The automotive finance industry will have some flexibility when it comes to meeting the Nov. 1, 2008, deadline to comply with the “red flag rules,” which regulators finalized last week. But some industry insiders say the wiggle room may be harmful to an industry that is already bound by rules aimed at making it more transparent.
Last Tuesday, the Federal Deposit Insurance Corp. (FDIC)’s board of directors approved the final two rules left over from the implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003. One aimed to restrict marketing solicitation by companies that use credit information provided by an affiliate. The second, which was proposed last July, will require creditors to develop systems for identifying 31 patterns — referred to as “red flags” — indicating that a customer’s identity is at risk of being stolen.
“All 31 components revolve around the issue of a dealer needing to take responsibility for the process of preventing identity theft,” said Mark O’Neil, CEO of DealerTrack. “The complication from our perspective is that you have to identify anomalies in an individual’s credit report. Is a finance guy set up to identify an anomaly? There’s a lot of judgment in our estimation.”
During the public comment period that closed on Sept. 18, 2006, the FDIC received 38 comments, including 27 from financial institutions, seven from trade associations, three from other business entities, and one from an intellectual property task force. Some comments requested that regulators grant flexibility in how banks and creditors develop programs for preventing identity theft. Others asked for clearer, more structured guidance in how these compliance programs should be constructed.
Although both rules — which are expected to be approved soon by the other banking and thrift regulators — remained largely unchanged from the original proposal, regulators did allow for some latitude.
“While an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its program, the program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rules,” the rule says.
“The guidelines track all of the components of the regulation itself, and they provide more guidance as to how each entity should implement those components. But they’re not mandatory, so they provide flexibility,” explained Naomi Lefkovitz, spokesperson for the Federal Trade Commission. “So for larger institutions that already have sophisticated fraud detection programs, they need to meet the requirements of the regulation, but they don’t necessarily have to implement them in the exact way that the guidelines say; they can use that as a guide. And for smaller businesses that aren’t sure what to do, it actually helps to provide good guidance for them.”
The concern now involves the effective date of the two new rules.
Originally, the agencies planned a nine-month implementation schedule. Some comments received did push for 18 months. The agencies, however, settled on a one-year implementation schedule. And while several banks and creditors may be challenged in trying to coordinate marketing notices with the annual privacy notice required by the Gramm-Leach-Bliley Act, an even bigger challenge may be getting automotive dealerships ready for the November deadline.
“We’re not looking for perfection, we’re looking for reasonable efforts in implementing procedures,” said the FTC’s Lefkovitz. “If you need to have a written program, that would be the start: have a written program. Then after that it would be that you’ve reasonably tried to reach the objective, which is to ultimately detect identity theft.”
Some software providers, such as DealerTrack and Compli, are already maneuvering to get their software up to date with the new rules.
“We plan on working with Hudson Cook on a complete national ‘red flags’ program within the Compli Dealership Compliance Management System,” said Compli’s Jim Lawrence, who expects the program to be ready by February 2008. “Its adoption and monitoring is supported by our enterprise-class reporting engine that provides a simple red/yellow/green visual Executive Dashboard that can drill to trouble spots quickly.”
DealerTrack’s Strati Papgeorge, director of management solutions, added: “DealerTrack is committed to helping dealers with all of their compliance needs, specifically in curbing identity theft through our ID verification and OFAC tool, ExactID, and our password protection and data encryption systems. While the mandatory compliance date for the Red Flag rules is Nov. 1, 2008, the rules are expected to take effect on Jan. 1. DealerTrack will be ready to assist dealers with resources to develop their mandatory red flags Identity Theft Prevention Program and automate as much of the verification processes as possible with existing and new compliance solutions.”