosures must be placed close to the headline and not buried in scrolling text paragraphs.  Hyperlinks can be used but not for any disclosure that is “an integral part of the claim.”
     
    Social media advertising generally involves many moving images and sounds.  This can distract from required disclosures especially if they are not located on the same page or require the customer to move around the page to find them.

    The FTC’s requirements for clear and conspicuous disclosures on social media in particular require that ads considered as a whole be honest, straightforward, and disclosures be clear and conspicuous given consumer reading habits on the Web.  Consider your own reading habits of scrolling paragraphs and understand that the disclosures must be at the top and not buried in the middle of rambling text.  The FTC guidelines describe additional online advertising requirements such as making the disclosures clear and conspicuous in any device on which they can be seen and not using media that does not have capacity for necessary disclosures.
     
    Military Lending Act  (“MLA”) -  Since December 2017, Department of Defense rules have effectively prohibited the sale of GAP and credit insurance to MLA covered persons.  Your credit bureau will typically identify whether a consumer is an MLA covered person when it provides you with a credit report.  Until the rule is repealed (hopefully some time in 2020), make sure you check a consumer’s status under the MLA before you sell them GAP, credit insurance, or give them an option of taking cash out of a financing.  

Other Issues  -  Other issues include the FTC’s field tests of dealers’ use of Used Car Buyers Guides on all used vehicles offered for sale; federal rules requiring that paid reviews on websites be disclosed as paid testimonials, and federal law prohibiting contract clauses that bar customers from posting negative comments about the dealership online; FTC scrutiny of “spot deliveries,” or “yo-yo financing” as the FTC has termed the practice in consent orders with dealers; Equal Employment Opportunity Commission (EEOC) actions against auto dealers for sexual harassment and sex discrimination; and battles with DMS providers and state laws over who owns and can use dealer data.

    Other and new issues will also emerge.  Keep up with ongoing developments by reading publications, attending compliance programs, and working with your state dealer associations. 

And have a Happy New Year!


    EEOC On the Aggressive Against Dealers for Discrimination

    10/15/2019


     
Among the regulatory compliance actions we have seen in just the past few months is increased interest by the Equal Employment Opportunity Commission (EEOC) in dealer and automobile industry workplace discrimination.

    Most recently, the EEOC has filed actions for age, disability, and sex discrimination against dealers.  Several private sexual harassment and sex discrimination lawsuits have also been filed against dealers seeking six and seven figure damages awards.


    Age Discrimination


    The EEOC’s most recent action was filed against a dealer group in Cleveland.  The EEOC accused the dealer of intentionally subjecting older workers to age discrimination.  According to the suit, the dealer discriminated against a former employee by refusing to re-hire her because of her age (52), and for terminating two sales employees because of their ages (67 and 70).


As a result of these practices, the EEOC brought a lawsuit alleging the dealer violated the Age Discrimination in Employment Act (ADEA), which prohibits age discrimination in employment against people who are age 40 or older.  The lawsuit seeks monetary relief, including back pay and liquidated damages for the three former employees, plus attorney’s fees.  The suit also seeks injunctive relief to prevent future age discrimination, including an order for the dealer to institute policies, practices and procedures that conform to the requirements of federal law.


    Disability Discrimination


In another recent case, Ford Motor Company's Kentucky Truck Plant in Louisville, Ky., will pay up to $537,760 and furnish other relief to resolve a disability discrimination charge by the EEOC.
    The EEOC's investigation found reasonable cause to believe that the Kentucky Truck Plant failed to hire applicants due to their disabilities. This also included screening out applicants based on criteria not shown to be job-related and consistent with business necessity, and failing to use the results of post-offer, pre-employment medical examination in accordance with the requirements of the Americans with Disabilities Act (ADA). Ford chose to voluntarily resolve the matter with the EEOC, without an admission of liability, to avoid an extended dispute.


    The conciliation agreement provides relief to 12 individuals in addition to the person who filed a charge with the EEOC, and the EEOC retains discretion to distribute some of the funds to individuals it has yet to identify. The agreement also calls for the Kentucky Truck Plant to provide additional written guidance and training to employees involved in the pre-employment, post-conditional offer medical exam process, along with one-hour training on the ADA to the facility labor relations staff.


    In a disability discrimination suit against a dealer, the dealer agreed to pay $27,100 to a former employee as part of the settlement of a lawsuit brought by the EEOC.



    According to the EEOC's lawsuit, the company refused to provide a medical leave of absence as an accommodation to an employee who suffered from anxiety and depression and then fired her because of her disability.

    In addition to paying the former employee $2,100 in back pay, the dealer will also pay $25,000 in compensatory damages. Further, the dealer agreed to:


- review and revise its written policy prohibiting disability discrimination, to ensure that the policy specifically explains the process by which an employee requests a reasonable accommodation;
- disseminate a copy of the policy to all employees;
- within 90 days of entry of the decree, have all employees sign and acknowledge receipt of the revised policy; and
- train all managers at its corporate office and at its dealerships on disability discrimination and reasonable accommodations.


    Sex Discrimination


    Sex discrimination and sexual harassment or retaliation are probably the most likely legal actions a dealer will face.


    Recently, the EEOC brought a lawsuit against a dealer in St. Louis claiming it violated federal law when it refused to hire a female salesperson.  


    According to the suit, the owners bought an existing car dealership in 2017. After the purchase, they hired all the prior owner’s staff except one, the sole female salesperson, despite her successful sales record and previous customer service award. At the time, an executive told another manager, "This is not a lady's job yet."


    Such alleged conduct violates Title VII of the Civil Rights Act of 1964 ("Title VII") which prohibits discrimination in employment based on race, color, national origin, sex, and religion. After first attempting to reach a pre-litigation settlement through its conciliation process, the EEOC filed the lawsuit in U.S.  District Court for the Western District of Oklahoma where the dealership group has its headquarters. The agency seeks monetary damages, training on anti-discrimination laws, posting of anti-discrimination notices at the worksite, and other injunctive relief.


    "Federal law has guaranteed equal employment opportunity for women for over 50 years, but some employers still say, 'not yet'," said Andrea G. Baran, the EEOC's regional attorney in St. Louis.  "We are committed to ensuring that the millions of women who work in male-dominated industries every day are judged solely on their abilities, not their gender."


    In another suit in Reno, Nevada, the EEOC sued a dealer for quid pro quo and hostile work environment sexual harassment and sex discrimination.


     According to the EEOC's lawsuit, a female car salesperson hired into an all-male sales department was denied access to online training, sales opportunities, and payroll advances routinely available to her male counterparts. Her male co-workers frequently refused to assist her, despite readily helping each other. Frequently, her deals were overly scrutinized and rejected without justification. In addition, on an almost daily basis, she endured offensive comments about her sex, appearance and weight, and negative comments about women working in car sales. Although the discriminatory conditions were reported to management by both the saleswoman as well as a manager, the company took no action. Finally, the saleswoman was forced to quit to escape the abuse, the EEOC said.


    Such alleged conduct violates Title VII. After first attempting to reach a pre-litigation settlement through its conciliation process, the EEOC filed the lawsuit  in U.S. District Court for the District of Nevada and seeks monetary damages on behalf of the saleswoman, training on anti-discrimination laws, posting of notices at the worksite, and other injunctive relief.


    "Our investigation found that sex-based discrimination was very open and flagrant - the saleswoman was warned during her interview that the all-male staff did not want women around, and that certainly turned out to be true," said William Tamayo, director of the EEOC's San Francisco District Office. "When an employer knows its workplace is infected with discriminatory attitudes, the employer is required by law to take steps to prevent and halt a hostile work environment. Instead, [the dealer] did nothing, and forced a valuable employee to quit to escape unacceptable abuse."


    Race and National Origin Discrimination


    The EEOC sued a dealership when the general manager at a Wheaton, Md. store repeatedly made derogatory comments to a sales consultant, who is of South Asian origin and is dark-skinned. Although the sales consultant objected, the comments persisted, sometimes in the presence of others. In addition to the demeaning names, the general manager even threw things at him. On one occasion, the general manager groped the sales consultant while calling him a "serial killer" and "creepy brown person." The general manager asked the sales consultant who he was going to kill and where the bodies were buried, the EEOC charges.


    The sales consultant felt traumatized by the groping incident and as a result took leave. He complained to the dealership’s human resources director who, after a purported investigation, told the sales consultant he either would have to continue reporting to the general manager or transfer to another dealership an hour away. The EEOC says that the sales consultant was forced to resign based on the dealership’s inadequate response to the unlawful harassment.   


    The EEOC filed suit in the U.S. District Court for the District of Maryland, Greenbelt Division, after first attempting to reach a pre-litigation settlement through its conciliation process.


    What’s a Dealer to Do?


    This aggressive enforcement policy of the EEOC means that now is a good time to review your anti-discrimination and anti-harassment policies and schedule training for all your employees.


    All such policies should contain a clear anti-retaliation provision ensuring that employees can and should report violations either through an internal escalation process, directly to a senior officer, or through a third-party whistleblower hotline.  The third-party approach is probably most palatable to aggrieved employees and best to preserve confidentiality to the extent it can be preserved.


    Studies have shown that the two biggest obstacles to employees reporting workplace wrongdoing are a fear of retaliation or a belief that nothing will change.  Both fears must be displaced by senior management’s buy in and making visible changes in the workplace such as disciplining or terminating the offenders.  Your dealership must be committed to a zero-tolerance policy for workplace discrimination or any form of harassment. 


    Harassment outside of the workplace can also be imputed to the dealer.  This occurs when, for example, a manager takes subordinates out for drinks after work or at an office holiday party.  Your dealership should also have a policy on office fraternization and dating.  These situations are also ripe for sexual harassment and retaliation claims.  Under no circumstances should managers be permitted to seek to date their subordinates and managers must show exemplary behavior as the models for the workplace.


    If claims are reported, you must have a process in place to investigate and address the allegations quickly and completely.  An external employment lawyer can be a good resource to help you establish such a process and possibly serve as a resource in the investigation team which can enable certain communications to be privileged.


    Finally, do not forget to review employment hiring processes and make certain they are covered by your policies as well.  Periodically look at your workforce and promote diversity in hiring.  An all-male, all-white sales force was a catalyst for several of the EEOC’s actions described above.  Don’t be the next victim.

    The Need for a Compliance Management System in Your Dealership

    8/16/2019


     
I don’t have to tell you that auto dealers are among the most heavily regulated businesses in the U.S.  Federal, state and local laws and regulations, from sales and F&I to environmental and OSHA, are just the beginning.  It is important to have a master compliance system for coordinating all the dealership’s policies and for laying out for employees the expectations for their behavior both in the workplace and with customers.  Hence a Compliance Management System (CMS).
     
    There is no “one size fits all” CMS although there are basic things it should include.  A dealership’s Code of Ethics and Code of Conduct signed off on by the Board is an important place to start because these touch everything the dealer does.  They also establish the corporate “culture of compliance” which is something any regulator investigating the dealership will want to see and know.
     
    Both the Code of Ethics and Code of Conduct need to be ingrained in every employee and vendor working at the dealership.  It is also important to get third party buy in from remote vendors working on your business.  IT vendors, security vendors, DMS providers, agencies producing material or providing temporary staffing.  The list goes on.  All must acknowledge and commit to the Code of Ethics and Code of Conduct for all dealer-related activities.
     
    Risk-Based Analysis of Issues Applicable to the Dealer
     
    Before appointing a Chief Compliance Officer and adopting substantive policies that compose the CMS, the Board or its representatives must do a risk-based analysis of issues and risks the dealer faces in everyday affairs.  This includes things like sexual harassment (the issue that drives the majority of lawsuits a dealer will encounter); data privacy and Safeguards; wholesale vehicle acquisition; complying with laws and regulations for pulling credit bureaus, taking credit apps, telemarketing, and prospecting; aftermarket product selling; fair lending; OSHA and workplace safety; environmental issues; insurance issues; licensing and periodic regulatory audits; resolving customer disputes; manufacturer relations; customer identity verification procedures (the FTC Red Flags Rule); and other issues.  A consumer complaint process is a necessary component of a CMS.
     
    From this risk assessment, the Board will determine its risk tolerance in the various areas identified and begin the process of issuing compliance procedures to meet the risks.  The nuts and bolts of the CMS policies will be drafted by the Chief Compliance Officer in conjunction with counsel but the Board prioritizes risk and indicates the areas where attention and process must be focused.
     
    Ultimately it is the Board or senior management that is responsible for the CMS and through its practices, statements, audits and periodic meetings with the CCO, the Board must exercise its oversight of dealership compliance.  A CCO should report to the Board or, if the dealer has no Board, the Chief Executive Officer.
     
    Appointment of Chief Compliance Officer and Preparing Policies
     
    The appointment of a Chief Compliance Officer (CCO) is necessary as the CMS is developed and processes and procedures are developed for managing risk and reporting deviations from behavior.  The CCO should be “at the table” as new products and procedures are developed by the dealership.  He or she must make sure the Board is informed and the Board must make available resources to the CCO so that all processes and procedures can be followed, tested, audited and refined.
     
For example, a customer data Safeguards program is required by the Federal Trade Commission’s (FTC) Safeguards Rule.  The Board should assess the risk of data being compromised in both paper and electronic form and work with the CCO to: adopt access permissions so that only people who need non-public personal information to do their jobs can reach it; log each individual access to non-public personal information by each user; establish a standard for unusual use that is flagged and requires further investigation; and stand up a security incident response committee consisting of senior management, the CCO, legal counsel, an IT or forensics specialist, a breach response firm, a PR firm, and other internal and external resources to investigate an incident and manage a breach.  A data breach is your single biggest risk of being put out of business financially, and the policies and procedures that track data and manage its use are a critical element of a Safeguards Policy and of the CMS.
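The access tracking and “unusual use” standard described here, like the audit-control item in the 2020 hot issues post above, come down to keeping a per-user log of NPI access and reviewing it against a baseline.  The script below is an added example, not code from the original post or from any DMS vendor: the log format, the field names, the business hours and the thresholds are all assumptions made for the example, and the sample log is constructed.  It flags after-hours and weekend access, bulk actions such as exports, and any day on which a user touched several times their own median daily volume.

```python
"""Audit-trail review for customer NPI access.

Added example, not part of the original post.  Reads an access log of the
kind a Safeguards audit control produces, builds a per-user baseline and
flags activity that deserves a second look.  The log format, field names,
business hours and thresholds are assumptions, not any DMS vendor's format.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO timestamp> user=<id> action=<verb> record=<customer id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+record=(?P<record>\S+)"
)

BUSINESS_HOURS = range(7, 21)   # 07:00-20:59 local; assumed store hours
SPIKE_FACTOR = 3.0              # flag a day above 3x the user's median daily volume...
MIN_FLAG_COUNT = 20             # ...but only once the count is material
BULK_ACTIONS = {"export", "print_all"}   # always reviewed, whatever the volume


def parse_log(text: str) -> list[dict]:
    """Parse log lines; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def daily_counts(events: list[dict]) -> dict:
    """{user: {date: number of customer records touched that day}}"""
    counts: dict = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["user"]][ev["ts"].date()] += 1
    return counts


def find_anomalies(events: list[dict]) -> list[str]:
    findings = []
    for ev in events:
        when = ev["ts"]
        # 1. access outside store hours or on a weekend
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            findings.append(f"after-hours: {ev['user']} {ev['action']} {ev['record']} at {when.isoformat()}")
        # 2. bulk actions are reviewed every time
        if ev["action"] in BULK_ACTIONS:
            findings.append(f"bulk-action: {ev['user']} {ev['action']} {ev['record']} at {when.isoformat()}")
    # 3. volume spike measured against the same user's other days (median is robust to the spike itself)
    for user, per_day in daily_counts(events).items():
        days = sorted(per_day)
        if len(days) < 2:
            continue
        for day in days:
            baseline = statistics.median(per_day[d] for d in days if d != day)
            n = per_day[day]
            if n >= MIN_FLAG_COUNT and n > SPIKE_FACTOR * baseline:
                findings.append(f"volume-spike: {user} touched {n} records on {day} (baseline {baseline:g}/day)")
    return findings


# Constructed sample log (not real data): jsmith does 5 lookups a day for three
# weekdays and then 25 on the fourth; rjones has a 02:30 lookup and a full export.
SAMPLE_LOG = "\n".join(
    [f"2020-08-0{d}T10:{i:02d}:00 user=jsmith action=view record=cust-{1000 + i}"
     for d in (3, 4, 5) for i in range(5)]
    + [f"2020-08-06T11:{i:02d}:00 user=jsmith action=view record=cust-{2000 + i}"
       for i in range(25)]
    + ["2020-08-05T02:30:00 user=rjones action=view record=cust-3101",
       "2020-08-05T14:05:00 user=rjones action=export record=all-customers"]
)

if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

In practice the log comes from the DMS or CRM audit trail, the hours and thresholds are tuned to the store’s real volume, and each finding is tied to a ticket so that the follow-up investigation is itself auditable.  Note that the baseline is a median over the user’s other days: a single large day cannot drag its own threshold up, which is the mistake a plain average would make.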
     
Periodic vulnerability assessments and penetration tests, in which authorized “white hat” testers attempt to break into your systems and into the devices you have approved for testing, are a must in today’s environment.  The CCO must keep the Board informed of new security issues and obtain the approval and resources to test the system and make the necessary changes.
     
    Policies and Procedures
     
A policy sets forth a higher-level standard about what the law, regulations and the dealership require and establishes how potential violations are to be handled and addressed.  Procedures take the broad sweep of a policy and provide specific details for each position in the organization that the policy touches.
     
    It is important for line managers to be the first level of defense by assessing the compliance behavior of their direct and indirect reports.  If an incident or pattern of non-compliance is detected, the line manager meets with the CCO to begin implementation of the process described in the policy for potential violations.  Depending on the seriousness of the violation, senior management or the Board may also need to be involved.
     
A good example is a sexual harassment policy.  The policy should make clear that even the appearance of sexual harassment or a hostile work environment is a trigger for corrective action.  Employees must feel they can report misconduct without retaliation, and the use of a third party reporting company may make employees less fearful than reporting a possible violation internally.  Anonymity should be preserved where possible but cannot be guaranteed, because in the course of a disciplinary proceeding or investigation the reporting person’s identity is likely to come out.  This is why a non-retaliation policy is critical.  The reporting procedures and non-retaliation policy should be publicized to all employees by training, posters in the lunchroom, and other visible assurance.
     
    Reporting and Audits
     
    Any CMS must have reporting procedures and procedures for internal as well as external audits of compliance.  This can be anything from periodic inspection of deal jackets by the CCO to ensure documentation is being handled properly to a financial audit to an OSHA audit.  The CCO will not do all the audits but will work with the subject matter auditing teams (internal or external) to make sure that identified discrepancies are quickly addressed and policies and procedures changed accordingly, as necessary. 
     
    Training, the Employee Handbook, and Updates
     
    Ongoing training of all employees is a critical element of a CMS and is required periodically by some states such as New York and California for sexual harassment and other subjects.  Generally, there is no required format for training although state law may require a live trainer for certain subjects.  Check with your local counsel.
     
    The Employee Handbook should include the Code of Ethics and Code of Conduct in their entirety and link to the other policies as well as constitute a basis for Human Resources topics such as paid time off, disability and other benefits.  It is best to have the Employee Handbook done electronically with each page dated so that as revisions are made, they can be identified.  It does not have to be a long document but all employees should read the Employee Handbook and link to the policies and procedures applicable to their jobs.  A test on the Employee Handbook once a year is another good practice to supplement training.
     
Updates come from many different places.  Changes in law, case law decisions, new regulations, audit findings, and employee feedback are the main examples.  But patterns of behavior that don’t rise to the level of a violation can also create the need for changes.  Security is a constantly evolving area, and employees should be reminded of safe Internet practices and perhaps subjected to a mock phishing drill in which a fake phishing email is sent to all employees to track who clicks on the link.  Behavioral testing of this kind is generally more effective than classroom or book training alone.  Again, consider your risk options and what procedures work best for your dealership.
     
    Summary
     
    A CMS is the lifeline of a dealership.  If done properly, it will establish the culture of compliance and bring employees into the culture by providing the process and procedures they need to do their jobs compliantly.  Systems will be in place to require managers to report potential incidents, systematic procedures will track access to customer information, and auditing will identify issues that can be corrected or better performed.  The evolving nature of a CMS will require ongoing training but it can be customized to each employee’s position so everyone doesn’t have to learn everything. 
     
Regulators have expressed a strong desire for a CMS, and if it is broken down into the pieces discussed in this article, involving the Board and appointing a knowledgeable Chief Compliance Officer, the process should not be daunting, especially if input is sought from employees and managers in developing the processes and procedures so that they have an ownership interest as well.  Good luck with your CMS process, and seek help from your outside counsel or compliance resource as necessary.


    FTC Safeguards Consent Order for the Auto Dealer Industry

    6/21/2019

    The FTC recently entered into a 20-year consent decree with an auto dealer management system (“DMS”) provider having approximately 180 auto dealer clients.  The consent decree related to deficiencies in its Safeguards process and security system that permitted a hacker to access its unsecured backup database that contained the unencrypted nonpublic personal information (“NPI”) of approximately 12.5 million consumers, stored by 130 of its dealer customers.  The entire customer files and all NPI of five dealers were accessed through an open port on the DMS provider’s backup storage unit.

    The complaint is the first FTC Safeguards action involving data breaches in the auto industry.  It effectively lays out the FTC’s requirements for meeting the Safeguards Rule with respect to auto dealers.  In this case, the auto dealers outsourced their data storage to the DMS provider and failed to take steps to monitor or investigate the DMS provider’s security until it was too late.  The breach was uncovered when one dealer found all of its customers’ NPI for sale on the Internet.
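The exposure described above, a backup storage unit listening on an open port that anyone on the Internet could reach, is exactly what a routine check of listening services against an approved-service inventory would catch (the device-inventory shortfall is discussed further on). The block below is an added example, not code from the FTC order, the DMS provider, or the author of this post. It assumes per-host socket listings in the shape of `ss -tlnp` output and an invented inventory; the hostnames, addresses, processes and the `10.20.0.0/16` internal range are all constructed for the illustration.

```python
"""Check every listening socket on each server against an approved-service
inventory and flag anything exposed more widely than the inventory allows.

Added example, stdlib only. Hostnames, addresses, processes and the inventory
are constructed for this illustration; none of it comes from the FTC complaint.
"""
import ipaddress
import re

# Constructed listings in the shape of `ss -tlnp` output, one block per host.
SOCKET_LISTINGS = {
    "dms-app-1": """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    10.20.0.11:22       0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    10.20.0.11:443      0.0.0.0:*         users:(("nginx",pid=1402,fd=6))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
""",
    "backup-nas-1": """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=402,fd=3))
LISTEN 0      50     0.0.0.0:873         0.0.0.0:*         users:(("rsync",pid=777,fd=4))
LISTEN 0      50     [::]:445            [::]:*            users:(("smbd",pid=780,fd=9))
""",
}

# Approved inventory (constructed): (host, port) -> widest bind scope allowed.
# "loopback" = local processes only; "internal" = an address on INTERNAL_NETS;
# "any" = every interface (0.0.0.0 / ::), i.e. reachable from anywhere.
APPROVED = {
    ("dms-app-1", 22): "internal",
    ("dms-app-1", 443): "internal",
    ("dms-app-1", 5432): "loopback",
    ("backup-nas-1", 22): "internal",
    ("backup-nas-1", 873): "loopback",   # backup agent runs on the box itself
    ("backup-nas-2", 22): "internal",    # in the inventory but sent no listing
}
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SCOPE_RANK = {"loopback": 0, "internal": 1, "any": 2}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'"([^"]+)"')


def parse_listing(text):
    """Yield (bind_address, port, process) for each LISTEN line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header or non-LISTEN line
        local, proc_field = m.groups()
        addr, _, port = local.rpartition(":")
        pm = PROC_RE.search(proc_field)
        yield addr.strip("[]"), int(port), (pm.group(1) if pm else "?")


def bind_scope(addr, internal_nets=INTERNAL_NETS):
    """Classify how far a bind address is reachable from."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:                 # 0.0.0.0 or :: means every interface
        return "any"
    if any(ip in net for net in internal_nets):
        return "internal"
    return "any"                          # a public address: treat as exposed


def audit(listings, approved, internal_nets=INTERNAL_NETS):
    """Return sockets that are unapproved or bound wider than approved,
    plus inventoried hosts that reported no listing at all."""
    findings = []
    for host, text in listings.items():
        for addr, port, proc in parse_listing(text):
            scope = bind_scope(addr, internal_nets)
            allowed = approved.get((host, port))
            if allowed is None:
                findings.append((host, port, "unapproved",
                                 f"{proc} listening on {addr}:{port} is not in the inventory"))
            elif SCOPE_RANK[scope] > SCOPE_RANK[allowed]:
                findings.append((host, port, "scope",
                                 f"{proc} bound to {addr} ({scope}); inventory allows {allowed}"))
    unreported = sorted({h for h, _ in approved} - set(listings))
    return {"findings": findings, "unreported_hosts": unreported}


def audit_sample():
    return audit(SOCKET_LISTINGS, APPROVED)


if __name__ == "__main__":
    result = audit_sample()
    for host, port, kind, detail in result["findings"]:
        print(f"{host}:{port} [{kind}] {detail}")
    for host in result["unreported_hosts"]:
        print(f"{host}: in inventory but no listing received")
```

On the constructed data every finding lands on the backup appliance: its rsync port is approved for local use only but is bound to every interface, SSH is exposed wider than approved, and an SMB listener is not in the inventory at all, while a second backup host in the inventory never reported. The check says nothing about whether the exposed services require authentication or encrypt data; it only establishes what is reachable, which is the question the DMS provider evidently never asked of its backup unit.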

    The Security Failures of the DMS Provider

    Here are the shortfalls in the DMS provider’s Safeguards program.  These are shortfalls you should consider in your annual Safeguards review and your Safeguards policy updates.
• Failing to conduct periodic risk assessments or perform vulnerability and penetration testing of the network  -  Data security is a moving target as new threats emerge daily.  An IT professional can run penetration tests that attempt to break into your systems as well as scan individual workstations to see if any have been compromised.  Running mock phishing tests on employees and seeing how many click on the mock link is another good idea.  This should be done at least annually; any system deficiencies or compromised workstations must be corrected immediately, and any attacker foothold that is found must be immediately contained and removed.
    • Failure to use readily available security measures to monitor its systems and assets at discrete intervals to identify data security events and the effectiveness of security measures -  You need your IT officer to map the normal workings of your system and identify irregular patterns of activity that may indicate someone has hacked in.  Examples would be irregular patterns of access to NPI by or through system users or administrative privileges being exercised by unauthorized persons.  This requires that every access to NPI be tracked and evaluated in relation to normal business activity.  Irregular behavior should be quickly investigated and addressed with the user.  
• Failing to impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access NPI databases  -  You should establish a “white list” of permitted third party Internet sites for both entry to your system and access from your system, with entry from and access to other sites, including all Web-based email, prohibited.  If a user wants to access a site that is not on the white list, they should have to obtain permission from your IT officer, who will check the safety of the site.  Authentication controls should also be in place for access to NPI, and a password alone is weak protection; pair it with a second factor such as a hardware token or a biometric.  
• Failing to encrypt NPI at rest and in motion  -  The DMS provider’s backup system contained all of the customer NPI in plain text on an unsecured storage device without any access controls or authentication protections, such as passwords or tokens.  It was accessible to anyone through an open port.  None of it was encrypted.  All customer NPI should be encrypted both when being transmitted and in storage.  Failing to do so violates the Safeguards Rule.
• Failing to have a reasonable process to select, install, secure, and inventory devices with access to personal information  -  According to the complaint, the DMS provider did not inventory its devices or install anti-virus or anti-malware security software.  When inventorying and securing devices, you need to include any personal devices that employees or vendors use to access your system.  Your IT officer should have the ability to cut off access from any device at any time.  
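The monitoring shortfall above, and the earlier point in the CMS article that every individual access to NPI should be tracked and unusual use flagged, both come down to the same mechanic: log each access, baseline what normal looks like per user, and review each day against that baseline. The block below is an added example of that review logic, not code from the FTC order, the DMS provider, or the author of this post. It assumes a simple space-separated audit log (timestamp, user, role, action, record id); the user names, roles, thresholds and business hours are constructed for the illustration.

```python
"""Flag irregular access to non-public personal information (NPI) in an audit log.

Added example, stdlib only. The log format, user names, roles and thresholds
are assumptions made for this illustration; they are not taken from the FTC
complaint or from any real dealer management system.
"""
from collections import Counter
from datetime import date, datetime

# Constructed sample audit log: one line per NPI access, with fields
# ISO timestamp, user, role, action, record id. Three ordinary days form the
# baseline; the fourth day contains the behaviour we want flagged.
SAMPLE_LOG = "\n".join(
    [f"2019-05-0{d}T{9 + i:02d}:15:00 jsmith sales VIEW cust-{1000 + d * 10 + i}"
     for d in (6, 7, 8) for i in range(3)]
    + [f"2019-05-0{d}T{10 + i:02d}:40:00 mlee finance VIEW cust-{2000 + d * 10 + i}"
       for d in (6, 7, 8) for i in range(4)]
    + [f"2019-05-0{d}T17:05:00 admin1 admin EXPORT batch-{d}" for d in (6, 7, 8)]
    # Review day: jsmith pulls five times his usual volume, one record at 02:30,
    # and mlee runs an EXPORT that only the admin role is meant to use.
    + [f"2019-05-09T{8 + i % 9:02d}:{i * 3:02d}:00 jsmith sales VIEW cust-{3000 + i}"
       for i in range(15)]
    + ["2019-05-09T02:30:00 jsmith sales VIEW cust-3999",
       "2019-05-09T11:00:00 mlee finance VIEW cust-4001",
       "2019-05-09T11:02:00 mlee finance EXPORT batch-9",
       "2019-05-09T16:00:00 admin1 admin EXPORT batch-10"]
)
REVIEW_DAY = date(2019, 5, 9)


def parse(log_text):
    """Turn the raw log into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "record": record})
    return events


def daily_baseline(events, review_day):
    """Mean NPI accesses per user per active day, excluding the day under review."""
    per_user_day = Counter()
    for e in events:
        day = e["ts"].date()
        if day != review_day:
            per_user_day[(e["user"], day)] += 1
    totals, days = Counter(), Counter()
    for (user, _day), n in per_user_day.items():
        totals[user] += n
        days[user] += 1
    return {u: totals[u] / days[u] for u in totals}


def review(log_text, review_day, business_hours=(7, 20),
           volume_multiplier=3.0, min_flag_count=10,
           privileged_actions=frozenset({"EXPORT", "BULK_VIEW"}),
           privileged_roles=frozenset({"admin"})):
    """Return (rule, user, detail) findings for review_day.

    Rules: a user's daily volume far above their own baseline (a user with no
    baseline is measured against min_flag_count alone), any access outside
    business hours, and a privileged action by a non-privileged role.
    """
    events = parse(log_text)
    baseline = daily_baseline(events, review_day)
    todays = [e for e in events if e["ts"].date() == review_day]
    findings = []

    for user, n in Counter(e["user"] for e in todays).items():
        usual = baseline.get(user, 0.0)
        if n > max(min_flag_count, volume_multiplier * usual):
            findings.append(("volume", user, f"{n} accesses vs baseline {usual:.1f}/day"))

    start, end = business_hours
    for e in todays:
        when = e["ts"]
        if not (start <= when.hour < end):
            findings.append(("after_hours", e["user"],
                             f"{e['action']} {e['record']} at {when.isoformat()}"))
        if e["action"] in privileged_actions and e["role"] not in privileged_roles:
            findings.append(("privilege", e["user"],
                             f"{e['action']} {e['record']} by role {e['role']}"))
    return findings


def run_sample():
    """Findings for the constructed log and review day."""
    return review(SAMPLE_LOG, REVIEW_DAY)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"[{rule}] {user}: {detail}")
```

The thresholds are deliberately per user: a finance clerk who normally touches forty records a day is not the same as a salesperson who touches three, and an absolute cutoff alone would either drown the reviewer in noise or miss the quiet account that suddenly quintuples. Each finding still needs a human to follow up with the user, which is the "investigated and addressed" step the bullet above calls for.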
    The FTC’s Conclusion and Response

The FTC concluded that the DMS provider’s “failures to provide reasonable security for the sensitive personal information about dealership consumers and employees, and business financial information, has caused or is likely to cause substantial injury to consumers and small businesses in the form of fraud, identity theft, monetary loss, and time spent remedying the problem.”
     
The DMS provider agreed to a 20-year consent decree to settle the FTC’s claims of unfair data security practices and Safeguards Rule violations.  It requires the DMS provider to establish a comprehensive information security program with the following minimum components:
• written documentation of the program;
• submission of the documentation to its board of directors annually;
• independent third-party assessment of its security twice yearly;
• designation of a responsible employee to maintain the program;
• annual risk assessments;
• annual training of employees;
• implementation of adequate security controls;
• an annual assessment of the adequacy of those security controls;
• annual penetration testing of all devices capable of accessing the system;
• system vulnerability testing every four months;
• vendor and service provider management with contractual requirements;
• regular program maintenance and changes based on reviews;
• annual certification of compliance with the consent order to the FTC;
• reporting of data security incidents within 10 days;
• creation and retention of records for 20 years; and
• FTC access, on request, to additional information and to interviews of anyone affiliated with the DMS provider in order to verify compliance. 

    The FTC also required the DMS provider to adopt specific security controls, network and system monitoring, data access controls, encryption of data, and device inventories. Although these controls address the specific issues that led to the DMS provider’s security incident, dealers should take notice that these are the Safeguards protections that the FTC expects to be adopted in connection with a consumer auto finance business.

As a final condition, the order provides that “[n]o documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or similar claim.”

    Summary and What It Means for You

The FTC has now spoken on what specific things it requires an auto industry Safeguards program to include.  Now would be a good time to look at your Safeguards program, determine which of these specific protections you are lacking, and begin to implement them.  The FTC’s compliance burden is only the beginning of the problems this DMS provider will have to face, as dealer and consumer lawsuits, actions by state regulators, and further investigations and audits will impose great costs and diversion of business time.  A study by Verizon found that three out of five small businesses that suffered a security breach went out of business within six months.  Doing your best to prevent being the next one is time and money well spent compared to the alternative.




      Author

      Randy Henrick is a leading auto industry compliance consultant. This article is not intended as legal or compliance advice due to the unique nature of a dealer's situation in each state. Randy's articles do provide issues and best practices that you may want to discuss with your attorney or compliance advisor for possible adoption in your dealership. Email Randy at AutoDealerCompliance@gmail.com
      Follow us on Twitter @randyh44


    © 2018 Randy Henrick & Associates, L.L.C.