Dealership Risk

If you are a dealer, when you get up and place your feet on the floor in the morning, you put your assets on the line, expecting a return or profit. It’s called “risk.” How you craft and hone your business practices and transact business daily is what makes you different. Let’s talk about your daily risks because they are certainly “present,” even if you don’t think about them or see them.

Risk is the degree of hazard you are willing to tolerate. How you handle risk determines your potential exposure to losses. There are three (3) kinds of risk:

Preventable risk: These are risks that are controllable and should be able to be avoided or eliminated completely.

External risk: These arise from events outside your dealership and beyond your control.

Strategic risk: This is where your entrepreneurial spirit comes into play. A strategic risk is a venture which you embrace, in anticipation of a profit, with your taking on certain duties or responsibilities in order to accomplish your business plan. Said differently, this is a risk for you to earn profits and/or market share.

You can control 2 of the 3 risk categories. For this article, let’s consider preventable risk where you can prevent problems at the store. What I see in my consulting business is that dealerships could do a much better job handling customer complaints and disgruntled employees. How would you rate the risk of upset customers and unhappy employees?

1. Minor
2. Moderate
3. Major
4. Severe
5. Catastrophic

Most dealers consider these as “minor” risks. My experience is different. To me, they can be “severe” or even “catastrophic” and should be treated as such. Let me explain. I’ve seen class action lawsuits against a dealership start with 2 women chatting in church. Unsatisfied and unhappy customers go to regulators, who end up finding problems and setting fines. Recently, these penalties range from $800,000 up to $27 million, including forced store closings.
Unhappy customers can easily head over to the Motor Vehicle Dealer Board, which can vote to shut down the dealership as a result of 1 single complaint. If or when this happens, you risk the loss of your franchise. Inside the Sales and Service Agreements, most OEMs have clauses that indicate if a dealership closes for a (set) number of consecutive days, it is a clear default under the contract. What’s the “blue sky” value of your dealership today, and is that risk really worth taking?

“It won’t happen to me” isn’t a business plan any more than if you are using “hope” to accomplish a goal. The “wait and see” approach is also reactive and lacks organizational structure. Being proactive is key. Consider installing more controls and monitoring mechanisms based on how you feel each identified risk corresponds to the 1-5 scale listed above. Triage the risks according to the most severe first. Assessing and controlling risk is a continuous process.

Outside of customer and employee problems, dealerships experience large risks in these 2 preventable areas, which we will use for illustration purposes:

Unintentional advertising issues: Most dealers have mistakes on their websites. When was the last time you mystery-shopped your own website for advertising violations? Do you have a way to accomplish this? When customers feel “jerked around” by your advertising, they get upset. When they get upset, they go to lawyers and regulators. When lawyers and regulators get involved, they will inspect your business practices, including your website, which is absolutely low-hanging fruit for them. Here are the two (2) biggest mistakes:

1. In your state, county, or city, are you allowed to have a “processing fee” or a “doc fee?” Which one? Does your disclaimer have the correct nomenclature? One or the other is provided by code, and you want to ensure you are using that terminology.

2. Do you have an asterisk (or equivalent) to tie your “sales price” to your disclaimer?
If not, how is a consumer supposed to know that taxes, tags, and licensing fees are in addition to the sales price? Without the notation, federal advertising laws would dictate those fees are considered included in your sales price.

While these 2 may appear nitpicky, they create potential class action exposure for your dealership and further regulatory concerns.

Digital risk:

1. How tight are your infrastructure and your IT policies? There’s a dealer in northern Virginia facing a class action lawsuit right now over a large data breach.

2. The new Gramm-Leach-Bliley Act (GLBA) rules and regulations are onerous and require a concerted effort to be in compliance. Have you started your work here? The January 10, 2022 deadline has passed, and June 9, 2023, is coming up fast. (This topic is explained in another article.)

As examples of preventable risk, a lack of forethought here makes your dealership vulnerable. These types of uncertainties can manifest themselves into real problems and potentially destabilize your dealership. Consider a risk mitigation plan which covers these issues (and more) to ensure the continuity of your business and smooth daily operations.

Risk mitigation is part of a robust governance, risk, and compliance (GRC) program. Done well, this should contribute to the growth, profitability, and sustainability of the dealership.

Thanks for seeing things from a Better Vantage Point.
The Best Parking Lot Strategy

I'll be in trouble with my wife if she finds out I told you this. Do you have a strategy for getting the best space in the parking deck?

From my personal observations, most folks tend to drive onto the lower decks and try to (maybe) find that perfect space as close to the door/stairway as possible. They will circle and circle (like airplanes waiting to land) trying to get the best space. It takes a while to find, they end up disappointed, and proceed to the next level up. Then, they do it again. (Rinse, wash, repeat.)

Perhaps, just maybe, there’s a better way? Consider this. Instead of trying to cram your way into the last space on Level 2, why not just drive higher to the top or the second to the top level? You can get there quickly. You can get yourself pretty close to your preferred entrance door. (Some alleged “pros” have told me you never want to park on the top deck because of the blazing sun on your vehicle and potential to get wet if it rains.) Ha! I’ll buy the rain argument, but unless you’ve spent as much time as I do at airports, I am going to wave you off the flight pattern with that sun-related philosophy. The added driving, elevator, or stair time is minimal compared to circling the lot like a shark. It’s less stressful, you’re done, and on to your next task. AmIright?

Sometimes, you just need a different perspective. Same task, same outcome, better process.

Let’s discuss the insurance renewal at your dealership. Does this sound familiar: Once a year, your insurance agent comes to visit and to deliver this year’s bad news. Your premium is going up on every single policy. Without question, they arrive in your office one (1) week ahead of your renewal so there isn’t any time to maneuver or negotiate. You’re irritated. “This isn’t right,” you say to yourself. Then, you swallow hard and tell him to renew everything and (almost) throw him out of your office – banished for another year. Sound familiar?
Here’s a different perspective and a better way. First, spread your insurance renewals throughout the year. Don’t have all of them renew at once. Second, require your agent to bring you the quotes thirty (30) days ahead of the renewal date. In the case of the garage renewal, because of its complexity, I suggest ninety (90) days. This accomplishes multiple things:

You’ve created an opportunity to review and renew each policy calmly, carefully, and without stress.

You’ve given yourself the option of having enough time to review the actual policy forms. This allows you to consider where your vulnerabilities lie and determine if there are ways for you to cover these through the insurance policies.

By requiring your agent to give you the new numbers ahead of time, you’ve opened up the option of your negotiating with the insurance company about either (1) the policy form itself or (2) the premium.

You will be less aggravated.

For certain, you will be able to exercise control over your policies. Maybe you will send the agent to get prices from another carrier? Maybe you will ask the carrier to come visit you or you go to their offices to talk about the policy and renewal? Perhaps, you can discuss how claims are handled and how that affects your renewal premium?

In short, you gain control. I would proffer that’s a better way.

By the way, if I find our favorite parking spot on Level 7 of the Norfolk, Virginia airport parking lot blocked, I’m going to be in trouble with my wife. Please be gentle with me!
Let The Government Be Your Customer Service Department!

Three super-large dealership groups are trying it! Here’s how it’s going for them so far…

Carvana lost the ability to transact in Illinois according to Automotive News (May 16, 2022) because, “The Secretary of State's police department opened an investigation into consumer complaints about Carvana in February, (Henry) Haupt told Automotive News. The investigation spans about 90 signed complaints, Haupt said. He said he couldn't provide an exact date as to when Carvana might see the suspension lifted.”

According to a press release from the Texas Attorney General’s Office: “Texas Attorney General Ken Paxton filed a deceptive trade practices lawsuit against the online used vehicle dealer Vroom Automotive LLC and Vroom Inc., which also sells cars to Texas consumers under the name Texas Direct Auto. The lawsuit alleges that Vroom has misrepresented and failed to disclose significant delays in transferring clear title and obtaining vehicle registrations, burdening thousands of consumers. The State also alleges that Vroom has misrepresented and failed to disclose vehicle history and condition and terms of financing and approval—all violations of the Texas Deceptive Trade Practices Consumer Protection Act. According to the lawsuit, Vroom has not managed its growth effectively, leading to inadequate systems and procedures that have harmed Texas consumers. Over the last three years, consumers have filed over 5,000 complaints with both the Better Business Bureau and the Office of the Attorney General against Vroom and Texas Direct Auto.”

According to the Federal Trade Commission’s (FTC) Press Release dated April 1, 2022: “The Federal Trade Commission and the State of Illinois are taking action against Napleton, a large, multistate auto dealer group based in Illinois, for sneaking illegal junk fees for unwanted “add-ons” onto customers’ bills and for discriminating against Black consumers by charging them more for financing.
Napleton will pay $10 million to settle the lawsuit brought by the FTC and the State of Illinois, a record-setting monetary judgment for an FTC auto lending case… A survey cited in the complaint showed that 83 percent of buyers from the dealerships were charged junk fees for add-ons without authorization or as a result of deception. One consumer cited in the complaint reported that the dealership located in Arlington Heights, Ill., charged him for nearly $4,000 in add-on fees after he’d paid a similar amount in down payment.”

So, from the outside looking in, it appears these three (3) organizations do not have procedures in place to handle their customer queries, issues, and problems. So, by default, by attrition, or by apathy, they are ceding control and allowing the regulators to fine them and suspend them, thereby driving the dealerships to manage their own business affairs. (Good pun, right?)

In the Napleton matter, a staggering 83 percent of buyers said Napleton took advantage of them. Let’s examine that statistic even further. In order to gather the information about the 83 percent, Napleton had to allow the FTC to have access to its customer files. The FTC must have had quite a lot of leverage for Napleton to agree to give them that access. Further, 83 percent cannot be simply “miscommunications” or “misunderstandings.” It’s an astonishing number which cannot be explained away.

Let’s keep this simple: Handle your customers or the government will.
Six (6) Perspectives On The New GLB Safeguard Regulations

The new Gramm-Leach-Bliley Act (GLBA) regulations aren’t going away and become effective on December 9, 2022. You don’t have to agree, but you do have to comply. If you haven’t started already, it’s time to begin the work of parsing out how you will respond. I’ve asked various industry experts to chime in on how you should focus your efforts. Here’s what they had to say:

Atul Patel, CEO, Orbee

“Occasionally you get a nudge to rethink what you’re doing. While it might feel like it’s more an elbow to the ribs, the FTC Safeguard Rule that is part of the Gramm-Leach-Bliley bill is forcing auto dealerships to take their customers’ data security seriously. We find this to be the biggest opportunity for dealerships to take back control over your data that is created on your properties, from your media investments, by your customers. When your shoppers give you their Personal Identifiable Information (PII), they believe it was to you. But what is more likely is that it was to a third-party such as a trade-in tool, credit form, chat, and so on. We restructure the way data is created, stored, and activated. This offers the clearest path to Safeguard Rule compliance while benefiting your customer experience.”

Jim Lawrence, COO, Sensitive Data Protect, LLC

“There are 5 steps dealers should take to establish a good-faith compliance effort to address general cybersecurity, the FTC's Safeguard Rules, the ongoing battle against "phishing," and ransomware attack prevention:

Perform cybersecurity testing to find gaps in consumer facing IT infrastructure and behind your firewall.

Establish the policies and procedures and trainings to address the gaps and evaluate the investment options for ongoing IT security preventative measures. Make sure to review the difference between a "bundled" approach to cybersecurity versus a piecemeal, single-point solution.

Partner with an experienced automotive service provider who knows where the sensitive consumer data hides on your DMS and the third party software applications that share your client and prospect database. NOTE: Dealers are now responsible for their customer data. Their liability doesn't stop at the edge of their lot, it now stretches out to your third party dealer service providers.

Approach your cybersecurity insurance provider about all this "Good-faith Compliance Effort" because they value and reward dealers with lower premiums and deductibles who attend to the needs of their cybersecurity in a "bundled" more comprehensive way.

SPECIAL STEP: If you're in the buy/sell due diligence process or even considering it, show your dealership's ability to protect its operational and sales value other dealers can't with the documentation of your good faith cybersecurity effort.”

Michael Tuno, President, ARMD Resource Group, LLC

“In October of 2021, the FTC updated the 2003 Safeguards Rule to reflect the sign of the times. While the industry is buzzing about this update as if it is something new, it simply is a rule that is reflecting the current state of the industry and the ever-growing risk to dealers with protecting customer’s information, both paper and digital. The term “qualified” has been added to describe the seemingly elusive role in a dealership of a “CCO”. The need to document all the digital audits and deploy the risk mitigation steps like multifactor authentication etc. have been added. An incident response plan to document the dealer’s plan to deal with a breach has been added. Vendor risk management continues to be a critical task, even since the 2003 days. The FTC is going to hold third parties responsible for any customer information in a more stringent light. At the end of the day, on December 9, 2022, dealers are advised to document all these updates to the Safeguards Rule. If it isn’t documented, it didn’t happen!
At $43,792 per day per violation, not to mention UDAAP or UDAP, (especially if you are using the FTC boilerplate privacy policy at your store), it can get very expensive very quickly if this law’s requirements aren’t met. Déjà vu!”

Hao Nguyen, General Counsel, ComplyAuto

“What we've seen is that the revised federal Gramm-Leach-Bliley Act's Safeguards Rule ("Revised Rule") continues to confuse dealerships across the country on how to exactly fulfill these new obligations. Many folks are talking about it -- their attorneys, state and national trade associations, and other dealers -- but none of them provide a cost-effective solution to meet the dealers' needs. We work closely with a dealership's IT company or third-party managed service provider ("MSP") as two halves to a pair of scissors to get the dealership fully compliant with the Revised Rule. We help create required documentation (the Information Security Program and all of the required plans that go with it), provide employee security awareness training, execute phishing simulations on employee emails, perform penetration testing and vulnerability scanning as well as risk assessments at the dealership, and help manage vendor requirements in signing Data Processing Agreements and completing vendor risk assessments. Not only will this help fulfill the Revised Rule but also potentially affect cybersecurity premiums. If your clients have not experienced it yet, dealerships across the country tell us that their quoted premiums have increased two to three hundred percent for this year. Implementing our services to bolster your data protection and cybersecurity protocols will go a long way in showing them that you place a priority on data security and will possibly reduce your cybersecurity premiums (or get coverage in the first place).”

John Acosta, CEO, Vtech Dealer IT

“Compliance is like a marathon. Come the end of the year, you want to be on mile 22 rather than mile 3 of the race.
Some of the GLBA compliance requirements are major systems upgrades that take time to set up properly. Start planning now.”

Of course, he’s right. Here are other GLBA considerations:

Is all of your customer data encrypted?

Do you have endpoint protection throughout the dealership?

Do you have a data retention policy in place?

Have you implemented multi-factor authentication (MFA)?

Do you have a written “incident response plan?”

Have you completed cyber training for all employees?

…and there’s more…

To practice optimal risk mitigation, here, begin by figuring out where your biggest areas of vulnerability are and build out your program from there. Feel free to reach out to any of these folks (including me) if we can answer any questions. We are happy to receive your call. Cheers!
Do You Understand the Components of Your Garage Insurance Policy?

Flavor: Something we crave in our daily routine. Try this flavor-filled description:

“There’s a sense of cornmeal next to sawdust, oily vanilla, and a hint of fresh honey sweetness that entices your senses. It takes on a caramel corn sweetness as the vanilla carries you towards sweeter woods and cherry fruits. The end is short and sweet with a distant wisp of orange oils next to a slight minerality.”

Recently, I found this depiction in an online article on Uproxx. Do you know what’s being described? (You’ll have to read the whole article or skip to the bottom for the answer.)

With an increase in the complexity of flavors, I would proffer that you discover more appreciation of the product through the layers of taste. And so it is with your garage insurance policy. The more you understand it, the more you will appreciate it and have the taste for it.

I recently studied a garage insurance policy for a client. (Try not to be jealous.) I found 107 items in the policy which were questionable and needed further investigation as they were important for the dealer. As it turned out, at least 26 were actionable. My initial review drove the premium down from $109,641 to $81,511. Based on that audit, here are eight (8) select items for you to consider:

1. What is the total value of your land + building + used vehicle inventory (not floor planned) + parts + blue sky? Your liability umbrella should exceed that total number or the business is underinsured in the case of a catastrophic accident.

2. Do you have enough employee crime coverage to satisfy a claim resulting from someone stealing a vehicle?

3. Do you have an aggregate over your vehicle weather deductible to act as a “stop loss” in the event of a large loss? (For example, if you have a $1000 deductible and 600 vehicles are damaged, you are out of pocket $600,000. If you had a $250,000 aggregate, you would write a check for the $250,000 and not the $600,000.)

4. Have you compared your vehicle physical damage coverage limits to your actual inventory to determine if you should adjust the policy up or down?

5. Did you know this exclusion is in most policies? “Loss caused by an ‘employee’ if the ‘employee’ had also committed ‘theft’ or any other dishonest act prior to the effective date of this insurance and you or any of your partners, ‘members’, ‘managers’, officers, directors or trustees, not in collusion with the ‘employee’, learned of such ‘theft’ or dishonest act prior to the Policy Period shown in the Declarations.”

6. How much are you paying for Med Pay coverage? Isn’t it duplicative of your basic liability coverage? If you eliminate the coverage, how much money could you save?

7. Are you paying an extra premium for higher limits on your uninsured and underinsured drivers policy (than you are legally obligated by your state) to pay? How much will this save you? Also, have you considered a separate, higher limit to protect the owners?

8. Are you accurately self-reporting the number of dealer tags?

Getting the flavor here? Make it a priority to review your policy with someone knowledgeable who will go through it and explain everything to you. While it may be distasteful upfront, you’ll be glad you did while gaining an understanding of what provisions the policy contains.

And, it’s not ice cream that was being described above. It was bourbon!
Are Dealers Ready for “Telematics Right to Repair?”

"Right to Repair" Significantly Expanded

In the November 2020 election, voters in the Commonwealth of Massachusetts passed a ballot initiative, Question 1, by an overwhelming margin (75% approved). Question 1 requires that OEMs make diagnostic data collected remotely -- through OEM telematics systems -- available to individual vehicle owners and to independent repair shops.

The 2020 initiative expands on a "Right to Repair" initiative passed in 2013. The original initiative required OEMs to make diagnostic and repair data available to individual owners or independent repair shops. In 2013, this meant that OEMs had to provide data access to diagnostic repair tools. In 2020, this requirement was expanded to include data collected remotely through telematics systems from vehicles that are on the road.

The original "Right to Repair" was also first passed in Massachusetts, but in 2014, the Alliance of Auto Manufacturers signed a memorandum of understanding to support implementation in all 50 States and the District of Columbia. This move pre-empted "Right to Repair" initiatives in several other States that were similar to the one in Massachusetts.

With the "Telematics Right to Repair" initiative of 2020, however, the Alliance is challenging the expansion of Right to Repair into data collected through telematics systems. The trial began on June 15 and is ongoing. If the Telematics expansion is allowed to proceed, however, dealers should be thinking about the implications to their service business, because this expansion might be much more significant than it at first appears.

"Right to Repair" and the Connected Car

On the surface, expansion of “Right to Repair” to include telematics may not seem like a big difference. But the difference has the potential to be enormous for service retention, which is why independent repair shops and service chains fought so hard for the Massachusetts initiative.
With this change, customers will be enticed to set up an ongoing remote connection to their service provider of choice, putting that provider in the best position to capture and retain that customer.

Once this system is in place, a visit to the local quick lube shop, tire store, or parts store will change. As the customer wraps up an oil change, for example, the attendant will ask the customer to authorize the shop to monitor the vehicle’s diagnostics. This will allow the shop to see when the vehicle is in need of its next service and send out a text or email with a perfectly timed service reminder. Well-run shops will eventually analyze their base of connected customers to determine the optimal time to bring them in – both when the vehicle needs service and when the shop has available capacity. Service shops and chains that do this well will cement a closer relationship with their customers and increase repeat service loyalty.

Alternatively, customers may choose to authorize an intermediate service “broker” to monitor their diagnostics and manage their vehicle’s maintenance. The broker will then be in a position to act as the customer’s trusted advisor, and will route service jobs to the most competitive service provider.

Dealers Should Prepare Now

The independent shops and service chains in Massachusetts clearly hope to use this new initiative to gain business from franchised dealers (or prevent current business from being lost to dealers). In order to maintain and grow the dealers' share of the non-warranty repair and maintenance business, dealers will have to make excellent use of the telematics systems installed by their manufacturers.

Dealers start with a key advantage, which is the opportunity to start a connected service relationship with the customer from the moment the new or used vehicle is delivered. But not all dealers today do a great job activating these systems, and activation for some OEMs is very inconsistent.
Dealers must be sure to activate OEM-provided systems and secure customer consent to share service and maintenance data. Dealers then have to do a great job of managing data notifications to quickly schedule customers for any needed service work.

Dealers may also want to take advantage of aftermarket systems for their older inventory that lacks OEM-provided telematics. A service like Spireon’s Lojack is a good example of an effective aftermarket system.

Dealers will have a very brief head start to fine-tune their use of connected car service notifications, and they will need to take full advantage.

If you are a dealer considering connected service and service retention opportunities, please reach out to motormindz to hear more about how to “get” Connected.