“When all you have is a hammer,” goes the old saying, “everything looks like a nail.” This is certainly true in the tool shed of compliance. Many companies boast of having “the strongest compliance tools in the business,” but those tools invariably address only the narrow scope of the sponsor’s interest. A menu company may have great disclosure features or a finance portal may track adverse actions like a champ, but do either help protect a dealership from a sexual harassment lawsuit or a hazardous materials violation?

While such tools may be good, they are not complete. What is necessary is a compliance program that addresses not just a few discrete areas of potential liability, but all of them. What dealers need is the Full Monty.
So, why do dealers accept partial solutions? While there are probably as many answers as dealers, I suspect the answer lies in the fact most dealers and general managers rose through the ranks of sales and F&I, not the service drive or HR. Thus, the average dealer is more likely to be attuned to consumer lawsuits than violations related to the federal Occupational Safety and Health Administration (OSHA). But risk surrounds the entire dealership, which means the Full Monty needs to surround the dealership, too.

Navigating the Compliance Maze
The amount of regulations that impact dealerships is well documented in the National Automobile Dealers Association’s annual update on federal regulations, The Regulatory Maze. But if you really want to lose some sleep, check out the NADA & ATA Federal Regulatory Compliance Chart (download a copy at www.nada.org). Both of these pieces make clear there are numerous legal requirements dealerships must meet, but a certain subset requires objectively verifiable actions such as written policy documents and training programs.

So, does your dealership have the Full Monty?  If you have policies and procedures in place to address all of the following areas, it might.

1. Environmental, Health & Safety
Let’s start in the back of the store. Although this topic embraces every square inch of a dealership, its greatest impact is felt in the service department. Simply put, there are more ways to get hurt or killed in the service department than in the break room. Addressing all that potential mayhem are the following regulatory initiatives that absolutely, positively must be followed throughout the dealership:

Initiative No. 1: Written Plans and Programs
• Hazard communication program
• Emergency response program
• Respiratory assessment
• Respiratory program (if indicated by the assessment)
• Personal protective equipment program assessment
• Personal protective equipment program
• Bloodborne pathogen policy/program
• Ergonomics program
• Asbestos handling program
Initiative No. 2: Documentation
• Material safety data sheets collected and available
• Training records
• Accident records
• Chemical inventory list
• Musculoskeletal disorder signs/symptom records
Initiative No. 3: Activities
• Employee training
    • Right to know
    • Fire extinguisher
    • Personal protective equipment (including respirator)
    • Emergency response
    • Ergonomic action triggers
    • Asbestos handling (wet method)
• Medically evaluate respirator wearers
• Label non-original containers of regulated chemicals
• Inspect non-original containers of regulated chemicals
• Discipline those who violate safety policies

All of these requirements come courtesy of the OSHA, but there are other regulations that need to be followed as well. And they all contain written policy, training and activity requirements — you either have them and do them or you don’t. The good news is all of this is what you call “low hanging fruit,” as these requirements are easily identified and enforced regulations that, if not followed, pretty much guarantee the dealership is missing the boat with all the rest.

2. Operational Procedures
The Red Flags Rule, which is chock-full of verifiable requirements, is a good example of how compliance mixes with operational procedures. First, you need an Identity Theft Prevention Plan (ITPP). By the time an identity thief walks onto the showroom floor, the identity theft has already occurred. So, if an investigator or plaintiff’s lawyer asks to see a copy of your ITPP, can you hand it over?

The Red Flags Rule also requires that dealers train employees on the dealership’s Red Flags policy, which must cover the dealership’s processes to detect and mitigate identity theft. So, is that training happening? And how can you prove who took it, and if they understood the training?

Additionally, the rule’s requirement for dealerships to oversee their service providers by contractually requiring them to follow the rule to the extent applicable to their duties suggests the appropriate language must be in those service providers’ contracts. Is it?

Finally, the requirement to periodically review and update the ITPP and report (at least annually) to the board of directors concerning the dealership’s identity theft experience means there must be a paper trail of those activities. So, is there?


Compliance Training
There are literally dozens of federal and state regulations governing every facet of a dealership’s operations. So, do your employees know what they are? Do they know the requirements that flow from those laws? Do they understand and agree to follow those requirements?

If you can’t answer all of those questions in the affirmative, your dealership is vulnerable.  

Compliance training also extends beyond the obvious. For instance, does your F&I personnel know all of the features, benefits and limitations of the products they sell, because there is a risk of misstating what’s covered to customers. Plaintiff’s lawyers like to call that “fraudulent misrepresentation.” So, a verifiable system of training, demonstrating what you taught, who took the training and their level of understanding is a desirable feature of the Full Monty.

Deployment Verification
Every dealership has — or should have — an employee handbook setting forth the dealership’s internal policies and procedures. A dealership may even have specialized, job-specific policy manuals (F&I, sales, etc.). Tracking who received these manuals is difficult; proving who actually read and understood them is even harder.

On the other hand, putting such manuals on a dealership website and creating quizzes to verify understanding and consent to their terms is easy. It is the 21st century; HR needs to catch up.

Audits and Paper Trails
Another rule requiring a written compliance program is the Safeguards Rule, which requires that dealerships develop a written Information Security Program (ISP). Like the Red Flags Rule, the Safeguards Rule requires a risk assessment, oversight of service providers, and regular reviews of the ISP’s effectiveness. All of those things create a paper trail. So, does your dealership have such a trail? More importantly, does your dealership perform regular audits to take advantage of those paper trails?

Like the cliché goes, you can’t expect what you can’t inspect. And audits — especially third-party audits — can both tell you what has happened and what hasn’t happened. A process of regular third-party audits completes the Full Monty; no compliance program is complete without it.

Dealerships can conduct audits in-house, but third-party audits are preferred. And if conducted annually, the audits can include gathering the facts necessary to complete your required Red Flags’ and Safeguards’ reviews and written reports.

Complete the Task
If all that sounds like a lot, it is. The Full Monty needs to be a coherent, integrated program that touches every department at the dealership. Many current vendors provide important parts of the Full Monty. But despite their claims in their ads, they do not by themselves make for a complete program.
No dealership’s Full Monty will ever be perfect. But being able todemonstrate you’ve addressed each of these issues in a coordinated fashion will insulate your dealership from the worst consequences of failing to do so. So don’t settle for anything less than the Full Monty — that would be like going naked.

Jim Ganther is the president and CEO of Mosaic Interactive, a company created by dealership attorneys to create web-based legal compliance and training tools for auto, RV, motorcycle and marine dealerships. E-mail him at [email protected]