Tuesday, May 13, 2008

Waving the Caution Flag at Red Flag Solutions

Article by: JR Wilson

This entire Red Flag issue has started to consume, and confuse, many in the industry. I myself have been scratching my head wondering “what are these guys thinking” when reading about some of the so-called solutions that are now available. It really is amazing the number of red flag/compliance “experts” that have, all of a sudden, appeared out of nowhere touting their knowledge and promoting their wares to dealerships. But that’s a discussion for another time; let’s dissect the topic at hand.

The Red Flag Rule is 256 pages long but the portion that governs a dealership’s Identity Theft Prevention Program can be summarized in six words. Yes, six simple words. These are the requirements of the program and deciding on your compliance initiative is very simple. You either have all six of these included or you do not have a compliant program.

The six required areas for a Red Flag compliance program are:

1. Policy
2. Training
3. Detection
4. Prevention
5. Mitigation
6. Audit

Policy: The rule requires you to design and implement an Identity Theft Prevention Program that encompasses the other five areas.

Training: You must train your employees on the policy.

Detection/prevention: You must implement a process to detect and prevent identity fraud during your transaction processing. For dealerships, this means vehicle deliveries and parts/service purchases.

Mitigation: Within the policy, you must have measures that 1) reduce the chance of internal identity fraud via employee involvement and/or a customer information breach; 2) lessen the risk of fraud on any existing customer accounts (not really applicable to dealerships); and 3) minimize the possible impact on your current customers in the event of future identity fraud exposure.

Audit: You must perform a policy review, at least annually, to determine the results and make the necessary adjustments to ensure the ongoing effectiveness of the policy.

Currently, the majority of the noise about the Red Flag Rule deals with the detection and prevention requirements. A lot of people think: 1) the 26 ‘red flags’ are steadfast and written in stone, and 2) if they check these 26 ‘red flags’ they are a) compliant; b) protected; and c) have satisfied the regulation’s requirement. Neither of these could be further from the truth. Dealers that implement such programs are not to blame (except in their lack of research) as they trust solution providers to implement protective solutions. The problem lies with misinformed people designing compliance programs through either an abbreviated understanding of the law or, worse, a tainted interpretation that allows them to promote their product through the fear factor. Listening to the wrong people and implementing an incomplete program could be devastating for a dealership!

As far as detection and prevention go, there will be four different possibilities that arise during the vehicle delivery: 1) no red flags and the deal is not fraudulent; 2) red flags and the deal is fraudulent; 3) red flags and the deal is not fraudulent; or 4) no red flags and the deal is fraudulent. The last two should be of the most concern when designing the detection and prevention portion of your program. How do you account for all of the possibilities (policy design) and educate (train) your employees to detect, decipher, escalate and resolve these variables while maintaining a customer-friendly and expedient delivery process? The answer is you can’t. Relying on statistical analysis of imprecise indicators will result in varying levels of results. Does this sound like something you want governing your program? Words like variance, statistically, probability and imprecise should never be the underpinning structure of a compliance program.

There was a recent fraudulent vehicle purchase in Cincinnati, which is a glaring example of why the red flags will not detect identity fraud. A couple enters a dealership and the female purchases a Jaguar.

The female used a stolen identity but let’s take a closer look and see what red flags appeared on this deal:

• She looked like the picture on the driver’s license

• She filled out the credit application with the:
- Current address (matched with the bureau)
- Current phone number
- Current employer (matched with the bureau)
- Correct SSN (matched with the bureau)

• There was no fraud alert on the bureau

The real “customer” called the dealership several weeks later “in a panic,” as stated by the newspaper story. Also in the story, the dealership owner was quoted as saying, “What more could we have done?” Unfortunately, four things transpired in this transaction: 1) a car was stolen; 2) there is now a new identity fraud victim; 3) the dealership received negative press and expressed ignorance in protecting their customers; and 4) it’s been made evident that a policy of checking the ‘red flags’ would not have prevented any of the above. The only bright spot for the dealer is this deal happened before November 1, 2008 (deadline for RFR compliance). Otherwise, we would be adding 5) the dealership was found to be in violation of federal law because of its lack of effort in implementing a program to “detect, prevent and mitigate identity fraud” and has been sued by the identity victim for the damages the fraud has caused.

Carefully reviewing every possible offering that is being touted as a ‘red flag solution’ is the diligence you must take to protect your dealership. Before you decide on a solution, make sure it includes all six...and there is no deviation here...of the requirements and truly has a detection and prevention aspect that is not reliant on statistics or possibilities. You are putting your dealership’s name and reputation on the line with every delivery. You deserve definitive results, not possibilities.

J.R. Wilson is an expert on identity fraud and the president of PatriotDealer.com, which provides identity verification and compliance services to dealerships.

Excellent article. This is a way to measure a well-run automotive F&I department.




Russ Horn said...

Here is an article with more information about the new Identity Theft Red Flag rules - http://www.conetrix.com/articles/Identity-Theft-Red-Flags-the-readers-digest-version.aspx

In addition, here is a link to more resources, including a link to the final ruling and an online tool - http://www.conetrix.com/Identity-Theft-Prevention-Program.aspx

F&I Insider Admin said...

Russ posted two good Red Flags Rule resources. Cut and paste each one into a cleared browser to visit the sites.

Good stuff.