ComplianceCommentary & Insights

Let The Government Be Your Customer Service Department!

Three super-large dealership groups are trying it! Here’s how it’s going for them so far…

Carvana lost the ability to transact in Illinois according to Automotive News (May 16, 2022) because, “The Secretary of State's police department opened an investigation into consumer complaints about Carvana in February, (Henry) Haupt told Automotive News. The investigation spans about 90 signed complaints, Haupt said. He said he couldn't provide an exact date as to when Carvana might see the suspension lifted.”

According to a press release from the Texas Attorney General’s Office: “Texas Attorney General Ken Paxton filed a deceptive trade practices lawsuit against the online used vehicle dealer Vroom Automotive LLC and Vroom Inc., which also sells cars to Texas consumers under the name Texas Direct Auto. The lawsuit alleges that Vroom has misrepresented and failed to disclose significant delays in transferring clear title and obtaining vehicle registrations, burdening thousands of consumers. The State also alleges that Vroom has misrepresented and failed to disclose vehicle history and condition and terms of financing and approval—all violations of the Texas Deceptive Trade Practices Consumer Protection Act. According to the lawsuit, Vroom has not managed its growth effectively, leading to inadequate systems and procedures that have harmed Texas consumers. Over the last three years, consumers have filed over 5,000 complaints with both the Better Business Bureau and the Office of the Attorney General against Vroom and Texas Direct Auto.”

According to the Federal Trade Commission’s (FTC) Press Release dated April 1, 2022: “The Federal Trade Commission and the State of Illinois are taking action against Napleton, a large, multistate auto dealer group based in Illinois, for sneaking illegal junk fees for unwanted “add-ons” onto customers’ bills and for discriminating against Black consumers by charging them more for financing.
Napleton will pay $10 million to settle the lawsuit brought by the FTC and the State of Illinois, a record-setting monetary judgment for an FTC auto lending case… A survey cited in the complaint showed that 83 percent of buyers from the dealerships were charged junk fees for add-ons without authorization or as a result of deception. One consumer cited in the complaint reported that the dealership located in Arlington Heights, Ill., charged him for nearly $4,000 in add-on fees after he’d paid a similar amount in down payment.”

So, from the outside looking in, it appears these three (3) organizations do not have procedures in place to handle their customer queries, issues, and problems. So, by default, by attrition, or by apathy, they are ceding control and allowing the regulators to fine them and suspend them, thereby driving the dealerships to manage their own business affairs. (Good pun, right?)

In the Napleton matter, a staggering 83 percent of buyers said Napleton took advantage of them. Let’s examine that statistic even further. In order to gather the information about the 83 percent, Napleton had to allow the FTC to have access to its customer files. The FTC must have had quite a lot of leverage for Napleton to agree to give them that access. Further, 83 percent cannot be simply “miscommunications” or “misunderstandings.” It’s an astonishing number which cannot be explained away.

Let’s keep this simple: Handle your customers or the government will.
Six (6) Perspectives On The New GLB Safeguard Regulations

The new Gramm-Leach-Bliley Act (GLBA) regulations aren’t going away and become effective on December 9, 2022. You don’t have to agree, but you do have to comply. If you haven’t started already, it’s time to begin the work of parsing out how you will respond. I’ve asked various industry experts to chime in on how you should focus your efforts. Here’s what they had to say:

Atul Patel, CEO, Orbee

“Occasionally you get a nudge to rethink what you’re doing. While it might feel like it’s more an elbow to the ribs, the FTC Safeguard Rule that is part of the Gramm-Leach-Bliley bill is forcing auto dealerships to take their customer’s data security seriously. We find this to be the biggest opportunity for dealerships to take back control over your data that is created on your properties, from your media investments, by your customers. When your shoppers give you their Personal Identifiable Information (PII), they believe it was to you. But what is more likely is that it was to a third-party such as a trade-in tool, credit form, chat, and so on. We restructure the way data is created, stored, and activated. This offers the clearest path to Safeguard Rule compliance while benefiting your customer experience.”

Jim Lawrence, COO, Sensitive Data Protect, LLC

“There are 5 steps dealers should take to establish a good-faith compliance effort to address general cybersecurity, the FTC's Safeguard Rules, the ongoing battle against "phishing," and ransomware attack prevention:

- Perform cybersecurity testing to find gaps in consumer facing IT infrastructure and behind your firewall.
- Establish the policies and procedures and trainings to address the gaps and evaluate the investment options for ongoing IT security preventative measures. Make sure to review the difference between a "bundled" approach to cybersecurity versus a piecemeal, single-point solution.
- Partner with an experienced automotive service provider who knows where the sensitive consumer data hides on your DMS and the third party software applications that share your client and prospect database. NOTE: Dealers are now responsible for their customer data. Their liability doesn't stop at the edge of their lot, it now stretches out to your third party dealer service providers.
- Approach your cybersecurity insurance provider about all this "Good-faith Compliance Effort" because they value and reward dealers with lower premiums and deductibles who attend to the needs of their cybersecurity in a "bundled" more comprehensive way.
- SPECIAL STEP: If you're in the buy/sell due diligence process or even considering it, show your dealership's ability to protect its operational and sales value other dealers can't with the documentation of your good faith cybersecurity effort.”

Michael Tuno, President, ARMD Resource Group, LLC

“In October of 2021, the FTC updated the 2003 Safeguards Rule to reflect the sign of the times. While the industry is buzzing about this update as if it is something new, it simply is a rule that is reflecting the current state of the industry and the ever-growing risk to dealers with protecting customer’s information, both paper and digital. The term “qualified” has been added to describe the seemingly elusive role in a dealership of a “CCO”. The need to document all the digital audits and deploy the risk mitigation steps like multifactor authentication etc. have been added. An incident response plan to document the dealer’s plan to deal with a breach has been added. Vendor risk management continues to be a critical task, even since the 2003 days. The FTC is going to hold third parties responsible for any customer information in a more stringent light. At the end of the day, on December 9, 2022, dealers are advised to document all these updates to the Safeguards Rule. If it isn’t documented, it didn’t happen!
At $43,792 per day per violation, not to mention UDAAP or UDAP, (especially if you are using the FTC boilerplate privacy policy at your store), it can get very expensive very quickly if this law’s requirements aren’t met. Déjà vu!”

Hao Nguyen, General Counsel, ComplyAuto

“What we've seen is that the revised federal Gramm-Leach-Bliley Act's Safeguards Rule ("Revised Rule") continues to confuse dealerships across the country on how to exactly fulfill these new obligations. Many folks are talking about it -- their attorneys, state and national trade associations, and other dealers -- but none of them provide a cost-effective solution to meet the dealers' needs.

We work closely with a dealership's IT company or third-party managed service provider ("MSP") as two halves to a pair of scissors to get the dealership fully compliant with the Revised Rule. We help create required documentation (the Information Security Program and all of the required plans that go with it), provide employee security awareness training, execute phishing simulations on employee emails, perform penetration testing and vulnerability scanning as well as risk assessments at the dealership, and help manage vendor requirements in signing Data Processing Agreements and completing vendor risk assessments. Not only will this help fulfill the Revised Rule but also potentially affect cybersecurity premiums. If your clients have not experienced it yet, dealerships across the country tell us that their quoted premiums have increased two to three hundred percent for this year. Implementing our services to bolster your data protection and cybersecurity protocols will go a long way in showing them that you place a priority on data security and will possibly reduce your cybersecurity premiums (or get coverage in the first place).”

John Acosta, CEO, Vtech Dealer IT

“Compliance is like a marathon. Come the end of the year, you want to be on mile 22 rather than mile 3 of the race.
Some of the GLBA compliance requirements are major systems upgrades that take time to set up properly. Start planning now.”

Of course, he’s right. Here are other GLBA considerations:

- Is all of your customer data encrypted?
- Do you have endpoint protection throughout the dealership?
- Do you have a data retention policy in place?
- Have you implemented multi-factor authentication (MFA)?
- Do you have a written “incident response plan?”
- Have you completed cyber training for all employees?

…and there’s more…

To practice optimal risk mitigation here, begin by figuring out where your biggest areas of vulnerability are and build out your program from there.

Feel free to reach out to any of these folks (including me) if we can answer any questions. We are happy to receive your call. Cheers!
Do You Understand the Components of Your Garage Insurance Policy?

Flavor: Something we crave in our daily routine. Try this flavor-filled description: “There’s a sense of cornmeal next to sawdust, oily vanilla, and a hint of fresh honey sweetness that entices your senses. It takes on a caramel corn sweetness as the vanilla carries you towards sweeter woods and cherry fruits. The end is short and sweet with a distant wisp of orange oils next to a slight minerality.”

Recently, I found this depiction in an online article on Uproxx. Do you know what’s being described? (You’ll have to read the whole article or skip to the bottom for the answer.) With an increase in the complexity of flavors, I would proffer that you discover more appreciation of the product through the layers of taste. And so it is with your garage insurance policy. The more you understand it, the more you will appreciate it and have the taste for it.

I recently studied a garage insurance policy for a client. (Try not to be jealous.) I found 107 items in the policy which were questionable and needed further investigation as they were important for the dealer. As it turned out, at least 26 were actionable. My initial review drove the premium down from $109,641 to $81,511. Based on that audit, here are eight (8) select items for you to consider:

- What is the total value of your land + building + used vehicle inventory (not floor planned) + parts + blue sky? Your liability umbrella should exceed that total number or the business is underinsured in the case of a catastrophic accident.
- Do you have enough employee crime coverage to satisfy a claim resulting from someone stealing a vehicle?
- Do you have an aggregate over your vehicle weather deductible to act as a “stop loss” in the event of a large loss? (For example, if you have a $1000 deductible and 600 vehicles are damaged, you are out of pocket $600,000. If you had a $250,000 aggregate, you would write a check for the $250,000 and not the $600,000.)
- Have you compared your vehicle physical damage coverage limits to your actual inventory to determine if you should adjust the policy up or down?
- Did you know this exclusion is in most policies? “Loss caused by an ‘employee’ if the ‘employee’ had also committed ‘theft’ or any other dishonest act prior to the effective date of this insurance and you or any of your partners, ‘members’, ‘managers’, officers, directors or trustees, not in collusion with the ‘employee’, learned of such ‘theft’ or dishonest act prior to the Policy Period shown in the Declarations.”
- How much are you paying for Med Pay coverage? Isn’t it duplicative of your basic liability coverage? If you eliminate the coverage, how much money could you save?
- Are you paying an extra premium for higher limits on your uninsured and underinsured drivers policy (than you are legally obligated by your state) to pay? How much will this save you? Also, have you considered a separate, higher limit to protect the owners?
- Are you accurately self-reporting the number of dealer tags?

Getting the flavor here? Make it a priority to review your policy with someone knowledgeable who will go through it and explain everything to you. While it may be distasteful upfront, you’ll be glad you did while gaining an understanding of what provisions the policy contains.

And, it’s not ice cream that was being described above. It was bourbon!
Are Dealers Ready for “Telematics Right to Repair?”

"Right to Repair" Significantly Expanded

In the November 2020 election, voters in the Commonwealth of Massachusetts passed a ballot initiative, Question 1, by an overwhelming margin (75% approved). Question 1 requires that OEMs make diagnostic data collected remotely -- through OEM telematics systems -- available to individual vehicle owners and to independent repair shops.

The 2020 initiative expands on a "Right to Repair" initiative passed in 2013. The original initiative required OEMs to make diagnostic and repair data available to individual owners or independent repair shops. In 2013, this meant that OEMs had to provide data access to diagnostic repair tools. In 2020, this requirement was expanded to include data collected remotely through telematics systems from vehicles that are on the road.

The original "Right to Repair" was also first passed in Massachusetts, but in 2014, the Alliance of Auto Manufacturers signed a memorandum of understanding to support implementation in all 50 States and the District of Columbia. This move pre-empted "Right to Repair" initiatives in several other States that were similar to the one in Massachusetts.

With the "Telematics Right to Repair" initiative of 2020, however, the Alliance is challenging the expansion of Right to Repair into data collected through telematics systems. The trial began on June 15 and is ongoing. If the Telematics expansion is allowed to proceed, however, dealers should be thinking about the implications to their service business, because this expansion might be much more significant than it at first appears.

"Right to Repair" and the Connected Car

On the surface, expansion of “Right to Repair” to include telematics may not seem like a big difference. But the difference has the potential to be enormous for service retention, which is why independent repair shops and service chains fought so hard for the Massachusetts initiative.
With this change, customers will be enticed to set up an ongoing remote connection to their service provider of choice, putting that provider in the best position to capture and retain that customer.

Once this system is in place, a visit to the local quick lube shop, tire store, or parts store will change. As the customer wraps up an oil change, for example, the attendant will ask the customer to authorize the shop to monitor the vehicle’s diagnostics. This will allow the shop to see when the vehicle is in need of its next service and send out a text or email with a perfectly timed service reminder. Well-run shops will eventually analyze their base of connected customers to determine the optimal time to bring them in – both when the vehicle needs service and when the shop has available capacity. Service shops and chains that do this well will cement a closer relationship with their customers and increase repeat service loyalty.

Alternatively, customers may choose to authorize an intermediate service “broker” to monitor their diagnostics and manage their vehicle’s maintenance. The broker will then be in a position to act as the customer’s trusted advisor, and will route service jobs to the most competitive service provider.

Dealers Should Prepare Now

The independent shops and service chains in Massachusetts clearly hope to use this new initiative to gain business from franchised dealers (or prevent current business from being lost to dealers). In order to maintain and grow the dealers' share of the non-warranty repair and maintenance business, dealers will have to make excellent use of the telematics systems installed by their manufacturers.

Dealers start with a key advantage, which is the opportunity to start a connected service relationship with the customer from the moment the new or used vehicle is delivered. But not all dealers today do a great job activating these systems, and activation for some OEMs is very inconsistent.
Dealers must be sure to activate OEM-provided systems and secure customer consent to share service and maintenance data. Dealers then have to do a great job of managing data notifications to quickly schedule customers for any needed service work. Dealers may also want to take advantage of aftermarket systems for their older inventory that lacks OEM-provided telematics. A service like Spireon’s Lojack is a good example of an effective aftermarket system. Dealers will have a very brief head start to fine-tune their use of connected car service notifications, and they will need to take full advantage. If you are a dealer considering connected service and service retention opportunities, please reach out to motormindz to hear more about how to “get” Connected.  
Dealer Risk Mitigation: Expectations & The Fountain of Youth

My buddy, Tom, recently visited St. Augustine, Florida and he was kind enough to bring us souvenirs. No, my fiancée and I didn’t get t-shirts. We got something a heck of a lot better than that! We were gifted tiny tourist miracles from Ponce de Leon’s THE FOUNTAIN OF YOUTH! In personalized bottles! That’s life-changing, right? Well, I thought it was awesome until I flipped over the bottle and discovered it was “Made in China.” WAIT, WHAT? Then, we were sad. Our hopes and expectations of eternal youth – dashed.

This was a kitschy, little reminder that things don’t always turn out as you want them to or as advertised. Sometimes things turn out worse than you thought and sometimes, though not as often, they turn out better.

And so, when you get a regulatory letter saying the dealership has made customer or advertising mistakes requiring immediate correction, often your expectations start with dread and large dollar signs. That eventuality could happen. However, with proper care and diligence, you can settle the issue(s) quickly. Most often, these regulatory issues start one of three ways:

- A customer problem
- An employee issue
- Advertising violation(s)

Be vigilant on these three (3) issues. They should be front and center in keeping you out of trouble. There are plenty of risk mitigation strategies to prevent problems, covered in a subsequent article. Risk mitigation is an ongoing, everyday practice that requires continuous improvement activity.

So, when you receive a letter, administrative action, lawsuit, subpoena, or a formal request for documents, from a regulator, read the paperwork with great care. Sometimes the magic is in the wording of the allegations. Please read it and set it aside for the moment.

Building the Story

Next, research the problem. Interview the parties involved. Take clear notes as the nuance of the story matters. If the alleged violation is customer or advertising-based, pull the file and review it carefully.
Do all of the signatures in the file look consistent? Or may someone have forged a signature? Build the story of what actually happened by reconstructing the detail, step by step, and commit to recording this for yourself to have a chronological record of what happened. Be sure to include direct quotes from the witnesses in your chronology.

Now, refer back to the original allegations to determine what holes are left in the story. Try to unearth the details relating to those holes. Re-interview as needed. Taking good notes is critical!

Effective Risk Mitigation

Contact your risk mitigation expert and determine if the charge could be covered by your insurance policy. Consider this carefully. Depending on the dollars involved and the nature of the complaint, insurance company adjustors can make the matter more complex and time-consuming. This is an expansive question, so this will be a future article, as well.

Most “complaints” have deadlines. Just be aware of this and ensure you are responding promptly. At this point, I advocate contacting the regulator directly and having a friendly chat. Find out what he/she is looking for. If the problem was related to a consumer or employee, resolving it may be as simple as satisfying their concerns. If it is advertising-related, I can assure you it won’t be that simple.

During that call, be positive, be professional, and assure him/her that you want to resolve the issue. Ask for permission to ask questions. Grab your chronology and ask questions to try to fill in the gaps where the allegations do not make any sense. Go slowly and listen carefully as the regulator may or may not have the correct information.

If the regulator has bad information where you can prove the allegation is incorrect, gently offer up one or two incongruous tidbits at that time. Depending on the rapport you have built, you can offer a third, though I would not offer more than that on a first call.
The purpose here is to sow doubt about the veracity of the complaint. Don’t overdo it.

The most critical question you should ask is if you can reach out to the upset person(s) and try to satisfy their concerns directly. Most of the time, the answer to this question is a resounding “yes.” It’s important to ask the question. It shows respect and deference.

Then, agree on a time frame when you will get back with the regulator. Keep him/her posted on your progress. It’s better to over-communicate than under-communicate.

Solving the Issue

By now, I am sure you are asking yourself, “When is he going to talk about getting the lawyer involved?” The attorney may not be necessary. This is a fact-specific question and I cannot generalize to give guidance on this.

Then, satisfy the aggrieved parties’ concerns. However much it costs to fix the problem, I promise it will be less than letting the regulator devise a solution. Ask them to sign a Release of Claims, which should include language like this: “Customer acknowledges that he is COMPLETELY SATISFIED with ____________ (dealership) and with the resolution of his concerns.”

Then, call your regulatory contact again and walk him/her through the dynamics of what happened with the upset person(s). Explain how you resolved the concerns. If a lack of proper business practices caused the problem, it’s usually okay to acknowledge it. Thank the regulator, and, if appropriate, let him know you will change your practices, so this doesn’t happen again. (Use a lot of discretion here as this may not be necessary, and you do not want to create a problem where there isn’t one.) Provide the written document to your contact so he can close his file. Phew! Great work!

Conclusion

Hopefully, your expectations of dread, gloom, and doom did not come to pass. What did you learn? Is it time to change your risk mitigation strategies?
If this was stressful for you, consider taking the time to install new policies and procedures to prevent these problems before they occur. You can reduce your anticipated stress level for future problems by hiring someone who can help with these difficult situations.

Temper your expectations through continuous improvement activity. Risk mitigation is not a one-time thing but is an ongoing practice. It reduces the chances of regulatory interference and catastrophic losses. Consider changing your business processes to accommodate these loss prevention techniques. Then, I’ll meet you in St. Augustine, where we can sip Chinese water from the Fountain of Youth.
Harmful Dealership Advertising: The Lollipop 1 Model

Would you ever give a little child a lollipop and then take it back? Outrageous, right? This causes upset, hurt feelings, destroys trust, and creates anger.

You create this same dynamic with customers when you advertise deceptively, whether it is intentional or not. In these cases, consumer protection laws often triple damages and will require you to pay for the customer's attorney's fees when the lawsuit is filed. This means a $50,000 vehicle could easily climb to a $150,000+ resolution. I've seen it, and it happens. It's ugly.

Here is a recent tale of woe. My fiancée and I were looking for a luxury SUV for her. We narrowed it down to one sleek model, which we will hereinafter call the Lollipop 1 Model. (This is to protect the guilty.) The payment on the web advertisement on the dealer's website clearly showed $679/month for 36 months for this particular vehicle. So that we don't get too deep into the weeds, I will focus on this issue only, although other advertising trigger terms were problematic.

I called the dealership and identified myself as an automotive compliance consultant and I was interested in the Lollipop 1 for $679/month. Could I buy the one advertised on the website for $679? After some back and forth, Katherine in the DBC dictated that I could NOT buy this one, but they could GET me one for $679 with less equipment on it (aka a "base model.") Further, they did not have one in stock, and I would have to "factory order" it. This was definitely not mentioned in the original ad disclaimer. I pushed back and said the website asserted I could buy THIS one for $679/month. The DBC rep said that she would get back to me on Monday. Unsurprisingly, she did not call me back. No one likes to deal with a "problem."

On Thursday of that week, I emailed once again and then called the GM, the owner's son. (Let's call him "Austin.") Austin said that he had checked with their lawyer. Hold on, there Austin, your lawyer?
As a dealer, why would you call your lawyer on such a simple issue... Okay, what did the lawyer say? Austin reported the lawyer (allegedly) said that the ad was "okay" because it was being pushed by the manufacturer and the dealer could sell us a Lollipop 1 for the $679 (the base model).

Let's break this down: Even if the disclaimer had said the $679 was for the base model of the Lollipop 1, and even if it had clearly stated the sale would be a factory order, it is still a bait and switch advertising violation and triggers Unfair and Deceptive Acts & Practices (UDAP) laws. As a dealer, you cannot show pictures of one vehicle and then disclaim your way out of it. That is false advertising.

A few days later, this dealer changed their websites. I understand factory special lease terms change at the beginning of the month. Got it. The original stock number I had looked at was gone, and a substantially similar vehicle had popped up with a payment of $689 for 36 months with the other terms being the same. Weeks later, the second vehicle lease deal morphed into a significantly higher payment of $1086.25.

The manufacturers' disclaimer read, "Monthly lease payment based on MSRP of $61,795 and destination charges less a suggested dealer contribution resulting in a capitalized cost of $54,989. Excludes tax, title, license, options, and dealer fees." So, the Lollipop 1 payment of $689 comes "plus options."

There are at least three (3) problems here:

- First, the dealer showed photos (though factory photos) of a vehicle that a consumer could not purchase for the advertised amount.
- Second, the manufacturer was pairing this disclaimer language with all of the dealer's inventory as it "pushes" that language to the dealers' website.
- Third, nothing was mentioned about the factory ordering.

It's false advertising through and through, no matter how you look at it. Someone at your dealership or a responsible professional third party (but not someone in the sales department!)
should be monitoring your website on a monthly basis, without deviation. If not, you will find surprises on your desks from either lawyers or regulators when this occurs.

Austin's dealership has a good reputation. They are professional and courteous and owned by a lawyer. However, the fact remains you manage what you monitor. If you do not have a designated person or qualified outside party to review this information each month, you are causing yourself a problem. Even a high-quality dealership like Austin's creates problems for itself. Consider an enterprise risk operational review to help you manage unconsidered issues.

When you end up with a customer and their lawyer in your office, complaining of false advertising, bring some lollipops. You'll need to give one to everyone in the room as there will be many nerves to soothe, especially yours.