2019 CRYSTAL BALL FOR AUTO DEALER SALES AND F&I

​2018 was a year marked by increased compliance enforcement by the Federal Trade Commission (“FTC”) and State Attorneys General (State AGs”). 
The fines imposed the past two years have increased substantially from those in earlier years.  For example, the FTC fined a California dealer group $3.4 million in 2017 for a variety of unfair and deceptive practices, including its first foray into “yo-yo” (spot delivery) practices.  In 2018, the FTC conducted a field investigation of over 90 dealers in 22 geographic areas and found that only 7% had displayed the correct new form Used Car Buyer’s Guides on their used vehicles in inventory.  Recalls also continue to be a problem for dealers as 2018 set a record for vehicles recalled by manufacturers.  The FTC fined dealerships for selling “certified” used vehicles without either fixing or informing the customers of open recalls.  Advertising fines and penalties are now well up into the six figures as well.
What can we expect in sales and f&I compliance in 2019? Here’s a crystal ball of some issues at the top of regulator agendas that may ripen into enforcement actions and lawsuits in the coming year.
 1.  New Unfair and Deceptive Acts and Practices (UDAPs)  -  The FTC and State AGs imposed fines in excess of $1 million for “yo-yo” financing; fraudulently submitting or changing customer information on credit apps or deal stips; and advertising vehicle specials for which the dealer should have known most customers in its geographic area could not qualify.  These were new first-time UDAP practices for the FTC and were coupled with payment packing, misrepresentations, and some of the past UDAP practices to fine dealers or enter into 20-year consent decrees. In 2019, look for the FTC to continue to regulate by enforcement (declaring practices to be UDAPs that had not been previously prosecuted or prohibited by FTC-issued regulations).  The FTC is partnering with local law enforcement agencies as it did with the missing Used Car Buyer’s Guide investigation.  Look for more “on the ground” enforcement activity as the FTC in conjunction with AGs, DMV representatives and local law enforcement come out of the ivory tower and enforce dealer misbehavior in the real world.  Mystery shoppers and agents in the field will be a large part of 2019 compliance enforcement.
State AGs will continue to pick up auto dealer enforcement activity.  Since 2015, the New York Attorney General has obtained more than $17 million in restitution and penalties as part of his office’s crackdown on the practice of ‘jamming,’ or payment packing.”   State AGs in Arizona, Connecticut, Illinois, Massachusetts, Virginia and Florida, among others, have been particularly aggressive.
 2.  Data Security Breaches and Safeguards Rule Violations  -  2018 was another record year for data security breaches both in the number of breaches and the number of records compromised.  I recently attended a data security program in which the speaker stated that data is the new oil, and he is right.  Hackers and their like are compiling dossiers on millions of individual U.S. persons from both publicly available information (like motor vehicle registration records) and personal information readily for sale on the dark Web, like information from the 2017 Equifax breach that affected nearly 145 million U.S. consumers.  The 2018 Verizon Data Breach Investigations Report found that 58% of data breach victims globally are small and mid-size businesses (“SMBs”). Many SMBs report doing very little to protect themselves because they lack the required resources, capabilities, and knowledge.    A Ponemon Institute report in 2016 that found that roughly half of the nation's 30 million small businesses had been breached Dealers, whose data security tends to be quite lax when compared to larger companies, are a treasure trove for personal information including Social Security numbers, driver’s licenses, employment and income information, and other data that facilitates identity theft (also on track to be a record in 2018).  Expect more major data breaches and more FTC and State AG action in looking at dealer Safeguards Programs.  In California, a new Consumer Privacy Act was passed that provides more protections for consumer data, penalties for breaches, and, for many uses, requires “opt-ins” instead of “opt-outs” when it comes to sharing or using data.
The FTC entered into a 20-year consent decree in 2018 with a dealer for an inadequate Data Safeguards Program.  Expect more of the same in 2019.
2a.  Breach of Vehicle-Communicated Data  -  As the industry moves to experiment with driverless vehicles and as data points are exchanged among vehicles on the road today as part of Internet of Things connected devices (“IoT-connected devices”)., the security of the data being transmitted becomes an expanding risk for hackers or criminal enterprises.  Most vehicle data being communicated is not encrypted and can easily be hacked by someone wanting to cause damage to the vehicle’s operation, questioning of the prospect of driverless cars, or stealing the technology as has occurred in many other industries.  This is an IoT-connected devices issue that needs to be followed as if and when hacking of this type happens, it will throw the auto industry into a crisis.  Less a dealer issue than a manufacturer technology issue but remember, you sold the IoT-connected vehicle that had its data compromised and abused. 
3. Aftermarket Products  -  Regulators know that dealer profits are largely generated from the back-end sale of aftermarket products.  The CFPB and FTC are not big fans of aftermarket products believing most are overpriced and deliver questionable value to consumers.  The CFPB ordered a national auto finance company to refund $9 million to consumers and pay a $2.5 million fine for making claims about their GAP policy’s protection features while failing to inform consumers that its GAP policy was capped at 125% of the vehicle’s value at the time of loss. Recent enforcement actions have also begun to look at the value of aftermarket products relative to their cost as well as the amount of the dealer’s markup to sell the product at retail. States are also looking more closely at refund issues.  
Payment packing or front-loading an aftermarket product is always unlawful.  All optional aftermarket products should be presented fully and honestly using an easily-understood menu and the customer should initial all products accepted and rejected.  Parity in pricing products, or at least in bundles of products, is another best practice.  Expect to see aftermarket products in an FTC enforcement action in 2019.
4.  Military Lending Act  -  Due to the Department of Defense’s December 2017 interpretation of the Military Lending Act (“MLA”) (an interpretation that I think will be repealed some time in 2019), sale of GAP or credit insurance to MLA covered persons (broader than service people and their families) requires compliance with the MLA.  Most dealers and financial institutions are not set up to comply with the MLA in terms of calculating a separate Military APR, making written and oral disclosures to MLA covered persons, eliminating arbitration clauses and making other changes from a standard credit sale. A dealer is prohibited by the MLA from taking a security interest in a vehicle as well and only a regulated financial institution can directly do so.  A standard RISC will not contain the necessary disclosures and the penalties for non-compliance are significant including a customer’s right to void the RISC from inception meaning a consumer could possibly return the car and be entitled to all payments made as well as the amount of any allowance given for their trade-in.  Remember that service people are a preferred group at the CFPB and that filters to other regulators as well.
5.     Spot Deliveries  -   By adopting the term “yo-yo financing” in its 2017 $3.4 million fine of a California dealership group, the FTC laid out its leanings on an issue the plaintiff’s bar has had at the top of its agenda for years, spot deliveries.  What percentage of your spot delivery deals are unwound?  If it is more than a small number, you run the risk of a bait-and-switch UDAP practice, one the FTC and many State AGs are examining in response to a growing number of consumer complaints.  Make sure your conditional delivery agreement is mutual and fair and be prepared to show you had a reasonable belief that one of your finance companies would purchase the original contract based on its past conduct.
In view of the high dollar stakes of enforcement actions and the growing aggression of the FTC and certain State AGs against auto dealers, now would be a good time to review your Compliance Management System and your compliance policies, especially privacy and Safeguards policies. Make any necessary changes based on testing such as a vulnerability test of your system to hacking.  Train and test your people too.  Frequently.  On data safeguards, people are your biggest risk and an untrained employee is your worst nightmare.  Emphasize warnings about phishing schemes, complex passwords, and avoiding other schemes criminals use to compromise a user’s credentials and enter your system.