F&I Compliance Tip: Red Flags Rule

Designed to prevent your dealership from becoming a victim of identity fraud, the “Red Flags Rule” requires your dealership to develop and implement a written Identity Theft Prevention Program (ITPP) to detect, prevent, and mitigate identity theft. This is not a “one size fits all” rule – your ITPP must be appropriate to the size and complexity of your dealership, and the nature and scope of its activities. The Red Flags Rule lists 26 potential indicators that you should consider for your ITPP, as appropriate for dealerships.

Why it Matters

Your dealership’s highest governing authority must approve the initial ITPP, and take responsibility for it. A senior officer must be appointed to be the ITPP program manager, responsible for developing, overseeing, implementing, training, updating, and administering the ITPP. Employees who perform ITPP functions should prepare annual reports to the program manager concerning its effectiveness and improvement suggestions. The program manager should then use these reports and other identity theft resources to make an annual report to your Board or senior management detailing the effectiveness of the ITPP.

The Red Flags Rule also requires training of employees and strict oversight of ITPP service providers who have access to your customers’ data. Document everything you do and keep copies of all identity-related documents in the deal jacket in case you are audited, and be sure to apply your ITPP to every customer. Automate the process so that verification happens for every deal – and doesn’t cause delays.

How it Works

The Red Flags Rule requires a four-step compliance process:

1. Identify: Look for appropriate patterns, practices, or specific activities – “red flags” – that indicate the possible existence of identity theft. This includes checkpoints during the deal.
2. Detect: Employ procedures to detect the presence of any of your identified red flags and be sure to cross-check customer identities against multiple databases.
3. Respond: Prescribe ways to respond when you identify red flags in customer transactions but cannot adequately clear them with the customer.
4. Update: Change your ITPP periodically, based upon your dealership’s own experiences and new information concerning identity theft from regulators, law enforcement, and industry experts.

The FTC has identified Red Flags as a priority area for the auto industry. To learn more about the Red Flags Rule, gain access to the free 2016 Dealertrack Compliance Guide by clicking here.