The change of seasons also brings light to the task of updating a dealership’s compliance policies and procedure manual. Some still have not completed the task of creating a manual that is germane to the size and scope of their operation. Some have only one manual at the corporate office and not at every location.
Procrastinating completion of the manual only invites federal audits and business disruptions, plus multiple fines. I have spoken to some who tell me that they have done great at the cash reporting audit, or the Department of Motor Vehicles (DMV) audit, or even the Occupational Safety & Health Administration (OSHA) audit. How will you fare in an audit that encompasses the Safeguards Rule, the Red Flags Rule, the Office of Foreign Asset Control (OFAC) rule, the Disposal Rule, the fair risk-based pricing and privacy notice regulations, in addition to the adverse action notice part of the Equal Credit Opportunity Act (Regulation B)?
All of these regulations require a written risk assessment, written policies and procedures for employees to follow, designated managers to have compliance duties incorporated within job descriptions and annual self-audits to test your policies and procedures.
Only the Facts
Your policies must be reviewed at least annually and be adjusted to reflect any changes in procedures and personnel, in addition to any breaches of security either electronically or physically. Document what happened, how you discovered it, what was done, and the corrective measures taken. I refer to this as an incident report. Do you have an incident report? As Detective Friday on the old Dragnet series used to say, “Only the facts, Mr./Ms. ____.”
Incident reports will be completed if they are only one page and easy to fill out. Make them electronic and place a printed copy in the compliance manual. This will make annual reporting much easier.
The Red Flags Rule and the new Safeguards Rule require an annual report on the performance of the policies and procedures. This report must be signed off by the dealership’s president or CEO and placed into the corporate minutes. Are you doing this?
Many of you reading this article will think, “I have a small dealership; we are running under the federal auditor’s radar. No need to worry. We will get around to doing something about this later.” Does this sound familiar to you?
The problem is that nothing ever gets done. The dealership personnel do not know where to start. The senior managers do not want the expense of having anyone come into the store and complete the documentation.
Then one day, out of the blue, the Federal Trade Commission (FTC) agents arrive on the property and ask to chat with the compliance officer, and no one knows who they are asking for. Customer files are in a wall rack in the finance office or sales manager’s office, and the doors are wide open with no one in the office.
The alphabet group – the FTC, DMV, IRS, FBI, CIA, or NSA – can disrupt your business for months by doing an audit and, if they find something – anything – they invite other agencies to join them. Audits can be spurred by an unhappy customer, by an unhappy employee or by any attorney walking around looking for anyone to sue for the good of humanity.
Think about the times we live in. The environment is ripe for audits, fines and added revenue for the federal government.
The new cybersecurity part of the Safeguards Rule had a deadline of Oct. 31, 2022. Were you prepared? Did you meet this deadline? Do you have your compliance manual updated and the cybersecurity protocols added to the list of compliance issues?
Do you have annual compliance meetings with your employees? These meetings should be documented: What is covered and who was in attendance? Also, the agenda and notes should go into the compliance manual under employee education.
Protect Your Business
Many hands make light work. All the managers have a role in the compliance web. Just as the dealership has a chain of command, so do compliance protocols. We have the employees reporting to their managers or team leaders; the managers/team leaders who report to the general manager or facility compliance officer; and the general manager who reports to the owner or corporate compliance officer.
Take care of the documents in your dealership. What items might be found lying about that can be used to steal anyone’s identity, such as credit applications, copies of driver’s licenses or insurance policy numbers? I have seen credit card numbers written on worksheets used by the sales department in negotiating the figures for a sale. I have seen old employment applications thrown into the trash.
Some dealerships are still using ribbon shredders in lieu of confetti shredders or having a secure recycle box with a shred service coming by to do a mass shredding of files they are no longer required to maintain.
All of these things are huge red flags for any auditor. The goal should never be to strangle business or make things so tight that employees are afraid to breathe and enjoy their job. But start with the minimum and tighten up things as you need to.
The goal is to be respectful of everyone’s non-published information. While doing business, try to do what you can to protect any information exchanged and prevent identity theft from occurring at your place of business.
The key is to document how you are going to achieve that goal. What protocols are you going to put into place? Do all the employees who work with the sensitive information know what you expect from them in protecting the information?
Before you think, “Identity theft cannot occur here,” know that identity theft can and does happen everywhere. Hopefully, not at your place of business.
I am not an attorney, so this article is not meant as legal advice. It is meant solely for educational purposes.