Providers’ Responsibility for Dealer Compliance

I was in the office of a large and successful F&I agent not long ago, and he bemoaned the need to take on duties related to dealer compliance. “I know I have to do it because all of my competitors are doing it. I need to do it to compete. But when did it become my job?”

A good question, and one deserving an answer. And more to the point for readers of this particular magazine, do providers and administrators have a responsibility for dealer compliance?

The answer, I believe, is yes, for at least three reasons: There is a legal responsibility, a moral responsibility, and a prudential responsibility. I will address each in turn. Stick around for the last reason — it’s where things get really interesting.

The Legal Responsibility

What is the basis of a legal responsibility for providers and administrators to ensure the legal compliance of their dealership clients? Put another way, how could a provider get sued by a dealer or an end user of the provider’s products?

One way is to fail to meet existing legal obligations. For example, providers and administrators receive, use and store customers’ nonpublic personal information (NPI). That makes those entities “service providers” under both the Safeguards Rule and the Red Flags Rule. This means that providers and administrators must protect that NPI and comply with the Red Flags Rule to the extent it applies to their duties.

Beyond the statutory requirements of those two rules, providers and administrators must avoid negligence in their dealings with dealers. For example, if the provider offers F&I training, that training must be accurate. I have seen F&I training that advocated what, in my opinion, constituted bank fraud. A provider would do well to have its training materials reviewed by an attorney familiar with car law every now and then.

Beyond that, providers need to be aware that plaintiffs’ lawyers are always on the prowl for “deep pockets,” and providers probably count as such. Whoever profits from an alleged fraud can reasonably expect to be in the chain of liability. Knowing this, what elements of dealer compliance should a provider be concerned about? Certainly the content of training, but also the proper use of F&I menus and the paper trail surrounding the sale of their products.

This, in turn, suggests the desirability of periodic deal jacket audits, but that’s a big topic (maybe next issue).

The Moral Responsibility

You don’t have to go to law school to understand the concept of moral responsibility. It’s the notion of doing the right thing. If you make money from a dealer’s F&I department, you have some moral obligation to make sure your products are being sold in a legally compliant manner. That implies honesty, accuracy, and transparency.

The processes of training and audit described above apply here as well, not because Uncle Sam or the plaintiffs’ bar say so, but because it is the right thing to do.

The Prudential Responsibility

As promised, this is where things really get interesting. The two prior bases for responsibility for dealer compliance arise in some measure from the notions that you either “gotta” or you “oughta.” Some sense of compulsion underlies them both, and as human beings, we don’t like being told what to do.

A prudential basis for responsibility for dealer compliance is more appealing, for it reduces to enlightened self-interest, and we’re all good at that.

A simple thought exercise illustrates this point. Imagine a dealer surrounded by four providers eager to earn his business. The dealer’s pants catch fire. Three providers try to outshout each other with the same message: “Your pants are on fire!”

The fourth pulls out a fire extinguisher and puts out the fire.

Whose products will the dealer sell?

There are at least three fires that are certain to impact dealers in the near- to mid-term. Why am I so certain? For that, let us turn to novelist Tom Clancy.

In his 1991 bestseller, “The Sum of All Fears,” Clancy spins the tale of our worst collective nightmare: Islamic terrorists obtain and detonate a nuclear weapon. On Pages 615–619 of my copy, Clancy painstakingly describes the carefully choreographed series of events that must transpire within a weapons package to initiate a nuclear reaction. All of them take place, in order. He then sums up the result:

"As yet no perceptible physical effects had even left the bombcase, much less the truck. The steel case remained largely intact, though that would rapidly change. Gamma radiation had already escaped, along with X-rays, but these were invisible. Visible light had not yet emerged from the plasma cloud that had only three “shakes” before been over a thousand pounds of exquisitely designed hardware … and yet, everything that was to happen had already taken place. All that remained now was the distribution of the energy already released by natural laws which neither knew nor cared about the purposes of their manipulators."

In other words, the bomb blast and mushroom cloud that we all associate with a nuclear explosion are not really the explosion. They’re just the natural and visible results of the nuclear reaction. If you know the elements of the detonation took place, predicting the bomb blast and the mushroom cloud is no great trick.

The elements of at least three such “explosions” have occurred, or are occurring. Predicting their result is no great trick, either.

The first is data security or, more properly, consumer awareness of data security as a risk that impacts them in a very real way. The recent Equifax breach impacted approximately 145 million Americans, myself included. (To find out if you were affected, go to and follow the instructions there.) Friends who were also impacted by the Equifax breach have already had their bank accounts drained, and they are angry.

Dealers have a ton of their customers’ nonpublic personal information in their paper files and, more to the point, in their computer network. If a major credit reporting agency can’t protect such data, what are the odds the average car dealer will? Exactly.

The first obligation of a dealer intent on protecting customer NPI is to conduct a network vulnerability assessment, or “NVA.” The NVA is the first step in determining what vulnerabilities exist within a network that could make an unauthorized loss of data more likely. If your firewalls aren’t properly configured, or if you lack intrusion detection software, the NVA will let you know and lead to corrective recommendations.

Conducting an NVA is not an optional extra; it is an express requirement of the Safeguards Rule. And while this falls outside of the provider’s “zone of compliance,” a prudent provider would be wise to find a reliable vendor or vendors for this service, use its volume potential to negotiate a reasonable cost, and make that service (and discount) available to its dealers.

Along those same lines is identity theft recovery service. The Red Flags Rule requires dealers to mitigate the impact of identity theft, but it doesn’t say what “mitigate” means. Identity theft recovery service, by definition, should help satisfy that requirement. And since identity theft recovery can (in most states) be provided as a blanket benefit to customers and additional years upsold in F&I, this is actually a product that fits neatly into the provider’s wheelhouse. Compliance is a lot more fun when you make money promoting it.

The second detonation is still in progress, but if all of the steps take place, the results will be game-changing. This one also involves data, but instead of security the operative concept is usage.

Right now, a dealer might have a desking program, an F&I menu program, and a finance portal, all of which operate on top of a proprietary dealership management system (DMS) but don’t talk to one another.

But what if they could, at an affordable price? Then the dealer could require the first pencil to be based on a standard APR; the final pencil could be based on the customer’s actual credit score (and not generated until the bureau had been pulled, after actual authorization had been obtained and recorded); the final pencil would flow into the top of the F&I menu; all products would be consistently offered; the results of the menu negotiation process would be documented and signed; those results would flow into the buyer’s order and installment sale contract; and all of the chosen products would be backed up by signed contracts with matching prices.

In short, much of the room for deceptive trade practices could be made impossible. And when a consumer protection like that becomes possible, it will soon become mandatory. The prudent provider will anticipate that development and have the software ready when the dealer asks.

The third reality generating a predictable reaction is the consolidation trend in the F&I industry. This is certainly obvious amongst agents and agencies. As first-generation F&I agents want to retire, they need to sell their agencies. These are being gobbled up by providers seeking to lock up their distribution or by other agencies growing in order to survive.

As the number of agencies declines, the size of those that remain must increase. And as they increase, they must demonstrate benefits to their dealers of that scale. Big for its own sake is not a winning value proposition.

And so we see providers and larger agencies expanding their service offerings. In addition to products and training, we see the innovative providing HR/recruiting assistance, reinsurance consulting, marketing/branding campaigns and — you guessed it — compliance services. Providers literally from A to Z already provide such services to their dealers at no cost or at deep discounts. One less reason to change providers.

Not long ago, former studio head Harvey Weinstein was exposed for being a Hollywood sexual predator and all-around creep for at least three decades. The real story, however, was that everyone seemed to know — especially those who profited from Weinstein’s business activities. Whether for legal, moral or prudential reasons, providers and administrators need to take an interest in the compliance of their dealers’ operations. Weinstein demonstrated the price we can pay for looking the other way.