The Red Flags Rule requires a dealership to perform a risk analysis to develop and implement a written Identity Theft Prevention Program (ITPP) to detect, prevent, and mitigate identity theft. It is not a “one size fits all” rule. A dealer’s ITPP must be appropriate to the size and complexity of the dealership and the nature of its operations.
The Red Flags Rule requires lenders to monitor accounts in their portfolio (along with written-off accounts) for evidence of identity theft to attempt to detect and mitigate further identity theft. So, more lenders are examining delinquencies and written-off accounts for identity theft, even accounts on which payments may have been made for substantial periods of time. Instead of just writing these accounts off as credit losses as they did in the past, lenders are now forcing dealers to repurchase accounts they identify as identity theft accounts, even if the identity thief has made payments for a period of time. This “back end” repurchase risk presents perhaps your biggest financial risk from identity theft. A good ITPP will protect you, the dealer, more than anyone else.
The dealer’s Board of Directors (or its highest governing authority) must approve the initial ITPP and take responsibility for it. A senior officer must be appointed to be the ITPP program manager (Program Manager), responsible for developing, overseeing, implementing, training, updating, and administering the ITPP, but the final responsibility will rest with the Board of Directors or the senior management team.
The ITPP has four basic elements. First, identify potential “red flags” that might occur in your business. Red flags are patterns, practices, or specific activities that indicate the possible existence of identity theft. The Red Flags Rule lists 26 potential red flags that you must consider for your ITPP, including the receipt of an address discrepancy alert (discussed below), although not all will apply to your business. One type of red flag is where a consumer provides an ID that does not appear genuine.
The second step of the ITPP is to employ procedures to detect any identified red flags in your processes and transactions. An electronic identity verification service such as Dealertrack Red Flags can help you compare the customer’s reported information to fraud databases and stolen Social Security numbers, among other red flags. Following the example of a red flag related to IDs, your ITPP would set out different processes for identity verification in person versus other methods of application. For in-person applications, for example, you would include a practice of examining every customer’s IDs (front and back) for tampering or counterfeiting. For online applications, you could leverage a third party’s solution to validate the consumer’s identity through a series of knowledge-based questions and answers.
The third step requires your ITPP to have measures to prevent and mitigate identity theft when you identify a red flag. In the ongoing example, it could be as simple as asking the customer for additional verification documents or, if necessary, declining to open the account. Your ITPP should have processes where significant and/or unresolved red flags are escalated to the Program Manager.
For the fourth and final step, you must update your ITPP periodically (but not less often than once per year) based upon your dealership’s own experiences and new information concerning identity theft from regulators, law enforcement, and industry experts. An ITPP is a dynamic program and should be re-evaluated continually.
Employees who perform program functions should prepare annual reports to the Program Manager concerning the ITPP’s effectiveness and make suggestions for improvement. The Program Manager should then use these reports and other identity theft resources to make an annual report to your Board or senior management detailing the effectiveness of the ITPP and proposing material changes. Training of employees and strict oversight of ITPP service providers who have access to your customers’ data are also critical tasks that the Red Flags Rule requires. Document everything you do and keep copies of all identity-related documents (e.g., the report of the electronic identity verification service and anything the consumer gives you to prove their identity) in the deal jacket in case you are audited. Apply your ITPP to every customer.
Note that while the Red Flags Rule does not apply to cash sales, the requirements provide a wealth of information for dealers to use broadly in their business to help avoid identity theft issues and losses.