Service, service providers and lip service are all connected. Starting with service, we all know the importance of service to our businesses. What are the qualities of good service? Value, trustworthiness, integrity and respect are good touchpoints. What is meant by the term “service provider”? Well, if you are a finance source, this is defined as “Any party that is permitted to access a financial institution’s customer information through the provision of services directly to the institution.”
Customer information is generally defined as any record containing nonpublic personal information (NPI), which means personally identifiable financial information (PIFI) and any list derived using PIFI. Does your dealership have any vendors who can access customer records containing NPI or any list derived from the use of NPI?
In a traditional dealership, the relationship looks like this:
Finance source <---------> Dealer (service provider)
Dealers, in turn, have vendors of their own, which are service providers’ service providers (SPSP):
Finance source <---------> Dealer (service provider) <---------> Dealer vendors (SPSP)
Some common dealer vendors (SPSPs) would include:
- Marketing (mailers/email)
Each of these SPSPs most likely has access to the financial institution’s “customer information.” Under the Gramm-Leach-Bliley Act (GLB), finance sources are required to secure customer information through administrative, procedural and technical safeguards. If you look at the typical finance source contract that you signed, you will find some sort of compliance clause. It usually requires you (the dealership) to comply with all applicable laws, because the finance source can be liable if you (the dealership) fail to comply with the law. There are plenty of examples of this in CFPB and FTC actions, class actions and even state court actions brought by attorneys general. So what can you do to protect yourself?
First, you should have a compliance management system (CMS) in place and, as part of that CMS, you should have written policies and procedures. What do your policies and procedures say about NPI? Is there a clear expectation for dealership personnel regarding privacy, passwords and securing desktops and computer screens? What due diligence have you performed in selecting your dealership vendors? For instance, do they have written cybersecurity policies? Do they restrict access to NPI? Do they have an incident response plan? Where is the hosted server on which the NPI is stored, and is that physical facility secured? Does your contract with your dealership vendor set forth compliance expectations and penalties for noncompliance?
So the takeaway here is that there is much risk, and it is up to you to manage that risk. Are you taking affirmative steps to safeguard your customers’ NPI, or are you merely giving lip service to say you have protections in place? Henry Ford once said, “Most people spend more time and energy going around problems than in trying to solve them.” What time and energy have you spent to safeguard your customers’ NPI in your shop and in your dealership vendors’ shops? If you don’t care about your client, why should your client care about you? Remember, if you don’t take care of your customers, someone else will!