Amid the Identity Theft Crisis, Dealerships Should Review and Test their Red Flags Programs
Friday, March 23, 2012 - Mark Thaw, CPA/ABV/CFF & Ana Larias, CPA
Identity theft has become a financial epidemic, and the Federal Trade Commission (FTC) has a mandate for automobile dealerships to combat it. The requirement is in the Red Flags rules that the FTC has been enforcing since the start of last year.
So, more than ever, you should be asking yourself: "How good is our dealership's anti-identity theft program, and what are we doing to update and test it and to train our employees to detect and prevent attempts to steal customers' identities?"
The answer to the first part of the question had better be "excellent," considering the extent of the problem and the potential consequences to a customer and to your business if an identity theft occurs as a result of a sale or other activity at your dealership. Recent reports from the FTC and the IRS contain some alarming information about the number of identity theft cases and the methods that identity thieves are using to gain access to consumers' financial information.
Meanwhile, it seems that every time you turn on a TV news program you find another story about an identity theft scam. In fact, the FTC estimates that every year about nine million Americans have their identities stolen.
In addition to its long-established role of assisting victims of identity theft, the FTC since January 1, 2011 has been enforcing its Red Flags rules. Details of the "red flags" suspicious activities that dealerships must look for are provided later in this article.
The rules require automobile dealers and other designated "creditors" that are involved in the extension and approval of credit to develop and implement written identity theft prevention programs. Those programs must help a dealership identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.
The extension of credit under the Red Flags rules includes loans that are made by banks and auto finance companies and are approved by dealerships for customers to purchase vehicles.
The FTC can seek monetary and civil penalties and injunctive relief for violations, with a maximum civil penalty of $3,500 per violation. It can conduct audits of businesses' identity theft programs, where it might find violations. It also can investigate when a consumer files a complaint alleging that an action or inaction by a business resulted in an identity theft.
The identity theft programs that dealerships are required to establish must be managed by a dealership's board of directors or senior employees. In addition, dealerships must provide appropriate staff training and oversight of any service providers.
With FTC enforcement in place for the past year, it is timely and vital for dealerships to review and update their programs for detecting, deterring and preventing identity theft. Dealerships should provide training to technical and operational staffs, and test the program and its controls. As they manage their own security procedures, dealerships should also ensure that banks and other service providers have effective identity theft programs in place.
Our accountants and consultants at MBAF can advise dealerships on monitoring, testing and upgrading of identity theft programs. We can build on top of the dealership's customer information safeguards program and policies to help it maintain an efficient process for preventing identity theft.
Data on Identity Theft
On February 28 the FTC released its annual report on consumer complaints for 2011, with identity theft ranking first in the number of complaints for the 12th consecutive year. It received 279,156 complaints on stolen identities last year, a 12 percent increase over 250,854 in 2010.
Some identity theft numbers in the report for 2011 are eye-opening for dealerships in Florida and several other markets where our firm has offices, and where we can provide advice on maintaining and improving identity theft programs. Below are some key facts from the report:
- Florida was first in per capita complaints, with 178 per 100,000 in population.
- New York, New Jersey, Maryland and Colorado ranked in the top 11 in per capita complaints--all with at least 83 complaints per 100,000.
- Miami-Fort Lauderdale-Pompano Beach was first among Metropolitan Statistical Areas with a troublesome 324 complaints per 100,000.
On February 16, the IRS put identity theft at the top of its list of "Dirty Dozen" tax scams for 2012.
The IRS said that there has been an increase in identity thieves looking for ways to use a legitimate taxpayer's identity and personal information to file a tax return and claim a fraudulent refund. An IRS notice informing a taxpayer that more than one return was filed in the taxpayer's name or that the taxpayer received wages from an unknown employer may be the first tip off that the individual receives indicating that he or she has been victimized.
Dealerships should be aware that a person who has stolen a tax refund might use the money and stolen identity in an attempt to purchase a vehicle.
Red Flags Details
The FTC Web site has a section on Frequently Asked Questions on the Red Flags rules and Identity Theft Protection Programs. In addition, a list of the FTC's 25 Red Flags can be found on the next-to-last page of the full regulation that the FTC issued in 2007.
The red flags are not a checklist, but instead are examples that dealerships may use in developing programs to determine if a transaction involves a stolen identity. The red flags fall into five categories:
- Alerts, notifications or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information, such as a suspicious address
- Unusual use of or suspicious activity related to a checking account, credit card or other account
- Notices from customers, identity theft victims, law enforcement or other businesses about possible identity theft in connection with an account
Dealerships with questions may contact the FTC at firstname.lastname@example.org.
In addition to following the FTC rules, dealerships are subject to federal and state laws regarding the sharing of customers' information and other privacy issues that are part of identity theft programs.
Dealerships should consider contacting their insurance agents about the availability of identity theft insurance policies. Those policies can help cover legal liability damages and defense costs in situations where identity theft victims maintain that the theft resulted from negligence by a business or its employees.
The purpose of an identity theft program is to make sure that the sales person, the sales manager, the staff members in the finance department or someone else at the dealership does not deliberately or inadvertently let information about a buyer's financial records fall into the hands of people who should not have it.
In addition to safeguards that center around your computer systems, you can use some standard common sense.
For example, make sure that when employees leave for the day they do not leave a prospective customer's information about credit history or bank accounts on a desk where it is visible. Another employee or a member of the cleaning crew who finds that paperwork could use it to begin stealing an identity.
By having identity theft programs that are in compliance with FTC rules, and by taking other precautions, you can have added assurance that the next happy buyer who drives out of your dealership's lot in a new vehicle is indeed the person he or she claims to be.
The purpose of this newsletter is to provide general information on tax, audit and other issues related to the automobile dealership industry. The information contained herein may not apply to all businesses or organizations and their specific circumstances. Dealerships are encouraged to consult directly with an accounting expert before making tax and accounting decisions.