The Fair Credit Reporting Act (“FCRA”) restricts the reasons dealers may use to obtain, use, and share credit reports. In addition to these restrictions, FCRA requires dealerships to provide certain notices to consumers applying for credit. Dealerships should only obtain credit reports from consumers when they have express permission to do so. Issues arise when consumers make inquiries about obtaining financing when they are not physically present at the dealership. In these cases, it is imperative that the dealership has processes in place to obtain consumers’ written consent or otherwise show they have permission to obtain credit reports on behalf of consumers. Otherwise, consumers may claim the dealership violated FCRA by accessing their credit reports without prior consent.
You will need to determine whether your dealership will accept credit applications from consumers that are not physically present at the dealership. There are inherent risks associated with accessing credit reports when the applicant is not at the dealership that you will need to balance with business considerations such as customer expectations, convenience, and pressure from competitors. If you choose to accept credit applications and obtain credit reports for consumers prior to them visiting the dealership, you will need to consider implementing the following safeguards in order to stay compliant with FCRA. For inquiries initiated over the internet, make sure your website requires credit applicants to provide “digital authorization,” such as a box applicants check signifying they consent to the dealership accessing their credit reports. Also, you should only accept credit applications that applicants submit through an encrypted system, such as a form on your website, and not unencrypted media such as email. If the applicant submits an inquiry over the telephone, you should consider asking the applicant to make an inquiry over a secured, encrypted form, such as one located on your website. If the applicant is unable to do so, your staff should note on the credit application the date and time they received the application and ask the applicant to send a facsimile authorizing the dealership to access the credit report.
Once the applicant visits the dealership, you should have him or her complete a credit application, sign it, and retain a copy in the applicant’s file. You are required to provide adverse action notices or credit score disclosures regardless of whether the consumer initiated a credit inquiry at your dealership or remotely, and your processes regarding credit applications submitted by telephone or the internet should incorporate your dealership’s Red Flags Rule and Safeguards Rule compliance programs. Effective training and monitoring of employees’ access to consumers’ credit reports will help your dealership stay compliant with the FCRA and avoid potential lawsuits.
There’s no question that tablet computers, like Apple’s iPad and Amazon’s Kindle Fire, are extremely popular. Personally, I see more and more people using tablets each day. In fact, I’m writing this post on my Nexus 7 tablet while I wait for a train in Jamaica (in Queens, not the tropical paradise of the same name) [EDIT: While my first draft for this post was on my Nexus 7, I used my Mac to finish it]. I’ve read many articles and participated in discussions about how to best use tablets at automobile and powersport dealerships. Several manufacturers, such as Ford and Mercedes Benz, have created applications for tablets specifically for use during the sales process at their dealerships. While tablets have the potential to make your staff more efficient and offer a “wow” factor to please your customers, tablets can be potential compliance traps, exposing your dealership to potential liability. The topics below aren’t meant to be an exhaustive list of compliance issues arising from tablet usage. Instead, these are a few thought starters to consider when deploying tablets at your dealership.
First, consider how widespread deployment of tablets will impact your dealership’s compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act. The Safeguards Rule requires dealerships to maintain written plans (and implement processes) to protect nonpublic personal information collected from consumers. If you use tablets to collect nonpublic personal information or allow individuals to access this kind of data stored in your DMS or CRM through tablets, you’ll need to address potential breaches involving nonpublic personal information. Ideally, you’ll limit who can access sensitive files from tablets and monitor usage. Nonpublic personal information should not be stored on the tablet itself. The tablets themselves should be password protected and physically secured when not in use. Also, will you allow employees to use tablets from home? If so, you’ll need to determine ways to make sure employees aren’t transferring nonpublic personal information from the tablet to their own devices. These processes should be checked periodically for compliance, and you should train your employees on how to protect the data contained or accessed by tablets. Of course, whatever processes you implement will need to be documented as part of your dealership’s written compliance plan.
You’ll also need to consider how tablets will affect your Red Flags Rule compliance efforts. As part of the Red Flags Rule, dealerships must develop processes to detect identity theft and record potential or actual cases of identity theft and how your processes detected the threat or could be improved. Think of tablets as just another tool to collect data. As with your Safeguards Rule compliance efforts, your processes for Red Flags Rule compliance should include how tablets can be used to detect identity theft or prevent identity theft from occurring at the dealership.
Finally, your employee handbook and training processes should inform employees what is and what isn’t appropriate use of tablets. Don’t rely on a blanket waiver that speaks only to desktop computer use to protect your dealership. Make sure your documents are clear enough that a court would find your intent to apply the same rules pertaining to desktop computers to other kinds of devices and uphold these provisions as applied to tablets. Employees should not be allowed to store their own personal apps or information on tablets assigned to them. They also should not be allowed to access websites, applications or other things that are illegal or offensive. Nor should they be allowed to download or share copyrighted material. If employees break these rules, then you must consider appropriate discipline in order to give force to your policies.
If you use tablets at your dealership (or another kind of business), what steps do you take to stay compliant?