It should come as no surprise that federal and state regulations require dealerships to document all financial transactions.
Properly documenting a deal demonstrates the dealership’s compliance with various regulations. The dealership’s files now contain documentary evidence.
Simple, right? Apparently not.
As an attorney involved in dealership compliance, I have taken more than 200 cases to trial. I’m stunned when I hear the following from dealers: “Our attorney said we should not document our compliance program because a plaintiff can use that against us in a lawsuit.”
The most frightening thing about this statement is that I’ve heard it too many times.
Let’s get something straight: The statement makes no sense. It is plain wrong. If a dealership follows this advice, it likely will face the prospect of higher government fines for violations and punitive damages in civil cases brought by private individuals.
Dealerships are required, yes required, to document their various compliance efforts. For example:
The Safeguards Rule requires the dealership to develop, implement and maintain a written comprehensive information security program (ISP).
The dealership must evaluate and adjust the program through testing and ongoing risk assessments.
The Red-Flags Rule requires a dealership to implement a written identity-theft prevention program (ITPP) and update it periodically based upon assessments and changes.
Given the above, a dealership is not in compliance if it is not regularly documenting and assessing its ability to protect consumer information and detect identity theft.
It is simple for the Federal Trade Commission to check a dealership’s Privacy and Red-Flag Compliance. The agency simply asks for the ISP and ITPP. If these written compliance programs have not changed since the day the dealership first created or bought them, the dealership will fail the compliance audit.
That flawed legal advice about not documenting anything so it can’t be used against you can get a dealership in trouble for intentionally violating the regulations.
Beyond monitoring, assessing and updating the dealership’s ISP and ITPP, the dealership should document other matters to make life easier in the event unhappy customers decide to turn their wrath on the store.
Have customers sign off, saying they were made aware of notifications, then put those signed acknowledgements in the deal jacket.
If a year later Johnny Customer claims he never got privacy, risk-based pricing or adverse-action notices – or that the dealership failed to verify identity under the red-flags regulation – the store will have written evidence to the contrary.
Responding to a claim in this manner is easier and more efficient than reviewing the file, finding the finance manager who may no longer work for the dealership and asking if he or she remembers the transaction.
My experience as a litigator is that the written word is a better witness than a person trying to remember past events.
The owner and operator of dealerships should be documenting their compliance programs on an ongoing basis.
If this not being done, the dealership is not compliant. If the dealership is intentionally not documenting its compliance programs based upon someone’s so-called expert legal advice, better advice is needed.
Or maybe compliance just doesn’t matter to the dealership. If that’s the case, the dealership is all too familiar with lawsuits. Or will be.
David R. Missimer is vice president and general counsel for Automotive Compliance Consultants. He is at [email protected]
