An alphabet soup of regulators — DOJ, FTC, ECOP, state AGs, and now the CFPB — have set their sights on auto dealerships. Regulatory pressure is nothing new, of course. But recent activity by the Consumer Financial Protection Bureau is increasing the level of scrutiny surrounding consumer finance.

This increased scrutiny is not the regulation du jour — it’s here to stay. And as “third parties” to financial institutions, auto dealerships must do all they can to fill the compliance gaps, because regulators are asking tougher questions and demanding that they dig deeper to prove their compliance with an ever-widening collection of obligations.

What regulators are most concerned about is whether there is a “structure” around compliance, and whether it is integrated into dealership operations. They also want to see coordination and communication about responsibilities, and they want to see that all compliance obligations are addressed. They’re also concerned about whether there is accountability, and whether there is a process for correcting identified compliance issues.

A review of recent Civil Investigative Demands (CID) by the Federal Trade Commission (FTC) and the CFPB reveals specific areas currently being scrutinized. They include the handling of customer private data, and management of a dealer’s identify-theft prevention and fair credit programs. They’re also very interested in dealers’ advertising practices.

The problem for dealers is most won’t know they have issues until an auditor points them out. The good news is that a proactive effort to address compliance obligations can mitigate the ill effects if a regulator finds a problem. Hey, there’s a lot to be said for a good faith effort. However, demonstrating good faith requires some investment of time and money.

Plugging the Compliance Holes

The best use of your compliance dollars is to embrace the CFPB’s recommendation for a compliance management system. A CMS is a formal, written program that is built into every stage of your operation, from advertising to sales to F&I and back-end processes. It includes taking four interconnected steps:

1. Executive Oversight: Your board of directors and senior management should take an active role in your compliance efforts. This sets the tone at the top and defines compliance expectations for the company as well as its service providers. If management cares about compliance, everybody else will — or at least should — care about it too.

Specifically, leadership is responsible for appointing a compliance champion, a dedicated individual or someone serving in a split role that manages the compliance mandates the board establishes. Senior management is also responsible for creating the compliance structure into which operational policies, procedures and standards are placed. They must also proactively allocate resources to compliance, as well as review periodic reports and recommend course correction on compliance matters.

2. Compliance Program: This is the nuts and bolts of a CMS. Administered by the compliance champion, the program includes approved written policies and procedures, training, monitoring and corrective action. It should give accurate information to help make informed decisions about the organization’s ongoing compliance posture and activities.
Signs of an effective compliance program include repeatable processes (operationalized), automated systems that serve as controls and influence behavior, real-time access to information and coordination of activities across functional departments.

3. Complaint Resolution Program: Even the best businesses receive customer complaints. From a compliance perspective, complaints give valuable insight into potential issues. As such, they draw the attention of regulators. By the way, the FTC noted that among the Top 10 complaint categories, auto-related grievances ranked seventh.

A consumer complaint management program is the third element of a CMS. It helps log, track, investigate and resolve complaints in a timely manner. The compliance advocate should analyze complaint data to identify and understand underlying issues and business risks. For example, maybe the disclosure process has broken down when finance terms are presented to consumers. Additional training could be in order.

4. Independent Compliance Audit: Finally, the CFPB recommends an objective audit of a company’s operations to ensure compliance with legal requirements, as well as internal policies and procedures. The word “audit” may sound scary, but it isn’t. Dealership personnel may conduct an audit; however, they must be independent to the functions being audited. This provides objectivity and eliminates conflicting self-interest.

The audit function could start small and build. Start by manually examining a random sample of 10 or 20 deal jackets each month to make sure all internal processes are being followed and the paperwork is complete. If it’s not complete or a problem is discovered, it’s time to teach or retrain employees. A written CMS could streamline the audit process and provide ongoing assurance and validation that obligations are being met.

The point of an audit is to verify effective internal controls are in place and to allow issues to be addressed promptly, including corrective action and remediation. Such corrective action and remediation should be external, with the goal of “making the consumer whole.” It should also be internal in that the underlying problem should be corrected.

The beauty of a CMS is that it can proactively address the risks relevant to your organization while meeting multiple regulatory requirements. It brings to light problems that may be symptomatic of deeper issues within a dealership. Properly administered, it can fix those issues before they explode into something more costly.

Meanwhile, management will be better prepared when regulators come knocking on the door, allowing them to minimize the typical “fire drills” that distract the organization from the business of selling cars. Finally, and most critically, a CMS prevents harm to consumers by minimizing violations of the law and helping the workforce meet its compliance obligations. And isn’t protecting and retaining customers the best reason of all for remaining compliant?

David Childers is the CEO of Compli. Patty Covington is a partner in the law firm of Hudson Cook LLP. Email them at [email protected] and [email protected]