Phone: 630-495-2282 Fax: 630-495-2260 Map/Directions

Red Flags Rule

December 22, 2010
After a number of false starts, the FTC vows that Jan. 1 will be the day compliance enforcement begins for the Red Flags Rule. Auditors will want to see every dealership's Identity Theft Prevention Program, which must be approved by the dealership's board or appropriate board committee. If the dealership does not have a board, a senior management employee must approve the ITPP.

It's all part of the Red Flags Rule, which is the Federal Trade Commission's next step following the 2003 "Safeguards Rule." The Safeguards Rule forces dealers to protect the sensitive information collected from customers, so that identity theft cannot be committed. The Red Flags Rule examines the other side of the coin: If a dealer encounters an ID thief, take steps to halt any transaction.

The new Rule forces "financial institutions" and "creditors" to comply with the Rule. Dealerships are swept up in the matter because the FTC defines dealers as creditors.

In summary, if a dealer can't form a reasonable belief under his ITPP that a credit report relates to the customer before him, the transaction must be aborted. Full details about the 256-page Rule are on the FTC's Web site,

All programs must have six distinct elements:
  • Policy A formal, written program that is signed by the officer of the corporation;
  • Training for employees-hands-on and continuous;
  • Detection and Prevention during transaction processing;
  • Mitigation measures to reduce fraud and minimize any impact on customers; and
  • Audit of the program at least annually.
A written program must include reasonable policies and procedures to identify and detect 26 Red Flags noted by the FTC, and respond appropriately when any Red Flags are detected.

Russ Radant of Automotive Compliance Consultants said one-third of all ID theft originates at dealerships. "Think about the number of people coming into your store every month," he said. "And not just on the sales side. What about repair orders?"

Radant outlined how camera phones can be used maliciously at service writer desks to record information about a customer and his vehicle from an RO. The thief then could call the customer, posing as an employee of the dealership.

"Mrs. Jones," Radant offered, "this is the dealership calling. I see that you were overcharged for service today on your Plymouth Valiant by $24.95. We can handle the overcharge three ways: I can credit your next service visit by that amount; I can arrange for a check for you-but that will take 30 to 40 days; or I can apply the credit to your charge card immediately, if you give me the account number." Choosing the third option yields to ID theft.

Examples of Red Flags that dealerships are likely to encounter include:
  • A consumer's credit report has notice of a credit freeze
  • The customer's address on the credit report does not match his other paperwork
  • Recent and significant increases in the volume of credit inquiries
  • Accounts that have been closed for cause or identified for abuse of account privileges
  • The Social Security number is listed on the death master file
  • Discrepancy between customer's date of birth and the correlating Social Security number range
  •  Locally, two or three Wisconsin addresses have been attributed to more than 500 immigrants applying for driver's licenses.
Dealers who intend to treat the Rule internally must be prepared to create, implement, manage and audit a formal program. The NADA published a comprehensive guide on the Rule, and many CATA allied members provide the service.