The Privacy Notices Require Dealer-Specific Information Related to The Dealership’s Business Practices

The automotive industry is heavily regulated and faces increased scrutiny, particularly regarding finance and insurance practices.

F&I income is very important to a dealership's profitability. It is critical, though, that a dealership can defend its practices. Heightened scrutiny of potential abusive practices such as payment packing is likely a result of the new Consumer Finance Protection Bureau (CFPB) that was created with the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Although franchised auto dealers who engage in indirect vehicle financing and leasing are exempt from the jurisdiction of the new CFPB, the bureau can create new consumer and financial protection laws with which the automotive industry will ultimately have to comply. This makes it more important than ever to operate in full compliance with state and federal consumer-protection laws.

Think about it this way: Addressing compliance is similar to repairing a car. You can go ahead and deal with the inconvenience now while the cost is minimal, or you can wait until you're forced to do it, risking exorbitant costs. Managing compliance is also like insurance: maintaining it is far less costly than being caught without it. To be prepared, you should be asking the following questions:

  • What issues and regulations should I focus on now?
  • What are some practical steps for protecting my dealership?
  • What potential issues and regulations are looming?

Where to Focus Now

Maintaining the right balance between meeting compliance requirements and running a profitable business can be difficult. It's important to know where your focus should be right now. Here are some key regulations you should be actively addressing in order to limit your exposure:

  • On January 1, 2011, the Risk-based Pricing Rule took effect. It requires dealers who use credit reports to provide a notice to consumers when they are granted materially less favorable terms than other consumers, based on data included in their credit report. Dealerships have two options to comply:
    • Provide a Risk-based Pricing Notice to consumers who apply for financing and, based on their credit report, the financing rate is less favorable than the financing rate of a substantial proportion of the dealer's customers OR
    • Provide an Exception Notice/Credit Score Disclosure to every consumer who applies for credit. Most dealers use the Exception Notice as it is easier to implement.
  • The Red Flags Rule requires dealers to implement a written theft prevention program for identifying and confirming the true identity of people with whom they conduct business. The effective enforcement date was January 1, 2011.
  • The Federal Trade Commission (FTC) Address Discrepancy Rule requires that creditors confirm the identity of consumers when the address provided by the consumer conflicts with the address in the consumer credit report. Dealers must also have a reasonable belief that the consumer report belongs to that particular consumer.
  • The USA Patriot Act requires dealers to screen all consumers, prior to any sale, against the Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, and money launderers. Every customer, cash or credit, must be checked against the list.
  • The Equal Credit Opportunity Act (ECOA) and Fair Credit Reporting Act (FCRA) require dealers to provide the consumer with a notification of adverse action when credit is denied, even when the financial institution sends a separate credit denial notification.
  • The Fair and Accurate Credit Transactions (FACT) Act amends existing regulations governing how consumer credit data must be handled. Among other things, it requires dealers to take measures to ensure they are actually dealing with the person seeking credit in situations where an extended fraud alert is placed on the consumer's credit report.
  • The FTC Credit Practices Rule requires dealers to provide a written notice to potential co-signers about their liability if the other person fails to pay, prohibits late charges in some situations, and prohibits creditors from using certain contract provisions the government has found to be unfair to consumers.
  • The Truth in Lending Act (TILA) requires dealers to provide written disclosure of important terms of the credit agreement, such as APR, total finance charges, monthly payment amount, payment due dates, total amount being financed, length of the credit agreement, and any charges for late payment. Historically, state attorneys general did not have the authority to enforce TILA. Now, since the Omnibus Appropriations Act of 2009, they can. Any dealer who uses retail installment sale contracts and consumer lease contracts is affected. Dealers should rely upon document vendors that routinely legally review these documents as dealers may incur liability should the documents be in error.

Gramm-Leach-Bliley (GLB) Privacy Act

  • The Safeguards Rule requires businesses to develop and implement processes to protect consumer information from the risk of fraud and identity theft and to confirm that vendors with whom they do business are doing the same.
  • The Privacy Rule requires dealers to give their customers privacy notices and provide opt-out procedures regarding the collection, use, and sharing of personal information.

In light of these regulations, what are some practical steps you can take to protect your business?

Steps for Reducing Risk

Addressing these regulations isn't necessarily expensive. Much of this compliance effort can be addressed in-house. Believe it or not, government agencies and the courts will be far more lenient if you make some modest effort to comply with these legal demands. Here are some practical ways to address some of the challenges you face today:

  • Support national and state dealer associations and other industry groups that are lobbying against harsh legislation.
  • Take advantage of free sources of compliance information and support, such as NADA, state dealer associations, government sources (FTC, FRB, state attorneys general, state DMVs) and their websites.
  • Designate a compliance officer on your staff (perhaps the F&I director or controller) and use a consultant to review your dealership policies and practices. It is now a legal requirement to have a compliance officer.
  • Have the designated person become AFIP-certified (Association of Finance and Insurance Professionals).
  • Make sure employees understand what practices are illegal by regularly auditing processes and conducting compliance training.
  • Implement a standard process for all deals. Use legally-reviewed and drafted documents which incorporate the current laws. Software solutions can help ensure these legally compliant documents are properly populated and taxes and fees are calculated correctly. They can also catch mistakes and missing pieces of information that could cause problems down the road. Software can help with your compliance burden by automating tasks so you can stay focused on managing your business.
  • Rely on reputable vendors that can substantiate their due diligence regarding compliance.
  • Always have a permissible purpose to pull a credit report. Most credit applications contain language where the customer agrees you can access their credit report.
  • Make sure your Privacy Notices have been updated to comply with the most recent requirements of the GLB Act. New requirements regarding language and format were effective January 1, 2011.

The Privacy Notices require dealer-specific information related to the dealership's business practices and organization to be printed on them. The type of privacy notice depends on the complexity of the dealer's business requirements and organizational structure. Rules are pretty stringent. You will most likely need legal counsel to determine what will be sufficient for your business in order to obtain safe harbor status.

The Government offers an online Forms Builder via their website:

  • Run an OFAC check on every customer. If a positive match is found, follow steps outlined on OFAC's website to determine if the match is valid. Software solutions are available for automating this process and assisting with due diligence.
  • Have a written Red Flags program in place. Keep in mind that your program should consider activities and patterns that indicate the possible existence of identity theft. Put procedures in place to detect, evaluate, and respond to Red Flags. Periodically update the program for changes in risk to customers that are detected during your dealership's daily experience and for new identity theft activity of which you become aware. A number of software solutions are available to help quickly and effectively confirm a customer's identity to minimize fraud-related losses. Dealers who are victims of identity theft are often forced to repurchase the contract from the lender and will not recover the full vehicle value.
  • Provide all customers with a Credit Score Disclosure Notice to ensure compliance with the Risk-based Pricing Rule. Most providers of credit reports automatically include this with the credit report. The Credit Score Disclosure must be delivered prior to the consummation of the credit transaction.
  • Look for conditions that would require an adverse action notice. If you take a customer's credit application but cannot find a lender who will accept the original terms of the deal at a minimum at face value, or you decide not to send the credit application to a lender because the credit score is below the threshold of the lenders you do business with, you need to provide that customer with an adverse action notice. The same is true when you spot-deliver a vehicle and no funding source will accept the original terms of the deal or your customer rejects a counter-offer. Put procedures in place to ensure letters are sent out in a timely manner and records are maintained for the required amount of time. Also, ensure you are using the latest Adverse Action notices. New disclosure requirements were imposed by the Dodd-Frank Act effective July 21, 2011.
  • Create and implement an information security program. Make sure unique user names and passwords are in place and change them regularly. Consider both physical and system access security. Limit customer information access to individuals who need it in the conduct of business.
  • Follow record retention rules for various deal documents. To reduce the possibility of data theft, avoid storing customer information (both hard copy and electronic) longer than necessary.
  • Have a defensible payment quoting method such as using the same rate for the same class of buyers (new/used and prime/nonprime).
  • Discuss all products with each and every consumer. The use of an electronic menu can help with controlling the pricing of products, disclaimers, and documenting the process you followed. Establish standard pricing for your F&I products and require a signed menu for the final transaction.
  • Review deal documents and forms periodically to ensure they continue to meet the requirements of the law regarding mandated formats and disclosures.
  • Address complaints promptly with a dedicated telephone line.

An Uncertain New Age in Dealer Regulation

Dodd-Frank Act

In July 2010, this act became law. The Act creates a new federal bureau as of July 21, 2011: the Consumer Finance Protection Bureau (CFPB), with vast powers which could reshape how dealers transact vehicle sales and leases. In addition to these directives in the Act, which the CFPB must now enforce, the CFPB will also promulgate new rules which it and state authorities will see are observed. The CFPB will be larger and more powerful than the FTC. State attorneys general will be working in concert with the CFPB.

Although franchise dealers are, in theory, exempted from the direct application of the CFPB, the many partners on which dealers rely, such as banks, must subscribe to these new legal strictures. So, dealers will indirectly feel the brunt of these new legal obligations.

Failure to observe these new regulations will result in truly draconian penalties. These penalties range from $5,000 per day per violation up to $1,000,000 per day per violation.

The developments to come from the CFPB should be of concern for every type of dealer in the country.


The Dodd-Frank Act has empowered the Consumer Finance Protection Bureau to ban the use of arbitration agreements in consumer transactions. Or, the CFPB may decide to simply control how arbitration is applied. The CFPB must study this issue first before issuing its new regulations.

Federal Trade Commission

The FTC now has authority to issue rules prohibiting unfair and deceptive acts and practices concerning dealers. It may use a simpler procedure for this effort, the Administrative Procedure Act, as opposed to its previous procedures which were more involved. The FTC has hosted a series of roundtable meetings around the country to collect data for these new rule-making activities. Spot delivery has now become a major focus of the FTC.

The result could be increased potential liability for dealers and more regulatory challenges.


Thousands of lawsuits are filed every year against car dealers. The original complaint of the consumer, which became the basis of these legal actions, averaged just $3,000 but often ended up costing 20 to 30 times that amount in legal fees. The importance of recognizing and reducing risk is evident, and for the sake of your business, compliance is an absolute necessity.

Keep in mind that complying with the law is not an overwhelming challenge. If you haven't done so yet, make your repairs now. Don't wait and risk your business with penalties, fines, and legal challenges. The fact that the economy is difficult will not prevent lawsuits or enforcement actions. More than likely, they will increase. Regulators and consumer attorneys are not sympathetic to the plight of automotive dealers in these difficult times. But complying with these requirements can be done effectively with modest expense if you are aware of the issues.