26 Motivators and the GLBA

More than thirty (30) years ago, I made a list of what motivates people. (I’m not sure why I was motivated to make the motivation list though.) I have no recollection of where these pieces or parts may come from, but here they are:

1. Make money
2. Save money
3. Save time
4. Avoid effort
5. Get more comfortable
6. Achieve greater cleanliness
7. Attain fuller health
8. Escape physical pain
9. Gain praise
10. Be popular
11. Attract someone else
12. Conserve possessions
13. Increase enjoyment
14. Gratify curiosity
15. Protect family
16. Be in style
17. Have or hold beautiful possessions
18. Satisfy appetite
19. Emulate others
20. Avoid trouble
21. Avoid criticism
22. Be individual
23. Protect reputation
24. Take advantage of opportunities
25. Have safety in buying something
26. Make work easier

It’s not a perfect list, but it’s not bad either.

"Nothing happens at a dealership until something is sold."

That’s what pays the bills. It’s easy to see how this list could be parlayed into motivational leverage with the goal of selling something. On the other hand, and on the “other” side from selling, in governing the business, some of these motivators can be utilized to avoid problems, dodge pain, save money, protect your reputation, and avoid trouble. Where the focus is eliminating or avoiding problems, that’s called governance, risk, and compliance (GRC).

Avoiding foreseeable problems (or “preventable risk”) will be the core motivation of this article. At a dealership, a robust GRC program will extinguish issues which are obvious and avoidable. Here’s a summary of the eight (8) steps involved in a dealership GRC program:

1. Identify risks and compliance obligations
2. Prioritize the work by potential catastrophic problems and willful non-compliance penalties
3. Reduce exposure by building a proactive risk transference program
4. Create your internal policies and procedures for risk and compliance
5. Evolve from reactive to proactive to ameliorate your risks
6. Assign responsibilities and accountability
7. Track progress to protect the dealer (personally) and the dealership’s assets
8. Routinely review and audit people, processes, policies, and technology to document and revise compliance and risk protocols

A robust GRC program will translate into action when the dealership brings a keen focus on having a compliance program. Some dealers say they have a strong program, when, in fact, they (sadly) do not.

"For example, do you have a designated compliance person at each store?"

These duties do not have to be a full-time, exclusively focused job. Compliance duties can be a part of an employee’s other responsibilities. If no one is designated as the compliance person at each store, then you really have no program. No one is actually performing the work.

Now is a great opportunity to start your GRC program, as enforcement activity against dealerships is on the upswing by the Federal Trade Commission (FTC) and the state Attorneys General.

In November of 2021, the FTC passed new regulations with which dealers must comply as a part of the Gramm Leach Bliley Act (GLBA), originally effective on May 23, 2003. There were two (2) new deadlines for compliance: January 10, 2022 and December 9, 2022. The December 9 deadline was pushed to June 9, 2023. (The update alone was forty-two (42) pages of three (3) columns of small, eight (8) point type in the Federal Register.) Here’s a brief summary of what you need to know to be compliant on this issue:

About GLBA

The GLBA was born out of the need to protect customers’ Personally Identifiable Information (PII). It is a federal data security rule which requires dealers to keep customer information secure and protected. The original rule added the burden to the dealers of ensuring that affiliates and service provider partners of the dealership safeguard the customer data, as well.
This has translated into these actionable items:

- Locking all doors and access to any place at the store which may have PII
- Disposing and/or securing unfunded deals, pay stubs, tax returns etc.
- Limiting access to computer applications which may house PII

The overabundance of data breaches necessitated an FTC update in 2021.

January 10, 2022 Deadline

By January 10, 2022, the dealership was to:

- Develop a written Information Security Program (ISP) which contains administrative, technical, and physical safeguards “that are appropriate to your size and complexity…and the sensitivity of any customer information at issue.”
- The dealership’s ISP should “base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.”
- Risk Assessments: “You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure…or compromise of such information and reassess the sufficiency of any safeguards in place to control these risks.”
- Test or Monitor: “Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.”
- Oversee Service Providers: Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue. Dealers are required to contract to implement and maintain such safeguards.
- Evaluate and Adjust your ISP in light of:
  - Testing and monitoring
  - Any material changes to your operation
  - The result of your risk assessment
  - Any other circumstances which may have a material impact on your Information Security Program

June 9, 2023 Deadline

Unfortunately, there’s more work to be done:

- The definition of PII has changed to include home address, email address, and cell phone number.
- Your ISP should be written.
- Data containing PII must be encrypted both in transit and at rest.
- The dealership must have a written data retention policy and adhere to it.
- A qualified and designated individual to oversee, implement, and enforce the ISP.
- Limit and monitor who has access to PII.
- Oversee Service Providers (vendors) with written agreements to ensure compliance with protecting the customer data. These must be re-verified at least annually. Dealers are required to monitor and assess these vendors and audit and document the interactions.
- Required Change Management Procedures:
  - Written
  - If someone gets fired or quits, your program can continue through following these procedures.
  - Controlling the lifecycle through procedure standardization to manage the risk and minimize the disruption.
- The Risk Assessment must be in writing and contain:
  - Identified security risks
  - Criteria of existing controls
  - Description of how the risks will be mitigated
  - Some risk is acceptable but must be written as to “why”
  - Must be updated as risks suggest
  - Dealers must periodically perform these assessments
- For information technology (IT) requirements:
  - Must have multi-factor authentication (MFA)
  - Continuous monitoring of IT systems or annual penetration testing and vulnerability assessments conducted at least every six (6) months
  - Anti-virus software
  - Endpoint protection to remotely monitor and update all computers
- Annual employee training for all employees
  - Documented with signed employee acknowledgements
  - Mandatory
  - Everyone must complete training without exceptions
- Written Incident Response Plan
  - How the dealership will respond to a data breach
  - Who has what responsibility and can make decisions
  - Communications inside the store and to third parties

Data encryption is the “biggie” here. All data which contains PII must be encrypted both in transit and at rest. For example, that means when someone is scheduling a service appointment through your website, that data must be encrypted between the scheduler and your service advisors. As another example, the data sitting in your CRM must be encrypted at rest. There’s a lot to work on here. Another example: salesmen can no longer send PII to their manager through email, as typically, it is not encrypted.

The GLBA impacts your relationship with most internet vendors. Consider going to your payables department and have them develop a list of any vendors which have anything to do with email or the internet. Then contact them one by one to see whether or not they are compliant with encrypting their data. There are SaaS software solutions to help keep track of this activity.

"Fines for non-compliance are $50,120 per violation."
The FTC can take an expansive view of what a “violation” is, depending on the circumstances, particularly if there are issues involving multiple customer records.

Data breaches are real and happen every day. Currently, one dealership in northern Virginia is immersed in a class action suit over a data breach. These lawsuits are wildly expensive. Consider that good data security is also a good business practice. Do you really want to call your third (3rd) generation customer and tell him his data is sitting out on the dark web as a result of a breach from your store?

While not part of GLBA, cyber insurance should be a consideration and a part of your GRC program in order to protect your assets. While volumes have been written about these policies, I think it is important to talk about a few niggles. To be diligent about your cyber policy, consider:

- Reading the exclusions. You might be surprised at what you find.
- Is there a sublimit for ransomware, or do you have coverage to the full limits?
- Do you have business interruption coverage resulting from a breach?
- Do you have a “cap” on the number of individuals that the policy will cover?
- Are penalties from regulatory bodies covered by the policy?
- Are “end of life” computers or software covered by the policy?

The overall philosophy with the GLBA (and the rest of your GRC program) here should be:

- Remediate and correct
- Document and report
- Evaluate and revise

If you handle the preventative risk and ameliorate these issues, you can focus on the more positive side of the twenty-six (26) items above, like increasing your enjoyment and making money! And that’s how you can stay on the black side of the ledger!

Cheers!

For more information:

Phone Number: 757-434-7656
Email Address: tomk@bettervantagepoint.com
Website: https://bettervantagepoint.com
Website: https://alwaysdobetter.com/howwehelp
YouTube Channel: https://www.youtube.com/channel/UC-yt ...
LinkedIn Profile: https://www.linkedin.com/in/tompkline/

Why Having an Accessible Dealer Website Matters to You

You have no choice but to care about whether your website is accessible for people with sight impairment because the law tells you that it must be so. If your site is configured well for assistive technology (think website readers that read text out loud or make text larger), then you're good. But say your website is not configured properly, then what happens? Simply put: You are at risk of violating the Americans with Disabilities Act (ADA), and that puts your dealership at risk of a lawsuit.

This article was written by Adam Dennis, Principal at SurgeMetrix and Tom Kline, Lead Consultant and Founder of Better Vantage Point.

The Facts

We like facts. Facts aren't opinions. They don't have feelings. They tell you what's up and, when used properly, inform good decisions.

As we've discussed in previous articles, we've analyzed over 35,000 dealer websites for a variety of performance issues as well as demographic and digital market data to set a context for the industry and individual dealers who want to see how they rank relative to their competitors.

In this article, we are reviewing the Accessibility of a website as per Google's algorithms. Now you might look at the data and conclude it means nothing to you, but the reality is that with Google being the dominant force in the search market and recognized authority of website performance, you can't ignore their conclusions.

So let's look at the facts. Of the 35,444 dealer websites we analyzed, we could not match 5,930 of them due to a range of issues, from configuration problems to software setups that retard Google's ability to analyze certain data about a website.
Consequently, our actual surveyed total was 29,514; a not-too-shabby number all by itself.

When Google ranks a site for its technical Accessibility, it does so on a three-part colored scale out of 100. The sweet spot you want your website to occupy is the 90-100 bracket. This rating is the best and indicates that your website is technically very well constructed, both for people with sight limitations to be able to read it and for people who use assistive technology to be able to understand it.

The other two ranking categories stake out in brilliant clarity those websites that do not perform well in terms of their technical configuration for meeting accessibility requirements. The yellow category covers sites with ratings from 50 to 89/100. This is a nether world where you're meeting some, but not all, of the ADA requirements. The lower you are, the greater the risk.

Finally, if you are in the red zone, you are in potential trouble. Simply put, you are broadcasting to enterprising lawyers that you could be sued. The red zone covers ratings from 0 to 49.

What did we learn?

We found the following results: 1.8% of the websites in the red, a whopping 76.5% in the yellow, and only 21.7% in the green.

That big yellow area was concerning, so we broke that down even further into 10% chunks, giving us 50-59 for the first chunk, 60-69 for the second, and so on. We did this because we still see a risk for dealers in the yellow area, especially if they are in the lower ranges. Here is what we discovered:

Would you want to be in those lower ranges with an Accessibility rating of 68 or 72? I wouldn't; I have faith in opportunistic lawyers. If I were a dealer who wanted to mitigate risk, I would ask my website vendor to improve my performance: at the very least, to the high 80s.

The Risks

According to the Seyfarth law firm, ADA website accessibility lawsuits filed in federal court were up fourteen percent (14%) from 2020 to 2021.
This translates to 2,895 cases, an increase of 372 actions. These numbers do not account for the following:

- Demand letters that were sent and/or settled;
- State court actions; or
- Mobile application lawsuits, which were accounted for differently

Just as there are attorneys specializing in suing dealers in the automotive industry, there are plaintiff lawyers specializing in ADA lawsuits.

The Centers for Disease Control (CDC) cites these statistics:

"Approximately 12 million people 40 years and over in the United States have vision impairment, including 1 million who are blind, 3 million who have vision impairment after correction, and 8 million who have vision impairment due to uncorrected refractive error. As of 2012, 4.2 million Americans aged 40 years and older suffer from uncorrectable vision impairment, out of which 1.02 million are blind; this number is predicted to more than double by 2050 to 8.96 million due to the increasing epidemics of diabetes and other chronic diseases and our rapidly aging U.S. population. Approximately 6.8% of children younger than 18 years in the United States have a diagnosed eye and vision condition. Nearly 3% of children younger than 18 years are blind or visually impaired, defined as having trouble seeing even when wearing glasses or contact lenses."

These are large numbers. Unless you have addressed website ADA accessibility, you open yourself up for exposure to these enterprising lawyers who make a living from ADA-based lawsuits.

As with any compliance topic, "willful non-compliance" opens you to higher settlement numbers, further unknown liabilities, and other unintended consequences. Willful non-compliance is a term we use to describe a situation where a business lacks a robust Governance, Risk, and Compliance (GRC) program. In short, a GRC program follows the outline of what a "prudent business person" would do in a similar situation.
This entails having written (and acknowledged) policies and procedures with your employees, which are then checked by someone performing an audit function. Remember, you manage what you monitor.

Importantly, depending on how the allegations are crafted in the lawsuit, your garage insurance may not cover any of the allegations. If that is the case, settlement indemnities will come from your dealership's bank account.

What To Do

This is a simple one, folks, with just three steps to get you compliant.

Step 1, have the website reviewed for accessibility compliance using a tool such as Google's PageSpeed Insights tool. The tool has an "Accessibility" section that, when selected, will give you the issues that will need to be addressed.

Step 2, once you understand what needs to be fixed, buy a tool to install on your website to help make it ADA compliant very quickly. We really like Userway (www.userway.org) as the interface is simple and clean. Its pricing starts at $490 per year for up to 100,000 website page views per month, to $3,290 per year for up to 10 million page views per month.

Finally, for Step 3, test your website again with PageSpeed Insights to see if you have improved. Our experience is that most dealer websites will quickly go into the green. If not, then ask your web provider to use the PageSpeed Insights data as a guide to improving performance.

It's that simple. Test, buy Userway, install it, test again to validate (and fix anything that remains), and then eliminate this risk. Don't make it easy for the attorneys.

10 + 10 = Exposure

Answer these questions honestly:

- Do you have a Compliance Management System (CMS) and whose responsibility is it?
- When was the last enterprise risk assessment to ensure all personal and dealership assets are protected? (Who has looked at the “big picture?”)
- Who trains the staff about compliance and how often?
- Has anyone ever done an analysis of your insurance policies to determine if there are any holes in your coverage?
- Do you have a process at the dealership to find and fix online consumer complaints?
- Do employees have a channel and mechanism to bring their complaints to the attention of management?
- When was the last update to the Employee Guidebook? Do employees sign a Legal Rights Agreement?
- Are you using arbitration to settle disputes with consumers? (In practice, do you understand why this strategy is highly ineffective?)
- Are you prepared for a local media story? Do your employees know what to do, what to say, or who to direct the reporter to?
- Who audits your websites on a monthly basis to ensure compliance with advertising laws? Who inspects your other advertising?

Does your dealership have work to do? Any one of these issues could cost you a lot of money.

Remember, it’s not how much money you make that’s important. What’s critical is how much money you keep!

Consider the “what if.” What if…this were to happen or that were to happen? How would you handle it?

If those ten (10) didn’t stimulate you enough, here are another ten (10):

- What would you do if a regulator walked into your dealership? Do you have a plan as to how you would handle that situation?
- One very large dealership group with more than eighty (80) stores allowed the Federal Trade Commission (FTC) to survey its customers to ask them about potential dealership wrongdoing. What would be your thinking here? How would you handle that?
- Have you started your work on the new Gramm Leach Bliley regulations? The deadline is December 9. Unfortunately, the new regulations are complicated enough that you cannot simply write a check for an “app” to be compliant. Some of your work will require good ol’ fashioned shoe leather.
- Is anyone tracking how your waste (oil, batteries, tires etc.) is being disposed of, and have you ensured your vendors have the adequate insurance to protect the dealership if it’s not handled properly?
- Do you have a recall policy for your used vehicles? Whether or not the used car is “your brand,” did you know the dealership would likely be liable if a customer were in an accident as the result of an unfixed recall?
- Have you ever checked to see how your IRS 8300 processes are working? Are your cashiers receipting in monies with enough detail for you to track the transactions? (Did you know the fines for non-compliance are up to $3 million and potential jail time?)
- Did you recently inspect your Red Flag compliance? Are your F&I managers just “blowing past” that screen and selling vehicles without paying attention? This is a critical issue which will help in your defense if you are ever taken to court for selling a vehicle to someone with a stolen identity.
- As a dealership, are you sending out Adverse Action Notices in compliance with the Fair Credit Reporting Act (FCRA)? Failure to send these could result in a class action lawsuit to include punitive damages for “willful non-compliance.”
- Are you selling repossessed vehicles or salvage vehicles without disclosing this status?
- Does your staff know how to handle an Office of Foreign Asset Control (OFAC) “hit” on a potential buyer’s credit application? Do you have a procedure in place?

These questions are but a few of the concerns for your dealership when you are thinking about your daily risk. As one dealer friend of mine advises, “Button up!” Another says, “Stop everyone from reaching into your pocket!”

Practice your “what ifs” and prepare! In my experience, it’s not necessarily “if,” but “when!”

Watch the YouTube video here.

Check out Tom Kline's YouTube Channel for relevant information which is at the forefront of sharing preventative measures and insightful actions that you can take today to protect your dealership.

Dealer Insurance Learning
I Hope You'll Learn With Me!

Insurance! (Insert full eyeball roll here.)

An October 2021 survey by Embroker stated that just 22% fully read through their insurance policy, 56% admit to not knowing the cost of their insurance program, 34% carry a cyber policy, 20% admitted to not knowing how their insurance is handled, and 30% allow their policies to renew without making any changes.

Let’s change that starting right now! If you don’t understand your insurance, then reach out to a consultant or your insurance broker and ask for a complete review of your coverage.

Understand what insurance you have, what the limits are, and importantly, what policies you do not have.

Here is a thumbnail:

Garage Policy
This is your main policy, the one you would turn to to cover dealership operations: automobile liability, premises liability, product/completed operations liability, customer’s cars. The type of coverage and the limits matter.

Property
This covers your buildings and business interruption, should you have one.

Worker’s Comp
This policy handles worker injuries on the job.

Dealer’s Open Lot
Your vehicles are covered separately under this policy. This can be covered and included in the Garage policy except in high hazard/catastrophe prone areas.

Cyber
If you have a breach of your data or if the bad guys ransom you.

Pollution
Covers your waste (used oil, antifreeze, tires, batteries etc.) and their disposal. If your waste isn’t handled properly, you can be held personally liable for these problems.

Directors and Officers (D&O)
Would step in for allegations of fraud and wrong-doing which protect the owners, officers, and employees. Directors and officers (D&O) liability insurance protects the personal assets of corporate directors and officers, and their spouses, in the event they are personally sued by employees, vendors, competitors, investors, customers, regulators, or other parties, for actual or alleged wrongful acts in managing a company.

Crime
Employee dishonesty. Theft of corporate assets by an employee of the corporation.

Employment Practices Liability
This policy handles problems which arise with employees, such as discrimination, harassment, wrongful termination etc.

Unusual Options
You can protect yourself from most issues. Here are some more unusual options:

- Product Recall
- Kidnap and Ransom
- Active Assailant/Workplace Violence
- Loss of Franchise
- Communicable Disease Liability
- Computer Systems Failure
- Injunction Risk
- Loss of Key Employee
- Loss of Key Customer

It’s likely if you can think of it, you can insure it.

I try to learn every day and here’s one thing I learned this week: parametric insurance. So, we are going to learn about it and think anew together.

According to the National Association of Insurance Commissioners (NAIC) “the term parametric insurance describes a type of insurance contract that insures a policyholder against the occurrence of a specific event by paying a set amount based on the magnitude of the event, as opposed to the magnitude of the losses in a traditional indemnity policy. An example is a policy that pays $100,000 if an earthquake with magnitude 5.0 or greater occurs. The amount of payment, the parameter, and a third party responsible for verifying that the parameter was triggered must all be specified in the contract. The third party will usually be a government agency, for example earthquake magnitude could be determined by the measurement issued by the National Earthquake Information Center.”

Dealers who have significant weather-related concerns might benefit from this type of coverage. One of the benefits of parametric insurance is that claims are paid more quickly: once the outside entity verifies the event, the insurance company pays, so the monies are deployed and in the hands of the business sooner.

My hope for this article is to get you to consider the importance of your insurance program. I say “program” as there should be a strategy involved and a monitoring and auditing component to it.

Please reach out if I can answer any questions.

How Dealers Should Handle COVID (Co-author Kristina Vaquera)

Another article about COVID-19? Ugh! Snap! And oh, my!

Employers everywhere are tired of having to handle this additional burden to running their business. But, now, more than ever, it’s important to mitigate your risk by being consistent and current in how you handle COVID. Don’t let your guard down now.

In this article, we will limit our discussion to the federal perspective on COVID as each state may have its own rules or requirements.

FACT: The Equal Employment Opportunity Commission (EEOC) says you can mandate employee vaccinations for employees physically entering the workplace based on business necessity subject to reasonable accommodation requirements. In essence, if it is a threat to the safety and well-being of employees and customers, you can require vaccinations. Very few jobs at the dealership may be completed by being isolated by plexiglass or office walls. Most require daily face-to-face customer contact that cannot be eliminated.

FACT: If vaccines are required, employees may claim two (2) accommodations:

- Because of their sincerely held religious beliefs (i.e., Title VII of the Civil Rights Act), or
- Because of their disability (i.e., the Americans with Disabilities Act)

If an employee asserts an accommodation request, call your employment lawyer for more specifics on how to handle the situation. Each case is different based on the facts.

FACT: To protect your employees and customers, ensure you have the latest signage from the Centers for Disease Control (CDC), Occupational Safety and Health Administration (OSHA) and your state safety and health departments. For example, current CDC guidance has different masking requirements depending on whether you are in a low or medium to high-risk transmission area.

FACT: As the employer, you are still required to provide personal protective equipment (PPE) and sanitizing stations.

Outbreaks at the dealership?

If you are having frequent positive COVID situations at the store, you may need to revisit your policies and their efficacy. If you make changes, document what you are doing. Are you required to keep a log of positive cases, or report to your state? Make sure you are doing so if required. If OSHA, or any agency, visits you, they want to know what you are doing to protect everyone. Be diligent here.

FACT: If you sell fleet vehicles to the government, or have a federal contract, then you may be a federal contractor. If so, you must follow federal COVID mandates required by Executive Order. You may also be subject to mandatory vaccine requirements if you have 100 or more employees.

FACT: On September 9th, President Biden signed an Executive Order requiring employees of contractors doing business with the federal government to be vaccinated, which builds off a previously issued Executive Order from July. President Biden also mandated that OSHA develop a rule requiring all businesses with more than 100 employees to ensure their employees are fully vaccinated or require workers who remain unvaccinated to produce a negative test result on at least a weekly basis before coming to work. This mandate also requires employers to provide paid time off for the time it takes workers to get vaccinated or to recover if they are under the weather post-vaccination. It is unknown if employers will have to pay for the cost of testing and/or the time associated with testing.

This situation continues to evolve. Don’t “take on” risk by being lackadaisical when it comes to COVID.

Author's note: The above article is for informational purposes only and does not constitute legal advice and does not create an attorney-client relationship.

Auto Dealers: What’s Your Total Cost of Risk (TCOR)?

Financial statements track how you are doing financially every month. Consider measuring and benchmarking TCOR as a part of your ongoing financial statement process.

What is TCOR and why should you care about your dealership’s Total Cost of Risk (TCOR)?

Business is about keeping the money you make. Your sales and gross profits could be at record highs, but your losses might be, as well. Unless you are tracking TCOR, your money may be walking out the back door because of losses or customer problems. Consider changing the way the dealership accounts for losses at the store (TCOR).

The only way to improve in any area is to measure it and benchmark it. TCOR is a metric used to evaluate your dealership’s internal risk process. Here is how it’s calculated:

Insurance premiums + self-insured losses + losses associated with lower profits and productivity + risk administrative expenses (internal & external) = Total Cost of Risk (TCOR)

Tracking this metric will help you laser focus on which parts of the dealership cost you money. Consider customizing and defining each aspect of the formula to specify the guidelines for your dealership. These guidelines will be different for every owner-operator. It’s important to be consistent in how you establish and execute the accounting at your dealership based on those guidelines. Consistency will produce accurate data leading to meaningful answers.

Here’s an example: Let’s say you sell vehicles to people who have credit challenges (secondary customers). In my experience, if you “spot” them in their vehicles, and then cannot get them financed for whatever reason, they tend to write more negative online reviews. Hopefully, you have a process at the dealership to bring them back in and try to satisfy them in some way.

(If not, start today. Most lawsuits and regulatory problems start with upset customers. In fact, a dealership in Tennessee recently had its license revoked after multiple claims of deceptive acts. Now, the owner has been convicted of twenty-one (21) felony counts. His problems all started with customer complaints. Pro Tip: After you have satisfied the customers’ concerns, ask them to “update” their review. If you ask them to “change” their review, the customers will feel manipulated. Then, it will look like the only reason you helped them was to have them update the online review.)

If you tracked the personnel time and all other expenses associated with these types of issues, you would be able to determine the actual cost of taking care of these customers. This is only one aspect of TCOR. (Please refer to the formula above.) If the dealership accounts for these costs accurately, it means you can no longer hide these losses in “Other Income.” In many dealerships, “Other Income” becomes the “garbage pail” of accounts, where you charge expenses, so the managers who are paid on gross won’t complain about chargebacks.

Using the secondary customer example above, whether or not TCOR is being tracked, we can discuss which policies and procedures can be put into place to stop these types of losses. There are plenty! We will not know the effectiveness of the procedures unless the numbers are tracked accurately.

Recently, I have been hearing dealers espouse a case of the “yets.”

- “I haven’t been sued yet.”
- “I have not heard from a regulator, yet.”
- “We haven’t had any major problems, yet.”

So, I don’t need to track TCOR…

Depending on the accounting controls at the store, the losses may be bigger than you realize. Unless you are measuring these costs, it is unknowable how much money is being poured into issues at your dealership. Do you really know your risk costs? Reputational losses? Customer satisfaction charges?

Please consider tracking and measuring these numbers moving forward. I’ll bet you’ll be glad you did.