EFG Spearheads Digital Compliance and Data Security in Retail Automotive with SSAE 18 SOC 2 Certification

EFG Companies, the innovator behind the award-winning Hyundai Assurance program, recently achieved a new level in data security for both clients and contract holders with the Service Organization Control 2 (SOC 2) Certification under the Statement of Standards for Attestation Engagements 18 (SSAE 18) guidelines from the American Institute of Certified Public Accountants (AICPA).

According to recent risk-based security research, 3,800 publicly disclosed data breaches occurred in the first six months of 2019, exposing up to 4.1 billion records. This represented a 50% increase over the last four years. As companies increase their reliance on technology to house personal, confidential information, data breach attempts are expected to increase as well.

Several years ago, EFG took proactive steps to secure its own data and achieved SSAE 16 certification in 2016. Since then, EFG has continued its efforts to further augment the company’s security measures, investing close to a quarter of a million dollars annually in security enhancements, and achieving SSAE 18 certification in December 2019.

SSAE 18 certification is the most widely recognized standard providing companies with a method for reporting information about the design and operation of internal systems and controls relating to privacy and security regulations. SOC 2 reports evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy.

Your Next Biggest Threat: Synthetic Fraud

Contributing Author: Steve Roennau Vice President Compliance EFG Companies

Those of us who are active on social media likely have created an “avatar” – an image designed to represent ourselves digitally. Defined specifically in computing language, an avatar is the graphical representation of the user or the user’s alter ego or character. The avatar image says, “This is the image I want to project,” but it might be less than accurate.

Even the person actually walking into your dealership might not be who they say they are – even if they have legitimate data, like a valid social security number tied to a legitimate address, to support their claim.

Synthetic fraud is the fastest growing form of identity theft in the U.S., comprising 80% of all new account fraud. The fraudulent tactic uses a combination of real and fake personally identifiable information (PII) to create new credit profiles and pump up credit scores, allowing the criminal to access goods and services.

The most common form of synthetic fraud involves professional criminals using a variety of methods to make money by exploiting the systemic weaknesses of the U.S. credit system. It may involve theft of a child’s real identity and applying for an employer identification number (EIN). Then, the criminal builds a synthetic credit profile with the victim’s real name, social security number, and date of birth (DOB), with a different address or phone number. Next, the professional criminal applies for credit through mortgage refinancing or a car loan, which pulls the report from all three major U.S. credit bureaus (Experian, Equifax and TransUnion). While the application may be denied, the process of reviewing the application creates a new credit profile at all three bureaus (also known as “tri-merging”) with the synthetic information. A few more steps and the fraudulent profile is complete, including lines of credit, employment history, mail received, etc. And now that criminal looks legitimate on paper.

With synthetic fraud, everything may seem legitimate at first blush. For the dealer, they move a car off the lot. For the lender, they have a loan in good standing. Unfortunately, the person who was originally assigned the particular social security number has no knowledge of the loan, and may never find out until the loan defaults or fraud is uncovered.

May I Text You?

Contributing Author: Steve Roennau Vice President Compliance EFG Companies

This might seem like a trite question in today’s digital, over-socialized world. While obtaining permission from a customer to text them has always been a legal requirement, recent court cases have reminded the retail automotive industry that indeed, dealerships must have permission prior to sending a text.

In the past, regulators were focused on companies sending out marketing texts to customers they did not have permission to text. Now, regulations may be enforced on something as simple as a salesperson texting a customer with a follow-up message on an available vehicle.

Telephone Consumer Protection Act

Specifically, the Telephone Consumer Protection Act (TCPA) governs any dealership’s phone call or text message marketing. Let’s review the rules under the TCPA.

If you want to send a customer a text message, you must obtain prior written consent before sending anything. Written consent can include hand-written signatures or even a simple email. You can also obtain consent by including it in your contact form on your website. Simply add a checkbox asking if the customer consents to being contacted via email, phone call, or text.

You may call/text your current customers and former customers for 18 months after your relationship with them ends, even if they are on the national Do-Not-Call list. This includes both sales and service relationships, i.e., when they buy a car or even rotate their tires.