Personal Data: Gramm-Leach-Bliley Act
In today’s hyper-connected world, personal information and privacy are top-of-mind issues. As a dealership, you have access to a great deal of sensitive personal and financial information, and the GLB Act is all about protecting that.
Even if you don’t intentionally share or expose customer data, failing to exercise due diligence on security can be costly. For example, in California, a single exposed driver’s license can result in fines up to $11,000.
So how do you avoid a similar situation? First of all, know your regulations. The GLB Act contains two sections — the Gramm-Leach-Bliley Privacy Rule and the Gramm-Leach-Bliley Safeguards Rule.
The GLB Privacy Rule centers on protecting customer privacy and personal data security. Dealers are required to collect, store and share personal and financial information in an organized, secure method; inform clients what data is collected and how that data will be shared; and allow clients to opt out of sharing where possible. Take special care when it comes to third-party sharing, such as with telemarketers and other retailers.
The GLB Safeguards Rule is where taking action to keep that data secure comes in. In other words, how are you going to protect client information from unauthorized access, fraud and/or misuse? There are a few key components to factor in: a written information security plan, a comprehensive risk analysis, safeguards from affiliates, and ongoing plan implementation and monitoring.
That may sound like a mouthful, but what it all comes down to is having a secure information system and paying careful attention to customer privacy and security. You’re likely already conscientious when it comes to your clients, but taking the extra steps to make sure nothing falls through the gaps is well worth it in the long run. Find more detailed information about GLB compliance.
Identity Theft: Red Flags Rule
Do you know what an identity thief looks like? In literal terms, probably yes — like any other person. But pinpointing the warning signs of identity theft is why we have the Red Flags Rule.
This addition to the Fair Credit Reporting Act requires creditors/lenders to create a written Identity Theft Protection Plan. The exact terms and structuring of the plan are left up to dealers, but in general, a good plan of action is to establish the warning signs of identity theft, formulate a response plan, and then continue to update your plan over time. Common “red flags” include suspicious ID documents, fraud alerts in credit history, unusual account activity and undeliverable mail and email.
That might sound like a hassle, but the alternative could present a much greater headache (and cost). While penalties from the FTC can cost up to $3,500 per violation, other fees and legal issues can ring up an even higher bill. Case in point: after a Georgia dealer recently financed a BMW to an identity thief, the payout added up to over $150,000, not from fines, but from the lender’s lawsuit and the vehicle’s value.
Reconsidering that protection plan? The FTC has a handy guide to help you create a solid strategy.
Financing and Insurance
Financial Transparency: Regulation Z
Also known as the Truth in Lending Act, Regulation Z mandates lenders to clearly disclose all credit terms to consumers. This sounds obvious for a conscientious dealer, right? The rule isn’t complicated, but it is significant, and it requires due diligence and attention.
This means outlining all elements of a loan offer in straightforward written form using standard terminology and rate expression, including the size of the loan, the APR, all finance charges and other fees, the payment schedule and the total amount to be paid across the lifetime of the loan. In other words, the customer should be able to easily compare different offers and face no surprises or extra costs from the loan.
Again, more paperwork — but is it worth a few million dollars? A dealer group in Arizona and New Mexico recently filed for bankruptcy after years of court battles following FTC allegations of TILA violations, including failure to inform customers of qualifying limits on offers and failure to disclose required terms in advertisements. Ultimately, the dealer’s lenders were seeking nearly $30 million in damages, and the FTC proposed a $1.3 million settlement.
Suddenly meticulous paperwork acquires a whole new look. Read up on the details of Regulation Z.
Adverse Action & Risk-Based Pricing Notices
As a dealer, you’re likely offering credit or financing to customers, which means the terms of the Fair Credit Reporting Act need to be on your radar. When it comes to credit, two elements of this act are especially crucial: adverse action and the Risk-Based Pricing Rule. In essence, if you refuse credit or offer credit on less favorable terms, you have to send a formal notice to the customer.
Adverse action is considered a denial of credit, a refusal to grant credit in the amount or terms requested or a negative change in the account terms. In this case, the dealer is required to send an adverse action letter within 30 days of the credit application.
If a dealer offers credit in “materially less favorable terms” (usually higher APR or worse terms than a substantial number of other customers) based on a credit report, a risk-based pricing notice must be sent to the client.
While the idea of more paperwork likely doesn’t thrill you, the penalties are nothing to scoff at. A recent case, confirming that car dealers qualify as “creditors” under the Equal Credit Opportunity Act and are required to send adverse action notices, ruled that courts can award damages up to $10,000 to individual consumers and up to $500,000 in class action suits. In addition, the FTC can enforce ECOA violations up to $40,000 per violation.
Worth your time? You can find more detailed guidelines about adverse action and risk-based pricing notices.
Lending: Hard vs. Soft Credit Pulls
When checking customer credit, it may seem like less of a headache to do a soft credit pull, avoiding any permission or adverse action notice requirements. But wait — this is a common dealer misconception.
A consumer report is defined as any communication of information by a consumer reporting agency regarding credit worthiness. Whether you call it a hard or a soft credit pull, you’re using the credit report to determine purchasing and/or financing a vehicle — in other words, that is a consumer report.
As such, consumer report regulations apply. If you deny credit, an adverse action notice must still be sent to the customer. The FCRA requires this if the credit decision is “based in whole or in part on any information contained in a consumer report.” As tempting as it is to sidestep the extra administrivia, don’t fall into this common compliance gap.
Equal Credit Opportunity Act
As we’ve noted before, dealers are considered lenders. That means that under the Equal Credit Opportunity Act, dealers are prohibited from discrimination when providing credit.
Of course, we know you wouldn’t purposefully discriminate against a customer. However, the law doesn’t differentiate between accidental and intentional discrimination, and you want to make sure you have all your bases covered and your operations in the clear — for your business and your clients.
According to the ECOA, lenders cannot ask about or factor in race, color, religion, sex, age, marital status and/or national origin when considering credit. They are also required to inform customers of the credit decision within 30 days and must notify applicants when action is taken on their applications and explain why credit is denied or terms changed.
In short, when making credit decisions, base your analysis on the customer’s creditworthiness alone, and make sure to keep applicants clearly informed. See the ECOA for more detailed terms.
TCPA and Text Messaging
Sending a quick text is something most of us do several times a day without a second thought. Yet for businesses, overlooking this simple act could mean fines of up to $500 per text. Likely not part of your cell plan, right?
Under the Telephone Consumer Protection Act (TCPA), companies are required to get written consent for all communication with customers — including text messages — and it is worth keeping a close eye on your compliance. Lithia Motors learned this the hard way in 2011 after sending out an offer text to 57,800 customers, then a follow-up to 48,000. The messages led to a $2.5 million settlement following a lawsuit that argued the texts violated the TCPA ban on unsolicited phone messages and requirement of an “opt out” option.
Luckily, there are a few key steps to make sure you’re in the clear:
- Get written consent from customers for ALL communication.
- Be very specific about the type and purpose of contact they’re agreeing to — whether it is for service communication, marketing, etc.
- Notify customers of any potential fees, such as text messaging rates.
- Allow recipients to opt out of communication at any time.
- Keep up to date on changing regulations.
Learn more about TCPA and compliance.
How many emails flood into your inbox every day? A lot, most likely. As a dealer, however, you are required to not “spam” customers’ inboxes with unsolicited or misleading emails.
Under the CAN-SPAM Act, dealers are subject to a set of rules regarding email communication with customers. Here’s a cheat sheet — messages:
- May not contain false or deceptive headers or subject lines.
- Must include an opt-out option, with requests fulfilled within 10 business days.
- Must contain the sender’s valid physical postal address.
- Must be identified as ads.
These rules apply to all commercial messages (sent to promote a product or service), even those sent by an affiliate like a marketing company. And with the FTC able to impose penalties up to $16,000 per email, in addition to potential fines from other federal and state agencies and ISPs, simple email can become a very costly business if you don’t pay appropriate care to compliance. Ensure your dealership is covered with this handy guide.
Truth in Advertising
With all the marketing in today’s commercial- and media-heavy world, you are likely aware that businesses must follow rules when it comes to accurate advertising. But do you know exactly how to ensure your dealership falls within the lines?
In broad terms, advertising must be truthful, non-deceptive, substantiated and not “unfair” (causing harm to the consumer). Vehicles must be accurately described, with the correct model, year, etc. stated and the correct images shown.
In addition, certain disclosures must be included: any endorsements, EPA-estimated mpg confirmation for fuel economy claims, any discount conditions and, for financing, the terms of repayment, any down payments, APR and the total number, amount and due dates of payments.
Sound like a lot of boxes to check off? It is, in a way. This is one of the most common areas where dealers run into (costly) trouble, however, so it’s well worth your scrutiny. A Washington dealership was recently charged $74,000 for sending out mailers deemed “deceptive advertising.” Separately, misrepresenting vehicle prices and failing to provide clear itemized disclosures of all costs and after-sales products/services cost four New York dealers over $2.1 million in all.
National Security: OFAC & the Specially Designated Nationals List
When you sell or lease a car to someone, the government requires you to confirm that that person is not on the nation’s “do not associate” list. The Specially Designated Nationals List is a database of people and groups the Office of Foreign Assets Control has flagged as dangerous, usually for terrorism, drug trafficking or other illegal activity.
Generally completed with a credit application, before a cash sale and/or regularly with monthly payments, this check involves literally searching the SDN list for the client’s name. Though straightforward in concept, the penalties for non-compliance with OFAC are steep — to the tune of up to 30 years in jail and fines up to $10 million plus up to $1 million per incident.
In other words, it’s worth getting your inspection lens out for this one, and being aware of the action to take.
Reporting Payment: Form 8300
As a business dealing in large purchases, you likely see a variety of payment methods. The transaction doesn’t always end when a customer hands you payment, however. If you receive a cash payment of over $10,000, you must file a Form 8300 with the IRS within 15 days of the payment.
Attention — this applies even if the amount is not a single transaction (such as multiple installments adding up to over $10,000) or is not literally “cash” (cashier’s checks, money orders, and bank drafts also count). In such cases, the IRS — with the aim of preventing money laundering — requires you to file Form 8300, notify customers in writing of the filing, keep a copy of the form and report any suspicious activity.
Compliance is Easy with the Right Tools
If your head is spinning with acts, forms, and agencies, don’t panic. It might seem like a lot to keep track of, but with a solid awareness, your business can continue smoothly and compliance-clear. Once you’re aware of potential compliance pitfalls, a customer relationship management (CRM) system is a great strategy to explore. CRM tools can be extremely helpful in managing compliance (and operations in general), and there are even options to automate many compliance procedures. Bottom line: it’s worth your time and effort to invest in learning about and paying attention to compliance.