The Industry's Leading Source For F&I, Sales And Technology

Red Flags

Regulators and the Red Flag Rule

December 2007, F&I and Showroom - Feature

by Gregory Arroyo - Also by this author

Starting Jan. 1, 2008, dealers will have 305 days to comply with the “Red Flag Rules” approved by Federal regulators in late October. Legal analysts say automotive dealers are already ahead of the game, and say the guidelines are a lot more flexible than first proposed.

Compliance will require a combination of dealer-created procedures, legal counsel and technology. Legal analysts advise dealers to view the 26 Red Flag Rules as more of a roadmap to formalizing an identity verification process, and not as strict rules to which dealers must adhere.

“We’re not looking for perfection, we’re looking for reasonable efforts in implementing procedures,” says Naomi Lefkovitz, attorney for the Federal Trade Commission (FTC). “The guidelines track all the components of the regulation itself, and they provide more guidance as to how each entity should implement those components.”

Several items of the Red Flag Rules have changed since they were first proposed in July 2006, with regulators compromising with concerns expressed by credit industries during the public comment period that followed. The Federal Deposit Insurance Corp. (FDIC) received a total of 128 comments. Some comments requested that regulators grant flexibility in how banks and creditors develop a program for preventing identity theft. Others asked for clearer, more structured guidance in how these compliance programs should be constructed.

The rules were first finalized on Oct. 16 by the FDIC Board of Directors. Banking and thrift regulators followed suit later that month. Aside from adding more flexibility on how institutions comply with the regulation, regulators decreased the number of Red Flags from 31 to 26. The question now is whether the November 2008 deadline provides dealers with enough time to comply.

Originally, regulators proposed a nine-month implementation schedule. However, after concerns were raised by credit industries — which pushed for 18 months — regulators decided to give businesses one year to comply.

“What regulators are going through is a balancing act with the timing of the effective date and giving people time to comply. On the other hand, this is a consumer protection tool and they want to get it into play as soon as they can,” says Michael Goodman, an attorney with Hudson Cook LLP. “And from what was proposed in 2006, this regulation isn’t the worst-case scenario.”

Under the finalized rules, Goodman says regulators sought to clarify how their list of sample Red Flag activities should be used. He adds that many credit industries feared that to comply, they would have to adhere to all Red Flag Rules, which is not the case.

Goodman also adds that regulators narrowed the scope of what kind of accounts are subject to the rule. The biggest change, he says, was in regards to business accounts. Referring to automotive fleet dealers, Goodman says dealers need to address that segment if there is a reasonable fear of ID theft. However, he warns, that could change if there is a spike in ID theft for business-to-business transactions.

“Regulators knew it would be way too burdensome to comply with all the Red Flags,” Goodman adds. “All they want you to do is make sure that whatever you’re doing is appropriate for the size of your business. The 26 rules are simply a list of examples. They are not a check list.”

Currently, there is no private right of action under the Red Flag Rules, which will be enforced by the FTC. However, compliance will provide dealerships with a layer of protection against consumer lawsuits.

Your Comment

Please note that comments may be moderated. 
Leave this field empty:
Your Name:  
Your Email: