Pub. 5 2024 Special Edition

3. Make a list of methods used to detect and evaluate if a red flag has occurred. The program should describe procedures used to verify customer information and detect when information is incorrect. Some procedures include:
• Specifying acceptable forms of identifying information required of each finance customer.
• Specifying procedures to verify identifying information, for example, using third-party resources to confirm identification or detect fraud.
• Using a system to monitor employee compliance relative to their access and use of customer account information.

4. Describe how your dealership will respond when red flags are detected. The program must contain reasonable policies for responding to red flags detected during a transaction. This should include a procedure for escalating unresolved situations to senior management. Some appropriate responses to unresolved red flags would be to:
• Not continue the transaction.
• Use additional resources to verify the customer’s identity.
• Notify law enforcement.
• Determine that no response is warranted.

5. Document all red flag responses and keep them in the customer’s file. All red flag responses should also be kept in a dealership file to be used to maintain and update the program.

6. Detail a plan to update the program periodically. Update the program to reflect changes in risks to customers or to your dealership’s safety and security based upon:
• Your experience with identity theft.
• New methods of identity theft.
• New methods of identity theft prevention and detection.
• Changes in the types of accounts offered or maintained by your dealership.
• Changes in your dealership’s business or structure such as mergers and changes in service provider arrangements.

7. Follow the Red Flags Rule guidelines in managing the program. The Rule provides for some specific administrative actions that need to take place to manage your program adequately. These include that your program must:
• Be approved and implemented by your dealership’s board of directors or, if no board exists, a designated senior management team member.
• Be periodically evaluated to determine if updates are necessary.
• Include training for relevant staff on their obligations under the program.
• Be able to ensure service providers have reasonable procedures to detect, prevent and mitigate the risk of identity theft.

PENALTIES FOR VIOLATIONS

Penalties for violations of these regulations are stiff. These include the following:
• A “knowing” violation of the Rule is a violation of the FTC Act, which provides for a $3,500 civil penalty for each violation.
• Enforcement actions by the FTC can carry penalties of up to $11,000 per violation, per day.
• Dealers may also be liable under state unfair and deceptive acts and practices laws, which may include individual and class action claims.

Sources
1. https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business

Portions of this publication were taken from and used with the permission of Counselor Library LLC, publisher of “A Dealer’s Guide to the Red Flags Rule” by Michael A. Benoit of Hudson Cook LLP.
