1. Put the program in writing.
Each program must be documented in writing. While the initial step of writing down a program may seem burdensome, this requirement has advantages to the dealer. It forms the basis for an employee-training program, which is another requirement auto dealers must have in place in order to be compliant with the Red Flags Rule. Having a written program to detect and prevent identity theft also makes responding to government audits possible.
2. Make a list of things (red flags) that could signal possible identity theft.
A supplement to the rule on the FTC’s Web site (www.ftc.gov) provides illustrations of 26 possible red flags that fall into the following five categories:
1. Receiving alerts, notifications or warnings from a consumer-reporting agency
2. The customer presents suspicious documents
3. The customer presents suspicious personal identifying information, such as a suspect address
4. Dealership staff notices unusual use of or suspicious activity within an existing account*
5. You receive notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with an existing account
*Not all 26 possible red flags will be relevant to the way dealerships do business. In particular, unless a dealership has accounts to which customers can make charges after origination (e.g., house credit accounts), the possible red flags in category 4 are not likely to apply in most cases.
Auto dealers also need to guard against identity theft risks that result from employee access to account information. Employee access should already be limited as part of the dealership’s information security program.
3. Make a list of methods for detection and evaluation if a red flag has occurred.
The program should describe procedures used to verify customer information and detect when information is incorrect. Some procedures include:
- Specifying acceptable forms of identifying information required of each finance customer
- Specifying procedures to verify identifying information (e.g., using third-party resources to confirm identification or detect fraud)
- Using a system to monitor employee compliance relative to their access and use of customer account information
4. Describe how the dealership will respond when red flags are detected.
The program must contain reasonable policies for responding to red flags detected during a transaction.
This should include a procedure for escalating unresolved situations to senior management.
Some appropriate responses to unresolved red flags would be to:
- Not continue the transaction
- Use additional resources to verify the customer’s identity
- Notify law enforcement
- Determine that no response is warranted
5. Document all red flag responses and keep them in the customer file.
All red flag responses should also be kept in a dealership file to be used to maintain and update the program.
6. Detail a plan to update the program periodically.
Update the program to reflect changes in risks to customers or to the dealership’s safety and security based upon:
- Dealership’s experience with identity theft
- New methods of identity theft
- New methods of identity theft prevention and detection
- Changes in the types of accounts offered or maintained by the dealership
- Changes in the dealership’s business or structure (e.g., mergers and changes in service provider arrangements)
7. Follow the Red Flags Rule guidelines in managing the dealership’s program.
To be Red Flags Rule compliant, the program must:
- Be approved and implemented by the dealership’s Board of Directors or, if no board exists, a designated member of the senior management team
- Be periodically evaluated to determine if updates are necessary
- Include training for relevant staff on their obligations under the program
- Be able to ensure service providers have reasonable procedures to detect, prevent and mitigate the risk of identity theft
Penalties for Violations
• A “known” violation of the rule is a violation of the FTC Act, which provides for a $2,500 civil penalty for each violation.
• Enforcement actions by the FTC can carry penalties of up to $11,000 per violation, per day.
• Dealers may also be liable under state unfair and deceptive acts and practices law, which may include individual and class action claims.
Zurich is committed to helping dealers comply with the federal Red Flag Rules. , contact Zurich at Zurich@AutoDealerMonthly.com.
The information in this article was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures should serve as a guideline, which you can use to create your own policies and procedures. You should consult with your attorney when developing programs, policies and procedures. Zurich does not guarantee the accuracy of this information or any results and further assume no liability for sample policies and procedures, including any information, methods or safety suggestions contained herein. The subject matter of this article is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.
Portions of this overview were taken from and used with the permission of Counselor Library, LLC, publisher of A Dealer’s Guide to the Red Flags Rule by Michael A. Benoit, Hudson Cook, LLP.
Vol 5, Issue 9