Red Flags Rule
What you really need to know

JR Wilson, President
with
Penelope Bell, Associate

Moderated by
Mike Bowers, Editorial Director, DealersEdge

JR Wilson, President PatriotDealer

J. R. Wilson is Founder and President of PatriotDealer.com, the original provider of compliance technology automation for automotive dealers. Associated with the retail automotive industry for more than 20 years, Mr. Wilson is considered an expert in risk management and fraud prevention and has been called upon for numerous speaking engagements and workshops. Mr. Wilson is involved with multiple U.S. Secret Service and FBI task forces and is frequently called upon as an expert source by industry and national publications, which often rely on him to provide regular columns, articles and educational information.

Penelope Bell, Associate gvo3 & Associates

Penelope Bell is a consulting associate of gvo3 & Associates, a nationally recognized compliance audit, training and review firm that assists dealerships around the country with F&I and sales compliance. In addition to her consulting duties, Penelope is responsible for the gvo3 marketing initiatives. Penelope joined gvo3 & Associates following a successful career as a Senior Research Consultant at LexisNexis in Dayton, Ohio. As a Senior Research Consultant, Penelope was responsible for assisting LexisNexis subscribers with their news, financial and public records research needs, mentoring peers, training implementation, and quality control. Through that research and training experience, Penelope gained knowledge of some of the important rules and regulations that surround the auto industry. Her knowledge has helped in the development of the compliance programs offered by gvo3 & Associates. Penelope received her undergraduate degree in Marketing from the University of Dayton.

Red Flags Rule

Effective: 1 January 2008
Enforced: 1 November 2008

What is a “Red Flag”?
• A pattern, practice, or specific activity that indicates the possible existence of identity theft.
  – 16 CFR 681.2(b)(9)

Red Flags Rule “Identity Theft Prevention Program”
• POLICY & Procedures that:
• TRAIN employees
• DETECT attempts at identity theft
• PREVENT instances of identity theft
• MITIGATE the effects of identity theft
• OVERSEE service providers
• ENSURE the program works over time

Penny Bell, Associate

Policy & Procedures (d)

Establishment of an Identity Theft Prevention Program.

(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. - 16 CFR 681.2(d)

Policy & Procedures (e)

Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must: (1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors; (2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program. - 16 CFR 681.2(e)

Policy & Procedures (f)

Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix A of this part and include in its Program those guidelines that are appropriate. - 16 CFR 681.2(f)

Policy & Procedures
Policy must:
• Be in writing
• Developed by Board
  – What if you don’t have one?
• Consider (at least) the Appendix A guidelines
• Approved by the Board
• Implemented/administered by the Board

Policy & Procedures
Who Should Policy Cover?
• “Covered Accounts”
• Financed customers? YES
• Lease customers? YES
• Cash customers? (qualified) YES
  – RFR may establish “duty”
  – How about protecting the dealership?

Policy & Procedures
Good Ideas:
• Put someone in charge (answers to Board)
• Confirm valid ID and valid user
• Check red flags for everybody
• Do what you can electronically
• Record every step taken at the time it is taken
• USE COMMON SENSE!

Policy & Procedures
Common Sense:
• Know SSN structure
• Look hard(er) at lay-downs
• Always copy driver license
• Scrutinize consumer reports
  – Multiple recent address changes?
  – Fraud alert?
  – Credit freeze?
  – Numerous new accounts?

Policy & Procedures
• Beware of customers in a hurry
• Don’t do anything over the phone or internet you wouldn’t do in person
• Beware of customers paying by check
  – Verifying cash in account is not enough
  – Run RFR verification program/challenge questions
  – Ask for credit application
    • RFR probably NOT sufficient reason to pull a bureau
    • Try for signed application

Policy & Procedures
Building your Policy:
• Use available templates
• Tie policy to what you can and will do
• Only needs to be reasonable
• Policy should protect the dealership, too

Policy & Procedures
The Three Last Things:
1. Reality check – you need to live with what’s written.
2. Review by competent counsel
3. Formal written adoption by Board of Directors (minutes/resolution of adoption in corporate records)

Train
Program must…
(3) Train staff, as necessary, to effectively implement the Program. - 16 CFR 681.2(e)

Train
Training aimed at implementing Program
• must track Program, not Rule
• may/should address Rule as well

Train
Who needs training?
• “Staff as necessary”
• Those who “implement the Program”
• All managers
• All salespeople
• All F&I personnel
• All business office staff
• Board of Directors

Train
Training should be:
• Consistent with Policy
• Verifiable
• Recurring
• Beginning with orientation of appropriate staff
• Effective
  – Oral exam could be cross-examination!

Oversee Service Providers
(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

Oversee Service Providers
For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft. - 16 CFR 681, Appendix A (VII)(c)

Oversee Service Providers
You are a service provider to:
• Financing sources
• F&I product providers
• Merchant processing companies
Your service providers include:
• Pre-approved lead companies
• Outsourced BDC
• Contract sale event companies

Oversee Service Providers Question to ask yourself:

“Do the actions of this service provider require Red Flags Rule oversight or FTC Safeguards oversight?”

What gvo3 & Associates can do for you
• Assist with the development and implementation of a policies and procedures program
  – Working with policy templates, create a policy that includes:
    • Background of the rule
    • Identification of and response to relevant Red Flags that are applicable to your business
    • Incident report templates with instructions on how to complete reports with corrective actions
• Assist with the creation and implementation of employee training
  – Evaluate which is more feasible: online training or manual training
  – Creation of training based on the policy and procedure manual
  – Ensure training is recurring and the appropriate employees are being trained

J. R. Wilson, President

Detect
Red Flags Rule …requires each financial institution and creditor to develop and provide for the continued administration of a written Program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.

II. Identifying Relevant Red Flags
a) Risk Factors …consider the following factors in identifying relevant Red Flags…
   4) Its previous experiences with identity theft
b) Sources of Red Flags …should incorporate relevant Red Flags from sources such as:
   1) Incidents of identity theft that the financial institution or creditor has experienced;
   2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks;

Detect
Why the ‘Rule’
• Financial Fraud
  – The unauthorized use of a financial instrument for personal gain
• Identity Fraud
  – The unauthorized use of personal information by someone else
• Identity Assumption
  – Creating false identification documents using someone’s information
• 9.9 million victims in 2007
• $58 billion in losses
• Only 1 in 700 cases investigated

Appendix A
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy.

Appendix A
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
   a. A recent and significant increase in the volume of inquiries;
   b. An unusual number of recently established credit relationships;
   c. A material change in the use of credit, especially with respect to recently established credit relationships; or
   d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Appendix A
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

Appendix A
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
   a. The address does not match any address in the consumer report; or
   b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

Appendix A
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

Appendix A
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Hint: Use challenge questions whenever feasible!

Appendix A
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
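The automated ‘checklist’ approach the deck discusses later, applied to the Appendix A items above and to the consumer-report checks on the Common Sense slide, as an added example that is not part of the presentation or of either presenter’s products: a screening function that takes a constructed application record and consumer-report summary and returns the numbered items the deal triggers, so the compliance officer can see what needs escalation. The Death Master File set, the inquiry and new-account thresholds and the required-field list are assumptions; the SSN test covers only the structural rules the SSA publishes (area 000, 666 or 900 to 999, group 00 and serial 0000 are never issued), not whether a particular number was actually assigned.

```python
# Added example, not the presenters' code: checklist screening of one deal against
# selected Appendix A items. Thresholds, DMF sample and required fields are assumed.
import re
from dataclasses import dataclass

DEATH_MASTER_FILE = {"111-22-3333"}   # constructed stand-in for the SSA DMF
REQUIRED_FIELDS = ("name", "dob", "ssn", "address")
INQUIRY_THRESHOLD = 6                 # assumed cut-off for item 4a
NEW_ACCOUNT_THRESHOLD = 4             # assumed cut-off for item 4b

@dataclass
class ConsumerReport:                  # constructed summary of the bureau response
    fraud_or_active_duty_alert: bool = False   # item 1
    credit_freeze: bool = False                # item 2
    address_discrepancy: bool = False          # item 3
    recent_inquiries: int = 0                  # item 4a
    recent_new_accounts: int = 0               # item 4b
    addresses: tuple = ()                      # compared for item 10a

def ssn_structurally_issuable(ssn: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return not (area in (0, 666) or area >= 900 or group == 0 or serial == 0)

def screen_deal(app: dict, report: ConsumerReport, challenge_passed=None) -> list:
    """Return the Appendix A item numbers this deal triggers, in numeric order."""
    flags = []
    for item, hit in ((1, report.fraud_or_active_duty_alert),
                      (2, report.credit_freeze), (3, report.address_discrepancy)):
        if hit:
            flags.append(item)
    if (report.recent_inquiries >= INQUIRY_THRESHOLD
            or report.recent_new_accounts >= NEW_ACCOUNT_THRESHOLD):
        flags.append(4)
    ssn = app.get("ssn", "")
    bad_ssn = bool(ssn) and (not ssn_structurally_issuable(ssn)
                             or ssn in DEATH_MASTER_FILE)
    if bad_ssn or (report.addresses and app.get("address") not in report.addresses):
        flags.append(10)      # 10a address not on report / 10b SSN not issued or on DMF
    if any(not app.get(f) for f in REQUIRED_FIELDS):
        flags.append(16)      # incomplete application
    if challenge_passed is False:
        flags.append(18)      # could not answer out-of-wallet challenge questions
    return flags

# Constructed sample deal: fraud alert, heavy inquiry volume, address not on file.
SAMPLE_APP = {"name": "Pat Example", "dob": "1980-04-12",
              "ssn": "123-45-6789", "address": "9 New St"}
SAMPLE_REPORT = ConsumerReport(fraud_or_active_duty_alert=True,
                               recent_inquiries=7, addresses=("1 Old Rd",))
```

An empty result is the “No Red Flags” branch of the four possibilities; anything else is recorded and escalated under the dealership’s own policy.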

Detect
Four Possibilities on Every Deal
• No Red Flags – Legitimate Deal
• Red Flags – Fraudulent Deal
• Red Flags – Legitimate Deal
• No Red Flags – Fraudulent Deal

Detect
Red Flags Rule
Too much reliance on easily obtainable information leads to fraud.

Detect
Where is the identity verification?
• CREDIT APP
• DL COPY
• BUYER’S ORDER

Crime is 10% motivation and 90% opportunity. How much opportunity is in your process?

Detect
People, Process and Technology
• Manual or automated ‘checklist’ approach
  – Requires policy that plans for every conceivable possibility
  – Requires manual evaluation of listed ‘red flags’
  – Requires manual escalation/resolution of each ‘red flag’
  – Requires complex training, management and oversight
  – Adds time and complexity to every delivery
• Fraud scoring software
  – Requires policy that plans for every conceivable possibility
  – Requires manual evaluation depending on the ‘score’ and the ‘red flag’
  – Requires complex training, management and oversight
  – Adds time and complexity to 40-60% of deliveries
• Challenge questions
  – Simple policy structure
  – Manual escalation only when answers are incorrect
  – Easier to train, implement and manage
  – Standardizes compliance regardless of employee

Detect
Three Approaches to Detection

                     Checklist          Fraud Scoring      Challenge Questions
Price                Cheapest           Cheaper            Not as cheap
Time consuming       Yes                Yes                No
Confusing            Yes                Yes                No
Training             Heavy              Heavy              Light
Control over result  No                 No                 Yes
Time to complete     10 min. – 2 hrs.   2 min. – 2 hrs.    2 min.
Detects fraud        No                 No                 Yes
Escalation %         100%               30-40%             3-5%

Detect
Ramifications of an incorrect program
• Charge backs from lending institutions
• Damaged lender relationships
• Compliance audits from regulatory agencies
• Lawsuits
• Negative community reputation
• Lower CSI scores
• Lower F&I penetration

Prevent
Only when you correctly DETECT can you successfully PREVENT

What PatriotDealer can do for you
• Six years compliance and fraud prevention expertise
• Best in class fraud detection with SmartID
  – ‘Out of wallet’ challenge questions
  – Detects fraud at the core
  – Simplifies RFR policy through technology
  – Lower rate of manual ‘Red Flags’ resolution
• Assistance in developing correct risk management policies
• Supported by automotive & fraud prevention experts

Mitigate
(2) Elements of the Program. The Program must include reasonable policies and procedures to: *** (iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft. - 16 CFR 681.2(d)

Mitigate
MITIGATING Identity Theft with an appropriate response to Red Flags detected, based on level of risk:
  – Remediation Services
  – Determine when you would not conclude financing
  – Notifying law enforcement
  – No response

Mitigate
“Duty to Inform”
• Unless there is a “reasonable basis for determining that there is no risk of identity theft” you must notify the consumer
• Contact competent counsel first
• Contact law enforcement second
• Contact customers third, per instructions from law enforcement

Mitigate
Identity Theft Recovery
• Covers customer and immediate family
• Fully-managed service
• Covers ID theft wherever and however it occurs (no family or other exclusions)
• Covers criminal and medical uses of victim’s identity

Mitigate
Mitigation options for exposed consumers
• Credit bureau monitoring
• Identity theft recovery services
• Must be provided by the dealership

Mitigate
Important Points:
• Rule does not require a specific approach
  – Requires “mitigation”
  – Doesn’t go into much detail or define it
• Protects dealership by protecting customers
• Courts could read such a requirement into the Rule if it is “reasonable”

Penny Bell, Associate

Ensure
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. - 16 CFR 681.2(e)

Conducting a Periodic Red Flags Rule Audit
• Compliance Officer documentation
• Deal jackets
• Incident reports
• Training logs
• Sample Red Flags
• Annual report

Periodic Red Flags Rule Audit
Compliance Officer Documentation
• Current policy and procedure manual
• All current employees trained
• Documentation of incident reports and corrective actions

Periodic Red Flags Rule Audit
Deal Jacket Review
• Select a random sampling of deal jackets
  – Every tenth deal from prior three months
• Verify that Red Flags identified in policy were reacted to and documented
• Confirm government issued identification
  – Current and legible
• ID verification software print out

Periodic Red Flags Rule Audit
Incident Reports
• Documented incident
• Actions taken
• Modifications to policy implemented
• Include in annual report to owner

Periodic Red Flags Rule Audit
Training Logs
• All employees trained in RFR policy
• Logs (electronic or manual) current

What gvo3 & Associates can do for you
• Review the Compliance Officer’s documentation
• Conduct periodic audits to verify Red Flags identified in policy were reacted to and documented
• Review incident reports to verify any identity theft incidents were documented, corrective action was taken and modifications were made to policy
• Review training logs to verify all appropriate staff are being trained when necessary
• Deliver an annual, written report on the program’s sufficiency to the owner(s) of the business

Red Flags Rule “Identity Theft Prevention Program”
• POLICY & Procedures that:
• TRAIN employees
• DETECT attempts at identity theft
• PREVENT instances of identity theft
• MITIGATE the effects of identity theft
• OVERSEE service providers
• ENSURE the program works over time

Red Flags Rule
Vendor Evaluation
• Do they satisfy all RFR requirements?
  – If not, what do I have to handle?
• What is their compliance competence?
• How long have they been serving dealers?
• What is their support structure?
• What is the overall TCO of their offering?
• Will they be here tomorrow?

What ComplianceGuard can do for you
• Turn-key compliance solution
• Fulfill all Red Flags Rule requirements
• Complete federal policy and training
• FTC Safeguards & RFR audit and risk management assessment
• AFIP Certification for all F&I Mgrs.

Presenter Q & A

Penelope Bell, Associate, gvo3 & Associates

JR Wilson, President, PatriotDealer