(267) 481-5636
    Randy Henrick & Associates, L.L.C.
    Blogs

    EEOC On the Aggressive Against Dealers for Discrimination

    10/15/2019

    Among the regulatory compliance developments we have seen in just the past few months is increased interest by the Equal Employment Opportunity Commission (EEOC) in workplace discrimination at dealerships and elsewhere in the automobile industry.

    Most recently, the EEOC has filed actions for age, disability, and sex discrimination against dealers.  Several private sexual harassment and sex discrimination lawsuits have also been filed against dealers seeking six and seven figure damages awards.


    Age Discrimination


    The EEOC’s most recent action was filed against a dealer group in Cleveland.  The EEOC accused the dealer of intentionally subjecting older workers to age discrimination.  According to the suit, the dealer refused to re-hire a former employee because of her age (52) and terminated two sales employees because of their ages (67 and 70).


    The EEOC’s lawsuit alleges that these practices violated the Age Discrimination in Employment Act (ADEA), which prohibits employment discrimination against people who are age 40 or older. The lawsuit seeks monetary relief, including back pay and liquidated damages for the three former employees, plus attorney’s fees. The suit also seeks injunctive relief to prevent future age discrimination, including an order requiring the dealer to institute policies, practices and procedures that conform to the requirements of federal law.


    Disability Discrimination


    In another recent case, the Ford Motor Company's Kentucky Truck Plant in Louisville, Ky., will pay up to $537,760 and furnish other relief to resolve a disability discrimination charge by the EEOC.
    The EEOC's investigation found reasonable cause to believe that the Kentucky Truck Plant failed to hire applicants because of their disabilities. This included screening out applicants based on criteria not shown to be job-related and consistent with business necessity, and failing to use the results of post-offer, pre-employment medical examinations in accordance with the requirements of the Americans with Disabilities Act (ADA). Ford chose to resolve the matter voluntarily with the EEOC, without an admission of liability, to avoid an extended dispute.


    The conciliation agreement provides relief to 12 individuals in addition to the person who filed a charge with the EEOC, and the EEOC retains discretion to distribute some of the funds to individuals it has yet to identify. The agreement also calls for the Kentucky Truck Plant to provide additional written guidance and training to employees involved in the pre-employment, post-conditional offer medical exam process, along with one-hour training on the ADA to the facility labor relations staff.


    In a disability discrimination suit against a dealer, the dealer agreed to pay $27,100 to a former employee as part of the settlement of a lawsuit brought by the EEOC.



    According to the EEOC's lawsuit, the company refused to provide a medical leave of absence as an accommodation to an employee who suffered from anxiety and depression and then fired her because of her disability.

    In addition to paying the former employee $2,100 in back pay, the dealer will also pay $25,000 in compensatory damages. Further, the dealer agreed to:


    • review and revise its written policy prohibiting disability discrimination, to ensure that the policy specifically explains the process by which an employee requests a reasonable accommodation;
    • disseminate a copy of the policy to all employees;
    • within 90 days of entry of the decree, have all employees sign and acknowledge receipt of the revised policy; and
    • train all managers at its corporate office and at its dealerships on disability discrimination and reasonable accommodations.


    Sex Discrimination


    Sex discrimination, sexual harassment and retaliation claims are probably the most likely legal actions a dealer will face.


    Recently, the EEOC brought a lawsuit against a dealer in St. Louis claiming it violated federal law when it refused to hire a female salesperson.  


    According to the suit, the owners bought an existing car dealership in 2017. After the purchase, they hired all the prior owner’s staff except one, the sole female salesperson, despite her successful sales record and previous customer service award. At the time, an executive told another manager, "This is not a lady's job yet."


    Such alleged conduct violates Title VII of the Civil Rights Act of 1964 ("Title VII"), which prohibits discrimination in employment based on race, color, national origin, sex, and religion. After first attempting to reach a pre-litigation settlement through its conciliation process, the EEOC filed the lawsuit in U.S. District Court for the Western District of Oklahoma, where the dealership group has its headquarters. The agency seeks monetary damages, training on anti-discrimination laws, posting of anti-discrimination notices at the worksite, and other injunctive relief.


    "Federal law has guaranteed equal employment opportunity for women for over 50 years, but some employers still say, 'not yet'," said Andrea G. Baran, the EEOC's regional attorney in St. Louis.  "We are committed to ensuring that the millions of women who work in male-dominated industries every day are judged solely on their abilities, not their gender."


    In another suit in Reno, Nevada, the EEOC sued a dealer for quid pro quo and hostile work environment sexual harassment and sex discrimination.


    According to the EEOC's lawsuit, a female car salesperson hired into an all-male sales department was denied access to online training, sales opportunities, and payroll advances routinely available to her male counterparts. Her male co-workers frequently refused to assist her, despite readily helping each other. Frequently, her deals were overly scrutinized and rejected without justification. In addition, on an almost daily basis, she endured offensive comments about her sex, appearance and weight, and negative comments about women working in car sales. Although the discriminatory conditions were reported to management by both the saleswoman and a manager, the company took no action. Finally, the saleswoman was forced to quit to escape the abuse, the EEOC said.


    Such alleged conduct violates Title VII. After first attempting to reach a pre-litigation settlement through its conciliation process, the EEOC filed the lawsuit in U.S. District Court for the District of Nevada and seeks monetary damages on behalf of the saleswoman, training on anti-discrimination laws, posting of notices at the worksite, and other injunctive relief.


    "Our investigation found that sex-based discrimination was very open and flagrant - the saleswoman was warned during her interview that the all-male staff did not want women around, and that certainly turned out to be true," said William Tamayo, director of the EEOC's San Francisco District Office. "When an employer knows its workplace is infected with discriminatory attitudes, the employer is required by law to take steps to prevent and halt a hostile work environment. Instead, [the dealer] did nothing, and forced a valuable employee to quit to escape unacceptable abuse."


    Race and National Origin Discrimination


    The EEOC sued a dealership when the general manager at a Wheaton, Md. store repeatedly made derogatory comments to a sales consultant, who is of South Asian origin and is dark-skinned. Although the sales consultant objected, the comments persisted, sometimes in the presence of others. In addition to the demeaning names, the general manager even threw things at him. On one occasion, the general manager groped the sales consultant while calling him a "serial killer" and "creepy brown person." The general manager asked the sales consultant who he was going to kill and where the bodies were buried, the EEOC charges.


    The sales consultant felt traumatized by the groping incident and as a result took leave. He complained to the dealership’s human resources director who, after a purported investigation, told the sales consultant he either would have to continue reporting to the general manager or transfer to another dealership an hour away. The EEOC says that the sales consultant was forced to resign based on the dealership’s inadequate response to the unlawful harassment.   


    The EEOC filed suit in the U.S. District Court for the District of Maryland, Greenbelt Division, after first attempting to reach a pre-litigation settlement through its conciliation process.


    What’s a Dealer to Do?


    This aggressive enforcement policy of the EEOC means that now is a good time to review your anti-discrimination and anti-harassment policies and schedule training for all your employees.


    All such policies should contain a clear anti-retaliation provision ensuring that employees can and should report violations either through an internal escalation process, directly to a senior officer, or through a third-party whistleblower hotline.  The third-party approach is probably most palatable to aggrieved employees and best to preserve confidentiality to the extent it can be preserved.


    Studies have shown that the two biggest obstacles to employees reporting workplace wrongdoing are fear of retaliation and a belief that nothing will change.  Both must be displaced by senior management’s buy-in and by visible changes in the workplace, such as disciplining or terminating the offenders.  Your dealership must be committed to a zero-tolerance policy for workplace discrimination or any form of harassment.


    Harassment outside of the workplace can also be imputed to the dealer.  This occurs when, for example, a manager takes subordinates out for drinks after work or at an office holiday party.  Your dealership should also have a policy on office fraternization and dating.  These situations are also ripe for sexual harassment and retaliation claims.  Under no circumstances should managers be permitted to seek to date their subordinates and managers must show exemplary behavior as the models for the workplace.


    If claims are reported, you must have a process in place to investigate and address the allegations quickly and completely.  An external employment lawyer can be a good resource to help you establish such a process and possibly serve as a resource in the investigation team which can enable certain communications to be privileged.


    Finally, do not forget to review employment hiring processes and make certain they are covered by your policies as well.  Periodically look at your workforce and promote diversity in hiring.  An all-male, all-white sales force was a catalyst for several of the EEOC’s actions described above.  Don’t be the next victim.

    The Need for a Compliance Management System in Your Dealership

    8/16/2019

    I don’t have to tell you that auto dealers are among the most heavily regulated businesses in the U.S.  Federal, state and local laws and regulations, from sales and F&I to environmental and OSHA, are just the beginning.  It is important to have a master compliance system for coordinating all the dealership policies as well as laying out for employees the expectations for behavior both in the workplace and with customers.  Hence a Compliance Management System (CMS).
     
    There is no “one size fits all” CMS although there are basic things it should include.  A dealership’s Code of Ethics and Code of Conduct signed off on by the Board is an important place to start because these touch everything the dealer does.  They also establish the corporate “culture of compliance” which is something any regulator investigating the dealership will want to see and know.
     
    Both the Code of Ethics and Code of Conduct need to be ingrained in every employee and vendor working at the dealership.  It is also important to get buy-in from remote third-party vendors working on your business: IT vendors, security vendors, DMS providers, agencies producing material or providing temporary staffing.  The list goes on.  All must acknowledge and commit to the Code of Ethics and Code of Conduct for all dealer-related activities.
     
    Risk-Based Analysis of Issues Applicable to the Dealer
     
    Before appointing a Chief Compliance Officer and adopting substantive policies that compose the CMS, the Board or its representatives must do a risk-based analysis of issues and risks the dealer faces in everyday affairs.  This includes things like sexual harassment (the issue that drives the majority of lawsuits a dealer will encounter); data privacy and Safeguards; wholesale vehicle acquisition; complying with laws and regulations for pulling credit bureaus, taking credit apps, telemarketing, and prospecting; aftermarket product selling; fair lending; OSHA and workplace safety; environmental issues; insurance issues; licensing and periodic regulatory audits; resolving customer disputes; manufacturer relations; customer identity verification procedures (the FTC Red Flags Rule); and other issues.  A consumer complaint process is a necessary component of a CMS.
     
    From this risk assessment, the Board will determine its risk tolerance in the various areas identified and begin the process of issuing compliance procedures to meet the risks.  The nuts and bolts of the CMS policies will be drafted by the Chief Compliance Officer in conjunction with counsel but the Board prioritizes risk and indicates the areas where attention and process must be focused.
     
    Ultimately it is the Board or senior management that is responsible for the CMS and through its practices, statements, audits and periodic meetings with the CCO, the Board must exercise its oversight of dealership compliance.  A CCO should report to the Board or, if the dealer has no Board, the Chief Executive Officer.
     
    Appointment of Chief Compliance Officer and Preparing Policies
     
    The appointment of a Chief Compliance Officer (CCO) is necessary as the CMS is developed and as processes and procedures are put in place for managing risk and reporting deviations from expected behavior.  The CCO should be “at the table” as new products and procedures are developed by the dealership.  He or she must make sure the Board is informed, and the Board must make resources available to the CCO so that all processes and procedures can be followed, tested, audited and refined.
     
    For example, a customer data Safeguards policy is required by the Federal Trade Commission (FTC) under its Safeguards Rule.  The Board should assess the risk of data being compromised in both paper and electronic form and work with the CCO to: adopt access permissions; log each individual access to non-public personal information by each user; establish a standard for unusual use that will be flagged and require further investigation; and stand up a security incident response committee consisting of senior management, the CCO, legal counsel, an IT or forensics specialist, a breach response firm, a PR firm, and other internal and external resources to investigate an incident and manage a breach.  A data breach is your biggest single risk of being financially put out of business, and the policies and procedures that track data and manage its use are a critical element of a Safeguards Policy and of the CMS.
     
    Periodic vulnerability assessments and penetration tests by “white hat” hackers, who attempt to break into your systems and test authorized devices under written authorization, are a must in today’s environment.  A CCO must keep the Board informed of new security issues and obtain the approval and resources to test the systems and make necessary changes.
     
    Policies and Procedures
     
    A policy sets forth a higher-level standard about what the law, regulations and dealership require and establishes a procedure for prospective violations and how they are to be handled and addressed.  Procedures take the broad sweep of a policy and provide specific details to each position in the organization that the policy touches.
     
    It is important for line managers to be the first level of defense by assessing the compliance behavior of their direct and indirect reports.  If an incident or pattern of non-compliance is detected, the line manager meets with the CCO to begin implementation of the process described in the policy for potential violations.  Depending on the seriousness of the violation, senior management or the Board may also need to be involved.
     
    A good example is a sexual harassment policy.  The policy should make clear that even the appearance of sexual harassment or a hostile work environment is a trigger for corrective action.  Employees must feel they can report misconduct without retaliation, and the use of a third-party reporting company may make employees less fearful than reporting a possible violation internally.  Anonymity must be preserved where possible but cannot be guaranteed, because in the course of a disciplinary proceeding or investigation the reporting person’s identity is likely to come out.  This is why a non-retaliation policy is critical.  The reporting procedures and non-retaliation policy should be publicized to all employees by training, posters in the lunchroom, and other visible assurance.
     
    Reporting and Audits
     
    Any CMS must have reporting procedures and procedures for internal as well as external audits of compliance.  This can be anything from periodic inspection of deal jackets by the CCO to ensure documentation is being handled properly to a financial audit to an OSHA audit.  The CCO will not do all the audits but will work with the subject matter auditing teams (internal or external) to make sure that identified discrepancies are quickly addressed and policies and procedures changed accordingly, as necessary. 
     
    Training, the Employee Handbook, and Updates
     
    Ongoing training of all employees is a critical element of a CMS and is required periodically by some states such as New York and California for sexual harassment and other subjects.  Generally, there is no required format for training although state law may require a live trainer for certain subjects.  Check with your local counsel.
     
    The Employee Handbook should include the Code of Ethics and Code of Conduct in their entirety and link to the other policies as well as constitute a basis for Human Resources topics such as paid time off, disability and other benefits.  It is best to have the Employee Handbook done electronically with each page dated so that as revisions are made, they can be identified.  It does not have to be a long document but all employees should read the Employee Handbook and link to the policies and procedures applicable to their jobs.  A test on the Employee Handbook once a year is another good practice to supplement training.
     
    Updates come from many different places.  Changes in law, case law decisions, new regulations, audit findings, and employee feedback are main examples.  But patterns of behavior that don’t rise to the level of a violation can also create the need for changes.  Security is a constantly evolving area and employees should be reminded of best Internet practices and perhaps subjected to a mock phishing drill where a fake phishing email is sent out to all employees to track who clicks on the link.  Behavioral testing has been shown to be more productive generally than simple book training.  Again, consider your risk options and what procedures work best for your dealership.
     
    Summary
     
    A CMS is the lifeline of a dealership.  If done properly, it will establish the culture of compliance and bring employees into the culture by providing the process and procedures they need to do their jobs compliantly.  Systems will be in place to require managers to report potential incidents, systematic procedures will track access to customer information, and auditing will identify issues that can be corrected or better performed.  The evolving nature of a CMS will require ongoing training but it can be customized to each employee’s position so everyone doesn’t have to learn everything. 
     
    Regulators have expressed a strong desire for a CMS and if broken down into the pieces discussed in this article, involving the Board and appointing a knowledgeable Chief Compliance Officer, the process should not be daunting.  Especially if input is sought from employees or managers in developing the process and procedures so they have an ownership interest as well.  Good luck with your CMS process and seek help from your outside counsel or compliance resource as necessary.


    FTC Safeguards Consent Order for the Auto Dealer Industry

    6/21/2019

    The FTC recently entered into a 20-year consent decree with an auto dealer management system (“DMS”) provider having approximately 180 auto dealer clients.  The consent decree related to deficiencies in its Safeguards process and security system that permitted a hacker to access its unsecured backup database that contained the unencrypted nonpublic personal information (“NPI”) of approximately 12.5 million consumers, stored by 130 of its dealer customers.  The entire customer files and all NPI of five dealers were accessed through an open port on the DMS provider’s backup storage unit.

    The complaint is the first FTC Safeguards action involving data breaches in the auto industry.  It effectively lays out the FTC’s requirements for meeting the Safeguards Rule with respect to auto dealers.  In this case, the auto dealers outsourced their data storage to the DMS provider and failed to take steps to monitor or investigate the DMS provider’s security until it was too late.  The breach was uncovered when one dealer found all of its customers’ NPI for sale on the Internet.

    The Security Failures of the DMS Provider

    Here are the shortfalls in the DMS provider’s Safeguards program.  These are shortfalls you should consider in your annual Safeguards review and your Safeguards policy updates.
    • Failing to conduct periodic risk assessments or perform vulnerability and penetration testing of the network  -  Data security is a moving target as new threats emerge daily.  A qualified IT professional can run tests that attempt to break into your network from outside and check individual workstations for signs of compromise.  Running mock phishing tests on employees and recording how many click the mock link is another good idea.  This should be done at least annually (the consent order described below required vulnerability testing every four months and penetration testing annually), any system deficiencies or compromised workstations must be corrected immediately, and any foothold an attacker has gained must be isolated and removed.
    • Failure to use readily available security measures to monitor its systems and assets at discrete intervals to identify data security events and the effectiveness of security measures  -  Your IT officer needs to map the normal workings of your systems and identify irregular patterns of activity that may indicate an intrusion.  Examples are irregular patterns of access to NPI by or through system users, or administrative privileges being exercised by persons not authorized to hold them.  This requires that every access to NPI be logged and evaluated against normal business activity.  Irregular behavior should be investigated promptly and addressed with the user.
    • Failing to impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access NPI databases  -  Inbound connections to systems holding NPI should be limited to a “white list” of known IP addresses, and outbound access from those systems should likewise be limited to approved sites, with all other sites, including Web-based email, blocked.  If a user needs a site that is not on the list, they should obtain permission from your IT officer, who will check the safety of the site first.  Authentication controls such as passwords, tokens or biometric features, ideally combined as multi-factor authentication, should also be required before anyone can reach NPI.
    • Failing to encrypt NPI at rest and in motion  -  The DMS provider’s backup system held all of the customer NPI in plain text on an unsecured storage device without access controls or authentication protections such as passwords or tokens.  It was reachable by anyone through an open port, and none of it was encrypted.  All customer NPI should be encrypted both when transmitted and when stored, with the keys kept separate from the encrypted data.  The FTC treated the failure to do so as a violation of the Safeguards Rule.
    • Failing to have a reasonable process to select, install, secure, and inventory devices with access to personal information  -  The DMS provider did not inventory its devices or install anti-virus or anti-malware software on them.  When inventorying and securing devices, include any personal devices that employees or vendors use to reach your systems.  Your IT officer should be able to cut off access from any device at any time.
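The monitoring and access-control items above, and the "track each individual access" item in the Compliance Management System article earlier on this page, are easier to operate once the access log is evaluated by written rules rather than by eye. The Go program below is an added example written for this page; it is not code from the original post, from the FTC order, or from any DMS provider. It assumes a simple log line format ("ts user src_ip action auth=yes|no"), a single allow-listed network, a short list of users permitted to use admin privileges, and a per-user daily read baseline, all of which are this example's own choices; the log lines are constructed, with addresses taken from documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// AccessEvent is one record of the assumed log format "ts user src_ip action auth=yes|no".
type AccessEvent struct {
	When   time.Time
	User   string
	Source netip.Addr
	Action string // "read", "write" or "admin"
	Authed bool
}

// Policy holds the controls the page calls for: known source networks,
// who may exercise admin privileges, and a per-user daily read baseline.
type Policy struct {
	AllowedSources []netip.Prefix
	Admins         map[string]bool
	MaxReadsPerDay int
}

type Finding struct {
	Rule  string
	Event AccessEvent
}

// ParseLog parses the log; a malformed line is an error, never silently skipped.
func ParseLog(log string) ([]AccessEvent, error) {
	var events []AccessEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, errT := time.Parse(time.RFC3339, f[0])
		src, errS := netip.ParseAddr(f[2])
		if errT != nil || errS != nil {
			return nil, fmt.Errorf("bad timestamp or address: %q", line)
		}
		events = append(events, AccessEvent{ts, f[1], src, f[3], f[4] == "auth=yes"})
	}
	return events, nil
}

// Evaluate applies the four rules to every event and returns the findings.
func Evaluate(p Policy, events []AccessEvent) []Finding {
	var out []Finding
	reads := map[string]int{} // keyed by user and calendar day
	for _, e := range events {
		allowed := false
		for _, pfx := range p.AllowedSources {
			allowed = allowed || pfx.Contains(e.Source)
		}
		if !allowed {
			out = append(out, Finding{"source not on allow-list", e})
		}
		if !e.Authed {
			out = append(out, Finding{"unauthenticated access to NPI", e})
		}
		if e.Action == "admin" && !p.Admins[e.User] {
			out = append(out, Finding{"admin privilege exercised by non-admin", e})
		}
		if e.Action == "read" {
			k := e.User + " " + e.When.Format("2006-01-02")
			reads[k]++
			if reads[k] == p.MaxReadsPerDay+1 { // flag once, when first exceeded
				out = append(out, Finding{"read volume above daily baseline", e})
			}
		}
	}
	return out
}

// ConstructedLog is sample input made up for this example (documentation address ranges).
const ConstructedLog = `2019-06-03T09:14:02Z jsmith 203.0.113.10 read auth=yes
2019-06-03T09:15:40Z jsmith 203.0.113.10 read auth=yes
2019-06-03T02:07:55Z backup-svc 198.51.100.7 read auth=no
2019-06-03T10:02:19Z mlee 203.0.113.11 admin auth=yes
2019-06-03T11:30:00Z jsmith 203.0.113.10 read auth=yes`

// ExamplePolicy is the hypothetical dealership's policy for the sample log.
var ExamplePolicy = Policy{
	AllowedSources: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")},
	Admins:         map[string]bool{"itadmin": true},
	MaxReadsPerDay: 2,
}

func main() {
	events, err := ParseLog(ConstructedLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Evaluate(ExamplePolicy, events) {
		fmt.Println(f.Event.When.Format(time.RFC3339), f.Event.User, f.Event.Source, f.Rule)
	}
}
```

Run with `go run`, and each finding prints as one line: the backup service connecting from an address outside the allow-list and without authenticating (the shape of the breach in this post), a non-admin user exercising admin rights, and a user whose read volume passed the baseline. In practice the baseline comes from a few weeks of normal activity per role rather than a constant, and the allow-list from the dealership's and DMS provider's known addresses.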
    The FTC’s Conclusion and Response

    The FTC concluded that the DMS provider’s “failures to provide reasonable security for the sensitive personal information about dealership consumers and employees, and business financial information, has caused or is likely to cause substantial injury to consumers and small businesses in the form of fraud, identity theft, monetary loss, and time spent remedying the problem.”
     
    The DMS provider agreed to a 20-year consent order to settle the FTC’s unfair data security practices and Safeguards Rule violation claims.  It requires the DMS provider to establish a comprehensive information security program with at least the following components:
    • written documentation of the program;
    • submission of the documentation to its board of directors annually;
    • an independent third-party assessment of its security program initially and every two years thereafter;
    • designation of a responsible employee to maintain the program;
    • annual risk assessments;
    • annual training of employees;
    • implementation of adequate security controls;
    • an annual assessment of the adequacy of those security controls;
    • annual penetration testing of all devices capable of accessing the system;
    • system vulnerability testing every four months;
    • vendor and service provider management with contractual requirements;
    • regular program maintenance and changes based on reviews;
    • annual certification of its compliance with the consent order to the FTC;
    • reporting of data security incidents to the FTC within 10 days;
    • creation and retention of records for 20 years; and
    • permitting the FTC to request additional information or interview anyone affiliated with the DMS provider in order to verify compliance.

    The FTC also required the DMS provider to adopt specific security controls, network and system monitoring, data access controls, encryption of data, and device inventories. Although these controls address the specific issues that led to the DMS provider’s security incident, dealers should take notice that these are the Safeguards protections that the FTC expects to be adopted in connection with a consumer auto finance business.

    Finally, the FTC required the DMS provider to agree that “[n]o documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney client privilege, statutory exemption, or similar claim.”

    Summary and What It Means for You

    The FTC has now spoken on what specific things it requires an auto industry Safeguards program to include.  Now would be a good time to look at your Safeguards program to determine which of these specific protections you are lacking and begin to implement them into your program.  The compliance burden of the FTC is only the beginning of problems this DMS provider will have to face as dealer and consumer lawsuits, actions by state regulators, and further investigations and audits will impose great costs and diversion of business time.  A study by Verizon found that three out of five small businesses that suffered a security breach went out of business within six months.  Doing your best to prevent being the next one is time and money well spent compared to the alternative.




    State Attorneys General Cracking Down on Dealer Advertising

    4/22/2019

    State Attorneys General (“AGs”) are being very aggressive in going after auto dealer advertising.  State unfair and deceptive practice (“UDAP”) laws as well as Section 5 of the FTC Act allow for the recovery of damages, attorney’s fees, and restitution for wrongful conduct.  Let’s take a look at some of the activity from this year.

    Indiana

    We’ve all seen them and most of us have probably used them to attract customers.  Mailing pieces to consumers indicating that if a scratch-off number on the mailing matches a prize number on the mailing (and they all do), they have won a sweepstakes.  Large photos of prizes such as a new vehicle, a large amount of cash, a big screen color TV, and the like are blasted across the top.  All the customer has to do is come to the dealership to match their prize number against a board at the dealership to see what they have won.

    Only in small mouse type, frequently not on the same page, does the mailing indicate that no purchase is necessary and state the odds of winning the prizes.  One of these pieces that I reviewed recently gave the odds of winning the vehicle and other displayed prizes at 1,000,000:1.  The odds of winning a $5 gas gift card were 1:999,996, meaning only four people in a million would win a large prize and all others the gift card.  Unclaimed prizes were not awarded and were deemed to be forfeited.  By making everyone a “winner” of a prize, I was told, the sweepstakes eliminated the element of chance and thus was not an illegal lottery.  But that is not the end of the story.

    The Indiana AG recently saw a similar piece and apparently was not amused.

    Instead of suing individual dealers (at least 56 of whom sent these pieces to more than 2.1 million Indiana consumers), the AG sued the promotional advertising agency that designed the pieces.  The AG alleged an unfair trade practice under Indiana law, which applies the same standard for an unfair trade practice as Section 5 of the FTC Act.

    The complaint alleges that all the mailings contained game pieces purporting to determine whether recipients had won prizes – which included such valuable items as vehicles, TVs or $1,000 in cash. Each mailing, however, contained identical game pieces with winning numbers. Thus, each mailing allegedly communicated to all recipients that they had won significant prizes when they had not. Recipients who went to dealerships to claim winnings were awarded “prizes” much less valuable than those advertised – typically such items as a $5 Walmart gift card, a scratch-off lottery ticket, a cheap MP3 player or a mail-in rebate coupon for $10 off the purchase of a turkey.

    The Indiana AG seeks a permanent injunction; $500 per consumer who was mailed a piece and went to a dealership; civil penalties under Indiana law; and reimbursement of the AG’s investigative and other costs.

    Pennsylvania

    Pennsylvania has established a mini-Consumer Financial Protection Bureau in its AG’s office, and the Bureau of Consumer Protection has been taking dead aim at dealer advertising.

    In a recent action, the AG sued 20 dealers as part of an advertising sweep that targeted auto dealers and their salespeople who advertised vehicles for sale without disclosing that the sale was being conducted by a dealer, as is required under Pennsylvania law. All auto dealers in this sweep advertised on Craigslist as individual sellers, rather than as dealers, providing insufficient information to consumers viewing their postings.

    The Office of Attorney General has so far collected more than $10,500.00 in civil penalties and costs for the illegal advertisement of at least 178 vehicles to Pennsylvania consumers. A few of the lawsuits remain outstanding.

    New Jersey

    New Jersey, another state that is establishing its own mini-Consumer Financial Protection Bureau, sued (and put out of business) two buy-here-pay-here dealers and their owner personally for deceptive and unconscionable business practices, which included deceptive advertising.

    The complaint alleged that the defendants sold high-mileage used autos at grossly inflated prices with excessive down payments; financed the sales through in-house loans with high interest rates and “draconian” terms that created a high risk of default; and then repossessed and resold the vehicles over and over again to different consumers, in a practice the AG refers to as “churning.”

    The AG also alleged that the defendants engaged in deceptive advertising, failed to disclose damage to, and/or the substantial repair and bodywork required for, the used motor vehicles they sold, and failed to provide consumers with complete copies of signed sales documents, including financing agreements.

    In addition to significant civil money penalties, the State is seeking to permanently close the two subject car dealerships and ban the owner from ever operating a car dealership again.  The case also seeks restitution for affected consumers.

    Ohio

    The Ohio AG felt it necessary to issue guidance to auto dealers describing advertising requirements under Ohio law and warning about the consequences of deceptive advertising.  Ohio also allows consumers to sue auto dealers under a private right of action for triple their damages and their attorneys’ fees.

    Among other things, an advertised purchase price must include the total amount that a consumer is required to pay the dealer pursuant to the contract. Only tax, title, and registration fees and documentary service charges may be excluded, and the exclusions must be referenced in a disclosure. If a rebate, discount, or price reduction is not available to all consumers, the amount may not be subtracted to arrive at an advertised price.

    Massachusetts and Delaware

    These two states jointly settled an action with Exeter Finance for unfair trade practices in providing subprime auto financing to dealer customers.  Exeter was fined $6 million, $5.5 million by the Massachusetts AG and $500,000 by the Delaware AG.  As part of the settlement, Exeter will waive deficiency balances and other post-default charges on some of its loans and ask major credit reporting agencies to delete trade lines associated with the accounts of affected borrowers.

    Exeter, a subprime lender, was accused of facilitating the origination of auto financing in Massachusetts and Delaware that the company knew or should have known was unfair and in violation of the state consumer protection laws. Officials explained that courts have held lending to be unlawful under the state UDAP statutes if finance companies do not have a basis for believing that borrowers will be able to repay their loans in the normal course.

    Previously, the Massachusetts AG settled with Santander Bank in the sum of $22 million for similar conduct.

    While directed at the lender, the allegations of putting customers into financing a reasonable dealer knows they cannot afford (an example being an unwound spot deal with worse credit terms for the customer) could apply to dealers as well.

    What This Means for Auto Dealers

    These are not the only states that have shown aggressive policing of dealer ads. Many states are establishing watchdog groups focusing on dealer ads that in the past may have been on the bubble, such as sweepstakes ads. And the FTC too has identified auto dealer advertising as a priority for 2019.

    Here are ten best practices for all dealer ads:

    • Make sure your ads contain all triggered terms required by federal Regulation Z (credit sales) and Regulation M (leases);
     
    • Make sure your ads are accurate and that the advertised price omits only tax, title, registration and the document fee permitted by your state’s law. Indicate in a conspicuous disclosure that those items are extra;
     
    • Don’t advertise terms that most of your customer base will not qualify for such as price reductions or low APRs for customers with high credit scores;
     
    • Make sure you have enough of the advertised vehicles to meet the reasonably anticipated consumer demand.  If not, give the exact number available.  A very low number of such vehicles may be interpreted as a “bait and switch” ad;
     
    • Many states require you to give the advertised price to any qualified customer even if the customer has not seen the ad;
     
    • Don’t stack rebates, especially unconditional rebates (available to everyone) with conditional rebates (available only to certain groups like recent graduates, military or first responders, or returning customers). Itemize the rebates you want to advertise;
     
    • Don’t put disclosures in mouse type or in text that bleeds into the background, and don’t place them away from the headline the disclosure explains. Putting a disclosure on a different page from the headline is not recommended;
     
    • Be careful with sweepstakes ads.  They are easily shown to be come-ons designed to get the customer into the showroom with no real possibility of winning a meaningful prize.  See Indiana above;
     
    • For Internet ads, place the disclosures in close proximity to the headline, don’t use pop-up disclosures unless absolutely necessary, make disclosures clear and conspicuous and put an expiration date on every Internet ad; and
     
    • Don’t bury Internet disclosures in long columns of text and be sure the disclosures are optimized to be clear and conspicuous on any device that can access them.

    Expect more regulatory enforcement actions and more lawsuits involving dealer advertising.


    CFPB Finds Unfair and Deceptive Practices in Not Crediting Consumers with Ancillary Products Rebates

    4/5/2019

    The Consumer Financial Protection Bureau (“CFPB”) indicated in recent Supervisory Highlights that it is examining “unfair and deceptive practices” regarding rebates for certain ancillary products after examining the behavior of at least one captive finance company.

    The CFPB noted that vehicle buyers sometimes also finance the purchase of ancillary products, such as an extended service contract, when they enter into a retail installment sales contract for a vehicle. As finance companies know, if the contract holder later experiences a total loss or repossession, the servicer or contract holder may cancel the ancillary products in order to obtain pro-rated rebates of the premium amounts for the unused portion of the products.


    In these situations, the Bureau acknowledged the rebate is payable first to the servicer to cover any deficiency balance and then to the borrower.
     
    “Generally, the servicer contractually reserves the right to request the rebate without the borrower’s participation, although it does not obligate itself to do so. The borrower also retains a right to request the rebate,” the CFPB said.


    During its examinations of extended warranty products and policies used by this unnamed captive, the CFPB found the amount of a potential rebate for the products depended on the number of miles driven. The Bureau said its examiners observed instances where one or more servicers used the wrong mileage amounts to calculate the rebate for extended service contract cancellations.
    “For some borrowers who financed used vehicles, the servicers applied the total number of miles the car had been driven to calculate rebates,” the CFPB said. “However, the servicer(s) should have applied the net number of miles driven since the borrower purchased the automobile.”


    The CFPB concluded that “The miscalculation reduced the rebate available to certain borrowers and led to deficiency balances that were higher by hundreds of dollars. The servicer(s) then attempted to collect the deficiency balances.”


    The CFPB stated that “One or more examinations found that servicer attempts to collect miscalculated deficiency balances were unfair. Collecting inaccurately inflated deficiency balances caused or was likely to cause substantial injury to consumers. And these borrowers could not reasonably have avoided collection attempts on inaccurate balances because they were uninvolved in the servicer’s calculation process.” These findings are the predicate for an unfair and deceptive practices action.


    The CFPB concluded that the injury from this activity is not outweighed by countervailing benefits to consumers or competition. For example, officials emphasized that the additional expense the servicers would incur to train staff or service providers to make certain that refund calculations are correct would not outweigh the substantial injury to consumers.


    In response to its findings, the CFPB said the finance companies conducted reviews to identify and remediate affected consumers based on the mileage they drove before the repossession or total loss of their vehicles. The Bureau added that the finance companies also began to verify mileage calculations directly with the issuers of the products subject to rebate.


    Additionally, the CFPB indicated its examiners observed instances where one or more servicers did not request rebates for eligible ancillary products after a repossession or a total loss. The finance company then sent these consumers deficiency notices listing a final deficiency balance claiming to net out available “total credits/rebates,” including insurance and other rebates. The notices also stated that future additional rebates may affect the amount of the surplus or deficiency, but that “at this time, we are not aware of any such charges.”  This behavior too resulted in overstating deficiencies.


    The CFPB said that the servicers’ records contained information showing that they had not sought the eligible rebates. Examinations showed that the average unclaimed rebate was roughly $1,700.


    “One or more examinations identified these communications as a deceptive act or practice. The deficiency notices misled borrowers because it created the net impression that the deficiency balance reflected a setoff of all eligible ancillary-product rebates, when in fact, the servicers’ systems showed that it had not sought one or more eligible rebates,” the CFPB said.


    The CFPB further concluded that “It was reasonable for consumers to interpret this deficiency balance as reflecting any eligible rebates because the servicers were both contractually entitled and financially incentivized to seek and apply eligible rebates to the deficiency balance. And the misrepresentation was material to consumers because they may have pursued rebates on their own had the servicers not represented that there were not additional rebates available.”


    “In response to these findings, the servicers conducted reviews to identify and remediate affected borrowers. The servicers also changed deficiency notices to clarify the status of eligible ancillary product rebates,” the CFPB concluded.


    It is critical that consumer deficiency calculations first take into consideration rebates from ancillary products, based on the net mileage driven by the consumer at the time of repossession or total loss. Failing to credit the consumer with the net rebates can lead to an unfair and deceptive trade practice action by the CFPB or FTC.


    A Way for Dealers to Sell GAP to MLA-covered Borrowers

    3/11/2019


    On December 14, 2017, the Department of Defense (“DOD”) issued a regulation concerning the exemption from the Military Lending Act (“MLA”) for purchase money auto financing credit secured by the vehicle. The MLA is a law passed in 2006 protecting service members and their families by requiring extensive disclosures and prohibiting certain contract provisions.  Purchase money vehicle financing is exempt and it was believed that this exemption included all aftermarket products sold with the vehicle in the transaction as well.

    DOD’s new interpretation said that a transaction is exempt from the MLA “that finances the [vehicle] itself and any costs expressly related to that [vehicle]. . . provided it does not also finance any credit-related product or service.”  This means if the auto financing transaction includes GAP or credit insurance, the whole transaction is arguably outside of the exemption and subject to the MLA. 

    As a result, auto dealers cannot sell and finance GAP in indirect auto finance without running afoul of MLA penalties which include the inability to take a security interest in the vehicle.  Other penalties can include voiding of contracts from inception; civil liability of actual damages or $500 statutory damages recoverable in class actions; punitive damages; costs and attorney’s fees, along with possible criminal liability. 

    Possible Actions in Response to the DOD's December 2017 Interpretation
    Trade associations and dealer groups have been lobbying the DOD to revoke the December 2017 interpretation.  They were apparently close to doing so in June 2018 but a change in DOD and other agency personnel delayed and politicized the issue.  The timing of the revocation of the DOD interpretation is now uncertain.

    The main result is that dealers should not offer credit insurance or GAP to MLA-covered borrowers in indirect auto finance transactions. This means you will have to check every customer to see if they are an MLA-covered borrower, using one of the “safe harbors” for doing so (either the DOD MLA website or a credit report indicating the person’s MLA status), before selling them GAP or credit insurance. Do this at the time the consumer submits a credit application, or up to 30 days earlier if, for example, you are doing a pre-screen mailing. Document your doing so in the deal jacket.

    But it’s not so easy. At least 11 states have military anti-discrimination statutes. Each state interprets its law differently. In response to a claim of military discrimination for not selling GAP to MLA-covered borrowers, the dealer could argue that the federal MLA and DOD interpretation preempt their state’s anti-discrimination law. Consult your local attorney or compliance professional on the law in your state to get a sense of whether the courts will recognize federal preemption as a defense to alleged credit discrimination against protected military members under your state’s law.

    A Solution for Dealers to Enable MLA Borrowers to Finance GAP
    There is another solution making its way around the industry. The prohibition on taking a security interest in a vehicle on a compliant MLA contract does not apply to banks, credit unions, or savings associations (collectively “banks”). A number of banks (principally credit unions) are preparing compliant MLA loan agreements (not an easy task with all the disclosures and computing an alternative MLA APR) that permit a vehicle security interest. Reportedly, several large banks are also exploring this alternative.

    If an MLA-covered borrower wants to purchase GAP, the solution for dealers is to contract to become an agent of one of these banks and engage in “direct” or “two-party” financing where you act as an agent of the bank in contracting for a direct loan from the bank to the consumer instead of the more-familiar three-party indirect credit sale of the vehicle.   The proceeds of the loan are directed to the dealer and the bank is named as the original creditor on the loan agreement.  The dealer gets a service fee for handling the paperwork for the bank.  For MLA-covered borrowers who want GAP or credit insurance, this solution should work.
    Most industry experts believe the DOD December 2017 regulation will be revoked or repealed at some point, probably later this year. But there is no guarantee. Trade associations are also working the legislative front with Congress. But until one of these approaches leads to a repeal, contract with a bank that offers compliant MLA loan agreements to establish a two-party lending relationship so your MLA-covered borrowers can finance GAP like everyone else.


    BE CAREFUL WITH OUT-OF-STATE DELIVERIES AS MANY RISKS APPLY

    2/25/2019


    The Internet has become a way of life in selling vehicles. It enables customers to contact dealers and obtain information more readily and can be a source of sales. But it comes with real dangers of identity fraud that can leave a dealer required to repurchase an agreement with little, if any, hope of recovering the vehicle.
     
    Since 2010, Customs Agents have seized over 3,500 stolen vehicles in U.S. ports bound for other countries. Many of those cars were headed to Africa or Eastern Europe, or other areas where they can be sold for great profit.  The vast majority of these vehicles were stolen by financial identity fraud perpetrated on dealers who delivered the vehicles to an out-of-state identity thief.
     
    Dr. Stephen Coggeshall, ID Analytics’ chief analytics and science officer and a respected identity theft expert, described the problem of identity fraud with out-of-state deliveries as follows:
     
    “Any transaction that takes place in a faceless environment online has a lot higher potential for fraudsters for a number of reasons. It’s much easier to misrepresent yourself — who you are — in a faceless transaction. But also, the odds of you getting caught are a lot smaller. You’re not physically at a dealership.”
     
    A Red Flags program will have difficulty identifying the theft due to the effectiveness of “synthetic” identity theft. A fraudster creates a synthetic identity by making up a Social Security number (since 2011, Social Security numbers are no longer linked to states of residence but are issued randomly), adding false personally identifying information to it and establishing a credit file.
     
    Dr. Coggeshall says that using synthetic identities is now “the dominant mode of identity fraud,” overtaking other methods like identity theft and identity manipulation, particularly when it comes to remote auto fraud.

    Synthetic identities are incredibly difficult to trace because they don’t lead back to a real person. Fraudsters use a combination of elements such as a fabricated Social Security number, name, date of birth, address or phone number, and then establish that identity by applying for credit cards or a cellphone. Credit bureaus have established files for upwards of 40 people on the same Social Security number.

    “It’s actually not that hard to establish the validity of a synthetic identity,” Dr. Coggeshall says. “And once you’ve done that, you can start doing all sorts of things.”  Hence the rise in motor vehicle identity fraud.  Every time you ship a vehicle out of state instead of making the customer come to the dealership, you run the risk of that person being an identity thief waiting to ship the vehicle overseas or sell it to a chop shop.  It doesn’t take more than a few of those transactions to negatively impact your bottom line.

    In a related sense, straw purchases are also more readily accomplished via out-of-state shipments for Internet sales. These lead to repurchase requests too.

    Out-of-state deliveries produce practical issues as well. Titling vehicles can become problematic if you are not familiar with the idiosyncrasies of the remote state’s title office, and you don’t want dealer plates in far-away locations. Disputes with the buyer may inadvertently wind up being litigated or arbitrated in the buyer’s home state as well, even if your Buyer’s Order says otherwise. Obviously, repossession rights upon default will be subject to a group of laws and requirements different from those in your state. “Home town” justice could easily come into play in the buyer’s favor in any dispute.
    Do enough deliveries into the remote state and their tax authorities might claim you are “doing business” there and want to tax you.  This is another risk.


    2019 CRYSTAL BALL FOR AUTO DEALER SALES AND F&I

    1/1/2019


    2018 was a year marked by increased compliance enforcement by the Federal Trade Commission (“FTC”) and State Attorneys General (“State AGs”).
    The fines imposed in the past two years have increased substantially from those in earlier years. For example, the FTC fined a California dealer group $3.4 million in 2017 for a variety of unfair and deceptive practices, including its first foray into “yo-yo” (spot delivery) practices. In 2018, the FTC conducted a field investigation of over 90 dealers in 22 geographic areas and found that only 7% had displayed the correct new form Used Car Buyer’s Guides on their used vehicles in inventory. Recalls also continue to be a problem for dealers, as 2018 set a record for vehicles recalled by manufacturers. The FTC fined dealerships for selling “certified” used vehicles without either fixing or informing the customers of open recalls. Advertising fines and penalties are now well up into the six figures as well.
    What can we expect in sales and F&I compliance in 2019? Here’s a crystal ball of some issues at the top of regulator agendas that may ripen into enforcement actions and lawsuits in the coming year.
    1. New Unfair and Deceptive Acts and Practices (UDAPs) - The FTC and State AGs imposed fines in excess of $1 million for “yo-yo” financing; fraudulently submitting or changing customer information on credit apps or deal stips; and advertising vehicle specials for which the dealer should have known most customers in its geographic area could not qualify. These were new first-time UDAP practices for the FTC and were coupled with payment packing, misrepresentations, and some of the past UDAP practices to fine dealers or enter into 20-year consent decrees. In 2019, look for the FTC to continue to regulate by enforcement (declaring practices to be UDAPs that had not been previously prosecuted or prohibited by FTC-issued regulations). The FTC is partnering with local law enforcement agencies, as it did with the missing Used Car Buyer’s Guide investigation. Look for more “on the ground” enforcement activity as the FTC, in conjunction with AGs, DMV representatives and local law enforcement, comes out of the ivory tower and polices dealer misbehavior in the real world. Mystery shoppers and agents in the field will be a large part of 2019 compliance enforcement.
    State AGs will continue to pick up auto dealer enforcement activity. Since 2015, the New York Attorney General has obtained more than $17 million in restitution and penalties as part of his office’s crackdown on the practice of ‘jamming,’ or payment packing. State AGs in Arizona, Connecticut, Illinois, Massachusetts, Virginia and Florida, among others, have been particularly aggressive.
    2. Data Security Breaches and Safeguards Rule Violations - 2018 was another record year for data security breaches, both in the number of breaches and the number of records compromised. I recently attended a data security program in which the speaker stated that data is the new oil, and he is right. Hackers and their like are compiling dossiers on millions of individual U.S. persons from both publicly available information (like motor vehicle registration records) and personal information readily for sale on the dark Web, like information from the 2017 Equifax breach that affected nearly 145 million U.S. consumers. The 2018 Verizon Data Breach Investigations Report found that 58% of data breach victims globally are small and mid-size businesses (“SMBs”). Many SMBs report doing very little to protect themselves because they lack the required resources, capabilities, and knowledge. A Ponemon Institute report in 2016 found that roughly half of the nation's 30 million small businesses had been breached. Dealers, whose data security tends to be quite lax when compared to larger companies, are a treasure trove of personal information, including Social Security numbers, driver’s licenses, employment and income information, and other data that facilitates identity theft (also on track to be a record in 2018). Expect more major data breaches and more FTC and State AG action in looking at dealer Safeguards Programs. In California, a new Consumer Privacy Act was passed that provides more protections for consumer data, penalties for breaches, and, for many uses, requires “opt-ins” instead of “opt-outs” when it comes to sharing or using data.
    The FTC entered into a 20-year consent decree in 2018 with a dealer for an inadequate Data Safeguards Program.  Expect more of the same in 2019.
    2a. Breach of Vehicle-Communicated Data - As the industry moves to experiment with driverless vehicles, and as data points are exchanged among vehicles on the road today as part of Internet of Things connected devices (“IoT-connected devices”), the security of the data being transmitted becomes an expanding risk from hackers or criminal enterprises. Most vehicle data being communicated is not encrypted and can easily be hacked by someone wanting to damage the vehicle’s operation, cast doubt on the prospect of driverless cars, or steal the technology, as has occurred in many other industries. This is an IoT-connected-device issue that needs to be followed, because if and when hacking of this type happens, it will throw the auto industry into a crisis. It is less a dealer issue than a manufacturer technology issue, but remember, you sold the IoT-connected vehicle whose data was compromised and abused.
    3. Aftermarket Products  -  Regulators know that dealer profits are largely generated from the back-end sale of aftermarket products.  The CFPB and FTC are not big fans of aftermarket products believing most are overpriced and deliver questionable value to consumers.  The CFPB ordered a national auto finance company to refund $9 million to consumers and pay a $2.5 million fine for making claims about their GAP policy’s protection features while failing to inform consumers that its GAP policy was capped at 125% of the vehicle’s value at the time of loss. Recent enforcement actions have also begun to look at the value of aftermarket products relative to their cost as well as the amount of the dealer’s markup to sell the product at retail. States are also looking more closely at refund issues.  
    Payment packing or front-loading an aftermarket product is always unlawful.  All optional aftermarket products should be presented fully and honestly using an easily-understood menu and the customer should initial all products accepted and rejected.  Parity in pricing products, or at least in bundles of products, is another best practice.  Expect to see aftermarket products in an FTC enforcement action in 2019.
    4.  Military Lending Act  -  Due to the Department of Defense’s December 2017 interpretation of the Military Lending Act (“MLA”) (an interpretation that I think will be repealed some time in 2019), sale of GAP or credit insurance to MLA covered persons (broader than service people and their families) requires compliance with the MLA.  Most dealers and financial institutions are not set up to comply with the MLA in terms of calculating a separate Military APR, making written and oral disclosures to MLA covered persons, eliminating arbitration clauses and making other changes from a standard credit sale. A dealer is prohibited by the MLA from taking a security interest in a vehicle as well and only a regulated financial institution can directly do so.  A standard RISC will not contain the necessary disclosures and the penalties for non-compliance are significant including a customer’s right to void the RISC from inception meaning a consumer could possibly return the car and be entitled to all payments made as well as the amount of any allowance given for their trade-in.  Remember that service people are a preferred group at the CFPB and that filters to other regulators as well.
    5. Spot Deliveries - By adopting the term “yo-yo financing” in its 2017 $3.4 million fine of a California dealership group, the FTC laid out its leanings on an issue the plaintiff’s bar has had at the top of its agenda for years: spot deliveries. What percentage of your spot delivery deals are unwound? If it is more than a small number, you run the risk of a bait-and-switch UDAP practice, one the FTC and many State AGs are examining in response to a growing number of consumer complaints. Make sure your conditional delivery agreement is mutual and fair, and be prepared to show you had a reasonable belief that one of your finance companies would purchase the original contract based on its past conduct.
    In view of the high dollar stakes of enforcement actions and the growing aggression of the FTC and certain State AGs against auto dealers, now would be a good time to review your Compliance Management System and your compliance policies, especially privacy and Safeguards policies. Make any necessary changes based on testing, such as a vulnerability test of your system against hacking. Train and test your people too. Frequently. On data safeguards, people are your biggest risk and an untrained employee is your worst nightmare. Emphasize warnings about phishing schemes, the use of complex passwords, and avoiding other schemes criminals use to compromise a user’s credentials and enter your system.


    THE DANGER WITHIN: ALMOST 35% OF DATA BREACHES RESULT FROM INTERNAL EMPLOYEES AND HOW YOU CAN REDUCE YOUR RISK

    11/15/2018


    A total of 3,676 breaches involving over 3.6 billion records were reported in the first nine months of this year alone, according to Risk Based Security, which analyzes data pertaining to breaches gathered from public sources, through automated and proprietary processes, and other means.
     
    As has been the case for several years, a recent study by Risk Based Security found insiders posed the biggest threat to data. Fraud — a term that Risk Based Security uses to describe any sort of malicious insider activity or non-technical method of illegally accessing data — accounted for nearly 36% of the records compromised.
     
    The reasons for such internal misbehavior vary from the obvious profit motive to a desire to cause harm to the dealership and its customers. Many criminal elements approach auto dealer employees with a proposal to pilfer consumer non-public personal information (“NPI”) in exchange for cash payments or other benefits. To some employees, the risk is worth taking.
     
    What’s a Dealer to Do?
    To address the problem of insider misbehavior, there are a number of steps you can and should be taking.
     
    It begins with the hiring process. Unless prohibited by law, a criminal background check should be undertaken for any candidate who, if employed, will have access to NPI. An investigative consumer credit report is another good step to take, although you will have to notify the candidate that you are doing so and, if asked, give the general information learned from such a report. But you don’t want questionable and potentially unreliable people in your dealership, especially if they will have access to your most valuable resource, NPI.
     
    Another thing you need to do is limit access permissions.  How many employees in your stores can access NPI even though it may be unrelated to their positions?  I bet it is a lot.   Limit employee access to only that NPI they need to do their jobs and no more.  This alone will reduce your risk.
     
    The next step is that you must educate employees and monitor their activity.  Most electronic record-keeping systems and DMS (dealer management system) platforms have the ability to create access logs of who did what, and when, on the system.  Maintain and review access logs of how often individual employees access NPI and watch carefully for spikes in activity.  Do this with paper records as well.  Appoint a gatekeeper or librarian who records the persons who access paper files with NPI and watch for spikes in that activity as well.  An increase in file access may indicate the employee’s account has been compromised by a hacker, but it may also indicate the employee has decided to go over to the dark side.
     
    Your Employee Handbook should be clear that accessing NPI without a legitimate business purpose is cause for immediate termination in the sole discretion of management.
     
    Another step you can take is to prohibit the downloading of NPI onto any external storage device such as a USB drive, an external hard drive, or other electronic media.  Access to NPI should be “read only,” with no ability to download or transmit any of the information to any person not authorized by senior management.
     
    Protect your NPI by putting it on a separate server not connected to the Internet.  Use two-factor authentication (a password plus a code sent to the real user’s device is one example) to enable access, and grant access only to the extent of the employee’s permissions.  In one New Jersey case, a salesperson from a large dealer had resigned to go to a smaller competitor.  Before doing so, the employee copied the large dealer’s DMS system onto a USB drive.  No doubt similar activity goes on elsewhere.  Pay careful attention to an employee’s access logs for about a month before they give notice and at all times after they give notice and prior to leaving the building.  Watch their incidence of copying physical papers as well.  This may be when you are most at risk.
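    The two monitoring ideas above (watching for spikes in an employee’s NPI access and reviewing everything a departing employee touches from a month before notice onward) can be reduced to a small review script.  The following is an added example written for this post, not code from the author or from any DMS vendor; the log format (“date employee record” per line), the spike thresholds, and the sample entries are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed sample access log (assumed format: "YYYY-MM-DD employee record").
# jdoe has a quiet baseline and then pulls 20 records in one day;
# asmith is a modest user who gives notice on 2019-11-08.
SAMPLE_LOG = [
    "2019-11-04 jdoe NPI-1001", "2019-11-04 jdoe NPI-1002",
    "2019-11-05 jdoe NPI-1003", "2019-11-06 jdoe NPI-1004",
    "2019-11-07 jdoe NPI-1005", "2019-11-07 jdoe NPI-1006",
    "2019-11-05 asmith NPI-2001", "2019-11-06 asmith NPI-2002",
    "2019-11-08 asmith NPI-2003",
] + [f"2019-11-08 jdoe NPI-{1100 + i}" for i in range(20)]

# Constructed: employee -> date they gave notice (ISO string).
NOTICES = {"asmith": "2019-11-08"}


def parse_log(lines):
    """Return {employee: Counter({date: number of NPI records accessed})}."""
    daily = defaultdict(Counter)
    for line in lines:
        day, employee, _record = line.split()
        daily[employee][date.fromisoformat(day)] += 1
    return daily


def find_spikes(daily, factor=3.0, min_count=10):
    """Flag (employee, day, count, baseline) where an employee's daily count is at
    least factor x the median of their other active days and at least min_count
    (the absolute floor keeps a 1-record baseline from flagging 3 records)."""
    spikes = []
    for employee, counts in daily.items():
        for day, n in sorted(counts.items()):
            others = [c for d, c in counts.items() if d != day]
            baseline = median(others) if others else 0
            if n >= min_count and n >= factor * max(baseline, 1):
                spikes.append((employee, day, n, baseline))
    return spikes


def departure_watch(daily, notices, days_before=30):
    """List every access day for an employee from days_before their notice date
    onward; volume is irrelevant here, each entry is reviewed by a person."""
    flagged = []
    for employee, notice in notices.items():
        start = date.fromisoformat(notice) - timedelta(days=days_before)
        for day, n in sorted(daily.get(employee, {}).items()):
            if day >= start:
                flagged.append((employee, day, n))
    return flagged


if __name__ == "__main__":
    daily = parse_log(SAMPLE_LOG)
    for employee, day, n, base in find_spikes(daily):
        print(f"SPIKE  {employee} {day}: {n} records (median other days {base})")
    for employee, day, n in departure_watch(daily, NOTICES):
        print(f"WATCH  {employee} {day}: {n} records in departure window")
```

    The same logic applies to the paper-file gatekeeper’s ledger if it is kept as one line per pull.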
     
    Finally, make clear in employee training that anyone who suspects a colleague of taking NPI for non-company purposes is obligated to report that suspicion to the Chief Compliance Officer, anonymously if necessary.  And let the employees know that not only will immediate termination follow, but that the dealership is prepared to swear out a criminal complaint for any such behavior.
     
    A little prevention like the type described in this blog can prevent your dealership from being the next victim of a safeguards breach.  And that is a good thing too.  A 2016 Verizon study found that among small to mid-size businesses that experienced a data security breach, three out of five went out of business within six months.  Exercise diligence and hopefully you can mitigate at least this 36% of your safeguards risk.


    TWO RECENT CASES SHOW NEED FOR A COMPLIANCE MANAGEMENT SYSTEM

    10/1/2018


     
    Two recent cases, one in Pennsylvania, the second in Arizona, have resulted in or are seeking large monetary damages awards against dealers and their principals personally.  Both involved situations in which the dealers failed to have in place a Compliance Management System (CMS).  The case already resolved—the one in Pennsylvania—required the dealership to implement a Code of Conduct and CMS to avoid further damage liability.
     
    Both cases involved patterns and practices of unlawful conduct that had been going on for years and could have been prevented by application of an effective CMS.  In Pennsylvania, the dealer entered into a deferred prosecution agreement which essentially means that if it takes certain action, it will not be prosecuted further under federal criminal laws.
     
    The Department of Justice (DOJ) sued the dealer and its principal for falsifying loan documents over a period of six years.  These actions, if proven, would constitute the felony of bank fraud under federal criminal law.  To stave off prosecution, the dealer agreed to pay a monetary penalty of $1.4 million and more than $737,000 in restitution to various finance companies.  It also agreed to implement a substantial corporate compliance and ethics program and a vigorous monitoring and audit regime.  If it fails to do so, the DOJ will prosecute for the criminal violations.
     
    The second case in Arizona involves the FTC suing a five-store dealer group and its principals personally for falsifying customer income on credit applications and down payments on contracts.  This is the first time the FTC has brought a lawsuit against an auto dealer for misrepresenting consumer income to financial institutions.  If true, these activities would also violate federal criminal law and likely result in multi-million-dollar fines and penalties against the dealer.  Like the dealer in Pennsylvania, the Arizona dealer had no CMS in place and that will be a contributing factor to how the lawsuit is resolved.
     
    What is a CMS and How Do You Implement One?
     
    A CMS begins with a Code of Conduct issued by the Board of Directors or senior management if the dealer does not have a Board.  It sets the tone from the top.   The first step toward implementation of a compliance program is management’s communication of their commitment and the responsibility of all employees to adhere to the Code of Conduct in all dealings.
     
    The CMS is composed of several elements addressing risks identified by the Board and a Chief Compliance Officer who is appointed to head up the CMS.  All aspects of the dealership from manufacturer relations to environmental shop risks need to be reviewed and addressed.  Management of risks and controls over process are the essence of a CMS.
     
    It is critical that the dealership establish compliance standards (policies and procedures) that prescribe the internal control framework necessary to provide reasonable assurance of compliance with applicable laws and policies, including those designed to protect consumer privacy during the conduct of dealer activities.  Employees will not come forward with complaints or reports of failure to adhere to processes or procedures if they fear retaliation or do not believe their reporting will change anything.  For a CMS to work effectively throughout the organization, a formal investigation process and controls must be put into place to assure non-retaliation, privacy, and swift changes to the processes necessary to effect change, and these must be publicized to the employees.
     
    Policies and Procedures
     
    High-level policies and individual processes and procedures to control compliance risks must be developed, and employees need to be trained on overall policies applicable to all employees (e.g., harassment and discrimination prohibitions, complaint or compliance violation reporting, and anti-retaliation policies) as well as specific policies and procedures applicable to their positions.  So, for example, F&I personnel would need to be educated about Truth in Lending, the Consumer Leasing Act, and unfair and deceptive practices, and given procedures for the conduct of business in the F&I office, such as transparently presenting products and avoiding things like payment packing, discriminating in credit terms offered to customers, and presenting products honestly and fairly to customers.
     
    Managers are the first line of defense in monitoring employees and all required behaviors should be monitored.  An example is accessing non-public customer information.  Policies would limit permissions to only what an employee needs to do their job and the frequency and nature of customer information accessed would be regularly monitored using data logs and a gatekeeper for paper files.  If any spikes in activity appear, the Chief Compliance Officer and appropriate staff would begin an investigation to see if the employee had been compromised or become dishonest personally in stealing customer information.  Appropriate safeguards and process improvements would be promptly identified and implemented.
     
    Compliance must be implemented in all new products and programs including by giving the Compliance Officer a “seat at the table” as they are developed.  Policies and procedures for implementation follow with monitoring established to ensure compliance or remediate a failure to comply.
     
    Education and Training
     
    Critical to any CMS is a process of training new hires and re-training existing employees on the Code of Conduct, overall dealership policies and procedures that apply to all employees, as well as the policies and procedures that apply to their specific positions.  This needs to be an ongoing interactive process.  Training and compliance need to be built into performance reviews and promotional decisions.  This systemizes the CMS throughout the dealership.
     
    Auditing and Investigation
     
    Periodic audits need to be performed by internal or external auditors of the various controls established as well as reported incidents and matters identified from monitoring.  Auditing should be done regularly as well as in response to specific situations.  The auditors work with the Chief Compliance Officer, identify process failures and transgressions, and make reports and recommendations to the Board or a committee of the Board for correction and improvement.  A periodic review of customer deal jackets is an example of an audit process designed to identify acts or omissions that are out of compliance.
     
    Both the auditors and Chief Compliance Officer should be independent of the business and the business units being investigated.  The dealer needs to provide ample resources and access to dealer materials to enable the CMS to function effectively and assess the dealership’s compliance in all areas.
     
    Managing Incidents of Non-Compliance
     
    Compliance incidents, however identified, must be swiftly contained and investigated, and appropriate corrective action taken. Upon reporting of a potential incident, the dealership must conduct compliance incident management activities by applying the relevant policy, assessing authorities and/or legal issues, taking corrective action, and responding to the needs of the organization’s internal and external overseers. In addition, the CMS evaluation must identify the root cause and assess the impact of incidents to continuously frame the evolution of the CMS.
     
    A “root cause” analysis is required to correct an underlying process or failure of control that caused the event.  A root cause is a factor that caused a nonconformance and should be permanently eliminated through process improvement.  Root cause analysis is a collective term that describes a wide range of approaches, tools, and techniques used to uncover the causes of problems.
     
    One approach is to drill down to the root cause by asking a series of “why” questions.  For example, if vehicle titles are not getting timely processed, a “why” analysis would look at the timeframes and factors that cause the delays. A solution might be to hire an external titling vendor with contractual assurances of timeliness if information is timely provided.  The timely provision of information to the titling vendor would be a change in procedure and a process that could be monitored and audited to make sure titles get timely processed.
     
    Customer Complaints
     
    Regulators require a process for handling customer complaints as part of a dealer’s CMS.
     
    Procedures should be established for addressing complaints, and individuals or departments responsible for handling them should be designated and known to all institution personnel to expedite responses. How complaints are identified and defined is critical, as consumer inquiries may also highlight areas with increased risk of consumer harm and/or regulatory compliance concerns.
     
    Complaints may indicate a compliance weakness in a process, function or department. Therefore, the Chief Compliance Officer should be aware of the complaints received and act to ensure a timely resolution. A compliance officer should determine the cause of the complaint and act to improve the institution’s business practices, as appropriate.
     
    A procedure should also be established for handling garden-variety customer sales or service complaints.  The Chief Compliance Officer or his or her staff should log the complaints pursuant to a process and either the Chief Compliance Officer or another dealer senior executive should endeavor to resolve the complaint to the customer’s satisfaction.
     
    Do a cost-benefit analysis of not satisfying the customer in terms of legal fees, bad publicity, low CSI scores, etc. that may outweigh what even unreasonable customer requests entail.  Regulators begin investigations with customer complaints, whether or not well founded. Try to resolve complaints with “funny money,” this being free or discounted goods or services.  Endeavor to preserve a positive relationship with the customer, one way or another.  Use arbitration and pay filing costs if a resolution is not possible as a last resort.
     
    Oversight and Improvement
     
    An effective CMS is a process of constant evaluation. The key is to strive for and demonstrate a process for continually improving on compliance activities and evolving your compliance program and its activities.  The Chief Compliance Officer can spearhead this process, but oversight must remain with and be exercised by the Board.
     
    Keep abreast of legal, regulatory and case law developments and change policies and procedures as appropriate.  Engage with state and local dealer associations and 20 groups.  Attend compliance update training programs and subscribe to industry publications.
     
    Risks are also not static.  Annual (or more frequent) risk assessments should be conducted by the Board’s risk/compliance committee and the Chief Compliance Officer as business and legal risks evolve.  Identify impacted areas.  Change policies, procedures and training as appropriate.  Enlist managers in making the changes with staff.
     
    Continue to monitor and audit for compliance and respond accordingly even if no complaint has been reported about compliance shortfalls.  Continuously improve processes and procedures.
     
    Summary
     
    An effective CMS could have saved the two dealerships described above millions of dollars in fines, penalties, attorney’s fees, and bad publicity.  Third parties exist to help you begin or improve your CMS.  An effective CMS is a factor that a regulator will consider in deciding whether to bring an enforcement action or assess fines and penalties.  It is also a factor to be considered by courts under the U.S. Sentencing Guidelines.  While it will involve costs and implementing procedures, the two dealerships described above certainly show the result of failing to have an effective CMS.  Begin or enhance your CMS today and your dealership will be better off for doing so.


      Author

      Randy Henrick is a leading auto industry compliance consultant. This article is not intended as legal or compliance advice due to the unique nature of a dealer's situation in each state. Randy's articles do provide issues and best practices that you may want to discuss with your attorney or compliance advisor for possible adoption in your dealership. Email Randy at AutoDealerCompliance@gmail.com
      Follow us on Twitter @randyh44


    © 2018 Randy Henrick & Associates, L.L.C.