Thursday, June 5, 2008

Vetting your Red Flags rule provider

by: Gil Van Over

They are everywhere, providing Red Flags Rule solutions.

Complying with the Red Flags Rule can be broken down into seven words: policy, train, detect, prevent, mitigate, oversight and ensure.

Before you sign up with a provider and believe you are fully covered, you need to ask seven questions.

The final rules and guidelines of the Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 were issued by several federal regulatory agencies late last year. Dealers are required to have a program in place by November 1, 2008.

The PDF version I have of the final rules is 125 pages long. About 13 pages apply to car dealerships. Seven words summarize dealership requirements.

When you are approached by a vendor who claims to have a Red Flag Rules (RFR) solution, ask the vendor how its solution helps the dealer in these seven areas.


The RFR requires that the dealer have a written policy that outlines the program and the processes within the dealership.

Ask the vendor, “Show me the template you are using to help me develop a dealership specific RFR policy.”


You are required to train your employees in your program and the processes within your program. To protect yourself, you should keep track of which employees were trained and when the training was administered.

Ask the vendor, “How do my employees receive training in the RFR program with your solution and how do you keep track of which employees were trained and the date they were trained?”


The RFR provides a list of potential Red Flags. While the rule does not require that a dealer develop a program that incorporates the detection of each of these potential red flags, try explaining why you didn’t if it would have flagged a transaction.

Ask the vendor, “How does your solution help me to detect the potential red flags identified in my program, both electronic and manual red flags?”


Here the agencies are ambiguous. They simply require a dealer to have processes in place to help prevent identity theft from occurring in a transaction at your dealership. Most ID theft experts agree that asking out-of-wallet questions provides a higher degree of prevention than simply comparing application data to credit bureau data.

Ask the vendor, “Does your solution require that consumers answer out-of-wallet questions as a way of protecting both the consumer and my dealership from identity theft?”

Ask the vendor, “Does your solution guarantee that my customers’ identities will not be stolen?” (If the vendor will give you a guarantee, get it in writing)


If a security breach happens at your dealership, you will be required to mitigate the damage to the consumer.

Ask the vendor, “Even with a solid program in place and conscientious, trained employees, I know you can’t guarantee that a consumer’s identity can’t be stolen. What steps does your program offer to mitigate the effects of identity theft on my customer?”


The owner, or Board of Directors, is required to approve the initial program, ensure oversight of the development, implementation and administration of the program, training staff and overseeing service provider agreements.

Ask the vendor, “How does your solution help me with the oversight requirements under the RFR?”


Another way to say audit. The rule requires that dealers ensure the program is updated periodically, the program is tested for sufficiency and an annual written report is provided to the owner of the dealership on an annual basis.

Ask the vendor, “Does your solution provide the program audits, update my program as needed and write the annual written report to me (or my owners)?”

Only when these seven questions are answered to your satisfaction should you be comfortable with a RFR provider.

Gil Van Over is the President and founder of gvo3 & Associates, a nationally recognized F&I, Sales and Red Flag Rule compliance consulting and training firm (

Link to Source Dealer F&I Article:

Back to blog homepage

No comments: