The checks are part of Sonic's Red Flags Rule policies. Weeks says Sonic tried making its own manual identity checks before getting the automated system, but the effort wasn't effective. Sonic ranks No. 3 on Automotive News' list of the top 125 U.S. dealership groups with retail sales of 132,136 new vehicles in 2012.
Weeks explained the group's identity check procedures to Automotive News Staff Reporter Jim Henry last week.
Do you check all IDs or just suspicious ones?
We use it in all our stores. We built it into our Red Flags policies and procedures. The way we set it up with RouteOne is anytime there's a finance or lease transaction, when you pull a credit bureau [report], the system automatically pulls an ID check.
Then it's a matter of training, of teaching it in the stores.
How does it work? Does the system scan the driver's license?
We enter the information. It gets entered into RouteOne by the finance manager. We get the information from the credit application. When we request the credit history -- with the name, address, Social [Security number] and date of birth -- then it garners the ID check.
How do you decide what level of security is secure enough?
We customized ours, but there are low-, medium- and high-security scenarios. The difference is when you choose the higher security, they put the information against more flags that are proved in their model. It's like when you choose low, medium or high for your e-mail blocker. If you set it high, you're going to block a lot of good e-mails as well as bad ones. If you set it low, some bad ones may get through. In this case, you could be missing some frauds.
Do individual stores choose their own settings?
We have a standard solution. I am the administrator and I can tweak it depending on the local market and their experience if they've experienced a lot of fraud.
I believe throughout the industry, most stores probably start on a medium strategy. If they find they are missing frauds, they can change over to a high strategy. ... But at Sonic, we control that from a corporate perspective.
How often do you catch someone?
We just stopped one last night. We've been on the program three years, and we prevented 81 bona fide frauds. I keep track of this, and we potentially saved the company, on loans that didn't get made, just shy of $3 million.
So you are liable for the amount if it's fraudulent?
Right. If we put those loans on the books of our lenders, then we may be requested to repurchase those loans. In addition to not having to buy those loans back, that's also $3 million worth of bad loans that didn't get on our lenders' books, which serves to protect our rates, programs, purchase policies, things like that.
RouteOne and other vendors say that if an ID is flagged as suspicious, automated systems prompt questions that only the true identity holder could answer. How often does that happen?
It's right around 11 percent of our deals. I've seen it as high as 15 percent and as low as 8 percent. ... But just typing stuff into a system, there are going to be times when you miskey a name, a Social or the address. That's probably 2 to 3 percent of it right there.
Do cases of genuine fraud have anything in common? For example, are the vehicles involved more likely to be luxury or nonluxury, import or domestic? Is fraud more likely in urban or rural areas?
We have a high concentration of luxury brands, and you might think you would see it in luxury areas in metro markets. But the fact is we see it everywhere. However, it does seem like Southern California is a very, very strong hotbed for us for fraud. At one time or another, probably 35 to 40 percent of our fraud cases come out of Southern California alone.
But, really, it's all brands, all makes, all models, all dollar amounts. It's all over the map. We stopped one in Columbus, Ohio, that was on a 100,000-mile, 10-year-old used car.
Is there a particular kind of fraud you see most often? Straw buyers, perhaps, or maybe fake IDs?
The one we see the most is a true identity thief -- taking over someone's identity. In the last 18 months I would say the one we see the most is a Social [Security number] takeover fraud. The way that usually works is I use all my correct information, except I use somebody else's Social. ... [Thieves] have found a way to start running credit. They get a small credit card or a wireless phone and make payments to start getting some credit history going. It's a real name, a real address, but with someone else's Social.
How do you catch that? I've heard Social Security numbers are coded: If you know the codes, you can tell where someone was born.
For older numbers, that's true, but not any more. There are ways you can tell there's a high probability a Social belongs to somebody else. ... Like you can see when the Social was issued. The one we prevented last night, we got the customer's ID and that said the date of birth was 1973. But the Social was issued in 1960. Obviously, it could never have belonged to this particular person.
Can a trained person tell just by looking?
Red Flags didn't get enforced [by the Federal Trade Commission] until 2010, but we started our program back in 2008 and 2009 when Red Flags was created. It was a manual process. We did training around a few things to look for, but they were manual verifications. ... That takes a lot of time, and it's a manual, arduous task. So the F&I managers didn't really follow it. Certainly, we didn't catch a lot of frauds in 2008 and 2009.
How often do you call the police?
We have called a few times. It depends on the situation. A lot of times they get delayed, and the people leave the dealership, never to come back. Sometimes we call the police and -- I don't know, maybe it's not a priority sometimes -- the police show up two hours later. But we have called the police on several occasions, and a few people have been arrested.