Starting Jan. 1, 2008, dealers will have 305 days to comply with the “Red Flag Rules” approved by Federal regulators in late October. Legal analysts say automotive dealers are already ahead of the game, and say the guidelines are a lot more flexible than first proposed.

Compliance will require a combination of dealer-created procedures, legal counsel and technology. Legal analysts advise dealers to view the 26 Red Flag Rules as more of a roadmap to formalizing an identity verification process, and not as strict rules to which dealers must adhere.

“We’re not looking for perfection, we’re looking for reasonable efforts in implementing procedures,” says Naomi Lefkovitz, attorney for the Federal Trade Commission (FTC). “The guidelines track all the components of the regulation itself, and they provide more guidance as to how each entity should implement those components.”

Several items of the Red Flag Rules have changed since they were first proposed in July 2006, with regulators compromising with concerns expressed by credit industries during the public comment period that followed. The Federal Deposit Insurance Corp. (FDIC) received a total of 128 comments. Some comments requested that regulators grant flexibility in how banks and creditors develop a program for preventing identity theft. Others asked for clearer, more structured guidance in how these compliance programs should be constructed.

The rules were first finalized on Oct. 16 by the FDIC Board of Directors. Banking and thrift regulators followed suit later that month. Aside from adding more flexibility on how institutions comply with the regulation, regulators decreased the number of Red Flags from 31 to 26. The question now is whether the November 2008 deadline provides dealers with enough time to comply.

Originally, regulators proposed a nine-month implementation schedule. However, after concerns were raised by credit industries — which pushed for 18 months — regulators decided to give businesses one year to comply.

“What regulators are going through is a balancing act with the timing of the effective date and giving people time to comply. On the other hand, this is a consumer protection tool and they want to get it into play as soon as they can,” says Michael Goodman, an attorney with Hudson Cook LLP. “And from what was proposed in 2006, this regulation isn’t the worst-case scenario.”

Under the finalized rules, Goodman says regulators sought to clarify how their list of sample Red Flag activities should be used. He adds that many credit industries feared that to comply, they would have to adhere to all Red Flag Rules, which is not the case.

Goodman also adds that regulators narrowed the scope of what kind of accounts are subject to the rule. The biggest change, he says, was in regards to business accounts. Referring to automotive fleet dealers, Goodman says dealers need to address that segment if there is a reasonable fear of ID theft. However, he warns, that could change if there is a spike in ID theft for business-to-business transactions.

“Regulators knew it would be way too burdensome to comply with all the Red Flags,” Goodman adds. “All they want you to do is make sure that whatever you’re doing is appropriate for the size of your business. The 26 rules are simply a list of examples. They are not a check list.”

Currently, there is no private right of action under the Red Flag Rules, which will be enforced by the FTC. However, compliance will provide dealerships with a layer of protection against consumer lawsuits.


“If my identity was used to buy a car that was later wrecked and my credit report is negatively affected by that, which prevents me from buying something, I might want to sue that dealer,” says Randy Henrick, associate general counsel for DealerTrack. “And failure to have an accurate program would fall under the FTC Act for unfair and deceptive trade practices.”

Dealers also need to remember that the guidelines will be a moving target, which means they will be updated as new trends and risks arise. As a result, dealers will need to update their programs periodically and conduct their own internal reporting each year.

Identity Theft a Growing Concern

One of two remaining components left over from the implementation of the Fair and Accurate Credit Transaction (FACT) Act of 2003, the Red Flag Rules were regulators’ response to what is the fastest-growing crime in the United States. Identity theft currently accounts for more than 42 percent of all complaints filed with the FTC.

The F&I industry has also been warning dealers that ID thieves are now targeting dealerships and are moving away from credit cards. According to an analysis by the Center for Identity Management and Protection of 517 U.S. Secret Service identity-theft cases closed between 2000 and 2006, a business was the point of compromise 50 percent of the time. It also reports the most frequent type of employment from which personal information was stolen was retail stores (43 percent), such as car dealerships, gas stations, casinos and restaurants.

A recent poll conducted by Harris Poll also supports the finalization of the Red Flag Rules. It reports that 60 percent of Americans say they will not support a store with questionable privacy protections.

“I think it’s going to increase CSI tremendously, and I think many dealers are already well on their way to complying,” says Henrick. “And if it helps you sell one less car to ID thieves, it already paid for itself. This is not going to be hard to do.”

Complying With the Red Flags

The first step for dealers is to audit their current methods for spotting ID theft, including a full review of how the dealership handled past incidents. The dealership will then have to create a company-wide procedure on how to identify when a Red Flag is raised and what the employee should do thereafter.

“Think of this as a menu process. Identify the issues and set up the processes from there,” Henrick says. “You don’t want the employee to think; he should just execute the steps.”

The last step for dealers is to appoint someone who will supervise the program and provide guidance on what the dealership should do once a Red Flag is raised. Henrick says a dealer’s response to an incident will fall into place on its own. However, putting the responsibility on dealers as to how to respond is what has some industry insiders concerned.

“Remember, the rules aren’t saying that a dealership won’t be hit by an ID thief,” Henrick explains. “All regulators want is for dealers to have a reasonable process in place to mitigate the situation.”


Some examples of appropriate responses listed in the guidelines are contacting the customer or law enforcement. Others relate to how credit accounts are opened and accessed by customers. Another appropriate response, Goodman adds, is for the dealer to conduct further investigation.

“Not opening a new account is just one of several responses that a dealer can consider,” he says. “While a dealer may decide to discuss this with legal counsel, it is not a dealer’s only option. The key is for the dealer to think about the incident at issue to gauge the risk of identity theft associated with the red flag, and to respond accordingly based on the risk.”

A good starting point is the 26 rules, which are broken up into five sections of identity theft patterns. Henrick says there are at least five or six rules that don’t pertain to dealerships.

Goodman adds that dealers shouldn’t forget about the other component regulators passed under the FACT Act, which is a completely separate requirement from the Red Flag Rules. It focuses on how users of consumer reports respond to address discrepancies. Both Goodman and Henrick say this is a big concern with regulators, especially since multiple addresses can be recorded under one Social Security Number.

Dealers will also have to wrestle with how to handle transactions done over the phone or via the Internet. They will probably need to do a little more investigation and ask more questions, and not accept photocopied documents and identification cards. Legal advisors warn against relying on credit reports to verify a customer’s identity, as the potential ID thief might already have the credit report with him or her.

“Ask things you can’t get from a stolen wallet,” recommended Henrick. “There will be services where they’ll be able to tell you who sold the person’s last house, which is a perfect question to ask. Just be prepared to verify things not on the credit report.”

Compliance Creates Industries

While the road to compliance is simple to map out, the costs associated are still unknown. Training and retraining will definitely be part of the added costs, especially when it comes to employee turnover. Legal fees will also have to be considered. Another cost to factor in is technology.

“There will be electronic solutions, but the regulations specifically say you can’t outsource your entire program,” said DealerTrack’s Henrick, whose company expects to introduce its solution at the National Automobile Dealers Association (NADA)’s February show.

Many compliance software and technology providers have been monitoring the movement of the Red Flags since they were first proposed. Some, like First Advantage CREDCO, have been prepping dealers for the regulation since early last year. Its product will integrate Red Flag alerts into a credit report a dealer orders through its service.

“This past summer, we ran a promotion between June 1 and Sept. 18 where we gave away our BuyerID Index free to dealers nationwide,” said David Woodruff, company spokesperson. “It was an awareness program to help dealers understand and prepare for the proposed Red Flag Ruling. Our position was, ‘Hey, this is coming. You may not be taking this seriously, but we are.’”

Other companies looking to help dealers comply are PatriotDealer, 700Credit, Firewall Dealer Solutions and Compli, which will be working with the attorneys at Hudson Cook on a program that will be integrated into its Dealership Compliance Management System. Expect several more companies to announce technology and software solutions at NADA.

“Undoubtedly, the new Red Flag regulation will result in many different compliance offerings from various providers,” said J.R. Wilson, president of PatriotDealer, Alpharetta, Ga. “And as with any solution, whether CRM, inventory control or F&I delivery, it will take a combination of process, people and technology to become compliant. And this is what dealers need to keep in mind.”