HOT TOPICS
2017
MEMBERSHIP
DIRECTORY
127
in-law) can help determine the legitimacy of the customer’s identity. Out-of-wallet questions are available
from electronic identity verification services and are critical for Internet customers whom you will never meet
personally at your dealership store (although it is always a good idea to try to get the customer to come to the
dealership to pick up the vehicle).
The third step requires your ITPP to have measures to take when you identify red flags in customer transactions
but cannot adequately clear them with the customer, such as by the customer providing additional documents or
information such as a passport, Social Security earnings statement, or original utility bills. Out-of-wallet questions
also provide a way to gain comfort with the customer’s identity if red flags are uncovered. Escalate any unresolved
red flags to the Program Manager. In August 2009, a dealer in Colorado was suspicious of a customer and
questioned him during a test drive. The dealer declined to do business with the customer, who was later arrested
in NewYork City for possessing bomb-making materials and charged with planning a terrorist attack in NewYork.
Identity thieves like fast, easy transactions and will often come to a dealership late at night before closing on a
weekend. If they encounter a diligent ITPP and are faced with appropriate questions and requests to document
their identity when red flags are present, many will just leave and go to another dealer who is not as diligent.
For the fourth and final step, you must update your ITPP periodically (but not less often than once per year)
based upon your dealership’s own experiences and new information concerning identity theft from regulators,
law enforcement, and industry experts. An ITPP is a dynamic program and should be re-evaluated continually.
For example, one new wrinkle on identity theft and safeguards involves thieves contacting overnight delivery
couriers to request a change of delivery address for a package containing a customer’s personal deal documents
and misrouting them to the criminal. It is a good practice to instruct any overnight courier service you deal with
not to permit any re-routing of deliveries for packages you send out to customers.
Employees who perform program functions should prepare annual reports to the Program Manager concerning
the ITPP’s effectiveness and make suggestions for improvement. The Program Manager should then use these
reports and other identity theft resources to make an annual report to your Board or senior management detailing
the effectiveness of the ITPP and proposing material changes. Training of employees and strict oversight of ITPP
service providers who have access to your customers’ data are also critical tasks that the Red Flags Rule requires.
Document everything you do and keep copies of all identity-related documents (e.g., the report of the electronic
identity verification service and anything the consumer gives you to prove their identity) in the deal jacket in case
you are audited. Apply your ITPP to every customer unless you know them personally.
As noted above, identity theft fraud to finance autos is on the rise. In 2007, only 4% of reported finance-related
identity theft fraud involved auto financing. In 2008, the figure rose to 22%; in 2009 auto credit identity fraud was
up to 29% of reported incidents. (Source: Identity Theft Resources Center). A government report issued in 2009
found that only 50% of attempted identity fraud in auto finance was detected prior to funding. And new identity
fraud credit accounts increased by over 20% in each of 2010 and 2011. In 2014, the National Insurance Crime
Bureau uncovered an identity theft ring in Detroit that fraudulently leased five cars worth more than $300,000.
The thieves altered the VINs and planned to sell the vehicles to unsuspecting consumers. In addition, many garage
policies no longer cover identity theft losses, or charge a substantial incremental premium to do so.
The FTC Address Discrepancy Rule
The FTC Identity Theft Address Discrepancy Rule (“Address Discrepancy Rule”) is a companion rule to the Red Flags
Rule. It requires users of consumer reports who receive a notice of address discrepancy from a consumer reporting