Some dealers who are complying with the federal mandate say they suspect many other dealerships aren't aware of the deadline or won't meet it.
"It's gonna be a huge surprise come November 1," says Tommy Brasher, a Chevrolet and Buick dealer in Weimar, Texas. "I guess the jails will be full of us."
Joking aside, Brasher says he is completing the required plan to fight identity theft. So is John Jomehri, general manager of Metro Honda-Acura in suburban Los Angeles. But Jomehri warns, "I think you are going to have (dealers) who don't care about the rules and regulations."
That attitude could prove costly. The Federal Trade Commission, which is enforcing the "Red Flags Rules," can fine a dealership as much as $2,500 for selling a car or truck to a buyer who uses a false identity. Each subsequent violation carries a fine of as much as $11,000.
The Red Flags Rules — named after the symbol of a warning of possible trouble — are a sequel to the Safeguards Rule, issued by the FTC in 1999. The older regulation aims to prevent the theft of customers' credit data from businesses such as dealerships.
Review credit evaluation procedures; hire vendors and/or use technology to fill gaps.
Appoint one employee to take ownership of Red Flags compliance.
Update security procedures periodically.
Can-doSeveral studies estimate that identity theft costs U.S. businesses and consumers as much as $50 billion a year. A separate figure is not available for auto dealerships.
Paul Metrey, director of regulatory affairs at the National Automobile Dealers Association, said dealerships can comply with the regulation by working with their lawyers.
An NADA guide to help dealers with Red Flags compliance is available at www.nada.org/RedFlags.
The cost of obeying the rule will depend on a dealership's size and complexity, Metrey told Automotive News. "This is not a one-size-fits-all requirement," he said.
Dealer Brasher declined to estimate how much his store will spend to comply with the rule. He says he is working with ADP Dealer Services, which offers dealerships a customer data verification program. Among other things, the program identifies questionable Social Security numbers and addresses.
Metro Honda-Acura will monitor the accounts of all finance customers for red flags, as required by the rule. Metro's new program to combat identity theft also may include vendor accounts. "Dealers have some leeway" about which accounts to include, Jomehri says.
"Once a year we will review" the program, he says. "If something changes, or somebody gets by, we will adjust our rules accordingly."
A dealership should assign an employee familiar with information technology and finance issues to oversee its compliance program, says Jill Frisby, manager of privacy services at Crowe Horwath LLP, an accounting firm that works with dealerships.
"Ownership of the regulation is key," Frisby says.
Bigger is betterLarge dealership groups are better prepared than small stores to deal with the rule, says Brad Davis, executive general manager of Rick Hendrick Imports in Charlotte, N.C. The dealership sells BMW, Mini and Volvo vehicles.
Davis says Hendrick Automotive Group is developing a Red Flags program that will cover the private group's 64 dealerships.
"It's a scary situation for a single-point operator," he says. "I don't think they realize how serious the ramifications of not being on top of it are."
Tom Rudnai, president of Longo Toyota-Scion-Lexus in suburban Los Angeles, says Red Flags compliance will require only a "tightening up of checks and balances" at his dealership. He says Longo has a low incidence of identity fraud because its employees are adept are spotting potential abuses. "By the time you become a sales manager, you have a lot of training and you know how to read credit reports," he says.
DealerTrack Inc. is sponsoring Web- inars aimed at educating dealers about the Red Flags Rules, says Raj Sundaram, the company's senior vice president in charge of dealer solutions. DealerTrack also supplies a checklist of procedures that dealership employees should follow to prevent identity theft, Sundaram says.
NADA's Metrey cautions that even if a dealership buys a compliance package from a vendor, the store is ultimately responsible for its operation.