The Fair Credit Reporting Act (“FCRA”) restricts reasons dealers may use to obtain, use, and share credit reports. In addition to these restrictions,FCRA requires dealerships to provide certain notices to consumers applying for credit. Dealerships should only obtain credit reports from consumers when they have express permission to do so. Issues arise when consumers make inquiries about obtaining financing when they are not physically present at the dealership. In these cases, it is imperative that the dealership has processes in place to obtain consumers’ written consent or otherwise show they have permission to obtain credit reports on behalf of consumers. Otherwise, consumers may claim the dealership violated FCRA by accessing the their credit reports without prior consent.
You will need to determine whether your dealership will accept credit applications from consumers that are not physically present at the dealership. There are inherent risks associated with accessing credit reports when the applicant is not at the dealership that you will need to balance with business considerations such as customer expectations, convenience, and pressure from competitors. If you choose to accept credit applications and obtain credit reports for consumers prior to them visiting the dealership, you will need to consider implementing the following safeguards in order to stay complaint with FCRA. For inquiries initiated over the internet, make sure your website requires credit applicants provide “digital authorization,” such as a box applicants check signifying they consent to the dealership accessing their credit reports. Also, you should only accept credit applications that applicants submit through an encrypted system, such as a form on your website, and not unencrypted media such as email. If the applicant submits an inquiry over the telephone, you should consider asking the applicant to make an inquiry over a secured, encrypted, form such as one located on your website. If the applicant is unable to do so, your staff should note on the credit application the date and time they received the application and ask the applicant to send a facsimile authorizing the dealership to access the credit report.
Once the applicant visits the dealership, you should have him or her compete a credit application, sign it, and retain a copy in the applicant’s file. You are required to provide adverse action notices or credit score disclosures regardless of whether the consumer initiated a credit inquiry at your dealership or remotely, and your processes regarding credit applications submitted by telephone or the internet should incorporate your dealership’s Red Flags Rule and Safeguards Rule compliance programs. Effective training and monitoring of employees’ access to consumers’ credit reports will help your dealership stay compliant with the FCRA and avoid potential lawsuits.
A few days ago I reblogged a post from Naked Security about an enforcement action by the Massachusetts Attorney General’s Office against doctors in Massachusetts that unlawfully disposed of patient records. You can read the original post here. In summary, the doctors allegedly violated the Health Insurance Portability and Accountability Act (or “HIPAA“) by throwing out documents that contained the nonpublic personal information of their patients. If “nonpublic personal information” has triggered thoughts about your compliance programs at your dealership then you’re off to a good start today (or you spend a lot of time thinking about compliance, which is a good thing). The Safeguards Rule of the Gramm-Leach-Bliley Act obligates your dealership to create and maintain processes that protect nonpublic personal information. Piggybacking off of the Safeguards Rule is the Disposal Rule, which, like HIPAA does for health care professionals, requires dealers to maintain processes that effectively destroy documents that contain nonpublic personal information. With fines up to $1000 per violation, as well as allowing plaintiffs to recover their legal fees , the Disposal Rule is something your staff should not ignore.
Gone are the days when a dealership employee could simply throw a completed credit application or “dead deal” folders full of deal paperwork in a garbage can. Now, if dealers have any documents that contain nonpublic personal information, such as social security numbers, customers’ date of birth and so on, they must dispose of the documents in a way compliant with the Disposal Rule. The Disposal Rule requires dealerships to maintain “disposal practices that are reasonable to prevent the unauthorized use, or access to, information in a consumer report.” Suggested practices include burning, pulverizing or shredding hard copies containing nonpublic personal information, or, if the information is stored electronically, appropriate erasure or destruction procedures. If you contract with third parties to handle document document disposal, your dealership may be liable for their failures to comply with the Disposal Rule. You can find a summary of the Disposal Rule and examples of what compliant processes contain here.
In the case cited by Naked Security, a photographer for the Boston Globe discovered the documents discarded by the doctors while dumping his own garbage. Apparently the doctors’ offices shared a community dumpster with the photographer. The photographer then referred the matter to the Attorney General’s office, who later brought suit against the parties. It is easy to image similar discoveries made by employees or customers at a dealership that fails to comply with the Disposal Rule. A disgruntled employee could report the dealership to the proper authorities or a consumer could see intact documents in a waste bin and file a complaint. Compliant Safeguards Rule processes include processes that comply with the Disposal Rule. Protect your dealership against similar suits by developing processes and training that addresses how your employees will dispose of information in accordance with the Disposal Rule.
Via: Naked Security
Image Courtesy of Paper Shredding Review
There’s no question that tablet computers, like Apple’s iPad and Amazon’s Kindle Fire, are extremely popular. Personally, I see more and more people using tablets each day. In fact, I’m writing this post on my Nexus 7 tablet while I wait for a train in Jamaica (in Queens, not the tropical paradise of the same name) [EDIT: While my first draft for this post was on my Nexus 7, I used my Mac to finish it]. I’ve read many articles and participated in discussions about how to best use tablets at automobile and powersport dealerships. Several manufacturers, such as Ford and Mercedes Benz, have created applications for tablets specifically for use during the sales process at their dealerships. While tablets have the potential to make your staff more efficient and offer a “wow” factor to please your customers, tablets can be potential compliance traps, exposing your dealership to potential liability. The topics below aren’t meant to be an exhaustive list of compliance issues arising from tablet usage. Instead, these are a few thought starters to consider when deploying tablets at your dealership.
First, consider how widespread deployment of tablets will impact your dealership’s compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act. The Safeguards Rule requires dealerships to maintain written plans (and implement processes) to protect nonpublic personal information collected from consumers. If you use tablets to collect nonpublic personal information or allow individuals to access this kind of data stored in your DMS or CRM through tablets, you’ll need to address potential breaches involving nonpublic personal information. Ideally, you’ll limit who can access sensitive files from tablets and monitor usage. Nonpublic personal information should not be stored on the tablet itself. The tablets themselves should be password protected and physically secured when not in use. Also, will you allow employees to use tablets from home? If so, you’ll need to determine ways to make sure employees aren’t transferring nonpublic personal information from the tablet to their own devices. These processes should be checked periodically for compliance, and you should train your employees on how to protect the data contained or accessed by tablets. Of course, whatever processes you implement will need to be documented as part of your dealership’s written compliance plan.
You’ll also need to consider how tablets will affect your Red Flags Rule compliance efforts. As part of the Red Flags Rule, dealerships must develop processes to detect identity theft and record potential or actual cases of identity theft and how your processes detected the threat or could be improved. Think of tablets as just another tool to collect data. As with your Safeguards Rule compliance efforts, your processes for Red Flags Rule compliance should include how tablets can be used to detect identity theft or prevent identity theft from occurring at the dealership.
Finally, your employee handbook and training processes should inform employees what is and what isn’t appropriate use of tablets. Don’t rely on a blanket waiver that speaks only to desktop computer use to protect your dealership. Make sure your documents are clear enough that a court would find your intent to apply the same rules pertaining to desktop computers to other kinds of devices and uphold these provisions as applied to tablets. Employees should not be allowed to store their own personal apps or information on tablets assigned to them. They also should not be allowed to access websites, applications or other things that are illegal or offensive. Nor should they be allowed to download or share copyrighted material. If employees break these rules, then you must consider appropriate discipline in order to give force to your policies.
If you use tablets at your dealership (or other kind of business), what steps do you take to stay compliant?
Imagine you’re sitting in your office at the dealership, going through the mail. You notice an envelope with an attorney’s return address. You open it immediately and start reading the letter. According to the letter, your dealership ran a credit bureau on Granny Smith and attempted to obtain financing in order for her to purchase a vehicle. Problem is, according to the letter, Granny Smith never gave your staff permission to do so. After wading through the legal threats, your hands begin to shake and your mind races. You vaguely remember Granny Smith coming to the dealership months ago to purchase a vehicle, but she didn’t agree to the terms of the loan your F&I manager obtained for her. You run to your sales manager and ask him where’s the file for Granny Smith. He shrugs. The next call you make is to your attorney.
Many dealerships accumulate vast amounts of nonpublic personal information during the course of operating each day. Paperwork for deals that result in a sale are often kept in the dealership’s accounting office. However, the gaping hole many dealers face in their compliance efforts comes from how they maintain “dead deal” paperwork. For our purposes here, a dead deal is any deal that does not result in a sale. A deal can die for a variety of reasons. One could be that particular consumer purchased a vehicle from another dealership while other deals die when your dealership cannot obtain favorable financing for the consumer. Either way, dead deals often contain nonpublic personal information that the dealership collected during the sale process. This triggers obligations under the Safeguards Rule of the Gramm-Leach-Bliley Act. The Safeguards Rule applies whether you complete the transaction or not. Furthermore, because of the dealership collected this information to obtain financing for the consumer, dealerships often have obligations to provide adverse action notices.
So, what should you do to minimize the risks described above? Here are some best practices for maintaining dead deal paperwork:
- You should maintain your dead deal paperwork for at least five years, unless state law mandates longer retention.
- Your filing system should be in a secure location, like a locked office, desk of file cabinet depending on the volume of files. Take similar precautions to safeguard electronic formats of these records.
- You should limit access to dead deals to authorized personnel, and log removal and return of dead deal paperwork.
- Your filing system should be easy enough for authorized employees to find relevant dead deal paperwork quickly, in order to respond to demands by consumers or attorneys.
- Provide adverse action notices where appropriate. This topic is vast enough for its own blog post, so I recommend discussing this matter with local counsel to make sure your practices are compliant.
- Submit 100% of customers who fill out credit applications for approval/denial. This is a big deal. Suppose your sales associate fills out a credit application with a consumer only to hear the F&I manager say there’s no possible way the consumer will obtain financing. The F&I manager just made an adverse credit decision, triggering notice obligations. Instead, submit all credit applications, no matter how bad the consumer’s finances may be, to your dealership’s lending partners. That way you can better track whether the consumer received the adverse action notice.
- Reconcile reports provided by credit reporting agencies with your physical files. You should periodically audit reports provided by credit reporting agencies/vendors to make sure you have a signed credit application for each inquiry. Doing so will alert you to possible problems early and also help you detect illicit credit inquiries submitted by employees.
The views of the author and the commentary provided in this post do not constitute legal advice or the establishment of an attorney/client relationship. The author is not an attorney licensed to practice law in any state, and he recommends that the reader seek legal advice prior to taking any action related to the topic of this article.