The Federal Trade Commission in October, at the 11th hour before the new “Red Flag” rules took effect, extended the deadline until May 1.
The delay gives dealerships time to comply with efforts to combat identification thefts. Did they need the extra time? Apparently some did and some didn't.
The red-flag legislation requires creditors and financial systems to follow provisions for spotting identity theft. Dealers fall under the requirements because auto loans originate at their stores.
Paul Metrey, director-regulatory affairs, National Automobile Dealers Assn., says that most dealers have made extensive efforts to comply. A conflicting estimate is that only one in three dealers is at that point of compliance.
NADA brass traveled across the country getting the word out, holding at least 40 compliance presentations for state and metro dealer associations and at industry conventions.
“We visited nearly every part of the country, and that's in addition to events such as webinars,” Metrey says. “NADA held four different Red Flag webinars. Participants signed up on a per location basis, which could have been one person up to several dozen people.”
Metrey says some state associations would pull 45-50 people into one location for a webinar. He estimates the various efforts reached thousands.
All indications point to dealers making extensive efforts to develop a compliant identity-theft prevention program, he says. “It helps not just in terms of satisfying the regulatory obligations, but also in protecting their dealerships.”
Dealerships must have reasonable procedures in place to detect and respond to identity theft. Initially, NADA opposed many of the proposed requirements on the premise they were beyond dealers' investigative skills.
“A very big part of it is having a good identity-verification protocol, knowing who it is that's sitting in front of you or that's trying to do business over the phone or Internet with you,” Metrey says.
In some ways, dealers all along have been doing what the FTC now requires of them.
Metrey says: “Dealers for a long time — because they are involved with the registration and titling process and insurance verification — frequently have had to obtain documents from a customer to verify identity. They can certainly build that into their identity-theft protection program.”
However, new requirements take it a step further. “There's a lot of analysis involved, they have to look at identity-theft risk and figure out how they'll detect those risks and indicators, or ‘red flags,’ and respond to them,” he says.
Realistically, dealers need not be overly concerned with all 26 red-flag requirements. There are about eight to 15 core ones that they should focus on, Metrey says.
“They have to keep on top of it,” he says. “And as they identify new risks, they have to change their programs to reflect the new risks and make sure their people are trained accordingly.”
The impending regulations require that a senior dealership manager oversees the process as a so-called compliance officer.
Dealership finance managers play a key role, too, Metrey says. “They're the ones that engage in the type of credit transactions that will be covered by these rules.”
Also playing a part are personnel focused on Internet credit-application activities. And the dealer principal, or general manager, needs to make sure proper oversight is in place.
Although NADA says most dealers are prepared, James Lawrence, director-dealer services for the firm Compli, says only about 33% of dealers are in compliance and “thinking about it in a serious way.”
Extending the deadline has brought “a collective sigh of relief,” says Lawrence, who puts on red-flag webinars.