The Consumer Financial Protection Bureau and the Federal Trade Commission will be knocking at the doors of powersports dealerships and finance providers, to make sure F&I operations comply with federal regulations, such as measures aimed at preventing identity theft, experts said.
“We begin to see audits happen in powersports market extensively,” said Paul Sheldon, regional manager at Protective Asset Protection – a provider of F&I products and solutions.
Among other F&I compliance issues discussed during a webinar called “F&I Compliance: What You Don’t Know CAN Hurt You,” Sheldon emphasized five simple elements necessary to create an Information Security Program, ISP, at dealerships.
The idea is to keep customers’ non-public information (NPI) secure, avoid data breaches and remain compliant with regulations.
This playbook applies to finance providers, as well as dealerships.
An employee must be designated as a compliance officer, to coordinate the company’s ISP program.
“You don’t have to hire someone full time, but you also can’t outsource this,” Sheldon said during the webinar.
Identify any foreseeable risks to customer information.
“Identity theft is climbing, it’s out of control,” Sheldon said. Any customer NPI – social security number, driver’s license, credit report, birth date, phone number or email address – which are not public otherwise, should be locked up, not simply kept in a folder on a desk, he said. Digital documents should be password-protected. “Do not take information home from the dealership, on any kind of device,” said Rich Moore, director of training at Protective Asset Protection. “Especially if you have any peer-to-peer software on your device.” Once the data is entered into a device with P2P software, it immediately becomes available to anyone on the network, Moore explained. “Once it’s out on the internet, it’ll always be there.”
Design and implement a written policy of safeguarding customer information throughout the company. Then conduct audits to monitor its effectiveness.
“Every six months or annually is probably enough to make sure everyone is in compliance,” Sheldon said. The Safeguard Rule, in place by the Federal Trade Commission, requires financial institutions to secure customer records and information. “When you have got your documentation in place and you have designated your compliance officer, if CFPB or FTC come knocking on your door, at least you have got a very dependable compliance process set for you,” Moore said.
Make sure to oversee the compliance policies of your service providers or joint marketers.
“If they are in non-compliance with protecting NPI, you’ll be liable, so make sure the service providers are in compliance,” Sheldon said.
Based on the results of the annual or semiannual audits, implement any adjustments needed.
“Having safeguards in place is not an option, it’s a law,” Sheldon said. “We have seen it imposed on auto business, and we begin to see the same happen in powersports.”
The big takeaway, Moore said, is simply to be attentive. “Really take a look around and see where the leaks might be around NPI. Make sure all of your employees have been through some sort of training and are up to date with compliance changes. Setting up Google Alerts helps too.”