Dealership Compliance under the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act of 1999, or “GLB” as it is more commonly called, is the law with the biggest impact on the dealership community since the Truth in Lending Act was passed in 1968. From GLB flow at least two major rules that affect every dealership in America: the Privacy Rule and the Safeguards Rule. And because of those rules’ emphasis on protecting nonpublic personal information (“NPI”), the Red Flags Rule (authorized under the Fair and Accurate Credit Transactions Act (“FACTA”) of 2003), which treats identity theft, is often lumped together with them when considering the protection of customer data.

All three of those rules were discussed at the inaugural Compliance Summit by a panel comprised of Doug Fusco,CEO of DealerSafeGuardSolutionS, Becky Barrows, HR and compliance director for KeyRoyal Financial Services, and Michael Tuno, president of World Class Dealer Services.

It is worth noting that none of the panelists are attorneys, and none of their companies are law firms. Rather, they all serve in one way or another the dealership market, and the services of each have grown to address compliance issues dealerships face. That highlights a key take-away from the panel session, everybody who has a piece of the dealership industry can have a piece of the compliance function. If every vendor included a compliance feature that addressed its core services, dealerships would have much of their compliance needs addressed in the ordinary course of doing business. But that happy state has yet to arrive, so the panel spoke both to what can be done and what they are doing.

Becky Barrows affirmed that outside vendors are well-positioned to help with compliance issues. “Dealers are in the business of selling and repairing cars, so compliance can be a bit outside their wheelhouse. This represents a huge business opportunity for outside experts who can provide what dealers aren’t good at doing themselves.”

The first GLB area where a little knowledge and advice could be helpful to dealers is the Privacy Rule. Asked if the Privacy Rule is widely understood and followed by dealers, Michael Tuno responded, “No and no. No to all of the above!” He went on to explain that there is a disconnect between the language of a statute or rule and a dealer’s understanding of it. Using the Privacy Rule as an example, Tuno said that dealers were aware of the rule at the time it was issued, but had no idea what to do about it. Even the FTC’s online model form generator wasn’t much help – dealers were confused by the options they faced on the screen. It was as if the rule and the Government guidance were written by lawyers for lawyers, and most dealers aren’t lawyers!

What Tuno was able to do as an F&I partner for his dealerships was develop an understanding of the Privacy Rule and the FTC forms generator and walk his dealer clients through the process. You don’t need to be a lawyer to do that.

With respect to the Safeguards Rule, Tuno takes the same approach. As he put it, “The first thing I do for a dealer is ask if they’ve appointed a compliance officer, which the Safeguards Rule requires. If the answer is ‘no,’ I know we’ve got to help them understand the rule’s requirements and meet them. It isn’t hard – it’s mostly a process of education.”

Doug Fusco’s company develops compliance monitoring software and related business processes. From his perspective, GLB compliance is driven by “creating verifiable patterns and practices. Show that you have something in place and execute against it so you can defend yourself by making a greater than ‘check the box’ effort to comply.”

Fusco also endorsed the use of a compliance survey to help educate dealers about GLB and other legal requirements. A simple form that asks yes/no questions addressing all of the major requirements of GLB/FACTA creates a good road map, identifying both what is being done and what needs to be done.

“Simple” was a word Michael Tuno latched onto. “What we’ve found works the best is keeping it simple. Start there. You don’t want to get too complicated. Start with policies and procedures and then move on to training on those policies and procedures. And then audit the process to make sure it’s having the intended effect. The audit serves a huge function to keep the ship on the right path.”

The panelists agreed that GLB is all about protecting NPI. Becky Barrows explained what could constitute NPI in the dealership environment: “Anything that’s not available to the public. So we’re not talking about phone numbers. But checking account numbers and driver license numbers would be NPI. Like Michael’s company, we conduct audits to see how dealer’s actually protect NPI. And the number one offense is deal jackets lying around unprotected. Deal jackets are full of NPI, and if they’re not protected, the dealership has a real problem.”

Tuno followed up with his version of the Golden Rule as the sum and substance of GLB compliance. “Don’t leave unprotected any data you wouldn’t want other people to see. If you don’t want the world to see your credit report, don’t treat someone else’s credit report casually.”

The panel was asked to relate real-life GLB horror stories (careful to keep secret the offending dealers’ identities, of course). Doug Fusco told a common tale. “I was visiting a dealership that was a part of a fairly large dealership group. There was paperwork everywhere, and no effort made to keep it secure. I brought this to the attention of the General Manager, who shrugged and said, ‘yeah, but we lock it all up at night.’ So I conducted an audit – at 7:30 in the morning. Needless to say, there was no evidence anything had been locked up. I calculated $23 million in potential fines before I reported back to the General Manager. The big fines come from knowingly violating the law, and they knew. Needless to say, that got his attention.”

So how do you battle GLB and other compliance violations? Fusco offered his “3 E’s” – Education, Enablement, and Enforcement. Those vendors that are in the dealership are in a position to offer training, the tools that enable behavior consistent with that training, and the audits that enforce the process. This is not limited to “compliance companies.” F&I partners, HR services, income development specialists – anyone who has a dog in the fight can bring in the 3 E’s if the will is there to do it.

One valuable lesson that the panel provided was that reasonable minds can disagree about what documents actually contain NPI – but all agreed that this very uncertainty makes protecting all customer data the best possible practice. As Michael Tuno put it, “We don’t want F&I managers making decisions on a document-by-document basis, ‘protect this/don’t protect that.’ Protect everything and you’ll be good.” That’s the best practice.”

That is probably the simplest approach to GLB compliance, and the ultimate conclusion of the panel: protect everything and you’ll be OK. Vendors that serve the dealership community have a role to play in that effort. The future may well belong to those that do.