Know the law. “If you are doing financing, you are technically a lender,” Kelly noted. So all the lending regulations created in the past decade also apply to dealers, she said.
Consider the Red Flags Rules. Federal regulation says that all American businesses must check to see whether the names of everybody with whom they do business (customers, employees, vendors) are on a list of wanted people maintained by the Office of Foreign Assets Control (OFAC), which is governed by the Treasury Department. “You need a written process in your dealership that says this is how we check everybody,” Kelly said.
Some software can check names against the OFAC list as long as social security numbers are available. Without them, dealers must manually log on to the Treasury Department’s website and type the person’s name into a search box. If there is no match, compliant dealers capture a screenshot, print it and file it away, according to Kelly. If there is a match, dealers must call an 800 number to speak with the feds.
Dealers who fail to comply with the Red Flags Rules could face 30 years in prison and a fine of $10 million. “The federal government, if they audit you, is not going to be kind,” Kelly said.
Now consider Adverse Action Notices, templates of which can be found in Regulation B of the Equal Credit Opportunity Act (ECOA). If a credit app is declined or approved conditionally, dealers must send an Adverse Action Notice to the consumer within 30 days. “These letters are written in a specific way,” Kelly said. “All you do is put in the name of the person, check the reason, and put in the name and address of the credit bureau you used. Don’t get creative with the letters.”
Dealers must keep copies of the notices on file for five years.
Next up: the Risk-Based Pricing Rule, which is relatively new and addresses the final two pages of the credit report containing the customer’s score, reasons for the score, and what he or she can do to improve the score. The Risk-Based Pricing Rule section also shows customers where they stand relative to the national average. It should have a place for the customer to sign. If not, the F&I manager should make a note on the method of delivery to the customer: by hand or by mail. The dealership keeps a copy and gives the customer one copy.
“The Fair Risk Pricing Rule, while being a part of the credit bureau, is not the credit report,” Kelly clarified. “The dealership should never provide the customer with a copy of the credit report.”
What about dealers who accept credit applications over their websites? First, they need a privacy policy on the Web, said Kelly, adding: “After you pull the credit, make a copy of the two Fair Risk Base Pricing forms and then stick them in an envelope and mail them to the consumer with the privacy policy.”
Finally, there are the Safeguards Rules. Dealers must have policies, in print, about safeguarding people’s “nonpublished information,” which includes things like social security numbers and copies of driver’s licenses. “It could be as simple as a numerical lock on the finance office,” Kelly said.
Dealers also must have at least an annual meeting with their employees to review those policies.
Fines for noncompliance are in the tens of thousands of dollars, and an audit can take months. “The federal guys are going to start auditing, and they fine people,” Kelly said. “Take the time to write out your policies and educate your people. This is not an option.”

