Is your Red Flags Program up to date?

Published on

On June 12, 2013, the FTC issued a revised business guide on the Red Flags Identity Theft Rule. Recently, the California New Car Dealers Association issued a reminder about the importance of updating your Red Flags Identity Theft Program.

The FTC and the CNCDA identify four parts to Red Flags Rule compliance. Those four parts really have eight components, as follows:

  1. Appoint a Red Flags Administrator;
  2. Conduct a Risk Assessment;
  3. Create a written Red Flags Program;
  4. Have the Board of Directors approve the Red Flags Program;
  5. Train appropriate dealership personnel;
  6. Monitor service providers;
  7. Update the program annually; and
  8. Periodically report to the Board of Directors.

I'm not going to be reiterate the advice provided by both the FTC and the CNCDA, as you can get that advice by clicking on the embedded links above. Instead, this post identifies practical issues dealers should be aware of in updating their Red Flags Compliance Programs. The following comments are born of pitfalls I've seen in dealer Red Flags Programs.

First, choose the right person to implement, administer and update your program. Too often, dealers simply drop this role onto the HR Manager, the Business Manager or the CFO of the dealership where it is treated as an ugly step-child, not worthy of the time and attention of that already over-burdened manager. By law, however, the Board, or a senior management employee it designates, must assign specific responsibility for the program’s implementation, review staff reports about compliance with the Rule, and approve important changes to your program. Accordingly, the role of administrator should be given to someone who treats the Red Flags Program as seriously and conscientiously as any of his or her other responsibilities and who has the background necessary to understand the issues.

A good candidate for this person is each dealership’s Finance Director, because the Red Flags Administrator will be required to communicate with auto finance companies, which are often the drivers of Red Flags Rule compliance. The Finance Director has likely been involved and various times in his or her career with ID theft issues and should know a bit about the way ID theft occurs and the flaws in dealership processes that allowed it to happen. A checklist of responsibilities for the Red Flags Administrator along with an acceptance of those responsibilities and approval by the Board of Directors is helpful.

Second, the Rule requires that you train relevant staff. The nature and extent of that training differs, but the training has to have a correlation to the way the dealership does business; it is generally not a "one size fits all" approach. Time and effort should be put into determining the nature of the training the Red Flags Administrator and other staff should receive. Some computerized compliance software programs provide basic Red Flags Program modules, but these should be customized and tailored to each dealership before they can be relied on for compliance.

Third, determine which types of accounts are subject to the Red Flags Rule. Consumer credit and lease transactions are always covered. This assessment is aimed at identifying all business and commercial credit and lease transaction practices (including business and fleet parts and service accounts) to determine whether these transactions can predictably result in vehicles, parts, or services being sold on credit or leased to an identity thief. Ultimately, this is a judgment call. But additional procedures must be laid out for each type of transaction. It is a good idea to have a checklist and certification form.

Fourth, the Red Flags Program should be customized, based on each type of covered account or transaction that your dealership has and your particular experiences with ID theft in the past. It should identify your specific risk factors and sources of red flags. Too often, I see Red Flags Programs that are generalized and have not been updated to reflect recent experiences with ID theft.

With the FTC's recent interest in the Red Flags Rule, it is more important than ever to have an effective, customized and updated Red Flags Program. Speak to your knowledgeable dealer attorney to find out how to craft an updated program.