
Your Next Biggest Threat: Synthetic Fraud

Contributing Author: Steve Roennau Vice President Compliance EFG Companies

Those of us who are active on social media likely have created an “avatar” – an image designed to represent ourselves digitally. Defined specifically in computing language, an avatar is the graphical representation of the user or the user’s alter ego or character. The avatar image says, “This is the image I want to project,” but it might be less than accurate.

Even the person actually walking into your dealership might not be who they say they are – even if they have legitimate data, like a valid social security number tied to a legitimate address, to support their claim.

Synthetic fraud is the fastest-growing form of identity theft in the U.S., comprising 80% of all new account fraud. The tactic combines real and fake personally identifiable information (PII) to create new credit profiles and pump up credit scores, allowing the criminal to access goods and services.

Most commonly, synthetic fraud is carried out by professional criminals who use a variety of methods to make money by exploiting the systemic weaknesses of the U.S. credit system. It may involve stealing a child’s real identity and applying for an employer identification number (EIN). Then, the criminal builds a synthetic credit profile with the victim’s real name, social security number, and date of birth (DOB), but with a different address or phone number. Next, the professional criminal applies for credit through mortgage refinancing or a car loan, which pulls the report from all three major U.S. credit bureaus (Experian, Equifax and TransUnion). While the application may be denied, the process of reviewing the application creates a new credit profile with the synthetic information at all three bureaus (also known as “tri-merging”). A few more steps and the fraudulent profile is complete, including lines of credit, employment history, mail received, etc. And now that criminal looks legitimate on paper.

With synthetic fraud, everything may seem legitimate at first blush. The dealer moves a car off the lot. The lender has a loan in good standing. Unfortunately, the person who was originally assigned the social security number has no knowledge of the loan, and may never find out until the loan defaults or the fraud is uncovered.


May I Text You?

Contributing Author: Steve Roennau Vice President Compliance EFG Companies

This might seem like a trite question in today’s digital, over-socialized world. While obtaining permission from a customer to text them has always been a legal requirement, recent court cases have reminded the retail automotive industry that dealerships must indeed have permission prior to sending a text.

In the past, regulators were focused on companies sending out marketing texts to customers they did not have permission to text. Now, regulations may be enforced on something as simple as a salesperson texting a customer with a follow-up message on an available vehicle.

Telephone Consumer Protection Act

Specifically, the Telephone Consumer Protection Act (TCPA) governs any dealership’s phone call or text message marketing. Let’s review the rules under the TCPA.

If you want to send a customer a text message, you must obtain prior written consent before sending anything. Written consent can include handwritten signatures or even a simple email. You can also obtain consent through the contact form on your website. Simply add a checkbox asking if the customer consents to being contacted via email, phone call, or text.

You may call/text your current customers and former customers for 18 months after your relationship with them ends, even if they are on the national Do-Not-Call list. This includes both sales and service relationships, i.e., when they buy a car or even rotate their tires.


What IS a CISO?

Contributing Author:
Maurice Hamilton
Vice President
EFG Companies

If you’re in the retail automotive business, you’re used to dealing with regulations and compliance issues. It’s simply part of doing business. However, when a new regulation comes down, it’s all too easy to balk at the potential increased cost, in both money and time, of implementing it. Right now, there is a lot of talk about updating the Safeguards Rule, and the potential business impact.

Let’s step back and look at the regulation. As part of the Gramm-Leach-Bliley Act, the Safeguards Rule was designed to protect the security, confidentiality, and integrity of customer information.

16 CFR Part 314 Rule Summary:

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

While it is in the inherent best interest of a dealership and its partners to protect and secure customer data, a new wrinkle was recently added that has many in retail automotive scratching their heads. The April 4th issue of the Federal Register contained an update to the Federal Trade Commission’s Notice of Proposed Rulemaking concerning the Safeguards Rule. This issue included several additional requirements that will impact dealerships. One of the most pervasive is the requirement for a Chief Information Security Officer (CISO), which raises the question – what the heck is a CISO and where do you find one?