Red Flags Rule Basics
In 2007, in conjunction with the FTC, a large committee passed final legislation for the Fair and Accurate Credit Transactions Act of 2003, also known as the Identity Theft Red Flags and Notices of Address Discrepancy, or “Red Flags Rule.” The Rule requires that all organizations subject to the legislation develop and implement a formal, written and revisable “Identity Theft Prevention Program.” The purpose is to detect, prevent and mitigate identity theft. The original November 1, 2008 enforcement date for the Rule was postponed to May 1, 2009, and is now slated for August 1, 2009. The FTC’s delay on this Rule shows the ongoing debate and controversy regarding whether Congress wrote the Red Flags provision too broadly, and it will allow further time for consideration.
A car dealership is considered a “creditor” under the Red Flags Rule. Even if all financing is assigned to a third party or outside lender, the dealer is involved as they are the party that “opens” the account. This means that even if your dealership doesn’t carry any contracts, it must still comply with the Rule. Basic requirements of the Rule include:
1. Identify relevant Red Flags for covered accounts and incorporate them into your Red Flags program.
2. Detect Red Flags that have been incorporated into your program.
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
4. Ensure your program is updated periodically to reflect changes in risks to customers or the safety and soundness of the financial institution or creditor.
5. Ensure that employees are properly trained to identify Red Flags.
There is a lot of confusion about the Red Flags Rule, but basically, you need to complete some simple steps to create an effective program and cover your dealership:
1. Create a Red Flags Rule task force. This can be a board of directors, a committee or an appropriate senior management employee.
2. Perform a risk assessment.
3. Develop policies.
4. Approve your program.
5. Educate/Train.
Many quality companies have turnkey Red Flags Rule programs ready for your dealership to implement. You can check with your state association to see if it recommends a provider, or a quick Google search will reveal many companies that can help your dealership comply. My recommendation is to utilize one of these sources, as there is no reason to re-invent the wheel. Since the Rule has created quite a stir in the dealership world, creating your own plan could be a cumbersome process.
The big complaint from dealers about the Rule is, why ask all the questions and put all the policies in place if the lender is doing it already? Some experts have anticipated that following the entire process 100 percent correctly will add four hours onto the time it takes to prepare a deal. Fortunately, many of the systems and vendors on the market today utilize software to minimize the time and hassle required to comply.
One question often asked is, “If my dealership already has risk policies in place, I should be OK, right?” The answer to this is no. The Rule requires a separate ID Theft Prevention Program. It takes the general concept of an organizational risk plan further and mandates that a formal, written and revisable plan be implemented that is scalable to the organization’s size and complexity, as well as the nature and scope of its activities.
Basically, in my humble opinion, the Rule was a good idea. Identity theft is a real problem and the fastest-growing crime in America, but the Rule has had its share of issues before enforcement has actually begun. I’m sure the industry will continue to tweak and improve the systems and processes they have developed. Rumor even has it that the FTC is going to come out with a template for each industry to help ease the burden of implementing the Rule. In the meantime, good selling and stay compliant!
Vol. 3, Issue 4
View all articles by Kevin Day