I had the discomfort of listening to a presentation by Paul Metry and Smitha Koppuzha of the National Automobile Dealers Assn.'s regulatory affairs division during a conference sponsored by my firm, Dixon Hughes.
It's not that their presentation was poor. To the contrary. They were right on target. They outlined for us not only the legal responsibility that dealerships have concerning federal regulations on identity theft and privacy issues, but the penalties for non-compliance as well.
They discussed the Fair and Accurate Credit Transactions (FACT) Act. The provisions of this one piece of legislation affecting car dealers are so far reaching that I will review it in two parts, starting this month and ending next.
Remember: With this and certain other legislation and rulings, car dealerships meet the definition of a “financial institution.”
President Bush signed the FACT Act on Dec. 4, 2003. The law amends the Fair Credit Reporting Act and continues its preemption over state law in seven areas. Fine. But the FACT Act also imposes several new duties.
Many of these aim to prevent identity theft. Others are to enhance the accuracy of consumer reports and to provide consumers greater control over the marketing solicitations they receive.
Most of these duties take effect soon, although the Federal Trade Commission (FTC) may set a later final compliance date.
The following provisions affect auto dealers:
- Fraud & Active Duty Alerts
- Truncation of Credit Card Numbers
- Procedures for Identifying ID Theft
- Information Sharing with Affiliates
- Disposal of Consumer Report Information
- Furnishing Negative Information
- Issuing Risk-Based Pricing Notices
- Reconciling Different Addresses
Let's look at the first four.
Consumers who suspect ID theft may request that the Credit Reporting Agency (CRA) place “Fraud Alert” in consumer file. An active duty military consumer may request that CRA place “Active Duty Alert” in their consumer file. A user of such consumer reports may not extend credit unless it utilizes reasonable procedures to verify the applicant's identity. The FTC proposed a rule to implement section 112 on April 28, 2004. It does not address user responsibilities.
Truncation of credit card numbers means no person who accepts credit or debit cards may print more than the last five digits of the card number or the expiration date on receipts provided to the cardholder.
This does not apply if the sole means of recording the card number is by handwriting or manually imprinting it. Effective Dates are Dec. 4, 2006 for printing devices in use before Jan. 1, 2005.
Under procedures for identifying ID theft, the Federal Trade Commission must issue “red flag” guidelines for financial institutions to use to identify patterns, practices and specific forms of activity that indicate the possible existence of identity theft. Each financial institution, including dealerships must establish reasonable policies and procedures for implementing the guidelines.
As for information sharing with affiliates, in a solicitation you only may use “consumer report” information received from an affiliate if you first clearly and conspicuously disclose this intent to the consumer and you provide the consumer with an opportunity to opt out of the solicitation.
Affiliates must have the authority to share such info before they may use it for solicitation purposes as permitted by this section.
These requirements do not apply to certain recipients, including consumers with whom you:
- Have a pre-existing business relationship
- Are responding to a communication the consumer has initiated
- Have received authorization to make solicitations
- Contact as part of services you are performing for another affiliate (provided consumer has not exercised opt-out right with that affiliate).
Opt-out elections are effective for five years. When this period expires, you must provide consumer with another opportunity to opt-out before making a solicitation.
You may combine this opt-out notice with other notices as long as these requirements are met.
Those are some of the FACTS. Next month we'll cover the rest.
Don E. Ray is a CPA with the Dixon Hughes Dealer Services Group. He's at 901-684-5643 and [email protected].