Digital Compliance, Part 1

Research and my own experience have shown that (a drum roll, please)… dealers are cheap. And I don’t mean that in a negative way. Rather, in the past few years of tightening car sales and constipated margins, the best dealers have trimmed their expenses to the extent possible. Lazy brothers-in-law got laid off. Jets went up for sale.

Against this backdrop, dealers understand that, while they need effective and verifiable compliance solutions, they are hesitant to spend hard dollars for services that can’t prove ROI. Fortunately, effective and verifiable web-based solutions are readily available. And they can be cheap.

Compliance topics that lend themselves to digital solutions include:

• OFAC
• Safeguards Rule
• Red Flags Rule
• F&I Menus
• Dodd Frank/Adverse Action Notices
• Environmental, Health & Safety
• Human Resources
• Compliance Training
• Product Training
• Deceptive Trade Practices
• Audit & Review

Let’s examine how web-based technologies can contribute to compliance in those areas, affordably. We’ll look at the first four this time, and hit the remainder in the next issue or two.

OFAC

Complying with the requirements of the Office of Foreign Asset Control (OFAC) is perhaps the easiest and cheapest digital solution of all. OFAC prohibits businesses from dealing with any person or entity on its list of Specially Designated Nationals, popularly referred to as the “bad guy list.” Interestingly, there is no minimum dollar level for OFAC compliance so, technically, you should be subject to an OFAC check just before hearing “Want fries with that?”

One free way of running an online OFAC check is to go to www.treasury.gov and clicking until you get to the bad guy list, then searching for your customer’s name. But while free, this is cumbersome and only as reliable as the operator – who will only get paid if the deal goes through. And even under the best of circumstances, this free approach does not automatically create and archive a record of the effort. In the world of compliance, that is a serious deficiency – if it isn’t documented, it didn’t happen.

Most credit reporting agencies have an inexpensive online OFAC check function. For a quarter or so, you can run the customer’s name against the bad guy list and create a record of your having done so. Now that’s value!

Other popular sources of OFAC checks include RouteOne (www.routeone.com), ProCredit Express (www.procreditexpress.com), and Veratad (www.veratad.com).

Whichever solution you use, beware of one common pitfall: OFAC requires a check of every customer, not just every finance customer. This means you need a process in place to catch cash customers. All of the solutions mentioned above can be used in connection with a cash transaction. The real trick is remembering to do so.

Safeguards Rule

The Federal Trade Commission Safeguards Rule is intended to make financial institutions (as dealerships are considered under the Rule) protect consumers’ nonpublic personal information (NPI). The Rule requires dealerships to:

1. Designate a Program Coordinator;
2. Conduct a risk assessment;
3. Design and implement safeguards to control the risks identified by the assessment;
4. Oversee its service providers; and
5. Periodically reevaluate the program and amend it as necessary.

Items 1, 2, 4, and 5 are labor-intensive and not well served by online tools. But item 3 – the nuts and bolts of the Rule – is a problem with a digital solution. Several, in fact.

The two great risks to NPI at a dealership are paper files and computer data. Consider that a deal jacket almost certainly contains enough NPI to steal an identity. Credit applications are the Holy Grail for identity thieves. And computer files – the dealership’s DMS – contain the NPI of all of their customers. Clearly, these must be protected.

To address the risk that paper files present, some dealerships electronically scan the entire deal jacket and then shred the original paper files. If there are no paper files, there are no paper files to steal. Iron Mountain has a robust document management solution (www.ironmountain.com), as does DealerTrack (www.dealertrack.com). The former is more generic; the latter tailored to the automotive market. Lazy Days RV Center, the largest RV dealership in the world, has been taking this approach for almost a decade. “In all that time,” says Harold Oehler, Lazy Days’ general counsel, “we’ve never had a problem finding a document. It was the paper documents that were more likely to go missing.”

To protect computer files, it should go without saying that strong firewalls should be in place. But don’t put an exaggerated level of trust in firewalls alone. Firewalls merely limit the number of open ports through which data may be stolen. Preventing such theft is the real job. To accomplish this, dealers should invest in up-to-date anti-virus, anti-malware, and anti-phishing programs.

Furthermore, almost every organization should have an intrusion detection system (ISP). ISPs detect unauthorized attempts to access a computer network, or internal attempts to violate network policies (such as the entire customer database being downloaded from a workstation in the service department – true story).

To learn more about ISPs, check out Intrusion, Inc. (www.intrusion.com) or, for a free solution, try Sourcefire’s Snort at www.snort.org.

Red Flags Rule

The gist of the Red Flags Rule can be summed up in just seven words:

1. Policy
2. Training
3. Detect
4. Prevent
5. Mitigate
6. Oversee
7. Ensure

To string those words together, the Rule requires financial institutions (again, including dealerships) to have an identity theft prevention program (ITPP) that is, the policy, train its employees on that policy, to detect, prevent and mitigate the effects of identity theft at or through the dealership. The dealership must oversee its service providers so that they comply with the Rule to the extent applicable to their operations, and ensure that the ITPP continues to work over time.

To a greater or lesser degree, all seven of those requirements have an electronic solution. The most significant involve the requirements of detection, prevention, and mitigation.

Many vendors have tools to detect attempts of identity thieves to steal cars by using another person’s identity. For example, ADP Dealer Services (www.adpdealerservices.com) offers a Red Flags solution that goes a long way towards detecting attempts at identity theft and, as important, documenting those efforts. So does DealerTrack, ProCredit Express, and others. These solutions focus on elements of the transaction to determine the likelihood of fraud. If that likelihood is strong enough, knowledge-based authentication (out-of-wallet challenge questions) can be applied. This is both simple and effective. And best of all, cheap.

Mitigation is a bit more tricky. The only meaningful form of mitigation I can think of is identity theft recovery and monitoring service. This service scans the internet (both the legitimate and “Black” internet) 24/7, looking for misuse or sale of a customer’s NPI. If identity theft occurs, trained recovery specialists restore the victim’s identity to its pre-event status. Some dealers give away a year of this service with every car delivered, then upsell additional years in F&I to create a profit center. For more information, contact… me. My company provides this service, and I’ve got three kids in college!

One word of warning: many companies provide Red Flags compliance tools and almost all of them claim to be “complete” or “turnkey” solutions. But given that there are seven significant requirements, and most solutions address two or three at best, these claims should be taken with a grain of salt.

F&I Menus

When F&I menus first came on the scene, they were novel, clever, and paper. Then along came PC-based menus – a great improvement. Now they come in web-enabled versions, and I am a big fan. Properly used, these selling tools are compliance tools as well.

By consistently presenting all products to all customers, F&I menus can reduce the risk of discrimination claims. Archived menus provide proof, if ever needed, of the pricing put in front of a customer. Written disclaimers can be clearly presented. A clear paper trail connecting the desking tool, buyer’s order, and installment sale contract is created. In short, a properly used electronic F&I menu can be a dealership’s (and its counsel’s) best friend.

Such menus are easy to find. Check out IAS, LP (www.iasdirect.com), The Impact Group, Inc. (www.theimpactgroup.com), or MaximTrak (www.maximtrak.com).

That’s just a sampling of the digital solutions available to enhance dealerships’ compliance efforts on the cheap. We’ll discuss more in the coming issues, and conclude with a checklist dealers can consult to evaluate how they’re doing in these important areas.