LAKE SUCCESS – DealerTrack is offering a $25,000 Red Flags Guarantee to current and new subscribers of its Compliance Solution, a suite of compliance tools available in the automotive retail industry.

The new Red Flags Guarantee from DealerTrack will cover associated government-issued fines up to $25,000, should a dealership be cited for non-compliance with the Red Flags Rule while using the DealerTrack Compliance Solution.

“With auto identity theft on the rise, a new era of regulatory requirements has emerged, and DealerTrack has dealers covered when it comes to compliance,” said Robert Granados, vice president and general manager, Finance Solutions, DealerTrack.

“Backed by our extensive experience navigating the compliance and regulatory landscape and years of safeguarding dealers from identity theft, we can confidently offer this guarantee. No other company delivers the breadth of compliance safeguards coupled with such a guarantee.”

The DealerTrack Compliance Solution helps protect a dealership throughout the sales and F&I process, including credit reports and Red Flags, credit application submissions, menu presentations, and document storage and retrieval.

The solution allows dealers to work all deals on one fully integrated and secure platform to streamline the process and protect their dealership and its customers.

The Red Flags Rule, which is enforced by the Federal Trade Commission (FTC), requires businesses and organizations to adopt and implement an Identity Theft Prevention Program. The program should be designed to detect, prevent and mitigate identity theft when establishing or maintaining consumer credit and certain business accounts.

The potential liability dealers could face from not complying with the rule includes, but is not limited to, $3,500 per violation under the Fair and Accurate Credit Transactions Act of 2003, up to $16,000 in penalties under the FTC Act, and potential lawsuits from the FTC and State Attorney Generals.

TEANECK – Veratad Technologies LLC, a provider of identity verification and compliance solutions, announced that its Red Flags Rule and ID verification solutions will be offered to all VisionMenu Inc. dealerships nationwide.

VisionMenu, a provider of software selling solutions to automotive and powersports dealerships, selected Veratad to provide a seamless solution delivered directly to a dealer’s menu services. This online solution, which makes verifying an identity a simple matter of a few clicks, is designed to protect dealerships against losses due to fines for non-compliance, as well as fraud and identity theft.

“The Red Flags Rule requires dealers to detect, prevent and mitigate identity theft. Dealers using online ID verification are taking an important step in meeting their compliance requirements and assuring the person presenting a verifying document is in fact who they say they are,” said John Ahrens, managing director at Veratad. “In addition to avoidance of fines for non-compliance, use of online ID verification is a way for dealers to reduce their risk of fraud and mitigate the reputational risk associated with the theft of a consumer’s identity.”

Ron Martin, CEO of Vision Menu, said “We selected Veratad because of their industry leadership and experience. We are always looking for enhancements to our solutions that will offer value to our dealership customers, and while VisionMenu is known for helping dealers sell more units, increasing F&I product sales and profitability analytics, the addition of Veratad allows us to offer our dealerships a powerful tool that protects them from fraudulent transactions and potential fines for non-compliance.”

Veratad’s Red Flags Knowledge Based Identity Verification tool is now available in VisionMenu Pro. To learn more about VisionMenu or Veratad’s Red Flags Rule special offer, contact your VisionMenu Representative or call Veratad toll free at (888) 510-7343.

KENNESAW — MicroBilt Corporation, a provider of risk management services, introduced two solutions to help dealers comply with the Risk-Based Pricing (RBP) Rule and Red Flags Rule (RFR), which became effective Jan. 1, 2011.

The RBP Rule is part of the Fair and Accurate Credit Transactions Act (FACTA). The rule requires companies that use a credit report or score in connection with a credit decision to provide a risk-based pricing notice to a consumer when the company grants credit on material terms that are not the most favorable terms offered to a substantial proportion of consumers, F&I and Showroom reported. Risk-based pricing is the practice of setting the interest rate or other terms of credit to a consumer based on the consumer’s credit report or score.

The RBP Rule provides companies with two compliance options: the RBP Notice or a Credit Score Disclosure Exception Notice. MicroBilt offers the Credit Score Disclosure Exception Notice as a standard service for all customer data contracts.

The RFR is also part of the FACTA. The RFR require credit providers to define their processes for detecting “red flags” in identity verification, such as discrepancies in address histories, fraud alerts on consumer reports, suspicious use of Social Security numbers, inactive accounts that suddenly become active, credit-freeze notifications, credit reports showing unusual patterns of activity, notices from victims of identity theft or law enforcement agencies and discrepancies between applications and third party information.

MicroBilt offers Red Shield, MicroBilt’s FACTA Red Flags solution, which is designed to eliminate some of the most difficult front-end steps in the Red Flag process. It analyzes the likelihood of identity fraud and provides a “Pass” or “Fail” grade. If a transaction passes, it is automatically guaranteed against fraud for up to $25,000. The consumer is also protected against identity-theft losses for another $25,000. If a “fail” response is returned, the client is given a range of manual options that can be used to reduce the risk of identity theft or fraud in the transaction.

MicroBilt offers a low cost, on-demand FACTA Red Flags Training course designed to meet the Red Flags training requirements and to make understanding the RFR fun, fast and easy. An online, real-time FACTA Red Flags hotline — that responds to Red Flag questions within 24 hours is available.

MicroBilt also offers an on-demand training of the Fair Credit Reporting Act which requires users of consumer reports to follow specific rules and guidelines when using private consumer data. FCRA compliance regulation responsibilities can be complex and any business that deals with consumer data must understand the basic concepts and provisions of the FCRA to ensure it adheres to the FCRA compliance regulations.

In addition, MicroBilt offers OFAC compliance by providing access to extensive anti-terrorist “watch list” searches as part of its standard credit and identity reporting. MicroBilt screens more than 60 critical “watch lists” including those maintained and mandated by the US Treasury Department’s Office of Foreign Assets Control (OFAC).

“For smaller businesses in particular, keeping up with federal regulations and their compliance with those regulations such as Risk-Based Pricing, Red Flags, FCRA, OFAC, etc. is a major challenge,” said Walt Wojciechowski, CEO of MicroBilt. “Along with the obvious business risks of non-compliance, the legal penalties associated with violations of these regulations can be devastating to the small business. With our simple compliance tools, we’re trying to help customers do more business with less risk and less confusion without having to become experts on federal regulations.”

Let’s start with a hypothetical story of a typical day in the life of an F&I manager. He’s one delivery short of glory at month’s end when a sales associate TOs a hot one: full MSRP and all the options on a $60,000 black granite Suburban, no trade. Wants to finance the car through the dealership. The F&I manager takes the customer’s credit app and accidentally drools on it – he’s a doctor with apparently more money than negotiating skills.

When the bureau comes back, it is golden – angels bear it back to the F&I manager’s office from the fax machine to the strains of Handel’s Messiah. He has a small jet, a large yacht and an 850 FICO. Spot delivery on a five-pound deal is accomplished and the doctor drives away. High fives everywhere.

Fast-forward 45 days. The GM comes into the aforementioned F&I manager’s office and asks if he remembers Dr. Suburban. The F&I manager swallows hard and says “yes.” Turns out the delivery went to someone who stole the good doctor’s identity and evidently chose not to make the payments. Now the bank that bought the RISC is pushing back the paper on the dealership – something about not following the Red Flags Rule violating the lender agreement. Oh, and there’s no insurance coverage for this loss.

We all know how this story ends. The dealership eats the $60,000 note, the thief sends the Suburban to Mexico and the F&I manager is taking down his certificates and brushing up his résumé. Had the dealership followed the Red Flags Rule, this unhappy event would never have happened – something a plaintiff’s lawyer might mention in the complaint, should things really go south.

So, then, how could adherence to the Red Flags Rule have prevented this situation? The first red flag that should have caught the attention of dealership personnel was the absence of meaningful negotiation as to price. I mean, does anyone pay MSRP these days? This is not to say that all lay-downs are identity thieves, but it stands to reason that someone who won’t be making the payments doesn’t have much incentive to drive a hard bargain.

Electronic identity authentication programs are readily available and inexpensive. These programs run the offered identity against numerous databases to confirm that the identity is indeed real and doesn’t belong to a person who is dead (and therefore unlikely to be needing a new car).

The real trick is to verify that the identity offered actually belongs to the person offering it. One way is to take care in the process of obtaining credit for the customer. Are there any gaps in the credit application? Does the applicant have poor memory about prior addresses or employment history? Those are red flags. Once identified, they need to be resolved.

One way to resolve a red flag is to ask the applicant to produce the credit cards listed on the credit report. It is unlikely that an identity thief would seek replacement cards in the victim’s name – this would create a change of address record that could alert the victim to the identity theft event. Failure to produce the actual credit cards is itself another red flag requiring resolution before a vehicle can be delivered.

A more effective means of preventing delivery of a vehicle to an identity thief is to pose out-of-wallet challenge questions. “Out-of-wallet challenge questions” are those whose answers cannot be derived from a credit report. This generally means questions that go back more than seven years in the customer’s personal history. “In what city did you live in 1987?” is an example of such a question. It is unlikely that an identity thief not related to the victim could answer this type of question.

Out-of-wallet challenge questions can be used as a means of resolving red flags that arise in the financing process, or uniformly in every finance or lease deal. For my money, the uniform approach is better. Using the same process for all non-cash customers is obviously more likely to catch a thief, and avoids the potential for discrimination claims. So you’ll have that going for you, which is nice.

Out-of-wallet challenge questions are widely available and inexpensive, and can usually be obtained from the same vendors that provide identity authentication services as a combo platter.

Of course, whatever process the dealership employs to prevent the damage resulting from an identity theft event must be a part of its written Identity Theft Prevention Program, or ITTP. Another advantage of electronic, web-based authentication and verification programs is that they create a searchable, archived
record of the dealership’s usage and, therefore, compliance with the terms of its ITPP.

Taking these steps can’t prevent theft of an identity, but it can prevent a stolen identity from being fraudulently used at a dealership. The $60,000 Suburban stays on the lot and the chargeback never comes back to bite.

Menu Providers’ Perspectives!

Full speed ahead: The Red Flags Rule is in enforcement! Yes, that’s right, the day has finally arrived! And that means the time has come to comply, comply, comply! As of Jan. 1, the FTC not only has the power to go after banks, credit unions and captive lenders that violate the rule, but it can also seek out dealerships that aren’t following protocol.

We knew this day was coming and over the course of 2010 have published several articles explaining what this rule encompasses and how it affects us. Our December issue included an article about the pros and cons of this recently implemented rule from a provider and legal expert’s perspective. One of the ways a software company can assist the dealership in complying with the Red Flags Rule is by incorporating Red Flags checks into the programs used by the dealer.

So, we decided to get the perspective of a few menu providers about the pros and cons of complying with this rule. My thanks go out to MaximTrak Technologies, Ristken Software Services and VisionMenu for providing P&A eMagazine with their perspectives.

We first asked what they feel, as software providers, are some advantages of using Red Flags checks and what advantages do these checks provide dealerships?

Ron Martin, president of VisionMenu, Inc., says, “It is a low-cost, quick-and-easy way for the dealer to ensure that the customer is who they say they are. It evaluates the name and address, age and social security number against a variety of public records to confirm the identity of the person. Now the dealership just needs to make sure that the customer in front of them is actually who they say they are. This is done by evaluating a list of out-of-pocket questions. Sure, there is room for some people to slip through the cracks, but if the process is followed completely, most identity thieves will be uncovered. We at VisionMenu have chosen to leave this process to the expert, which is why we have chosen a company’s web service that specializes in catching identity thieves. We are just facilitating ease of use to the F&I manager by allowing full integration.”

Jim Maxim, president of MaximTrak Technologies, adds that “Federal compliance issues today surrounding identity theft and protection of non-public personal information are some of the hottest topics in today’s business discussions – especially in the financial services arena. Automotive dealers today are being held as accountable for compliance with these regulations as some of the world’s largest banks. So, the risks are huge and it really demands that the dealership principals pay attention to these areas and assess their processes and overall compliance. We incorporate these services to make it quick and easy for the dealer to adopt compliance into their sales and finance processes and to save the dealership time on each and every transaction, which means more time spent selling products.”

Patrick DeMarco, president of Ristken Software Services, says “the biggest advantage is protecting the dealerships against fraudulent buyers and therefore mitigating the risk of a distressed financial situation for the dealership. By incorporating Red Flags technology directly into our menu application, it ensures the F&I managers are completing Red Flags checks at the point of sale. A simple series of questions can protect the dealership and its creditors from identity theft. Ristken does not charge additional fees in our application for Red Flags integration. We feel all of our customers should have that protection benefit in their operations.”

On the flip side, there are shortcomings, and as Jim Ganther mentioned in his December article “it can be easy to fall into the trap of believing the transactional approach is sufficient to address all of a dealership’s obligations under the rule.”

Martin agrees that the checks do tend to provide the dealer with a false sense of security and that the dealer needs to have implemented and documented, in writing, the procedures put in place to detect, prevent and mitigate identity theft. Maxim also says they often see that the shortfalls that are occurring at the dealer-level are in the training, process and policy areas.

Because these menu providers offer challenge questions within their software programs, we asked them how the questions operated within these programs. Maxim says that although some dealers incorporate the challenge questions into every transaction, many do not because it is not required, and they are only prompted with such questions when an alert is caused as a result of a credit report being pulled or something within the system being alerted during the sales process.

All of the participating menu providers provide a Red Flags identity theft prompt that upon selection opens a window that prompts the F&I manager with several challenge questions. Martin adds that based on the circumstances, it is crucial that the challenge questions be answered correctly, and although it is not a full-proof way of confirming the person’s identity, they get as close as they can.

We finally asked our menu provider participants, just as we did of Jim Ganther and Pattie Dillon last month, if they thought that Red Flags checks capabilities should be charged to the dealer. Although Ristken does not charge additional fees in their application for Red Flags integration, both VisionMenu and MaximTrak Technologies do charge for this option. However, Martin says, “Yes, there is a nominal fee. But in order to stay with our high-quality, low-cost model it is an a la carte option for customers. And all things considered, when it comes to compliance, it is money well spent.”

Maxim also notes that his company’s Red Flags service “is billed on a per authentication basis – there are no monthly minimums.” He further explains that, “a dealership that sells 500 cars per month should pay more than a dealership that only sells 50 cars per month. The very nature of the service makes it palatable for everyone and ensures that we can provide the same quality of service to every automotive dealer that wants to utilize these services to comply with the Red Flags requirements.”

In spite of the possibility that Red Flags checks can give the dealer a false sense of security, it seems that the benefits of implementing a Red Flags checks program within a menu selling system far outweigh the cons. And, to remain compliant and avoid unnecessary legal issues, it is absolutely necessary the dealer have a written program for compliance and a training program to follow through with their compliance of this rule.

Attorneys are not like normal people. When normal people wake up in the middle of the night, they think about sex, money troubles or the burritos they ate before going to bed. But not attorneys. They think about the hidden meaning of 16 CFR 681, Appendix A, Part IV. At least this one does.

Let me explain. 16 CFR 681 is commonly known as the Red Flags Rule. It applies to most financial institutions and, because most car dealerships originate financing, it applies to most dealerships. Whether or not the FTC officially begins its oft-delayed enforcement of the Rule on Jan. 1, 2011, it has been in effect since Jan. 1, 2008.

The Rule itself contains 4,074 words; I boil the Rule’s requirements down to seven:

1. Policy (an Identity Theft Prevention Program (“ITPP”), to be exact)
2. Training (staff on how to effectively implement the ITPP
3. Detect (attempts at identity theft)
4. Prevent (instances of identity theft)
5. Mitigate (the effects of identity theft)
6. Oversee (service provider agreements)
7. Ensure (that the ITPP continues to work over time)

Yeah, I know – George Carlin’s seven words were far more interesting. But these words carry legal requirements, so they deserve special attention. Today, my attention is drawn to “Mitigate.”

The Red Flags Rule clearly requires dealerships to have a policy in place that mitigates identity theft in connection with their “covered accounts.” In a dealership, “covered accounts” would mean installment sale contracts and leases. But what does “mitigate” mean?

Of all 4,074 words of the Rule, not one – not one! – is spent defining one of its seven basic requirements. Except, maybe, Appendix A, Part IV. That section is titled “Preventing and Mitigating Identity Theft.” The problem is, you can’t tell if the text that follows is addressing prevention or mitigation. And more to the point, if the dealership faithfully followed all of the suggestions in Appendix A, Part IV, no rational person would believe an identity theft event would have been effectively mitigated.

Appendix A, Part IV lists eight possible actions to prevent and mitigate identity theft (nine if you count the last one – “Do nothing”). Of the eight, only four could apply to an installment sale contract or lease: (b) Contacting the customer; (f) Closing the account; (g) Not attempting to collect on a covered account or not selling a covered account to a debt collector; and (h) Notifying law enforcement.

So the problem is, even if a dealership performs those four tasks, is an identity theft event really mitigated?

Logically speaking, by the time a criminal enters a dealership and attempts to take delivery of a vehicle in a victim’s name, an identity theft has already occurred. What is left to occur is monetary damage flowing from that identity theft. If a thief accomplishes delivery of a vehicle by getting it funded in the victim’s name, mitigation is accomplished in a narrow sense by canceling the financing.

But in a broader sense, mitigation hasn’t really occurred: the victim’s identity is still circulating and capable of being misused again and again, and the dealer now owns the paper. Ouch!

For true mitigation to even begin, at a minimum, a fraud alert must be placed on the victim’s credit file – and the dealership is not required to take that step. Curious. Mitigation would also logically imply investigating what other damage has been done using the stolen identity, and then unwinding that damage to return the identity to its pre-event status.

While the Rule does not require it, granting either every victim or every customer access to identity theft recovery service would provide a more meaningful level of mitigation, and certainly a higher level of customer satisfaction. Before we discuss this service, a couple of definitions would be helpful.

Assisted Recovery is the process of a victim attempting to restore his own identity with the advice of a professional. This advice is usually provided through a “how to” manual and, in some cases, telephone consultations. But the actual tasks necessary to restore an identity are performed by the victim.

Blanket Coverage is where ID recovery services are provided to every member of a defined group, such as every customer of a dealership. Because it is essentially group coverage, blanket coverage is less expensive than individual coverage.

Fully-managed Recovery is the restoration of a victim’s identity to its pre-event status performed by professional identity recovery advocates rather than by the victim. It is accomplished by the victim filling out and providing to the recovery advocate a limited power of attorney, which authorizes the recovery advocate to act on the victim’s behalf. Although the victim must cooperate with the process for it to be successful, the heavy lifting is done by professionals, not the victim.

In the vernacular, assisted recovery isn’t worth a 480 BEACON score in a Lexus dealership. A victim doesn’t want to be told how to fix a problem – he wants the problem solved. And the best way to do that is through a fully managed recovery.

Fully managed recovery by a reputable provider is the gold standard. But if provided after the fact, it is quite expensive. Such ex post facto remediation’s generally start in the four-digit range and can go up quickly, depending on the complexity of the case. Blanket coverage – providing the coverage to all finance or lease customers (cash customers aren’t covered by the Rule, but it’s a nice touch) – is the most economical way of providing meaningful mitigation to a dealership’s customers.

Again, this level of mitigation goes beyond the bare requirements of the Rule, but it more clearly accomplishes the Rule’s intent.

Oh, yeah – what about the dealership that had to eat the $45,000 RISC on a vehicle it delivered to the identity thief? Who mitigates that? Answer: nobody. That’s where prevention really comes into play – a good topic for next time.