Many of the menu companies that our P&A readership uses provide identity verification transactional checks to prevent identity theft and help satisfy the provisions of the Red Flags Rule. But how effective is the identity verification tool in thwarting identity theft and reducing liabilities?
On Jan. 1, 2011, sections 114 and 315 of the Fair and Accurate Credit Transactions Act, known to many as the Red Flags Rule, are scheduled to be enforced by the FTC. Due to the importance of this law and all the publicity that it has received over the past few years, we decided to take a look at the Rule from the perspective of both an identity verification solution provider and a legal professional. We were specifically interested in whether the automated identity verification transactional checks help to effectively satisfy the law’s requirements and what else may be necessary to comply under the Red Flags Rule.
What are the pros and cons of transaction-based Red Flags checks?
Jim Ganther, president of Mosaic: “One of the greatest 'pros' of a transaction-based Red Flags check is that it addresses the Rule where it hits the road: the creation of covered accounts. In the automotive space, the creation of covered accounts means the establishment of a finance or lease contract. Another pro is that such an approach can be inexpensive and relatively easy to accomplish. For example, there are services available that can run swift electronic verification programs to confirm that the identity being offered is, in fact, a genuine identity.”
Transaction-based Red Flags solutions automatically create searchable, archived records of compliance. When it comes to legal compliance, if you don’t record it, it didn’t happen. And any program that doesn’t require an F&I manager to create a record by hand is a good thing.
On the “con” side of the equation, it can be easy to fall into the trap of believing the transactional approach is sufficient to address all of a dealership’s obligations under the Rule.
Pattie Dillon, president of Veratad: “The Red Flags Rule requires dealers to 'detect, prevent and mitigate identity theft.' Dealers using online ID verification, as a process to help detect Red Flags and prevent identity theft, in conjunction with conventional methods of paper verification, are taking an important step to assure that the person presenting a verifying document is in fact who they say they are. For example, online verification can reveal if a name and address are sufficiently associated or if a person’s name appears on the deceased list in public records. In addition to address, age and social security number discrepancies, verification can provide an immediate check of OFAC as required by the USA PATRIOT Act. As an added layer of security and at the dealer’s option, they can present non-credit related 'knowledge-based challenge questions', the answers to which should only be known by that person being checked. In addition to avoidance of fines for non-compliance, use of online ID verification is a way for dealers to reduce their risk of fraud and mitigate the reputational risk associated with the theft of a consumer’s identity.”
What is the area in which they fall most short of addressing the law? Do they mislead the dealership by giving them a false sense of security?
Ganther: “There are services available that can run swift electronic verification programs to confirm that the identity being offered is, in fact, a genuine identity. This is not sufficient to satisfy the Rule, however. The dealership must then confirm that the person offering the identity is actually the person represented by the identity, not an identity thief. But not to worry: the same programs that verify the authenticity of an identity can usually generate out-of-wallet challenge questions to confirm that the person presenting the identity is the real McCoy. Out-of-wallet challenge questions, by the way, are questions generated from literally billions of public records that are over seven years old. The reason for the age of the questions is that lots of this information can be found on a credit report if seven years old or less. And once an identity thief has your name, DOB and SSN, he can run a bureau on the victim and the ID verification process becomes an open-book test.”
Ganther further explains that there is a trap of believing the “transactional approach is sufficient to address all of a dealership’s obligations under the Rule. It is not. A dealership must have a written Identity Theft Prevention Program (ITPP) in place, approved in writing by its Board of Directors or senior management. It must have a training program that addresses and implements the ITPP. It must detect, prevent and mitigate identity theft. It must oversee its service providers to ensure they are following the Rule, as applicable. And finally, the dealership must ensure that the ITPP continues to work over time. This means, at a minimum, an annual audit of the program and its effectiveness, and a written annual report to the Board of Directors or senior management.”
Dillon: “No, online identity verification should not be used as the sole source of validating a consumer’s identity or addressing the Red Flags Rule; it should be used in the context of common sense and as part of the dealer’s overall due diligence in detecting, preventing and mitigating identity theft. For example, Veratad’s Online Identity Verification IDMatch+PLUS can be used to augment inspection of government-issued ID presented by a customer. The online process does this by establishing that a person is who they say they are (either in advance or after submission of personal information to credit bureaus) with challenge questions; however, dealers still need to look for other red flags such as inconsistencies when comparing photo ID, age, gender, etc. with the physical appearance of the customer.
Dealerships can avoid a false sense of security by assessing their risk of identity theft and implementing a plan to detect, prevent and mitigate it based on the size and complexity of their dealership. By following the Red Flags Rule guidelines and verifying the identity of their customers before a vehicle leaves the dealership, dealers are taking an important step in avoiding any false sense of security pitfalls.”
If a dealer uses a transaction-based check to help prevent identity theft, what more do they need to do?
Ganther: “At best, it can address the requirements to 'detect and prevent' identity theft. The other five require additional, and significant, effort. To tell the FTC (or, more likely, the plaintiff’s law firm) that you run a transaction-based identity verification program but nothing else is to admit you are intentionally violating the Red Flags Rule. That is not a good place to be.
One final note: the Rule requires dealerships (and all other 'financial institutions') to 'prevent' identity theft. But this is impossible. By the time an identity thief shows up in F&I to take delivery of a vehicle he will never pay for, the identity theft has, by definition, already occurred. Actually preventing an identity from being stolen at or through the dealership is covered by the Safeguards Rule. What the dealership can really do when an actual identity thief tries to take delivery of a vehicle is to prevent further damage flowing from the identity theft.”
Dillon: “All dealerships are required to assess the risk of identity theft for their organization(s) and create a Red Flags Identity Theft Prevention Program based on that risk assessment. Senior management must approve the program and it must be reviewed, at a minimum, annually. In addition, employees must be trained to detect and respond to red flags and the dealership is responsible to assure that all service providers having access to the dealership’s 'covered accounts' are also compliant. It is important for dealers to consult their attorney to assure compliance.”
Do you think a menu company should charge for this service?
Ganther: “Of course a menu company should charge for this service! It costs hard dollars to obtain these services and integrate them into the menu system, which makes their use easier for the dealership personnel. Menu companies place themselves in the line of liability should the system fail to detect an identity thief, or cause a legitimate buyer to be denied a vehicle. No one should be asked to work for free!”
Dillon: “Veratad’s menu company clients providing Red Flags Rule related services, such as identity verification, usually provide that service as an integrated offering within their menu software. Dealers use the ID verification process as an opportunity to show customers they are serious about protecting their personal information.
It is generally believed that the finance professional responsible for reviewing menu options with a customer before delivery is in a perfect position to assist the dealership with that part of its compliance obligation to detect and prevent identity theft. Performing online identity verification with OFAC before vehicle delivery not only protects consumers but also protects the dealership from fraudulent transactions.
Menu companies integrate Veratad’s IDMatch+PLUS so the verification becomes a seamless part of the F&I process. The service is priced so the menu company can include the service at no cost to dealers (as a market differentiation) or alternatively, they can charge the dealership a per transaction fee with a modest mark-up to cover the menu company’s costs associated with implementation and ongoing support. In either case, having IDMatch+PLUS built in to the menu provides a convenient verification at a cost usually less than $1 per car.”
In our January issue we will take a look at the pros and cons of Red Flags compliance from a menu provider's perspective, presenting similar questions and the answers furnished by a few menu providers who incorporate Red Flags compliance within their software.