AdobeStock_518172232_1440x720.jpg

7 Steps to Red Flag Rule Compliance

People and WorkArticleJuly 25, 2023

Share this

The Red Flags Rule (the Rule), enforced by the Federal Trade Commission (FTC), requires automobile dealers to develop and implement a written identity theft prevention program designed to identify, detect, and respond to warning signs—known as “red flags”—that indicate that a customer or potential customer could be using stolen information to obtain an indirect or direct loan or lease at their dealership.

In other words, dealerships are required to create a program that allows them to be reasonably certain that the person entering into the credit or lease transaction is who they say they are. While you may already have systems in place to verify the identity of your dealerships’ finance and lease customers, do you know if your systems are in compliance with the more elaborate requirements of the Rule? To help ensure your dealership aligns with the regulation, Zurich recommends the following seven steps:

1. Put the program in writing.

Your program must contain reasonable policies and procedures to address four primary responsibilities under the Rule1:

  1. Identify relevant Red Flags
  2. Detect Red Flags
  3. Prevent and mitigate identity theft
  4. Update the program

The Rule also states that each program must be documented in writing. While potentially burdensome, this requirement can have obvious advantages to the dealer. It forms the basis for the employee training that is required by the Rule and makes responding to government audits, and inquiries possible.

2. Make a list of patterns, practices or specific activities that could be red flags signaling possible identity theft.

Your policies and procedures should require that you become at least reasonably certain of your customer’s buyer’s identity. The FTC groups possible red flags into the following five categories2:

  1. Alerts, notifications and warnings from a credit reporting company: Changes in a credit report or a consumer’s credit activity might signal identity theft.
  2. Suspicious documents: Documents can offer hints of identity theft.
  3. Personal identifying information: Personal identifying information can indicate identity theft.
  4. Account activity: How the account is being used can be a tip-off to identity theft.
  5. Notice from other sources: A customer, a victim of identity theft, a law enforcement authority, or someone else may be trying to tell you that an account has been opened or used fraudulently.

Note, not all possible red flags will be relevant to the way your dealership does business. In particular, unless you have accounts to which customers can make charges after origination, for example, house credit accounts, the possible red flags in category four are not likely to apply to your dealership.

You also need to guard against identity theft risks that result from employee access to account information. Employee access should already be limited as part of your overall information security program.

3. Make a list of methods used to detect and evaluate if a red flag has occurred.

The program should describe procedures used to verify customer information and detect when information is incorrect. Some procedures include:

  • Specifying acceptable forms of identifying information required of each finance customer.
  • Specifying procedures to verify identifying information, for example, using third-party resources to confirm identification or detect fraud.
  • Using a system to monitor employee compliance relative to their access and use of customer account information.

4. Describe how your dealership will respond when red flags are detected.

The program must contain reasonable policies for responding to red flags detected during a transaction. This should include a procedure for escalating unresolved situations to senior management. Some appropriate responses to unresolved red flags would be to:

  • Not continue the transaction.
  • Use additional resources to verify the customer’s identity.
  • Notify law enforcement.
  • Determine that no response is warranted.

5. Document all red flag responses and keep them in the customer file.

All red flag responses should also be kept in a dealership file to be used to maintain and update the program.

6. Detail a plan to update the program periodically.

Update the program to reflect changes in risks to customers or to your dealership’s safety and security based upon:

  • Your experience with identity theft.
  • New methods of identity theft.
  • New methods of identity theft prevention and detection.
  • Changes in the types of accounts offered or maintained by your dealership.
  • Changes in your dealership’s business or structure such as mergers and changes in service provider arrangements.

7. Follow the Red Flags Rule guidelines in managing the program.

The Rule provides for some specific administrative actions that need to take place to adequately manage your program. These include that your program must:

  • Be approved and implemented by your dealership’s Board of Directors or, if no board exists, a designated member of the senior management team.
  • Be periodically evaluated to determine if updates are necessary.
  • Include training for relevant staff on their obligations under the program.
  • Be able to ensure service providers have reasonable procedures to detect, prevent and mitigate the risk of identity theft.

Penalties for Violations

Penalties for violations of these regulations are stiff. These include the following:

  • A “knowing” violation of the Rule is a violation of the FTC Act, which provides for a $3,500 civil penalty for each violation.
  • Enforcement actions by the FTC can carry penalties of up to $11,000 per violation, per day.
  • Dealers may also be liable under state unfair and deceptive acts, and practices law, which may include individual and class action claims.

 

Portions of this publication were taken from and used with the permission of Counselor Library, LLC,  publisher of A Dealer’s Guide to the Red Flags Rule by Michael A. Benoit of Hudson Cook, LLP.

References

1. https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business

2. https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business

 

Downloads

Related Industries

Related products and solutions

Related Topics

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure, or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.