So the big news in the compliance space last quarter was the settlements reached by the Federal Trade Commission with three operators of websites offering fake pay stubs, fake tax returns, and even doctor’s excuses. Heck, one individual even operated a site that sold job verification services in case a fake pay stub his other site sold was questioned.
Interestingly, the FTC never mentioned the positive impact its announcement would have on the auto finance business or dealerships who are often the recipients of these fake documents. Instead, the FTC dedicated an entire paragraph to identify theft.
"Call it a hunch, but I think these settlements should serve as a warning: You had better have your identity theft-prevention program up to date, a compliance management system in place, managers trained on the proper clearing actions if a red flag should arise, and proof that your policy is applied to every transaction."
“Identity theft was the second biggest category of consumer complaints reported to the FTC in 2017 — accounting for nearly 14% of all the consumer complaints made last year,” the paragraph reads. “Credit card fraud was the most common type of identity theft reported by consumers in 2017, followed by tax fraud.”
Well, I reached out to the FTC’s office of public affairs to find out why that is. I had hoped for a phone interview, but I got an email response instead.
I first asked what spurred the investigation into these sites. “The FTC initiates investigations for a number of reasons, such as surveys of market practices, consumer complaints, and news articles,” my contact responded.
I then asked what every F&I manager wonders about: How are these sites allowed to operate? “Some document-printing sites offer legitimate services to small businesses and individuals,” my contact wrote. “But, as these cases show, sites that sell fake documents to facilitate fraud run afoul of the FTC Act.”
In fact, one of the sites listed the following uses for its pay stubs: “… to replace the lost original of documents, to double-check the accuracy of original documents, to prove self-employment, for novelty, for privacy. (You don’t want everyone knowing where you work.)”
I then asked if stopping identity theft was the sole driver of the FTC’s investigations into these sites. “Combating identity theft has been and will continue to be an important priority for the FTC,” my contact responded.
“In 2015, we launched a website (identitytheft.gov) that offers important resources for identity theft victims and others,” my contact continued. “We also offer updated guidance on a regular basis through our consumer education and through workshops, such as a conference we held in May 2017 that examined how identity theft has evolved in recent years.”
My contact failed to mention the Red Flags Rule, which the FTC created along with other government agencies. If you recall, the rule was passed in January 2008 and was set to go live that November. But due to pushback from industries like ours, the FTC delayed enforcement of the rule until Dec. 31, 2010.
Call it a hunch, but I think these settlements should serve as a warning: You had better have your identity theft-prevention program up to date, a compliance management system in place, managers trained on the proper clearing actions if a red flag should arise, and proof that your policy is applied to every transaction.
No, contracting with a software provider to vet customers against a Red Flags algorithm isn’t enough. The FTC will look fondly on that investment, but there’s more to complying with this rule than simply clearing a red flag.
Considering the Red Flags Rule has been in place for almost a decade, you might wonder where this sense of urgency is coming from. I’ll give you three reasons: First, in June, Hudson Cook LLP attorney Eric Johnson speculated that the FTC would have a renewed focus on data security, data breaches, data access, and other privacy concerns. He also noted that the FTC now has a fully staffed commission for the first time in many years, as well as an extremely sharp new director of its Bureau of Consumer Protection in Andrew Smith.
Then there was the reminder the FTC issued on Sept. 24 — six days after announcing the settlements with the operators of those pay-stub sites — that consumers who are concerned about identity theft or data breaches can freeze their credit and put in place a year of fraud alerts for free under the new Economic Growth, Regulatory Relief, and Consumer Protection Act.
Lastly, if you look back a couple of paragraphs, you’ll see that my FTC contact mentioned that the regulator initiates investigations for a number of reasons, one of them being news articles. Well, 12 days before the FTC announced those settlements, New Jersey Attorney General Gurbir Grewal announced that his office reached its own settlement with CRM provider Lightyear Dealer Technology, which does business as DealerBuilt, for exposing the personally identifiable information of customers and employees of more than 100 dealerships nationwide.
See all comments