|Thursday, April 17, 2014|
Red Flags Rule FAQs
The FTC Red Flags Rule has a mandatory compliance date of November 1, 2008. According to NADA’s publication, A Dealer Guide to the FTC Red Flags and Address Discrepancy Rules, the Red Flags Rule "generally requires each dealer who offers or maintains consumer credit, such as installment sale contracts and vehicle leases, and business credit where a reasonably foreseeable risk of identity theft exists to the dealer or its customers, to do three things:
Dealers must develop, adopt, and implement a written [Identify Theft Prevention Program] ITPP that contains these policies and procedures no later than November 1, 2008."
Following is a selection of the Frequently Asked Questions from NADA’s publication:
What dealers are subject to the Red Flags Rule?
The Rule casts an extremely wide net that brings within its coverage a very large share of the nation’s business economy. Not only are financial institutions subject to the Rule, but so are creditors. In that sense, virtually all dealers are covered by the Red Flags Rule because virtually all dealers are creditors. In fact, the Red Flags Rule specifically identifies automobile dealers in its list of creditors. However, the requirement to develop and implement an ITPP only applies to financial institutions or creditors that open or maintain "covered accounts." As discussed under "Identifying Covered Accounts," [in the guide] this includes multiple-payment transactions with consumers, such as retail installment sale contracts and lease agreements (even if they are immediately assigned to a third-party finance source), and also includes other accounts where there is a reasonably foreseeable risk to customers or to the dealership from identity theft.
Application to Commercial Truck Dealers: Medium- and heavy-duty truck dealers that engage solely in business-to-business transactions may determine that they do not offer or maintain any covered accounts and thus do not need to develop and implement an ITPP. If this determination is correct, the dealer nonetheless must conduct an initial Risk Assessment to verify that it does not offer or maintain any covered accounts, and the dealer must conduct periodic Risk Assessments thereafter to determine if any changes to the accounts it offers or maintains or new identity theft risks elevate any of its accounts to the status of a covered account (which would then require the dealer to develop and implement an ITPP). In addition, . . . the dealer still must comply with the Address Discrepancy Rule if it orders consumer credit reports . . .
What are the penalties for violating the Red Flags or Address Discrepancy Rules?
There is no federal private right of action for violating either the Red Flags Rule or the Address Discrepancy Rule. Enforcement falls to the FTC as the agency responsible for interpreting and enforcing the Rules as they pertain to dealers. All enforcement matters begin with an investigation. When the facts point to law violations, these investigations can lead to administrative settlements. These settlements can include both injunctions that require the company to comply with the Rule, other reporting obligations, and civil penalties of up to $2,500 for each “knowing” violation of the Rule(s). If the dealer fails to comply with that order, the FTC could file a federal lawsuit seeking fines of up to $11,000 for each future violation, injunctive relief, and/or a long-term consent decree. Keep in mind that the civil penalties (up to $2,500) that may be required to resolve the investigation could apply to past violations, while fines stemming from a lawsuit apply only to future violations. If the parties do not reach a settlement, the FTC can bring an action in Federal district court for civil penalties and injunctive relief. In addition, it is also possible that violations of these Rules could subject a dealer to state law claims (including class action claims) under state “unfair and deceptive acts and practices” (UDAP) statutes. These laws typically permit actual and punitive damages as well as attorneys' fees and costs.
Do these Rules mean that we cannot conduct transactions with persons who never come to the dealership, such as someone in another state who contacts us by phone after visiting our Web site?
No. The Rules do not in any way prohibit telephone, on-line, or interstate transactions. However, a dealer that enters into installment sale contracts or leases with customers who never come to the dealership or meet dealership employees in person will require an ITPP that takes that method of opening an account into consideration in identifying, detecting, and responding to relevant Red Flags. For example, for accounts opened remotely and without meeting the customer in person, the dealer may determine that additional Red Flags and/or customer identification methods are necessary due to the inability to physically inspect identification documents and determine, for example, if the customer's appearance matches the photograph on the identification documents. As noted in our discussion of "Substantive Elements of the ITPP," the [Customer Information Program] CIP rules contain examples of "nondocumentary" identity verification procedures that allow verification of identity without reliance on identification cards and other documents.
[The above excerpts are from the NADA Management Education publication, A Dealer Guide to the FTC Red Flags and Address Discrepancy Rules: Protecting Against Identity Theft. The publication may be ordered on-line at http://eseries.nada.org/scriptcontent/ProductDetail.cfm?pc=MEDPRL50E or by calling NADA Management Education at
|Return To Top|
|NHADA: P.O. Box
2337, 507 South Street, Concord, NH 03302-2337
Phone: 1-800-852-3372 | FAX: (603)225-4895
© 2003-2011 NHADA, All Rights Reserved | Hosted by NimbleUser.