Consumer Inquiries and Credit Freezes
Many consumers will be nervous about sharing personal information with dealerships. You will want to explain to them that the data breach came from Equifax, not your dealership, and that you maintain effective safeguards to protect customer non-public personal information (NPI) in both physical and electronic form (you do, don't you?). If your dealership has never suffered a data breach (or is not aware of having suffered one), assure the consumer with that fact as well.
Many consumers will put fraud alerts and security freezes on their credit files. A fraud alert requires you to contact the consumer in the manner specified by the fraud alert (you should document doing this). A security freeze locks down the customer's credit file so you can't access it without the consumer giving the credit bureau a PIN that was issued to them at the time they froze the security file. Most likely, the consumer will not have brought their PIN to the dealership.
In the past, consumers would have to contact the credit bureau and wait to be mailed a new PIN. However, as of this writing, consumers can now recover their PINs and temporarily thaw their credit files by calling the consumer affairs numbers at Trans Union (800-916-8800) and Equifax (866-349-5191) or going online to Experian at https://www.experian.com/ncaconline/freezepin. Two words of caution. There may be a long wait time for the customer to get their PIN and the credit bureaus may change these phone numbers and webpage to do so at any time. If possible, have the consumer use their personal smart phone to do this so it does not appear that your dealership took action to access a customer's PIN.
Red Flags Issues
The access of 143 million consumers' NPI is almost certain to increase the incidence of attempted identity thefts at your dealership, whether now or in the future. Identity thieves warehouse stolen personal information and may sell it on the "Dark Web" as long as years later. So this might be a good time to dust off your Red Flags program, retrain your sales and f&i people, and heighten your customer identification procedures. If an identity thief obtains and finances a vehicle from an auto dealer, you will be the ultimate loser. The creditor will in all likelihood make you repurchase the contract and the vehicle will be long gone, often sent to a "chop shop" for parts or exported out of the country. The longer it takes to discover the identity theft (the customer not making the first scheduled payment is often the initial clue), the less likely you will be able to recover the vehicle.
So what's a dealer to do? Revisit your dealership's red flags and make sure that you raise your due diligence on any discrepancies from your customer identification service (you do use a customer identification service, don't you?) to satisfy the red flags that are identified. If a customer's full identity is being used by the thief, chances are you will get a valid Social Security number, date of birth, and address. And possibly a valid driver's license number as well. One way to enhance this process is to ask the customer to provide additional information such as previous addresses and employers and see if your customer identification service can evaluate those as well.
Compare all physical documents carefully. Does the driver's license appear forged in any way or does the customer not appear to be the age of the named consumer? Does any of the information on the credit application not match what your customer identification service reports. If so, find out why and try to get documentation to support the answer. For example, if there is an address discrepancy, most utility companies have online accounts from which a customer can access an electronic utility bill. Get one and keep it in the file.
It would be prudent to ask knowledge-based authentication questions (also called out-of-wallet questions) to every credit applicant. These questions are available from your customer identification service and ask things that would not appear in a credit file such as related persons, prior addresses and their location, and vehicles the customer has owned. If the customer doesn't answer them all correctly, get another set. You may want to explain to the customer why you are doing this--to protect their identity and those of other customers and that it is not because you don't believe the customer, even if you don't.
Talk with the customer and try to get a sense of whether they may be lying. Identity thieves are typically in a rush to complete the transaction, will be amenable to paying a favorable price for the vehicle--perhaps making the deal literally too good to be true--and want to finance close to 100% of it (identity thieves don't pay in cash). They may do things like answer questions with questions, repeat themselves, give inconsistent answers, or become aggravated and flustered. Asking the customer questions that you don't know the answer to but which the customer thinks you do (where did you go to high school? what was your high school's mascot?) can also make an identity thief uncomfortable. Watch for signs and trust your instincts. Many identity thieves will just walk out rather than go through an extended questioning process.
A word about Internet sales. Now more than ever, you want the customer to come to your store so you can speak with them. An identity thief on the Web may have the real person's credit report right in front of them and it will be more difficult to establish their identity without making an in-person connection. For this reason, more identity theft transactions occur online than face-to-face. Adopt a policy of requiring the customer to come to the store even if it is only to pick up the vehicle, prior to which you can engage in your Red Flags due diligence personally with the customer.
Resolving Tough Red Flags Cases
You should involve your Red Flags Program Manager (you do have one, don't you?) in any situations where Red Flags appear and cannot be quickly resolved. The Program Manager should also speak to the customer. Remember that identity thieves, who often come in at the end of the month near the end of the day to make a quick sale, want to get in and out quickly and the longer you can speak to them and get a feeling about their legitimacy, the more likely they may just get up and leave the store. That is not a lost sale; that is a saved identity fraud transaction.
The Equifax breach may also cause larger numbers of "synthetic identity thieves." These are persons who use a valid Social Security number with a different name and address and establish a thin but current credit file (it is very easy to do). These require particular diligence. If your customer identity verification service raises any questions about the legitimacy of this customer with the Social Security number (probably the number one Red Flag), here is a way you can address it:
Every person can establish an electronic account on the Social Security Administration's website, www.ssa.gov. In fact, this is the only way you can get your Earnings Statement as the Social Security Administration doesn't mail them out any more as they did in the past unless you go on the site and request a copy to be mailed to you. Have the customer use their own device (smart phone, tablet) and not a dealer device to pull up their Social Security earnings statement and show it to you. Don't make a copy. Just look it over to see that it is legitimate for the customer. If the customer is a synthetic identity thief, they will be unable to do this and that request may cause them to leave. Credit bureaus set up many people with the same Social Security number but only the real person with the number should be able to access their account on the Social Security website. Again, use technology to smoke out or verify someone whose information suggests they may not be who they claim to be.
If you haven't done Red Flags training, now would be a good time to do so. The Equifax breach will only make the process more difficult especially with identity thieves looking to purchase and finance a vehicle. Also, the Red Flags Rule requires you to report to your Board or senior management at least once a year on the program and update your Red Flags and Identity Theft Prevention Program as well. The Equifax breach has given you cause to do both. Good luck.