New Red Flags Rule Worries Dealers

During a Q&A session, some conference participants criticize aspects of the federal initiative, citing a perceived indistinctiveness to it all.

Steve Finlay, Contributing Editor

October 8, 2009

5 Min Read
WardsAuto logo in a gray background | WardsAuto

manas-mohapatra0_0.jpg

ORLANDO, FL – After three deadline extensions, the Federal Trade Commission’s Red Flags Rule is slated to take effect Nov. 1, and the agency is trying to calm the nerves of affected parties.

That includes auto dealers who express anxiety about the new regulations intended to combat identity theft in the marketplace.

“It isn’t something to make you panic,” FTC attorney Manas Mohapatra tells dealers at the 2009 F&I Management and Technology conference here. “Complying with the rules should be fairly simple.”

Still, during a Q&A session, some conference participants criticize aspects of the federal initiative, citing a perceived indistinctiveness to it all.

“The rules are vague,” says Jeremy Addis, an F&I manager at Tom Ahl Chrysler in Lima, OH. “Tell us X, Y and Z so we know exactly what we are supposed to do Otherwise, we could end up in a tight spot.”

It’s not meant to be vague, Mohapatra says, explaining the FTC wanted to avoid becoming too explicit because different businesses face different risks. “Some will need high-risk programs, others low-risk,” he says.

The congressionally mandated rules require creditors to take steps to combat identity fraud. The FTC considers dealers as creditors of sorts because they handle credit applications and arrange financing for many of their customers.

The law requires them and others to develop, implement and administer ID-theft prevention programs. Many dealerships already do that as a general business precaution, Mohapatra says.

The Red Flags effort is intended to protect the public from ID thieves and put detection responsibilities more on businesses, rather than on just their customers, he says.

Don’t panic, says FTC’s Manas Mohapatra.

“But it also prevents your business from providing products and services to people who aren’t going to pay for them,” Mohapatra tells dealers.

Seeing such an upside for dealerships is Melinda Zabritski, director of automotive credit for Experian Automotive, a firm that tracks loan performances and credit histories.

“The simplest ID verifications protect you from having some con artist driving off the lot in a $70,000 car,” she says.

Precautions range from running credit checks with an eye out for discrepancies, to being suspicious if a driver’s license photo doesn’t match what the person proffering it actually looks like, or if a 6-ft. 3-in. (190 cm) person shows a license of someone listed as 5 ft. 2 ins (157 cm).

Still, some business people are leery of added government requirements. One of them is Scott Butler of Auto Services Co. Inc., a warranty-services provider.

“There are always unintended consequences when dealing with regulations,” he tells Mohapatra. “Please keep in mind when going through the process that we’re trying to make it work, too. The government track record is not always good when it involves regulations.”

The FTC calls for affected businesses to take “reasonable” actions. Some conference attendees wonder what that means.

“You’ve used ‘reasonable’ 10 times, but if I ask 10 people what reasonable means, I’ll get 10 different answers,” an attendee tells Mohapatra.

He responds: “We’re trying to cover as many entities as possible. We go for the ‘reasonable’ standard because it’s more flexible.

“If you are allowing people to apply for high-value loans and you don’t really know who they are, that’s unreasonable.”

Businesses must put their anti-theft programs in writing. The FTC avoids spelling out how specific they must be. “One hundred pages may be overkill, (writing a plan on) a napkin may not be enough,” Mohapatra says.

Dealers needn’t fear they are expected to become quasi-investigators assigned to wipe out crime – or else.

“The Red Flags Rule doesn’t assume it’s going to eliminate ID theft completely,” Mohapatra says. “If ID theft does occur, though, a dealership may want to go back and ask, ‘What did we miss?’”

The series of deadline extensions has been to clarify confusion before the regulations took effect. Moreover, the FTC discovered some entities, such as hospitals, didn’t realize the program applied to them, too.

The government will assess a penalty of $3,500 for each failure to comply with the regulations. That’s up from $2,500 when the program was first announced two years ago.

Heavy-handed governmental enforcement seems unlikely.

“It’s not like we are hiding in the bushes waiting to get you,” says Mohapatra, who was a litigator at a private law firm before joining the FTC’s privacy and identity-protection division.

“You don’t have to be perfect with Red Flags as long as you are doing something in a constructive manner, and that can be a defense,” says Terrence J. O’Loughlin, compliance director for Reynolds & Reynolds, an information company for car dealers.

ID thievery has become a massive problem. Every 79 seconds an identity is stolen and every two hours someone tries to use one to buy a car, says O’Loughlin, a former investigator for the Florida Attorney General’s office.

Methamphetamine addicts are among the most active ID thieves, says Gil Van Over, president of gvo3 and Associates, a consulting firm that helps dealerships comply with government regulations.

“Meth heads love ID theft because it is a non-violent crime and they can do it from home,” he says, warning that dealerships’ online credit-application functions can be particularly vulnerable.

Susceptible, too, are accounts opened remotely by telephone or the Internet, Mohapatra says.

Despite his efforts to explain the Red Flags program to dealers, uncertainty persists.

“The most confusing issue facing the auto retailing industry is: How far do you have to go to be in compliance with Red Flags?” Van Over says.

There are four basics, Mohapatra says. They are:

  • Reasonable policies and procedures to spot identity theft that may be encountered in day-to-day operations. An ID that looks forged or information on a credit report that conflicts with information on a piece of identification “indicates a crook is using someone else’s ID,” he says.

  • The program must be designed to detect the red flags a business has identified. For instance, if a dealership has denoted fake IDs as a red flag, the store must have procedures to deal with that.

  • The program must spell out appropriate actions to take if a red flag has been detected. Such actions could include contacting local law enforcement. The FTC doesn’t specify what actions to take but says they must be reasonable.

  • Because identity theft is an ever-changing crime, programs must be updated and staffers kept informed. “The written program is not something you put in a drawer and forget about,” Mohapatra says.

[email protected]

About the Author

Steve Finlay

Contributing Editor

Steve Finlay is a former longtime editor for WardsAuto. He writes about a range of topics including automotive dealers and issues that impact their business.

Subscribe to a WardsAuto newsletter today!
Get the latest automotive news delivered daily or weekly. With 6 newsletters to choose from, each curated by our Editors, you can decide what matters to you most.

You May Also Like