Understanding the Red Flags Rule
Ryan Lane
Director, KPA Sales & Finance Compliance
Jim Radogna
Sales & Finance Compliance Consultant
Moderator: Rebecca Ward, Sr. Marketing Content Specialist, (303) 219-7802
Presenter: Ryan Lane, Director, KPA Sales & Finance Compliance, (303) 802-3095
Presenter: Jim Radogna, Sales & Finance Compliance Consultant, (303) 228-8770
A comprehensive solution for Environmental Health & Safety, HR
Management, and Sales & Finance Compliance.
• 8/10 of the largest dealership groups in the
country count on KPA.
• KPA has been endorsed by 26 national and
state dealer associations
• Founding member of the Clean Auto Alliance.
KPA delivers Environmental Health & Safety, HR Management and Sales & Finance
Compliance programs that help our clients achieve regulatory compliance, control risk, protect
their assets and effectively manage people through a combination of innovative software,
award winning training and on-site consulting. Over 5,200 clients, including 8 out of 10 of the
largest dealership groups in the country, count on KPA for Environmental Health & Safety, HR
Management and Sales & Finance Compliance programs that save them time and save them
money.
KPA minimizes risks and maximizes profit for
5,200 dealers nationwide.
KPA Environmental Health & Safety
KPA Human Resource Management
KPA Sales & Finance Compliance
KPA Sales & Finance Compliance
KPA Sales & Finance Compliance programs offer onsite and online
training, consulting and audit services to assist clients in
compliance with state and federal regulations and developing best
practices in the following areas:
• Contract/Lease Disclosure
Requirements
• Privacy Notices
(GLBA)
• OFAC Screening
• FTC Used Car Rule
• Email Marketing
• Do Not Call Rules
• Text Message Marketing
• Ethics
• Unfair & Deceptive Acts and
Practices (UDAP)
• Vehicle History Disclosures
• Hidden Finance Charges
• Credit Applications/Credit
Reports
• Adverse Action Notices
• Risk Based Pricing Notices
• Vehicle Purchase Proposals
(write ups)
• Desking & Fair Lending
POLL #1:
Does your dealership have a written Identity
Theft Prevention Program (ITPP) as required by
the Red Flags Rule?
POLL #2:
Does your dealership have a Red Flags
Compliance Officer as required by the Red
Flags Rule?
POLL #3:
Have all sales department staff members who
interact with customers in your dealership
received Red Flags training?
What Is The Red Flags Rule?
• The RED FLAGS RULE was created by the
Federal Trade Commission. It requires dealers
to develop and implement an Identity Theft
Prevention Program (ITPP) that is designed to
detect, prevent and mitigate identity theft.
• IDENTITY THEFT means fraud committed or
attempted using the identifying information of another person without authority.
What Makes the Red Flags Rule Different?
Dealership personnel are required to be far more proactive than
with other regulations. Unfortunately this can slow down a
transaction.
Red Flags regulations require a dealership to not only be a good
citizen, but to be a cop as well.
Dealerships are required to have a Red Flags Compliance
Officer in-house.
All relevant dealership personnel must be trained on the Red
Flags Rule.
Risk Assessment
The Red Flags Rule requires dealers to determine, initially and periodically thereafter,
whether they offer or maintain “covered accounts” as defined by the rule.
Accordingly, they must conduct a risk assessment of their accounts to determine
which of them are “covered accounts.” In doing so, they
must take into consideration the following risk factors:
Types of accounts they maintain
Determination of the methods used to open accounts
The methods used to access accounts
Their previous experiences with identity theft
A Risk Assessment should take place individually for each account offered or
maintained on a department-by-department basis (e.g. new and used-car sales
departments, parts and service, etc.) and by customer type (e.g. consumers,
businesses, fleet businesses, vendors, employees, etc.)
Identifying Red Flags
First, the Program must identify relevant “Red Flags” for new and existing “covered accounts” and incorporate those Red Flags into the Program.
• RED FLAG means a pattern, practice or specific activity that indicates the possible existence of identity theft.
• COVERED ACCOUNT means an account that a creditor offers or maintains, primarily for personal, family, or household purposes that involves multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk to customers of identity theft.
So… What Are Covered Accounts?
The following types of accounts are generally
considered to be “covered accounts” at dealerships:
• Vehicles purchased on credit for personal use
• Vehicles leased for personal use.
• Commercial credit sales where an individual co-signs
• Commercial leases where an individual co-signs
Identifying Red Flags At The Dealership
There are 6 typical categories of Red Flags at most dealerships:
1. ALERTS, NOTIFICATIONS AND WARNINGS FROM CREDIT REPORTING AGENCIES
OR SERVICE PROVIDERS, SUCH AS FRAUD DETECTION SERVICES:
Report of fraud accompanying a credit report
Notice or report from a credit agency of a credit freeze on a customer or applicant
Notice or report from a credit agency of an active duty alert for an applicant
Notice or report from a credit agency of an address discrepancy for an applicant
The credit report contains an alert with respect to the Social Security number used by the applicant, such as multiple Social Security numbers on file, Social Security number never issued, or a Social Security number that indicates that the individual is deceased
2. SUSPICIOUS DOCUMENTS
Identification document or card that appears to be forged, altered or
inauthentic
Identification document or card on which a person’s photograph or
physical description is not consistent with the person presenting the
document
Other document with information that is not consistent with existing
customer information (such as if a person’s signature on a check
appears forged)
3. SUSPICIOUS PERSONAL IDENTIFYING INFORMATION
Identifying information presented that is inconsistent with other
information the customer provides (example: inconsistent birth dates
between credit application and credit report)
Identifying information presented that is inconsistent with other sources
of information (for instance, an address not matching an address on the
credit report)
Identifying information presented that is consistent with fraudulent
activity (such as an invalid phone number or fictitious billing address)
A person fails to provide complete personal identifying information on
an application when reminded to do so
A person’s identifying information is not consistent with the information
that is on file for the customer
4. SUSPICIOUS ACCOUNT ACTIVITY OR UNUSUAL USE OF ACCOUNT
Account used in a way that is not consistent with prior use (example:
recent and significant increase in volume of inquiries)
An unusual amount of recently established credit accounts
An account that was closed for cause or identified for abuse of account
privileges by a creditor
A material change in the use of credit
5. ALERTS FROM OTHERS
Notice to the dealership from a customer, identity theft victim, law
enforcement or other person that it has opened or is maintaining a
fraudulent account for a person engaged in Identity Theft
6. PERSONAL BEHAVIOR RED FLAGS
Customer seems unusually nervous
Customer attempts to rush dealership personnel through the sale
process
Customer does not visit the dealership but conducts negotiations over
the phone, by email or fax
Customer seems unusually disinterested in the price of the vehicle
Detecting Red Flags
Next, the Program must set forth procedures to detect those Red Flags that
were identified and incorporated into the Program.
In order to detect any of the Red Flags identified, the dealership’s personnel should
take the following steps to obtain and verify the identity of the person opening the
account:
A credit application should be completed and signed prior to the running of a
credit report.
Credit applications should be filled out completely, including at least 5 years of
residence and employment history.
Credit applications should be compared with information provided in the credit
report for consistency in order to detect address and other discrepancies.
Credit reports should be reviewed carefully for fraud or active duty alerts, or
credit freezes.
All credit applications should be accompanied by acceptable
identification. Sales personnel should not be permitted to deliver a
vehicle without first collecting and verifying acceptable identification.
Acceptable identification is any one of the following:
• Unexpired, state government issued driver’s license with picture
• Unexpired, state government issued identification card with picture
• Unexpired, Military identification card with picture
• Unexpired, U.S. passport with picture
The picture on the identification should be confirmed to be the same
person that is applying for credit. You should ensure the picture on the
acceptable identification bears a reasonable resemblance to the
customer.
You should compare the signature on the acceptable identification to the signature on the credit application and other documents.
You should check the form of identification presented by the applicant to see if it appears to be forged or altered. If you are unfamiliar with the appearance or security features of a particular form of identification, a valid reference source should be consulted for verification (e.g. look it up online).
If there is any question as to the validity of the identification, personnel should seek approval from senior management or the Red Flags Coordinator.
Responding to Red Flags
Finally, the Program must set forth procedures to
respond appropriately to detected Red Flags to
prevent or mitigate (reduce the impact of) identity
theft.
The presence of one or more Red Flags does not
necessarily mean that the applicant is an identity thief,
however you should take additional steps to ensure that
the person attempting to purchase on credit or lease a
vehicle is not using someone else’s identity.
If a Red Flag is detected, you may utilize the following procedures for identity verification:
A second form of identification should be presented by the customer. Secondary forms of identification include:
State government issued driver’s license/ID card with picture
Passport
Vehicle title or registration
US Military ID card with picture
Utility bill
Major credit card
Credit History Quiz
When a Red Flag is detected, the customer should be asked credit history
questions based upon the contents of the credit report. These “out of
wallet” questions are based on data that is probably not known by an
identity thief because a person is not likely to carry such information in his
or her wallet.
The customer must be able to answer most of the questions correctly. If
the customer cannot correctly answer the questions, the transaction can
only proceed upon approval by senior management. Examples of credit
history quiz questions are (“Out of Wallet” questions may also be
generated by automated systems, such as DealerTrack or RouteOne):
What is the approximate balance on your Visa credit card?
What is the name of your previous employer?
What is your previous address?
In what U.S. state/territory were you residing when you (or your
parent/guardian) applied for your social security card? *
What is the approximate balance on your Home Depot credit card?
What is the amount of your mortgage payment?
What is the name of the company that you make your mortgage
payment to?
What is the name of the company that you make your car payment to?
* To determine if customer’s response is correct, dealer personnel should
refer to the Social Security Number Allocation table at
www.socialsecurity.gov/employer/stateweb.htm.
Address Verification
This step is only necessary if any of the Red Flags identified an address
discrepancy or if there is a need to verify a delivery address for a
transaction where the customer does not visit the dealership. The
customer must produce proof of current, physical address using any of the
documents described in this section. In the event the customer cannot
provide acceptable proof of current, physical address, the transaction can
only proceed upon approval by senior management. Address can be
verified by:
Current utility bill (not mobile/wireless phone)
Current mortgage statement
Recent property tax bill
Current lease agreement
Approval or Denial of Transaction
Dealership staff should either certify completion of the
Red Flags detection process and approve the
transaction or deny the transaction. In the event the
applicant is unable to adequately respond to and/or
provide documentation for detected Red Flags, the
transaction should be denied unless a waiver is
approved by senior management. Each denial that
takes place must be submitted to the Red Flags
Coordinator for further review.
The Red Flags Coordinator should determine which of the
following additional actions will be taken on a case-by-case
basis:
Contact applicant for additional information and/or
documentation
Refuse to deliver the vehicle to customer
Contact law enforcement
Contact the suspected or confirmed identity theft victim
Contact credit reporting agency to report that an inquiry was
bogus
Issue an adverse action notice
Determine that no further response is necessary
Red Flags Coordinator Responsibilities
The Red Flags (Program) Coordinator shall be responsible for the development,
implementation, oversight and continued administration of the Program. The
Coordinator may engage the services of an outside consultant(s) to assist in the
development and implementation of the Program.
The Program Coordinator shall put a program in place to train staff, as
necessary, to effectively implement the Program.
The Program Coordinator shall exercise appropriate and effective oversight of
service provider arrangements.
The Program Coordinator shall be responsible for assignment of specific
responsibility for implementation of the Program to other senior level managers.
The Program Coordinator will be responsible for conducting initial and periodic
risk assessments to identify potential identity theft risks, identifying relevant identity
theft Red Flags, implementing methods to detect Red Flags, creating processes to
respond appropriately when Red Flags are detected, review of reports prepared by
staff regarding compliance, approval of material changes to the Program as
necessary to address changing risks of identity theft, identification of the steps for
preventing and mitigating Identity Theft, and determining which steps of prevention
and mitigation should be taken in particular circumstances.
The Program Coordinator shall report to the company ownership at least
annually on compliance by the organization with the Program.
The report shall address material matters related to the Program and evaluate
issues such as:
– The effectiveness of the policies and procedures in addressing the risk of identity
theft in connection with the opening of covered accounts and with respect to existing
covered accounts
– Service provider agreements
– Significant incidents involving identity theft and management’s response
– Recommendations for material changes to the Program
Automated Red Flags Programs
A number of companies such as DealerTrack,
RouteOne and credit reporting agencies offer
automated Red Flags programs. These can
save a great deal of time.
So You Have A Red Flags Program…Now What?
• There’s some due diligence required on the part of
dealership personnel when potential “Red Flags” are
detected.
• We’ve found a number of situations during
compliance audits where the Red Flags program has
displayed prompts that “high risk has been detected” and that
“out of wallet questions are required”, but the questions
were not asked of the customer.
• While it can certainly be uncomfortable to ask a
customer personal questions or request that they supply
additional proof of identity or address, it is important that
these steps not be avoided.
Staff Responsibilities
If an identity theft does occur and the proper steps were
not taken, it’s conceivable that the dealership’s
exposure to liability will be increased dramatically. The
same holds true in a situation where the dealer’s Red
Flags procedures are audited by a regulator. Staff
members’ proclamations that they had a ‘gut feeling’
that the customers were who they said they were will
not likely be enough to satisfy the investigators. The fact
that the employees were prompted to follow a particular
procedure and failed to do so would almost certainly
make matters much worse.
The Bottom Line
Even the best Red Flags program is not infallible.
Chances are that an experienced identity thief will
succeed despite a dealership’s best efforts. That’s
understandable. As long as the company can show that
it performed its due diligence and did not
take any shortcuts, its exposure will likely be lessened
dramatically.
There hasn’t been a lot of enforcement action YET, but
there likely will be in the foreseeable future. And the
FTC LOVES targeting auto dealers…
Contact Information
The recorded webinar and presentation slides will be emailed to
you today including your local representative’s contact information.
www.kpaonline.com
866-228-6587