When compliance software helped a dealership in Ohio catch a suspected ID thief, the incident was held up as a shining example of how software tools can help dealers protect their customers and comply with consumer-protection rules. But the data these compliance solutions pull from isn’t foolproof, as a dealer and a credit reporting agency discovered this past July.

August marked the three-year anniversary of the final compliance deadline for the Red Flags Rule, and this month marks 11 years since the U.S. Treasury deputized dealers to help prevent terrorists from accessing the banking system under statutes imposed by the Patriot Act. That law introduced the Office of Foreign Assets Control (OFAC) rules, which require dealers to check their customers against a government-supplied list of known or suspected terrorists.

But while the Red Flags Rule provides 24 ways to spot an ID thief, and the OFAC offers a long list of ways to verify a match, both rules offer little guidance on how dealerships should respond when an ID thief is spotted or their customer appears on the OFAC’s list of individuals or groups sanctioned from doing business in the United States. In the case of the Red Flags Rule, dealers are simply told to not do the deal, call law enforcement, or continue verifying the customer’s identity.

"For better or for worse, the federal government has forced dealers into the business of policing identity theft," said Thomas B. Hudson, founding partner at Hudson Cook LLP. "But any dealership that is contemplating the possibility of charging a customer with a crime or detaining a customer needs to have its lawyer on speed dial, and needs to consult with the lawyer before any action is taken."

Compliance software helped Jason Gorr confirm his suspicions about a customer posing as a car buyer from Tennessee. His actions helped law enforcement arrest the ID thief, who had bilked five dealerships in four states.

On the Front Lines

Jason Gorr, general manager at Steve Rogers Ford in Waterville Township, Ohio, faced that situation back in May when a 26-year-old Lithuanian man, posing as a customer from Tennessee, attempted to purchase and finance a $61,500 Ford Mustang Cobra. Gorr would later learn that the man, Justas Laugalis, had stolen identities from people across the United States, and used their credit profiles to buy cars before selling them overseas. But his spree of theft and fraud ended at Steve Rogers Ford.

Laugalis first called the dealership about a Shelby GT 500. He then agreed to complete and submit a credit application over the Internet. That made Gorr suspicious because Laugalis’ credit report was spotless. "His credit was perfect, which was strange because most people who submit a credit app over the Internet usually don’t have great credit," Gorr told F&I and Showroom magazine.

Gorr became even more suspicious when Laugalis arrived without any means of transportation. He simply walked into the dealership and said he wanted to purchase the vehicle without a test drive. Following his dealership’s identity theft prevention program, Gorr entered the customer’s name into DealerTrack’s ExactID, which provides "out-of-wallet" questions that anyone but the actual person would have difficulty answering. Laugalis failed the test.

"The software basically confirmed my gut instinct," Gorr said. "I don’t know how people do it without it."

The general manager immediately called authorities, but he also continued working the deal with Laugalis until authorities arrived. When they did, Gorr and the officer worked together to confirm that the customer wasn’t the person he claimed to be. And they had plenty of evidence to prove it.

For starters, the photo on Laugalis’ ID looked nothing like him, said Gorr. The date of birth he provided and the date listed on the ID didn’t match either. So Gorr and the police officer had the original ID photo faxed over from the Tennessee DMV. It wasn’t him, and Laugalis was placed under arrest for theft and identity fraud.

When the officer searched Laugalis, he found six fake ID cards and notes about the people Laugalis had posed as, most of whom worked in the insurance and financial services industries. Laugalis even confessed to the crimes at the scene. According to the Waterville Township Police Department, Laugalis had successfully fooled five dealerships in Illinois, Indiana, Michigan and Virginia before he ran into Gorr.

"If it wasn’t for the Red Flags Rule, we probably wouldn’t have invested in the technology," said Gorr, whose dealership began using ExactID in 2007. "I know the guy in Tennessee is better off because of the Red Flags Rule."

False Positive

Not every story about a dealer’s compliance process ends like Gorr’s. And sometimes it’s not even the process or the technology that failed, but the source of the data from which the solution is pulling. That’s what happened when Sandra Cortez walked into Denver’s Elway Subaru in March 2005.

Like any good car buyer would do, Cortez checked her credit report before traveling to the dealership. Her score was at about 760, which just about matched the score the dealership pulled from TransUnion. But unlike the credit report Cortez obtained, the report the dealership pulled contained an OFAC "advisor alert."

According to court filings, Tyler Sullivan, the F&I manager who worked with Cortez, had never seen such an alert, so he called the regional finance director for advice. He also visited the OFAC’s Specially Designated Nationals list on the U.S. Treasury Department’s website to see if he had a match. What he found was the name of purported Colombian narcoterrorist Sandra Cortes Quintera.

Cortez immediately told Sullivan that she had never been out of the country and that she was born in Chicago. Sullivan said he needed to check with the FBI and made her wait in the salesperson’s office. She stayed there for six hours without incident because the dealership had taken her keys and was holding her down payment.

Cortez was eventually allowed to leave, but was contacted by the dealership later that evening. The dealership rep told her they had determined that she "probably" was not the woman on the SDN list, and then apologized for how she was treated. She also was asked if she was still interested in purchasing the vehicle, which she was.

Elway Subaru also provided Cortez with the credit report obtained from TransUnion. Cortez eventually sued the bureau after making a number of attempts to get the OFAC alert removed. This past July she was awarded $150,000 for her troubles, but told ABC News she was still not satisfied with the OFAC and TransUnion for forcing her to sue in order to get her information corrected.

Hudson Cook’s Hudson said dealers need to prepare for such incidents and have a procedure in place when dealing with a possible false positive.

"This had nothing to do with the software the dealer was using or, for that matter, how the dealer handled the matter," Hudson says. "But detaining customers and calling authorities are serious steps that the dealers need to discuss with their lawyers. Dealers need to know what their responsibilities are and what sorts of reactions should be avoided when they encounter these types of situations."