THE DANGER WITHIN: ALMOST 35% OF DATA BREACHES RESULT FROM INTERNAL EMPLOYEES AND HOW YOU CAN REDUCE YOUR RISK
Two recent cases, one in Pennsylvania, the second in Arizona, have resulted in or are seeking large monetary damages awards against dealers and their principals personally. Both involved situations in which the dealers failed to have in place a Compliance Management System (CMS). The case already resolved—the one in Pennsylvania—required the dealership to implement a Code of Conduct and CMS to avoid further damage liability.
Both cases involved patterns and practices of unlawful conduct that had been going on for years and could have been prevented by application of an effective CMS. In Pennsylvania, the dealer entered into a deferred prosecution agreement, which essentially means that if it takes certain action, it will not be prosecuted further under federal criminal laws.
The Department of Justice (DOJ) sued the dealer and its principal for falsifying loan documents over a period of six years. These actions, if proven, would constitute the felony of bank fraud under federal criminal law. To stave off prosecution, the dealer agreed to pay a monetary penalty of $1.4 million and more than $737,000 in restitution to various finance companies. It also agreed to implement a substantial corporate compliance and ethics program and a vigorous monitoring and audit regime. If it fails to do so, the DOJ will prosecute for the criminal violations.
The second case in Arizona involves the FTC suing a five-store dealer group and its principals personally for falsifying customer income on credit applications and down payments on contracts. This is the first time the FTC has brought a lawsuit against an auto dealer for misrepresenting consumer income to financial institutions. If true, these activities would also violate federal criminal law and likely result in multi-million-dollar fines and penalties against the dealer. Like the dealer in Pennsylvania, the Arizona dealer had no CMS in place and that will be a contributing factor to how the lawsuit is resolved.
What is a CMS and How Do You Implement One?
A CMS begins with a Code of Conduct issued by the Board of Directors or senior management if the dealer does not have a Board. It sets the tone from the top. The first step toward implementation of a compliance program is management’s communication of their commitment and the responsibility of all employees to adhere to the Code of Conduct in all dealings.
The CMS is composed of several elements addressing risks identified by the Board and a Chief Compliance Officer who is appointed to head up the CMS. All aspects of the dealership from manufacturer relations to environmental shop risks need to be reviewed and addressed. Management of risks and controls over process are the essence of a CMS.
It is critical that the dealership establish compliance standards (policies and procedures) that prescribe the internal control framework necessary to provide reasonable assurance of compliance with applicable laws and policies, including those designed to protect consumer privacy during the conduct of dealer activities. Employees will not come forward with complaints or reports of failure to adhere to processes or procedures if they fear retaliation or do not believe their reporting will change anything. For a CMS to work effectively throughout the organization, a formal investigation process and controls must be put into place to assure that non-retaliation, privacy, and the swift process changes necessary to effect change are implemented and publicized to the employees.
Policies and Procedures
High-level policies and individual processes and procedures to control compliance risks must be developed, and employees need to be trained on overall policies applicable to all employees (e.g., harassment and discrimination prohibitions, complaint or compliance violation reporting and anti-retaliation policies) as well as specific policies and procedures applicable to their positions. So, for example, F&I personnel would need to be educated about Truth in Lending, the Consumer Leasing Act, and unfair and deceptive practices, and given procedures for the conduct of business in the F&I office such as transparently presenting products and avoiding things like payment packing, discriminating in credit terms offered to customers, and presenting products honestly and fairly to customers.
Managers are the first line of defense in monitoring employees and all required behaviors should be monitored. An example is accessing non-public customer information. Policies would limit permissions to only what an employee needs to do their job, and the frequency and nature of customer information accessed would be regularly monitored using data logs and a gatekeeper for paper files. If any spikes in activity appear, the Chief Compliance Officer and appropriate staff would begin an investigation to determine whether the employee had been compromised or had personally become dishonest and was stealing customer information. Appropriate safeguards and process improvements would be promptly identified and implemented.
Compliance must be implemented in all new products and programs including by giving the Compliance Officer a “seat at the table” as they are developed. Policies and procedures for implementation follow with monitoring established to ensure compliance or remediate a failure to comply.
Education and Training
Critical to any CMS is a process of training new hires and re-training existing employees on the Code of Conduct, overall dealership policies and procedures that apply to all employees, as well as the policies and procedures that apply to their specific positions. This needs to be an ongoing interactive process. Training and compliance need to be built into performance reviews and promotional decisions. This systemizes the CMS throughout the dealership.
Auditing and Investigation
Periodic audits need to be performed by internal or external auditors of the various controls established as well as reported incidents and matters identified from monitoring. Auditing should be done regularly as well as in response to specific situations. The auditors work with the Chief Compliance Officer, identify process failures and transgressions, and make reports and recommendations to the Board or a committee of the Board for correction and improvement. A periodic review of customer deal jackets is an example of an audit process designed to identify acts or omissions that are out of compliance.
Both the auditors and Chief Compliance Officer should be independent of the business and the business units being investigated. The dealer needs to provide ample resources and access to dealer materials to enable the CMS to function effectively and assess the dealership’s compliance in all areas.
Managing Incidents of Non-Compliance
Compliance incidents, however identified, must be swiftly contained and investigated, and appropriate corrective action taken. Upon reporting of a potential incident, the dealership must conduct compliance incident management activities by applying the relevant policy, assessing authorities and/or legal issues, taking corrective action, and responding to the needs of the organization’s internal and external overseers. In addition, the CMS evaluation must identify the root cause and assess the impact of incidents to continuously frame the evolution of the CMS.
A “root cause” analysis is required to correct an underlying process or failure of control that caused the event. A root cause is a factor that caused a nonconformance and should be permanently eliminated through process improvement. A root cause analysis is a collective term that describes a wide range of approaches, tools, and techniques used to uncover causes of problems.
One approach is to drill down to the root cause by asking a series of “why” questions. For example, if vehicle titles are not getting timely processed, a “why” analysis would look at the timeframes and factors that cause the delays. A solution might be to hire an external titling vendor with contractual assurances of timeliness if information is timely provided. The timely provision of information to the titling vendor would be a change in procedure and a process that could be monitored and audited to make sure titles get timely processed.
Regulators require a process for handling customer complaints as part of a dealer’s CMS.
Procedures should be established for addressing complaints, and individuals or departments responsible for handling them should be designated and known to all institution personnel to expedite responses. How complaints are identified and defined is critical, as consumer inquiries may also highlight areas with increased risk of consumer harm and/or regulatory compliance concerns.
Complaints may indicate a compliance weakness in a process, function or department. Therefore, the Chief Compliance Officer should be aware of the complaints received and act to ensure a timely resolution. A compliance officer should determine the cause of the complaint and act to improve the institution’s business practices, as appropriate.
A procedure should also be established for handling garden-variety customer sales or service complaints. The Chief Compliance Officer or his or her staff should log the complaints pursuant to a process and either the Chief Compliance Officer or another dealer senior executive should endeavor to resolve the complaint to the customer’s satisfaction.
Do a cost-benefit analysis of not satisfying the customer in terms of legal fees, bad publicity, low CSI scores, etc. that may outweigh what even unreasonable customer requests entail. Regulators begin investigations with customer complaints, whether or not well founded. Try to resolve complaints with “funny money,” this being free or discounted goods or services. Endeavor to preserve a positive relationship with the customer, one way or another. As a last resort, if a resolution is not possible, use arbitration and pay the filing costs.
Oversight and Improvement
An effective CMS is a process of constant evaluation. The key is to strive for and demonstrate a process for continually improving on compliance activities and evolving your compliance program and its activities. The Chief Compliance Officer can spearhead this process, but oversight must remain with and be exercised by the Board.
Keep abreast of legal, regulatory and case law developments and change policies and procedures as appropriate. Engage with state and local dealer associations and 20 groups.
Attend compliance update training programs and subscribe to industry publications.
Risks are also not static. Annual (or more frequent) risk assessments should be conducted by the Board’s risk/compliance committee and Chief Compliance Officer as business and legal risks evolve. Identify impacted areas. Change policies, procedures and training as appropriate. Enlist managers in making the changes with staff.
Continue to monitor and audit for compliance and respond accordingly even if no complaint has been reported about compliance shortfalls. Continuously improve processes and procedures.
An effective CMS could have saved the two dealerships described above millions of dollars in fines, penalties, attorney’s fees, and bad publicity. Third parties exist to help you begin or improve your CMS. An effective CMS is a factor that a regulator will consider in deciding whether to bring an enforcement action or assess fines and penalties. It is also a factor to be considered by courts under the U.S. Sentencing Guidelines. While it will involve costs and implementing procedures, the two dealerships described above certainly show the result of failing to have an effective CMS. Begin or enhance your CMS today and your dealership will be better off for doing so.
After a period of relative quiet since slapping a Texas dealer for deceptive advertising in January 2018, the FTC recently launched two aggressive actions against auto dealers. It certainly seems like the FTC has auto dealers in their headlights and is enforcing compliance on violations it has not aggressively pursued in the past.
New Used Car Guide Sweep
The first initiative was a 20-state sweep in partnership with local law enforcement authorities for compliance with the new Used Car Rule. The FTC amended the Rule and published a new Buyer’s Guide form in November 2016. It requires the new Buyer’s Guide to be conspicuously placed on all used vehicles for sale. The mandatory compliance date was January 28, 2018.
In their sweep, the FTC and its partners conducted on site reviews of 94 dealers and found that only 14 had the new Buyer’s Guides on all their used vehicle sales inventory. That’s less than 15%. 33 had the new Guides on half of their used cars and the remaining dealers did not. Not good.
According to the FTC,
“Following the sweep, the FTC sent letters to each dealership detailing the results of the inspections and providing material to help them come into full compliance with the amended Rule. Over the coming weeks, dealerships that were not displaying the revised Buyers Guide can expect follow-up inspections to ensure they have brought themselves into compliance with the amended Rule. Under the FTC Act, dealers who fail to comply face penalties of up to $41,484 per violation. State and local law enforcement agencies also enforce the recently amended [Used Car] Rule.”
Several years ago, when the penalties were only $16,000 per violation, another sweep and follow-up led to the FTC fining an Arkansas dealer $88,000 for not displaying Used Car Buyer’s Guides on its used vehicles. Expect more sweeps and higher fines for those dealers that do not have the new Buyer’s Guides on all, or substantially all, of their used vehicles that are offered to the public for sale or lease.
The new Used Car Buyer’s Guide focuses on dealer warranties and there are two forms: one for states that permit “as is” sales disclaiming all warranties and one for states that do not permit disclaimer of implied warranties. You can find the English version of both forms at https://www.consumer.ftc.gov/articles/pdf-0083-buyers-guide.pdf
Remember that if you conduct the sale in Spanish, you must use a Spanish version of the Used Car Buyer’s Guide. You can find these at https://www.ftc.gov/es/system/files/documents/plain-language/cfr_buyers_guides_spanish_form.pdf
It is not required but it is a good idea to get the customer to sign the Buyer’s Guide acknowledging receipt. The FTC allows you to put a customer signature line on the back of the Buyer’s Guide provided it is preceded by the following words: “I hereby acknowledge receipt of the Buyer’s Guide at the closing of this sale.”
The FTC’s Initiative Against Falsifying Credit Applications and Deceptive Advertising
This past month, the FTC filed a lawsuit in a federal court in Arizona seeking injunctive and monetary relief against a four-store group. They also sued the principals of the group in their personal capacities. That alone is an important reason to take notice of this lawsuit.
The FTC had never brought an action against dealers (or their principals) who falsify credit applications such as, in this case, by inflating customers’ income and down payments to get deals funded by lenders. One of the four stores was found to have inflated income or down payment amounts 44% of the time! And it wasn’t nickel and dime stuff. One customer cited by the FTC told the dealership she had a fixed monthly income of about $1,200, but a dealer’s staffer allegedly inflated it to $5,200 in the paperwork.
The complaint also charges that the defendants often used tactics that prevented people from reviewing the documents. The dealer’s personnel allegedly rushed some consumers through the process; had them fill out forms over the phone or in places like grocery store parking lots or restaurants; or altered the documents after consumers signed them.
This behavior went on for several years until one lender that experienced a disproportionately high default rate from the dealer’s customers did an audit and uncovered the schemes.
The dealer group was also charged with false advertising. The first thing the FTC looks at in dealer advertising is whether “triggered terms” required by federal Truth in Lending (“TILA”) and the Consumer Leasing Act (“CLA”) were made in the ads. In many instances, they were not and that creates another unfair or deceptive practice.
As a refresher, in credit sales, if you advertise any payment amount, the term, amount or percentage of down payment, or the amount of any finance charge, then you must include (the triggered terms) the APR or annual percentage rate using one of those terms, the down payment, and the terms of repayment.
For leases, if you advertise the amount of any payment, a statement of any capitalized cost reduction or even that no up front payment is required ($0 down), then the triggered terms you must advertise are the fact the transaction is a lease, the amount due prior to lease signing or delivery, the number, amount and due dates of payments, and whether or not a security deposit is required.
The FTC always starts by looking for triggered terms in an ad. In this case, they also found that deceptive advertising took other forms. For example, one YouTube ad claimed the featured car “can be in your driveway for only $169 per month.” In fact, consumers can’t buy that car for the advertised monthly payment. That amount applies only to a lease. What’s more, the FTC says the ad didn’t clearly disclose that to get that monthly payment, consumers must shell out $2899 plus other fees at lease signing.
Then there’s the online ad where the company touted an “incentive” discount of $5,250. But buried behind multiple hyperlinks was the fact that the discount was available only to consumers who trade in a 1995 or newer vehicle or terminate a lease from another car company 30 days before or 90 days after delivery. In addition, the lawsuit charges that the dealer’s social media posts failed to disclose required triggered terms.
These two initiatives will almost certainly result in some huge monetary penalties against select dealerships. And both initiatives show that the FTC is prepared to go into new areas and partner with State Attorneys General and other local law enforcement to assemble data against rogue dealerships. You don’t want to be one of those rogue dealerships. Here are some strategies you might want to think about using:
On May 21, 2018, President Trump signed legislation passed by Congress to repeal the Auto Finance Guidance issued by the Consumer Financial Protection Bureau (“CFPB”) in March 2013. The legislation prohibits the CFPB from issuing similar rules or regulations without first obtaining Congressional approval and is a win for auto dealers and lenders everywhere.
Randy Henrick is a leading auto industry compliance consultant. This article is not intended as legal or compliance advice due to the unique nature of a dealer's situation in each state. Randy's articles do provide issues and best practices that you may want to discuss with your attorney or compliance advisor for possible adoption in your dealership. Email Randy at AutoDealerCompliance@gmail.com