August 02, 2011
by Randy Henrick
The 2011 DealerTrack Compliance Guide is a free resource of compliance information affecting an auto dealer's day-to-day compliance activities.
August 08, 2011
by Randy Henrick
July 21, 2011 marked an important date for auto dealers and consumer creditors generally. It was the one-year anniversary of the signing of the Dodd-Frank Act as well as the “designated transfer date” for consumer protection law regulatory authority to be transferred to the new Consumer Financial Protection Bureau (“CFPB”). Eighteen different laws, including the Truth in Lending Act, the Equal Credit Opportunity Act, the Fair Debt Collection Practices Act, and most of the Fair Credit Reporting Act, are now subject to the CFPB’s jurisdiction to write rules and bring enforcement proceedings. The CFPB must also issue regulations prohibiting “unfair, deceptive, or abusive practices” (“UDAAPs”), the scope of which has yet to be determined.
For auto dealers, franchised dealers will continue to be regulated by the FTC. The FTC will act in conjunction with the CFPB for new rules the CFPB puts out, including the UDAAP rules when they are published. However, the CFPB will not have any supervisory authority (the ability to come in and do an audit) over franchised dealers. Independent and buy-here-pay-here dealers will be subject to both the regulatory and supervisory authority of the CFPB. The CFPB has already established a website for consumers to file complaints against auto dealers and other creditors.
Additionally, the FTC now has streamlined authority to write regulations affecting auto dealers. Since 1977, for the FTC to issue regulations against auto dealers for unfair or deceptive practices (“UDAPs”), the law required a multi-stage process including hearings, Congressional reports, and a written finding that the prohibited acts were “prevalent” in the auto industry. It took close to 7 years for the FTC to wade through the process and few such rules were written. The Used Car Buyer’s Guide Rule is the only one that comes immediately to mind.
Now, however, the FTC can publish regulations relating to auto dealers the same way as any other federal agency issues regulations under the Administrative Procedures Act. Simply publish proposed regulations, take comments for 60-90 days, and then issue final regulations, a process that may take about a year. Anticipating this authority, the FTC has already held two fact-finding roundtable hearings on auto sales and financing practices to consumers. It is expected that the FTC will use its new authority to issue regulations on practices like spot deliveries, marking up of buy rates, financing to military members, payment packing, and deceptive advertising. Other practices may also become more tightly regulated by the FTC.
For auto dealers now, two important changes have taken effect, one relating to adverse action notices and another to dealers who give credit score disclosure notices to comply with the Risk-Based Pricing (“RBP”) Rule that took effect January 1, 2011.
For adverse action notices, the change is that new information relating to the customer’s credit score must be included on the notice if a credit score was used in any way in making the credit decision. The new disclosures must include:
The FTC also clarified which consumers must get credit score disclosure notices under the RBP Rule. As initially written, the RBP Rule required pulling of a consumer report as the trigger for giving the notice. Many dealers who simply send along credit apps to lenders without pulling a credit score were not required by the Rule to give a credit score disclosure notice to the consumer.
In amending the RBP Rule, the FTC made it clear that every applicant for credit must get a credit score disclosure notice unless an exception applies, even if the dealer did not pull a credit report on the customer. The notice must be given “as soon as reasonably practicable” after the dealer gets the credit score but before the deal is closed. FTC commentary indicated that three business days would be acceptable. The net effect will be that certain dealers will have to buy credit scores just for the purpose of giving the consumer a credit score disclosure notice.
The most relevant exception is that if the dealer sends a customer an adverse action notice, it does not need to give the customer a credit score disclosure notice too. But there’s a catch: You may not know early on (“as soon as reasonably practicable” after pulling the credit score) whether you will get the customer financed. You may think not but then find a willing lender during the ensuing days or weeks. You have up to 30 days to decision a credit application and send an adverse action notice if you can’t get the customer financed. So if on day 20 you find a lender to finance the customer but have not given the credit score disclosure notice, you will be out of compliance with the RBP Rule because any credit score disclosure notice given then will be untimely.
A best practice is to give every credit applicant a credit score disclosure notice as soon as possible after pulling their credit score. This will ensure compliance with the RBP Rule. It also will create a single and simplified process for your sales and F&I staff and not require them to guess customer-by-customer whether or not to send the notice. The easier the process, the better. There is no legal downside to a consumer ultimately getting both the credit score disclosure notice and an adverse action notice later on. So keep it simple and give every credit applicant a credit score disclosure notice regardless of whether you can ultimately get them financed.
If you pull your credit reports through DealerTrack, DealerTrack will give you a customized credit score disclosure notice and an adverse action notice containing all the required information for the customer with the customer’s credit report. There is no charge for this service but it does require you pull the credit bureau through DealerTrack so we can get the necessary information.
New rules, new players, new risks. Work on getting your processes for RBP Rule credit score disclosure notices and adverse action notices down first. Those are in effect today. There may be some delay before UDAAP (CFPB rule) and UDAP (FTC rules) are issued or take effect. But be mindful that auto dealer compliance is very much on the front burner in Washington.
Randy Henrick is Associate General Counsel and lead Compliance Counsel for DealerTrack, Inc. This article is intended for information purposes only and does not constitute the giving of legal or compliance advice to any person or entity. Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on your particular situations from a knowledgeable attorney or compliance professional licensed to practice in your state.
August 08, 2011
by Randy Henrick
Randy Henrick, associate general counsel and lead regulatory and compliance counsel for DealerTrack, discusses what OFAC means to dealers as the featured blogger for Dealer-magazine.com:
In my last blog, we discussed what an OFAC check is and why you must run one on every customer you sell a vehicle to, whether the deal is cash or credit. Let’s talk a bit more about OFAC compliance and how you can potentially mitigate the large civil and criminal penalties we listed if you ever do sell or finance a vehicle to someone on the OFAC list.
August 22, 2011
by Randy Henrick
The summer of 2011 has brought a dramatic increase in compliance enforcement proceedings against banks and financial institutions. Many of the issues apply to auto dealers as well, and dealers will be likely candidates as the regulators continue to drill down.
The American Banker reported on August 1 that the Obama Administration Justice Department has been making an “aggressive push” on bringing enforcement proceedings involving credit discrimination and fair lending. The American Banker reported that:
“In part as a reaction to the financial crisis, the Obama administration has targeted banks for alleged redlining and other fair lending violations to an extent not seen since the Clinton administration.
But critics charge the effort has gone too far, claiming Justice has misused legal interpretations to bring complaints to court, alleged redlining in areas outside a bank's market area and encouraged loans to unqualified borrowers as part of expensive settlements.”
The Justice Department has used the Equal Credit Opportunity Act (ECOA) as one of its lynchpins to bring enforcement actions against banks. ECOA applies to auto dealers as well. The Department’s Civil Rights Division received 49 referrals last year, which was more than in the prior 20 years combined. In fact, the Justice Department established a special new unit within its Civil Rights Division just to handle discrimination complaints.
The FTC has also been active in the area of data security practices, bringing enforcement proceedings against entities that do not maintain adequate data security for customer and employee non-public personal information (NPI). Two new consent decrees recently came down, each involving 20 years of direct FTC oversight and mandating specific security procedure upgrades and third-party security audits during the term of the consent decree. Both cases followed intrusions in which customer or employee personal information, including Social Security numbers, was wrongfully accessed.
One issue cited by the FTC in both cases was that the companies had promised in their privacy notices comprehensive security to protect NPI but fell well short in their security practices. Among the poor security practices cited by the FTC that it alleged constituted an unfair trade practice under Section 5 of the FTC Act were the following:
- Not adequately assessing the vulnerability of their Web applications and network to commonly known or reasonably foreseeable attacks such as SQL injection attacks;
- Storing NPI in clear, readable text indefinitely on their networks without a business need for indefinite storage;
- Failing to require periodic changes of user credentials, such as every 90 days, and failing to make passwords hard to guess;
- Failing to employ sufficient measures to detect and prevent unauthorized access to its networks such as by employing an intrusion detection system and monitoring system logs to track use by authorized and unauthorized persons; and
- Failing to provide adequate employee training.
The programs mandated by the FTC in the consent decrees included the implementation of risk assessment programs to identify material internal and external risks to the security, confidentiality, and integrity of personal data. The FTC also required regular monitoring and testing of a new comprehensive information security program. Each company is required to obtain an assessment and report from a qualified, objective, independent third-party professional security firm certifying that the security program is in place and operating with sufficient effectiveness to meet the FTC’s standards. As is typical with FTC data breach consent decrees, these third party assessments must be obtained within 180 days and every two years thereafter for a period of 20 years. Employee data as well as customer data is required to be protected under the data security plan. The FTC also required the companies to designate an employee to coordinate and be personally accountable for the information security program.
In earlier cases, the FTC typically determined that a business’s failure to meet its own policies and promises concerning data security constituted an unfair business practice. It may seem obvious, but do what you promise to do and don’t do what you promise not to do. If your privacy notice says you don’t share consumer information, don’t share it, even with affiliates. Almost every FTC privacy consent decree has involved companies that violated non-use and non-sharing provisions of their privacy notices.
More recently, the enforcement focus of the FTC has begun to look at security practices objectively to determine whether they were reasonable in relation to the risk. This can be classic “Monday morning quarterbacking” when a data security breach occurs. The FTC consent decrees have brought into focus what the agency expects as a baseline security program. For example, in one case, the FTC focused on the importance of intrusion detection systems and criticized the company for failing to monitor and filter outbound traffic to block the export of secure information. Many companies voluntarily use data loss prevention software to detect and block the transmission of sensitive personal data from their systems, such as from employee email. But in this one case, the FTC effectively took the position that Section 5 of the FTC Act essentially requires the monitoring of outbound traffic.
Now would be a good time to review your Safeguards plan and consider training or retraining your staff. Limit the persons who can access personal information in both electronic and paper form. Implement a log system of who accesses deal jackets and other customer information—both electronically and in paper. This is a critical element of an information security program. Review the logs regularly to assess spikes in access by authorized users as well as any unauthorized users. Monitor and restrict access by service providers as well. Disable the exporting of NPI through USB drives, email, and other media.
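One way to implement the log review described above, as an added example that is not part of the original post: it parses constructed deal-jacket access records (the line format, user names and authorized list are assumptions) and flags any access by someone outside the authorized list, as well as any day on which an authorized user's access count spikes against that user's own baseline.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample (not from the page): one line per access to a customer deal
# jacket, in the format a hypothetical deal-jacket access log might use.
SAMPLE_LOG = """\
2011-08-15 09:12:03 user=jsmith jacket=D-10442 action=view
2011-08-15 11:02:55 user=mlee jacket=D-10442 action=view
2011-08-16 09:05:21 user=jsmith jacket=D-10450 action=view
2011-08-16 09:30:00 user=mlee jacket=D-10451 action=view
2011-08-17 08:59:47 user=jsmith jacket=D-10455 action=view
2011-08-17 13:15:09 user=tmp01 jacket=D-10455 action=export
2011-08-18 07:55:01 user=mlee jacket=D-10401 action=view
2011-08-18 07:55:30 user=mlee jacket=D-10402 action=view
2011-08-18 07:56:02 user=mlee jacket=D-10403 action=view
2011-08-18 07:56:40 user=mlee jacket=D-10404 action=view
2011-08-18 07:57:15 user=mlee jacket=D-10405 action=view
2011-08-18 07:57:48 user=mlee jacket=D-10406 action=view
"""
AUTHORIZED = {"jsmith", "mlee"}  # staff allowed to open deal jackets (constructed)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ user=(\S+) jacket=(\S+) action=(\S+)$")

def parse_log(text):
    """Return (date, user, jacket, action) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows

def review_access_log(text, authorized, spike_factor=3, min_count=5):
    """Flag any access by a user outside the authorized set, and any day on which
    an authorized user's jacket count is at least min_count and exceeds
    spike_factor times that user's median daily count (their normal baseline)."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> accesses
    for date, user, jacket, action in parse_log(text):
        if user not in authorized:
            findings.append(("unauthorized", user, date, f"{action} {jacket}"))
        else:
            daily[user][date] += 1
    for user, counts in daily.items():
        baseline = median(counts.values())
        for date, n in sorted(counts.items()):
            if n >= min_count and n > spike_factor * baseline:
                findings.append(("spike", user, date, f"{n} jackets vs median {baseline:g}"))
    return findings
```

Calling `review_access_log(SAMPLE_LOG, AUTHORIZED)` on the sample reports the unauthorized export by `tmp01` and the six-jacket spike by `mlee` on 2011-08-18; the thresholds are starting points to tune against your own staff's normal volume.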
The FTC has indicated that data security is a top priority and has again stated its position that inadequate data security practices constitute an unfair trade practice within the meaning of Section 5 of the FTC Act. Enforcement proceedings under Section 5 for poor customer information security typically lead to these kinds of 20-year consent decrees. A violation of the consent decree exposes the company to possible penalties of up to $16,000 per violation. The defense and compliance costs over 20 years can be utterly staggering, and don’t think plaintiffs’ lawyers don’t take note when the FTC has done its work for them. Making an employee personally accountable for non-compliance personalizes the risk.
Finally, the new Consumer Financial Protection Bureau (CFPB) outlined principles to work together with the National Association of Attorneys General. The CFPB will effectively partner with State Attorneys General to share information and conduct joint or coordinated investigations and enforcement actions involving alleged violations of CFPB regulations and the consumer protection provisions of the Dodd-Frank Act. Banking regulators had previously conducted compliance exams in secret and not shared information with state regulators. Especially now that the CFPB has set up a consumer complaint website with links to the FTC and State Attorneys General, it is reasonable to believe there will be more coordinated action among federal and state law enforcement authorities if multiple claims are made against auto dealers and other creditors. State Attorneys General looking for funds for state-starved coffers have frequently considered auto dealers to be the “low hanging fruit” for enforcement claims especially on subjects like advertising and deceptive trade practices. This trend too is likely to continue.