The Red Flags Rule requires that dealers develop and implement an Identity Theft Prevention Program (ITPP) to detect potential identity theft and take appropriate steps to confirm the applicant’s identity before proceeding with the close of the transaction. Every dealer we work with engages a vendor to uncover potential red flags.
We look at the dealer’s Red Flags compliance as part of our compliance review. The red flags audit results fall into one of three buckets: the dealership managers don’t give a hoot about red flags; the management team is properly managing the Red Flags process on each transaction; or potential red flags are manually overridden after delivery with little or no documentation so the Red Flags report looks clean.
Manager Doesn’t Give a Hoot
A dealership sold and financed a vehicle to an identity thief even though there were seven red flags identified in the vendor’s red flag report. There wasn’t any documentation that the sales manager attempted to clear any of the red flags. The victim found out about the theft of his identity, filed a police report, and the finance source required the dealer to pay off the account.
Six months later, the same thief, using the same victim’s identity returned to the same salesperson at the same dealership and financed another vehicle with a different finance source. This time there were 10 red flags in the vendor’s red flags report. The dealer became involved in litigation after paying off the second deal.
Managing the Report
Some dealers regularly review the compliance scorecards available in the vendors compliance dashboard and expect to see a perfect score in all the categories. We often find that managers quickly figure out that they can manually override a potential red flag to clean up the report without truly vetting those that are identified during the transaction.
Managing the Process
Truly managing the process means that a red flags report is run, and any potential red flags are vetted and cleared with acceptable documentation before delivering the vehicle. Potential red flags generally fall into one of four categories: address discrepancy, social security number discrepancy, alerts, and freezes. The clearing process is not as simple as running out-of-wallet questions. A manager must review and understand the type of red flags alert the vendor’s report is providing and react accordingly. Let’s get into the weeds.
The first clearing action we recommend is to confirm that the manager did not fat finger the input information. If there was a typo in the name, address, or social security, then retype the information correctly and rerun the Red Flags report. If this clears the red flags previously reported, move forward with the transaction.
I also recently reviewed an attempted identity theft at a dealer group in the Southwest. One of its dealers received an inquiry from a consumer in Michigan with a Michigan driver’s license. The manager was astute enough to recognize the fraudulent driver’s license and stopped the transaction. The next day, another dealership fielded an out-of-area request from a consumer in Pennsylvania. The picture on both driver’s licenses were the same, the consumer information was different. Both driver’s licenses were the enhanced versions, complete with the star.
Because of these examples, a customer’s driver’s license or insurance card are never sufficient by themselves to clear any red flag.
- Address discrepancy – The red flag occurs when the address information provided is not consistent with the consumer’s address in the credit report and/or other databases. An address discrepancy is best cleared with proof of residence, such as a utility or communication bill, bank statement, mortgage statement, or the like.
- Social Security Number discrepancy – The appropriate clearing action is a copy of the social security card or award letter.
- Alert – The consumer has placed an alert on its credit report. The accepted clearing action is to respond to the action requested (i.e., call me at this number) and successfully clear the out of wallet questions.
- Freeze – The consumer must thaw the freeze, then rerun the bureau and red flags request. Any new red flag that pops up after rerunning the report must be appropriately cleared.
Once you’ve taken the steps to properly clear the red flag(s), manually update the report in your vendor’s software and retain a copy of the clearing documentation in the deal file.
As always, stay safe, good luck, and good selling.
Gil Van Over is the executive director of Automotive Compliance Education (ACE), the founder and president of gvo3 & Associates, and author of Automotive Compliance in a Digital World.