CREATING AN ID THEFT PREVENTION PROGRAM
By Joe Bartolone
Before you start searching for the finalized document on the Red Flag Rule, understand that it's 256 pages. Below is an outline to help you get started with your identity theft program. Just remember, there is a lot to consider with this newest regulation. That's why it's highly recommended that you seek legal advice. You should also seek out industry associations, as well as your lender partners.
1. Developing a Written Program
What might be the biggest headache for dealers is developing a written program to combat identity theft. Just remember the program must contain "reasonable policies and procedures for detecting, preventing and mitigating identity theft." The first step under this heading is to identify areas that pose a risk to the business. So when it comes to F&I, dealers will need to identify the following:
- The types of accounts offered or maintained
- The methods it provides to open its covered accounts
- The methods it provides to access its covered accounts
- Previous experiences with identity theft
Dealerships will also have to determine sources of red flags relevant to their operation. Much of this can come from past experiences the dealership has had with identity theft. Dealer associations and legal advisors can also help identify other sources of red flags.
Dealerships will also need to identify when a red flag should be raised. This includes alerts, notifications or other warnings received from a consumer-reporting agency or a service provider, such as a fraud detection service. This also refers to suspicious documents (i.e., suspicious address change notice or personal identification documents) the dealership receives from a customer.
Notices from customers, identity theft victims or law enforcement are also indicators of a red flag.
2. Detecting Red Flags
Dealerships will also have to formulate policies and procedures F&I managers must adhere to on every transaction, which basically means an F&I manager doing his or her due diligence to verify the customer's identity. This will include such steps as collecting identifying information or verifying the validity of an address change notice.
3. Prevent and Mitigate Identity Theft
The program policies and procedures should also provide appropriate responses based on the risk posed when a red flag is raised. Responses could include contacting the customer, not completing a transaction and notifying law enforcement.
4. Program Updates
Dealerships will need to periodically update their program to reflect any new sources, trends or methods of identity theft. This means dealers will need to note how their program held up each time the dealership faced a red flag.
Dealers will also need to update their program to reflect any new procedures instituted at the dealership. And again, it's a good idea for dealers to remain in constant contact with their legal counsel, as well as state and local dealer associations to stay updated with any new developments related to identity theft.
5. Methods for Administering the Program
Aside from implementing the written program, dealerships will also need to designate an individual (typically someone at the senior management level) to oversee the program's development, implementation and administration. In fact, this could be the first thing a dealership does.
This individual is who dealership personnel will refer to whenever a situation related to the program arises. This is the person who will make the final call. He or she will also collect reports from staff about all matters related to the dealership's identity-theft program.
This person will also be required to collect reports from employees on the effectiveness of the program. This could include how the program addresses the risk of identity theft, service provider arrangements, significant incidents involving identity theft and management responses. This person will also be responsible for recommending and implementing changes to the program.
6. Other Legal Requirements
A dealership's written program will also need to include requirements for extending credit to a customer despite the detection of a fraud or active duty alert. This is important for dealers operating in areas housing military personnel. Dealerships will also need to implement any requirements for sending consumer reporting agencies corrected or updated information about a customer