The Federal Trade Commission’s (FTC) unexpected move on Oct. 22 to delay its planned enforcement deadline for the Red Flags Rule to May 1, 2009, was a welcome announcement for powersports dealers. But it’s clear much is needed to get the industry’s dealers compliant with a rule aimed at combating the No. 1 complaint received by the FTC — identity theft.
The enforcement deadline was originally set for Nov. 1. However, after realizing the amount of confusion that existed among major industries, the FTC decided an extension was needed.
“Given the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the Nov. 1 compliance date, the commission believes that immediate enforcement of the rule on Nov. 1 would be neither equitable for the covered entities nor beneficial to the public.”
The Red Flags Rule simply requires that you develop and implement a written identity theft prevention program designed to detect, prevent and mitigate identity theft at your store. And remember, this is not a one-size-fits-all rule, as your program must be appropriate to the size and complexity of your dealership.
The initial program you develop must be approved by your organization’s board of directors or top management team. You also need to appoint a senior management officer as the senior program manager. He or she would be in charge of developing and overseeing the program. This person will also be responsible for monitoring the effectiveness of the program and reporting his or her findings and recommendations to the board at least once a year.
Complying with the new rule will also require ongoing employee training and oversight of any compliance software providers. It’s also important that you monitor your own employees, as almost one-third of identity theft originates from people the victim knows or someone who steals information from their employers.
So let’s review the four steps you need to take to get compliant with the Red Flags Rule.
Step 1. Identify Your Red Flag Threats
To help businesses under its jurisdiction, the FTC published 26 red flags or examples of identity theft. Not all 26 examples pertain to the powersports business, which is why it’s important that you review all 26 guidelines to see which apply to your dealership. Pay special attention to guidelines 1-18, 20, 21, 22, and 25.
Dealers should also review their stores’ past experiences with identity theft. The rule even states that the best source for identifying threats is your own dealership. What you need to do is review any past instances of identity theft and any clues used to uncover the thief.
Additionally, you will need to review best practices for verifying your customer’s identity when he or she is not present during the transaction. This includes customers attained through Internet leads or customers who call into the dealership. This part of your program is critical, as these transactions present the greatest risk of identity theft.
In completing this step, it is also recommended that you talk to other dealers in your area to discuss their experiences with identity theft. You should also consult with your state and national associations, as well as your lenders. Remember, the FTC’s extension only applies to businesses under its jurisdiction, which means banks and financing institutions have already implemented their identity theft program by Nov. 1.
Step 2. Implement a Process to Detect a Red Flag
Here are four ways to create a process for detecting a red flag:
Carefully inspect the customer’s identification documents, including his or her driver’s license. Are there any irregularities? Are there any signs of forgery or alterations? If you scan the license, does the information in the bar code or magnetic strip match the information on the front? If the customer presents a form of ID that is not familiar to you, ask for a different form of identification.
Get the customer’s credit report once you have an acceptable reason to pull it. When reviewing the report, does it show any address discrepancies? (Remember, the address discrepancy rule passed in conjunction with the Red Flags Rule is in play as of Nov. 1. According to the rule, it’s up to the dealership to resolve a discrepancy.) Does the report show a “fraud alert,” which is a consumer’s statement that he or she may be subject to identity theft? Does the credit report show a recent pattern of unusual activity, such as a high number of recent credit inquiries or a sudden use of previously dormant credit card accounts?
Compare the customer’s information on his or her credit application and identification documents to other information that might suggest identity theft. This may require an identity theft verification service, which can compare the customer’s information to databases of fraudulent information and invalid or misused Social Security numbers.
Talk to the customer. Ask them to explain any red flags you’ve identified. Some red flags will be innocuous and easy to resolve. It’s also important that your employees fill out a customer investigation report whenever a red flag is raised. This report should contain what the employee did, what red flags were detected, how they were resolved, and explanations for anything that remained unresolved. Remember to keep a copy of the report and all notes related to a customer investigation in the deal jacket.
Step 3. Procedures for Handling Unresolved Red Flags
It’s important that you have procedures for handling red flags you can’t resolve. One of the best ways to do this is to use out-of-wallet or challenge questions. These questions ask the customer about things they cannot readily obtain through a stolen wallet or credit report. Asking customers from whom they purchased their last home is a good example of a challenge question. You might even want to show a list of the real customer’s last four residential addresses and ask the customer to name the county in which each address is located.
If the customer can’t answer any of the challenge questions or you still feel uncomfortable with the customer, escalate the matter to your senior program officer. If there are unresolved issues, your senior program officer should have the chance to review the customer investigation report and take whatever additional steps he or she believes are necessary before making the final call.
Remember, the rule doesn’t mandate that you always get it right. It only requires that you have reasonable procedures in place and apply them consistently. For most customers, the process should take less than five minutes.
Step 4. Update Your Program Periodically
Remember, the Red Flags Rule is a moving target, which means your program will need to be updated periodically and no less than once a year. It’s also a good idea to update your program as new identity theft information comes to your attention. Personnel should also provide qualitative reports to the senior program officer. These reports should contain information on which procedures worked and which didn’t, along with any program recommendations.
The senior officer will use these reports to create a master report to present to the board. This master report will also include the senior officer’s assessment of the program’s effectiveness, service provider evaluations, and any new information from the FTC, law enforcement and other sources.
Randy Henrick is the associate general counsel and lead compliance counsel for DealerTrack Inc. He can be reached by e-mail at randy.henrick@bobit.com.









