The latest statistics from the feds suggest that at least one-quarter of Americans have been a victim of identity theft. That percentage would likely be higher if some of the victims were aware that their identity had been compromised.
ID thieves use a victim’s information in different ways. Some file fraudulent tax returns. Others pursue bogus medical claims. Still others look to open credit accounts in the victim’s name with no intent to ever repay the obligation.
Under the Federal Trade Commission (FTC)’s Red Flags Rule, dealers have an obligation to have an identity theft-prevention program (ITPP) in place to help diminish the likelihood that an identity thief can use a victim’s information to purchase or lease a vehicle.
The Red Flags Rule was the second FTC rule that required a dealer to employ a compliance management system (CMS) approach, the Safeguards Rule being the first. Once the ITPP is in place, the dealer’s primary responsibility becomes applying the policy to every financed or leased transaction.
Most dealers use a software provider to vet the customer against the vendor’s Red Flags algorithm. If the customer fails to pass the test, then the vendor notifies the dealer of the failure and provides direction on how to clear the Red Flags. Some dealers, however, fall short of their obligation to comply.
For example, the vendor’s response may alert the dealer that the address the dealer provided is different than the address the vendor’s databases report for the customer. This is an obvious Red Flag: The thief wants to keep the theft secret for as long as possible and wants to avoid any compromising mail going to the victim.
To properly clear this Red Flag, the dealer should obtain valid proof of residence from the customer to confirm the customer is not a thief. With a properly vetted proof of residence, the dealer should then document the file or the steps taken to clear the Red Flag.
Similar steps should be taken if the Social Security number the customer provided doesn’t match what’s in the compliance vendor’s databases or belongs to a deceased person. Obtain a copy of the Social Security card or a letter from the Social Security Administration. To check for forgeries, a quick Google search on Social Security cards will provide you with legitimate examples to compare against for the card’s date of issue. Remember, Social Security cards change and morph over time.
There is a wrong way to execute this process. For instance, some vendors have a mechanism to document that the Red Flag was cleared and retain that documentation in their archives. Unfortunately, “clearing” the Red Flag can be as simple as the F&I manager clicking on a button in the software, even if all the steps have not been followed according to the dealer’s procedure.
Or, if the dealer has a manual process to clear Red Flags, the F&I manager may just ignore the address discrepancy in the customer’s credit bureau report and sell the vehicle. Either approach is fraught with the risk of selling a vehicle to an identity thief.
The correct approach to documenting that the dealership conducted its due diligence and properly vetted the transaction is to treat a Red Flag like you treat a subprime stip.
Many dealers use a structured approach to clearing and submitting subprime stips, and with good reason. Some dealers have seen deals become subject to recourse from some subprime finance sources after the deal defaulted. The reasons vary, but can sometimes be addressed by the stips provided at funding. Unfortunately, if the dealer did not obtain, vet, copy and submit the stips, the dealer does not have the documentation to fight the claim.
Same goes for documenting the clearance of potential Red Flags: Obtain the clearing documentation, vet it for legitimacy and authenticity, copy it for your file, and then document the clearing action in your vendor’s system.
You now have proof that, to the best of your knowledge, you properly cleared the Red Flags and can proceed with the sale. Good luck and good selling!
Gil Van Over is the executive director of Automotive Compliance Education (ACE) and the founder and president of gvo3 & Associates. Email him at [email protected].