First, a little history. In July of 2010, Don Larsen’s article “Call to Action: Inspectors Need Certification to Improve Credibility” appeared in this publication. Then, in November of 2010, L’Tonya Carr picked up on this topic and contributed “Where Have the Good Inspectors Gone and Who is Filling Their Shoes?”

Between those two articles, P&A readers responded with a total of 17 substantive comments. And these weren’t just “Great job!” comments – no, they were lengthy, detailed, and passionate. Clearly, Don and L’Tonya had struck a nerve.

Managing Editor Diana Jacobi noted this strong reaction in April of 2011 with her article “A Certification Program – Boom or Bust?” As if to confirm that this topic would not go away, that article generated another 12 substantive comments on the P&A website. In fact, the total length of the comments exceeded the length of the articles themselves. In the publishing world, this is remarkable.

The trio of articles and the comments they spawned raised a number of questions in need of answers, including:

• Who will administer the certification program?
• What will certification require?
• How will training and testing be handled?
• How much will it cost?
• Who will pay for it?

Let’s answer those questions.

Who will administer the certification program?

The recently-formed F&I Providers and Administrators Association (FIPAA) will ride point on this effort. In fact, the desire for independent inspector certification was the primary unifying topic in the pre-history of FIPAA. At times, it seemed this was the only thing everyone in the room (or on the phone) agreed on!

The significance of this cannot be overstressed. FIPAA, by its very nature, is focused on Providers and Administrators – those who depend on accurate and reliable inspections and ultimately pay the bills.

The vast majority of the comments to Don Larsen’s and L’Tonya Carr’s articles were written by independent inspectors. This could lead to the assumption that they are the only constituency that sees a problem and desires a solution. FIPAA taking the lead on this issue proves that isn’t necessarily so.

What will certification require?

In the immortal words of Shakespeare, “Ay, there’s the rub.” What level of education and experience should be necessary to achieve certification? Are there any other requirements that should be considered?

The inspectors themselves have suggested several. First and foremost is technical knowledge, objectively measured. The obvious measure of knowledge is ASE certification or, more accurately, certifications (plural).

The National Institute for Automotive Service Excellence (bet you didn’t know that was what ASE stood for!) has curricula and certification programs in over 40 substantive areas. Of greatest relevance to independent inspectors would be the Automotive & Light Truck Certifications. The distinct certifications under that rubric are:

A1 – Engine Repair
A2 – Automatic Transmission/Transaxle
A3 – Manual Drive Train & Axels
A4 – Suspension & Steering
A5 – Brakes
A6 – Electrical/Electronic Systems
A7 – Heating & Air Conditioning
A8 – Engine Performance
A9 – Light Vehicle Diesel Engines

Achieving the first eight of those ASE certifications earns the lucky candidate Certified Master Automobile Technician status. For inspectors, of course, that would be overkill. It is not an inspector’s role to diagnose the problem, much less fix it. Rather, it is for the inspector to confirm the technician’s diagnosis. To do this competently, A1 – 4, 6 and 7 would seem appropriate.

But technical knowledge alone is not sufficient. What about relevant work experience? Here again, ASE provides some useful guidance. To earn ASE certification, a candidate must prove at least two years of relevant, full-time, hands-on work experience. While one could argue an inspector should not require as much experience as the technician actually doing the repair work, two years seems a reasonable minimum. And requiring more experience than a technician is probably excessive.

Finally, are there any subjective factors that should be required? Those who responded to the three earlier articles consistently harped on “people skills.” But how does one measure something that squishy?

One approach would be to include levels of customer service that are expected of professional inspectors in the certification training and test on those points. This would allow one to at least objectively prove the candidate knew what kind of behavior is expected in the field. Whether the candidate lives up to those expectations is a separate matter.

But that matter can be addressed. What if FIPAA created a short, standardized feedback form for repair facilities and Administrators to complete and return to FIPAA in connection with a candidate’s application? FIPAA could take responsibility for calling the reviewers to confirm the accuracy of the forms. Some minimum number of positive reviews, or ratio of positive to negative, would be required before certification is awarded. Other suggestions are, of course, welcome.

At the end of the day, the industry would profit from some degree of standardized processes, forms, expectations and understanding. Such standards are currently lacking. As L’Tonya Carr put it, inspector standards “depend on which inspection company is utilized, and believe me the ‘standard’ varies significantly. Even when the same inspector is used by multiple inspection companies, the inspector’s work quality can differ.”

How will training and testing be handled?

Online, mostly. In order to make the program affordable, a web-based delivery is pretty much a must. The candidate would access a Learning Management System, or “LMS,” through the FIPAA website and enter a unique username and password. Material would be offered in short, digestible chunks of multimedia presentations. After each module is completed, a test covering that material would be presented. The LMS would track usage and test results.

After all required modules are completed, candidates would take a comprehensive final exam. Upon completion and verification of experience and performance (via the reviews), certification is conferred. A recertification test (shorter than the comprehensive certification test) could be offered every other year to maintain currency.

Recall that I said “mostly.” In discussion is the prospect of holding the initial certification review and test live and in-person in conjunction with the F&I Conference in Las Vegas this coming September. Watch this space for details as they become available.

How much will it cost?

Well, that depends. FIPAA’s Inspection Certification Working Group is in the earliest stages of its work, and much needs to be done before this program launches. But it is understood that for the program to gain traction, its value must exceed its cost by a wide margin.

So I ask the inspectors out there, what do you think the value of certification is, in dollars and cents? And understand that the infrastructure (LMS, bandwidth, development of curricula, staffing, fulfillment, etc.) is going to cost something. Certification is a good idea, but not a good enough idea to lose money on.

Who will pay for it?

In the first instance, the inspectors themselves will. But before you assault my home with pitchforks and torches, consider that it is in best interest of Providers and Administrators to engage certified inspectors. Isn’t that worth something to the P&A community? Of course it is. Should the P&A community pay some premium for a certified inspector? Justice and logic suggest the answer is affirmative. How much will the market bear? That remains to be seen, of course, but the certification program should allow independent inspectors a rationale for their first meaningful pay raise in years.

Jon Anderson, Vice President of Sales and Marketing for American Guardian Warranty Services, confirms the value of such certification. “Training and consistency are always things that help us all do our jobs more efficiently. The inspector is our eyes and ears at the dealership. The better equipped he (or she) is to do that job, the better we are able to serve our customers.” Certification obviously serves that end.

Final Thoughts

Previous articles in this publication and the reader response they triggered proves there is strong grassroots support amongst inspectors for a certification program. And the support of FIPAA indicates agreement within the P&A community. Now comes the hard work: making it a reality.

To that end, I encourage reader response on this topic with as much specificity as you dare. You may safely assume all such comments will make their way to the attention of the FIPAA working group that is charged with turning wishes into reality. This is your chance to shape policy and the future of the inspection market. We welcome your input, and look forward to incorporating it into the independent inspectors certification program.

Bringing the F&I Providers and Administrators Association (FIPAA) into being was a little like mating elephants: things happened at a very high level, there was a lot of grunting and snorting, and it took two years to get results. But on September 27, 2011 FIPAA was born in Las Vegas, weighing in at a healthy 2,917 pounds. Actually, that is the cumulative weight of the Advisory Council, which is a fine place to begin this story.

The Advisory Council is the body that steers the Association and advises the Board of Directors. The Council met for the first time during the Industry Summit at the invitation of the Board of Directors – David Gesualdo, Adam Kimber, and me. The members of the Advisory Council and the companies they represent are:

Clearly, this is a serious group, and demonstrates the breadth of support for the organization. Pete Biscardi was unanimously elected Chairman of the Advisory Council. Pete states, “The enthusiasm of the working group and the members of the council clearly indicates a commitment to the industry from the highest levels. The efforts of all those involved demonstrates a bi-partisan willingness to create high standards of excellence for our industry.”

Pete agreed to head this working group to address those issues. The first order of business in Las Vegas was to define the scope of membership and dues structure. Without those variables settled, the Association could not move forward.

In the months since the kick-off meeting, Pete’s committee (Brent Allen, Steve Amos, Chris Kerby, and Kelly Price) came to a consensus as to membership levels and dues:

Membership Levels

1. Provider and Administrator (“P&A”) Members
   • Actual F&I product providers (VSC, GAP, etc.)
     • Bright line test: if your company provides a product sold in F&I, you qualify for this level of membership
   • Underwriters of F&I products
2. Industry Members
• Companies that provide services that directly support the business of P&A Members
• Examples would include:
  • Integration providers
  • Menu providers
  • DMS companies
  • Bi-Monthly payment plans
  • Roadside assistance
3. Allied Members
• Companies that touch the F&I function indirectly
• Examples would include:
  • Inspection companies
  • Consultants
  • Lenders

Dues

• P&A Members: $2,000/year
• Industry Members: $1,500/year
• Allied Members: $1,000/year

All companies and individuals that join before the end of the Agent Summit in March will be designated “Founding Members.”

Registration forms are available. Click Here.

Next on the agenda was clarifying goals for the first year of FIPPA’s existence. The initiatives deemed of highest immediate priority were:

Industry Certification Program

Despite everyone’s best efforts, this initiative continues to be called the “Good Housekeeping Seal of Approval.” A more appropriate title will come in time, but the concept is clear: we want to create clear and objective set of criteria that distinguish reputable providers from the fly-by-nights. Suggested requirements for certification include underwriting by companies rated “A-” or better, a certain Better Business Bureau rating, and absence of negative regulatory action. Whatever criteria are decided, certification must be free, or very close to it – we don’t want to create the impression the certification is for sale, or only available to those who are willing to pay for it.

Independent Inspector Training and Certification

Having an objective training curriculum and certification of ability for inspectors is a high priority for the providers that use inspectors in the claims process. Creating the curriculum and a web-based delivery system will easily take a year to complete, but is seen as a natural and important function of FIPAA.

Industry Education and Certification Program

Not everyone is born knowing the difference between Stated and Exclusionary Coverage. And yet there is an immense body of knowledge within the members of the Advisory Council and the companies they represent. Web-based instruction and testing related to industry knowledge was considered a benefit to the industry as a whole, and would provide standardized training of new hires. This training could extend to independent agents in the field, with an additional emphasis on legal compliance – all providers and administrators have a vested interest in having the agents selling their products doing so in a legally compliant manner.

FIPAA Website

It goes without saying that the organization needs a robust website that can facilitate communication and provide “the reputable voice of the industry” to those consumers who seek information about the value of F&I products. Sponsored by P&A Magazine, www.fipaa.org will launch in conjunction with the next board meeting being held at the Agent Summit in Las Vegas, March 12-14.

Two years ago, a number of thought leaders in the F&I industry had the notion of creating an association. FIPAA represents the birth of that notion.

What do teenage girls have to do with the Telemarketing Sales Rule? More than you might think. I’m a lawyer with five daughters 18 years old and under, so I know of what I speak.

As you may recall, the Telemarketing Sales Rule (TSR) went into effect in 2003 to both implement the Telemarketing and Consumer Fraud and Abuse Prevention Act and preserve the Holy Golden Silence. For Boomers like me, the Holy Golden Silence was that period between approximately 5:00 and 7:00 p.m. when nuclear families sat down together to eat dinners lovingly prepared by mothers wearing pearls. Polite people simply did not call other polite people during the Holy Golden Silence. Desecration of the Holy Golden Silence elicited scorn from my father and energetic violations of the Second Commandment.

Telemarketers, of course, are not polite people. They specialized in calling during the Holy Golden Silence precisely because they knew Boomers and their spawn would be sitting near a wall-mounted telephone whose handset was attached to its base via an actual cord.

And this is where teenage girls enter the equation. My daughters have never seen a functional wall-mounted telephone in their lives. Honest. Helping one such daughter with her homework recently, I was actually asked which was invented first, the fax machine or fire? (Answer: Fire. Your grandfather invented it). They live in a wireless world.

So when we sit together to eat dinner, a tradition still staunchly defended at das Gantherhof, a ringing telephone is not the issue. Rather, it is text messaging, to which my daughters are all addicted. During our Holy Golden Silence, I need to banish the iPhones. They text their friends from under the table. They text “pls ps the btr” to their sisters. They may transmit mutant thumbs to my grandchildren.

In short, technology has overcome the TSR. No one calls anymore – or so it seems. If our landline phone rings, we know it’s not someone we want to talk to – people we want to talk to have our cell numbers.

But not all dealerships are technology forward. Some are still rumored to use fax machines. So for those that still use telephone marketing, a brief overview of the Rule may be in order. Here goes.

The Federal Trade Commission (FTC) gives consumers a choice about whether they want to receive most telemarketing calls. Consumers are able to put their phone numbers on a national “Do Not Call” registry. It is illegal for most telemarketers or sellers to call a number listed on the registry. Because a dealership may want to call actual or prospective customers, it is important to know when one may or may not do so.

The TSR – often called the Do Not Call Rule – applies to any effort to sell goods or services through interstate phone calls. This includes dealerships that solicit consumers. It also includes outside telemarketers who solicit sales on behalf of dealerships.

Dealerships and the telemarketers they use are required to search the Do Not Call registry at least quarterly and drop from their call lists the phone numbers of consumers who have registered. The FTC maintains a website that provides this information: https://telemarketing.donotcall.gov/.

A consumer who receives a telemarketing call despite being on the registry will be able to file a complaint with the FTC, either online or by calling a toll-free number. Violators could be fined up to $11,000 per incident.

Fortunately, there are some important exceptions to the TSR. In fact, if it is a dealership’s policy to only contact consumers that fall within an exception to the Rule, the dealership may never need to actually compare a consumer’s name to the names on the Do Not Call registry.

A dealership or telemarketer may call a consumer with whom it has an established business relationship for up to 18 months after the consumer’s last purchase, delivery, or payment – even if the consumer’s number is on the Do Not Call registry. This means that dealerships are free to call a customer for 18 months following delivery of a vehicle in a cash transaction, or for 18 months after the last payment in a financed or lease transaction.

This 18 month period resets every time a customer makes another purchase or payment. Thus, if a customer made his last car payment 19 months ago and he is listed on the Do Not Call registry, a dealership cannot make an unsolicited sales call to that person. But if he gets his transmission replaced at that dealership, a new 18 month period is established.

In addition, a dealership may call a consumer for up to three months after the consumer makes an inquiry or submits an application to the dealership. What this means is that a dealership is free to call a potential customer for up to three months after a sales visit to that dealership, or after taking a test drive. And if a consumer has given a dealership written permission, that dealership may call the consumer even if the consumer’s number is on the Do Not Call registry.

But beware: if a consumer asks a dealership not to call, the dealership may not call, even if there is an established business relationship. Indeed, a dealership or its telemarketers may not call a consumer – regardless of whether the consumer’s number is on the registry – if the consumer has asked to be put on the dealership’s internal Do Not Call list.

Some states have their own Do Not Call registries, so a dealership would do well to check with its local counsel to determine if these laws increase its obligations with respect to calling customers.

Dealerships and their telemarketers are required to transmit their telephone number, and if possible, their name, to consumers’ caller ID services where it is technologically possible. Transmission of callers’ ID information allows consumers to know who is calling (and, presumably, ignore the call).

The following provisions of the Telemarketing Sales Rule also apply to dealerships:

• Dealerships and telemarketers may only call consumers between 8 a.m. and 9 p.m., local time.
• Dealerships and telemarketers must promptly identify themselves as a seller and explain that they’re making a sales call before pitching a product or service.
• Dealerships and telemarketers still must disclose all material information about the goods or services they are offering and the terms of the sale. Misrepresenting any terms or conditions of the sale is prohibited.

To be safe, a dealership should assume that every person who visits or does business with the dealership has signed up for the Do Not Call registry. Then, only call those people if they fall within one of the exceptions to the Do Not Call regulations. If you aren’t sure that an exception applies, you should compare the consumer’s name to those on the Do Not Call registry.

Finally, remember that the Telemarketing Sales Rule primarily applies to sales calls. A dealership is never prohibited from contacting customers to inform them, for example, of recall or other safety-related information.

But to return to our point of departure, technology is moving past telephone solicitations. My daughters and their generation are immune to its fading charms. The real issue for the younger set addresses e-mail and text solicitations: The CAN-SPAM Act.

Yeah, I think I smell another article…

We’ve all heard the expression “Don’t be that guy,” but do you know what it means? In normal life, it means the buffoon who is completely unaware of the fact he is being a buffoon.

True story: I was in London one year on the Fourth of July, along with a bunch of other American expats. We thought we should celebrate the American Independence Day with a pub crawl, so crawl we did. Late in the evening, we were refused admittance to the Hard Rock Café because it was about one minute to closing time. The Yank at the front of the line loudly exclaimed, “You’ve got to let us in! We’re Americans!”

I somehow escaped that evening with most of my teeth. As for the Ugly American, apparently no one told him that demanding special privileges abroad because one is an American is tacky at best. He was that guy.

In the world of service contract administrators, that guy means something different: it is the fly-by-night service contract company that attracts bad press, plaintiff’s attorneys, and government investigators. In fact, the Federal Trade Commission has weighed in with its publication How to Steer Clear of Auto Warranty Scams.

That publication urges consumers to be skeptical of mail and phone calls warning that the warranty on the consumer’s car is about to expire. The companies behind the calls or mail may try to give the impression that they work for the manufacturer or dealership. Mailings can sound official and dire, with phrases like “Notice of Warranty Interruption” or “Final Notice for Warranty Extension” on the envelope in red ink.

What is being pitched, of course, is not a warranty at all, but a service contract. The consumer who picks up the phone or responds to the mailing is likely to be subjected to a high-pressure sales pitch, dripping with urgency. And if the consumer pulls the trigger and buys the service contract, he may discover the company selling it isn’t around when it comes time to claim benefits. Remember US Fidelis?

The FTC gives consumers concrete advice about how to avoid being scammed, which I paraphrase here:

• If you receive mail or phone calls about “renewing” a vehicle’s warranty, be skeptical. The warranty may still be in force, or may have already expired. Check the owner’s manual first, or call the selling dealership to confirm actual coverage.
• Beware of fast talkers! Most legitimate businesses allow a consumer time to make an informed decision.
• Never give out personal, financial, or other sensitive information unless you are sure who you’re dealing with. There is no reason to give out your Social Security number or bank account numbers to buy a service contract. And letting such information out the door can expose the consumer to yet more fraud.
• Be particularly skeptical of unsolicited sales calls that are pre-recorded, or if your phone number is on the National Do Not Call Registry. If your number is on the National Do Not Call Registry, you should only get calls from companies you’ve bought something from in the previous 18 months, asked for information from in the past three months, or if you have agreed to accept calls from the company the sales person works for.
• To report a violation of the National Do Not Call Registry, or to register a number, visit www.DoNotCall.gov, or call 888.382.1222.

Why consider all this in such detail? Well, by reviewing what the FTC defines as suspect behavior and avoiding, an administrator can reduce its exposure to consumer complaints and government attention (not to mention those pesky plaintiff’s attorneys).

Put positively, advice on how to conduct direct-to-consumer business might look something like this:

• If your company contacts consumers whose factory warranties are soon to expire, be sure your information is correct. Don’t assume, and don’t lie.
• Do not employ fast talkers or high-pressure sales tactics! Truthfully explain features, benefits, coverage and costs. Provide written documentation before a sale is made.
• Do not ask for any nonpublic personal information (“NPI”) that is not absolutely necessary for the transaction, and only when it becomes necessary for the transaction. In the first place, reputable companies don’t solicit such information unnecessarily. And even reputable companies shoulder a significant responsibility to safeguard such NPI. Generally, the less taken the better.
• Follow the Telemarketing Sales Rule. That’s actually pretty involved, and may require a future article.

By avoiding the practices the FTC identifies as marking the unethical or criminal company and taking the opposite steps, your company can avoid being that guy.

Let’s start with a hypothetical story of a typical day in the life of an F&I manager. He’s one delivery short of glory at month’s end when a sales associate TOs a hot one: full MSRP and all the options on a $60,000 black granite Suburban, no trade. Wants to finance the car through the dealership. The F&I manager takes the customer’s credit app and accidentally drools on it – he’s a doctor with apparently more money than negotiating skills.

When the bureau comes back, it is golden – angels bear it back to the F&I manager’s office from the fax machine to the strains of Handel’s Messiah. He has a small jet, a large yacht and an 850 FICO. Spot delivery on a five-pound deal is accomplished and the doctor drives away. High fives everywhere.

Fast-forward 45 days. The GM comes into the aforementioned F&I manager’s office and asks if he remembers Dr. Suburban. The F&I manager swallows hard and says “yes.” Turns out the delivery went to someone who stole the good doctor’s identity and evidently chose not to make the payments. Now the bank that bought the RISC is pushing back the paper on the dealership – something about not following the Red Flags Rule violating the lender agreement. Oh, and there’s no insurance coverage for this loss.

We all know how this story ends. The dealership eats the $60,000 note, the thief sends the Suburban to Mexico and the F&I manager is taking down his certificates and brushing up his résumé. Had the dealership followed the Red Flags Rule, this unhappy event would never have happened – something a plaintiff’s lawyer might mention in the complaint, should things really go south.

So, then, how could adherence to the Red Flags Rule have prevented this situation? The first red flag that should have caught the attention of dealership personnel was the absence of meaningful negotiation as to price. I mean, does anyone pay MSRP these days? This is not to say that all lay-downs are identity thieves, but it stands to reason that someone who won’t be making the payments doesn’t have much incentive to drive a hard bargain.

Electronic identity authentication programs are readily available and inexpensive. These programs run the offered identity against numerous databases to confirm that the identity is indeed real and doesn’t belong to a person who is dead (and therefore unlikely to be needing a new car).

The real trick is to verify that the identity offered actually belongs to the person offering it. One way is to take care in the process of obtaining credit for the customer. Are there any gaps in the credit application? Does the applicant have poor memory about prior addresses or employment history? Those are red flags. Once identified, they need to be resolved.

One way to resolve a red flag is to ask the applicant to produce the credit cards listed on the credit report. It is unlikely that an identity thief would seek replacement cards in the victim’s name – this would create a change of address record that could alert the victim to the identity theft event. Failure to produce the actual credit cards is itself another red flag requiring resolution before a vehicle can be delivered.

A more effective means of preventing delivery of a vehicle to an identity thief is to pose out-of-wallet challenge questions. “Out-of-wallet challenge questions” are those whose answers cannot be derived from a credit report. This generally means questions that go back more than seven years in the customer’s personal history. “In what city did you live in 1987?” is an example of such a question. It is unlikely that an identity thief not related to the victim could answer this type of question.

Out-of-wallet challenge questions can be used as a means of resolving red flags that arise in the financing process, or uniformly in every finance or lease deal. For my money, the uniform approach is better. Using the same process for all non-cash customers is obviously more likely to catch a thief, and avoids the potential for discrimination claims. So you’ll have that going for you, which is nice.

Out-of-wallet challenge questions are widely available and inexpensive, and can usually be obtained from the same vendors that provide identity authentication services as a combo platter.

Of course, whatever process the dealership employs to prevent the damage resulting from an identity theft event must be a part of its written Identity Theft Prevention Program, or ITTP. Another advantage of electronic, web-based authentication and verification programs is that they create a searchable, archived
record of the dealership’s usage and, therefore, compliance with the terms of its ITPP.

Taking these steps can’t prevent theft of an identity, but it can prevent a stolen identity from being fraudulently used at a dealership. The $60,000 Suburban stays on the lot and the chargeback never comes back to bite.

Attorneys are not like normal people. When normal people wake up in the middle of the night, they think about sex, money troubles or the burritos they ate before going to bed. But not attorneys. They think about the hidden meaning of 16 CFR 681, Appendix A, Part IV. At least this one does.

Let me explain. 16 CFR 681 is commonly known as the Red Flags Rule. It applies to most financial institutions and, because most car dealerships originate financing, it applies to most dealerships. Whether or not the FTC officially begins its oft-delayed enforcement of the Rule on Jan. 1, 2011, it has been in effect since Jan. 1, 2008.

The Rule itself contains 4,074 words; I boil the Rule’s requirements down to seven:

1. Policy (an Identity Theft Prevention Program (“ITPP”), to be exact)
2. Training (staff on how to effectively implement the ITPP
3. Detect (attempts at identity theft)
4. Prevent (instances of identity theft)
5. Mitigate (the effects of identity theft)
6. Oversee (service provider agreements)
7. Ensure (that the ITPP continues to work over time)

Yeah, I know – George Carlin’s seven words were far more interesting. But these words carry legal requirements, so they deserve special attention. Today, my attention is drawn to “Mitigate.”

The Red Flags Rule clearly requires dealerships to have a policy in place that mitigates identity theft in connection with their “covered accounts.” In a dealership, “covered accounts” would mean installment sale contracts and leases. But what does “mitigate” mean?

Of all 4,074 words of the Rule, not one – not one! – is spent defining one of its seven basic requirements. Except, maybe, Appendix A, Part IV. That section is titled “Preventing and Mitigating Identity Theft.” The problem is, you can’t tell if the text that follows is addressing prevention or mitigation. And more to the point, if the dealership faithfully followed all of the suggestions in Appendix A, Part IV, no rational person would believe an identity theft event would have been effectively mitigated.

Appendix A, Part IV lists eight possible actions to prevent and mitigate identity theft (nine if you count the last one – “Do nothing”). Of the eight, only four could apply to an installment sale contract or lease: (b) Contacting the customer; (f) Closing the account; (g) Not attempting to collect on a covered account or not selling a covered account to a debt collector; and (h) Notifying law enforcement.

So the problem is, even if a dealership performs those four tasks, is an identity theft event really mitigated?

Logically speaking, by the time a criminal enters a dealership and attempts to take delivery of a vehicle in a victim’s name, an identity theft has already occurred. What is left to occur is monetary damage flowing from that identity theft. If a thief accomplishes delivery of a vehicle by getting it funded in the victim’s name, mitigation is accomplished in a narrow sense by canceling the financing.

But in a broader sense, mitigation hasn’t really occurred: the victim’s identity is still circulating and capable of being misused again and again, and the dealer now owns the paper. Ouch!

For true mitigation to even begin, at a minimum, a fraud alert must be placed on the victim’s credit file – and the dealership is not required to take that step. Curious. Mitigation would also logically imply investigating what other damage has been done using the stolen identity, and then unwinding that damage to return the identity to its pre-event status.

While the Rule does not require it, granting either every victim or every customer access to identity theft recovery service would provide a more meaningful level of mitigation, and certainly a higher level of customer satisfaction. Before we discuss this service, a couple of definitions would be helpful.

Assisted Recovery is the process of a victim attempting to restore his own identity with the advice of a professional. This advice is usually provided through a “how to” manual and, in some cases, telephone consultations. But the actual tasks necessary to restore an identity are performed by the victim.

Blanket Coverage is where ID recovery services are provided to every member of a defined group, such as every customer of a dealership. Because it is essentially group coverage, blanket coverage is less expensive than individual coverage.

Fully-managed Recovery is the restoration of a victim’s identity to its pre-event status performed by professional identity recovery advocates rather than by the victim. It is accomplished by the victim filling out and providing to the recovery advocate a limited power of attorney, which authorizes the recovery advocate to act on the victim’s behalf. Although the victim must cooperate with the process for it to be successful, the heavy lifting is done by professionals, not the victim.

In the vernacular, assisted recovery isn’t worth a 480 BEACON score in a Lexus dealership. A victim doesn’t want to be told how to fix a problem – he wants the problem solved. And the best way to do that is through a fully managed recovery.

Fully managed recovery by a reputable provider is the gold standard. But if provided after the fact, it is quite expensive. Such ex post facto remediation’s generally start in the four-digit range and can go up quickly, depending on the complexity of the case. Blanket coverage – providing the coverage to all finance or lease customers (cash customers aren’t covered by the Rule, but it’s a nice touch) – is the most economical way of providing meaningful mitigation to a dealership’s customers.

Again, this level of mitigation goes beyond the bare requirements of the Rule, but it more clearly accomplishes the Rule’s intent.

Oh, yeah – what about the dealership that had to eat the $45,000 RISC on a vehicle it delivered to the identity thief? Who mitigates that? Answer: nobody. That’s where prevention really comes into play – a good topic for next time.