Hanlees Dealership Group

4989 Chiles Road
Davis, CA 95616
Phone: 530-231-3300
Fax: 530-231-3283

Hanlees Davis Chevrolet - Red Flag Rule & Identity Theft Prevention Program (ITPP)

 

Hanlees Davis Chevrolet

Red Flag Rule Program

Identity Theft Prevention Program (“ITPP”)

May 1, 2009

Introduction:

Although Hanlees management team and staff are not trained FBI detectives, we do however recognize our fiduciary responsibility to exhaust all plausible means to adhere to this FTC mandated Red Flag Rule.

The Red Flag Rule requires our dealership to develop and implement a comprehensive, risk-based, written Identity Theft Prevention Program (ITPP), found in this text, that is appropriate to the size and the complexity of our operation and the nature and the scope of its activities. A knowing violation of the Red Flag Rule (such as not having an ITPP in effect) risks dealer liability for $2500 per customer transaction as well as additional penalties under federal and state laws.

The Red Flag Rule requires us to take steps to verify the identities of our customers and implement a written program, found in this program to detect, prevent, and mitigate identity theft.

The FTC has made it clear it will begin enforcing the Red Flag Rule as of May 1, 2009.

This risk based ITPP attempts to enable Hanlees employees to:

1. Identify patterns, practices, or specific activity that indicates the possible existence of identity theft at the dealership (ref flags) in consumer credit transactions, as well as business credit transactions for which there is a reasonably foreseeable risk of identity theft;

2. State procedures to detect and evaluate red flags in individual credit transactions;

3. Set forth procedures to respond appropriately to any red flags or other circumstances that are detected to prevent and mitigate identity theft; and

4. Provide a means to update the ITPP periodically to reflect new identity theft risks and the dealership’s transactional experiences, and make an annual report on the effectiveness of the ITPP to the board of directors, or senior officer, as applicable.

This Red Flag Rule also mandates training of staff to implement the ITPP and requires oversight of service providers who are performing any functions related to the organization or maintenance of credit accounts.

Possible Red Flags to pay attention to at our Hanlees organization:

1. Pay very close attention to alerts, notifications or warnings from a consumer reporting agency (Transunion, Experian or Equifax):

1. You pull a credit report that contains a fraud or active duty alert.

2. You attempt to pull a credit report but instead receive notice of a freeze on the credit file.

3. You receive a notice of address discrepancy from a credit bureau.

4. You review a credit report and identify a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

A recent and significant increase in the volume of inquiries;

1. An unusual number of recently-established credit relationships;

2. A material change in the use of credit, especially with respect to recently established credit relationship; or

3. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

2. The customer presents suspicious documents:

5. The customer provided you with ID that appears to have been altered or forged.

6. The customer’s photograph or physical description on the ID is inconsistent with the appearance of the person presenting the identification.

7. Other information on the ID is inconsistent with information provided by the person presenting the ID, for example, the addresses do not match.

3. The customer presents suspicious personal identifying information:

8. Personal identifying information provided by the customer is inconsistent when compared against external information sources you use, for example:

1. The customer’s address does not match any address in the consumer report; or

2. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration Death Master File.

9. Personal identifying information provided by the customer is inconsistent with other personal identifying information provided by the customer; for example there is a lack of correlation between the SSN range and the customer’s stated date of birth.

10. Personal identifying information provided by or on behalf of the customer is associated with known fraudulent activity as indicated by internal or third-party sources you use; for example:

1. The address on an application is the same as the address provided on a fraudulent application; or

2. The phone number on an application is the same as the number provided on a fraudulent application.

11. The identifying information the customer provides is a type commonly associated with fraudulent activity as indicated by internal or third-party sources you use; for example:

1. The address on an application is fictitious, a mail drop, or a prison; or

2. The phone number is invalid, or is associated with a pager or answering service.
   

1. The SSN provided is the same as that submitted by other persons with whom you’ve done business, or who have attempted to do business with you.

13. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other customers.

14. The customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

15. The customer’s personal identifying information is inconsistent with personal identifying information you have on file.

16. If you use “challenge” questions (questions about a customer’s financial transactions of which only he or she should know the answer), the customer cannot provide authenticating information beyond that which generally would be available from a wallet or credit report.

17. Hanlees receives notices from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

18. We are notified by a customer, a victim of identify theft, a law enforcement authority, or any other person, that you have opened a fraudulent account for a person engaged in identity theft.

Procedures:

In response to the Red Flag Rule, which becomes effective today, May 1, 2009, it is mandatory that specific procedures, outlined below, be followed at all times.

Red Flag: We receive alerts, notifications or warnings from a consumer-reporting agency

Goal: To ensure that alerts, notifications or warning from a consumer reporting agency does not go un-noticed.

Procedures:

• Stop the transaction

• Review this alert with the General Sales Manager

• Upper level management will investigate these alerts as prescribed in the attached Compliance Guide

Red Flag: The customer presents suspicious documents

Goal: To ensure that customer is presenting true and valid documentation at all times.

Procedures:

• Stop the transaction

• Review this alert with the General Sales Manager

• Upper level management will investigate these alerts as prescribed in the attached Compliance Guide

Red Flag: The customer presents suspicious personal identifying information

Goal: To ensure that customer is presenting true and valid identifying information.

Procedures:

• Stop the transaction

• Review this alert with the General Sales Manager

• Upper level management will investigate these alerts as prescribed in the attached Compliance Guide

Red Flag: You receive notices from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.

Goal: To ensure that the provided information is being documented properly so that further action can be taken.

Procedures:

• Stop the transaction

• Review this alert with the General Sales Manager

• Upper level management will investigate these alerts as prescribed in the attached Compliance Guide

Phases of Organization

Phase I

Our Hanlees Organization:

1. Has plugged in the procedures that we already have in place, or that our team does automatically for the above.

2. This program has been approved by the General Sales Manager; is posted in the sales office, featured on our website, and issued to each store employee to read, date, and sign for accountability, then copied, and original place in employee file / Red Flag Rule Program and copy given to employee.

3. Has ensured that sales managers are looped in first, then the rest of the team.

4. Conducted an initial training session in a weekly sales meeting.

5. In a subsequent sales meeting, the General Sales Manager will ensure employees’ sign, copy, and then keep in new binder….see next item.

6. Has created a binder called Red Flag Rule Program, to hold all pertinent information as well as employee signed forms, training compliance, etc – this binder will need to be in a secure place at all times.

Phase II:

1. Assign program responsibility to the General Sales Manager to provide weekly, and or monthly updates…

2. Enhance our Written Program with Training tools, perhaps a discussion in a monthly or quarterly sales meeting about a specific issue – documentation forms will need to be created, signed, etc and placed in binder

Phase III:

1. Defined and implement a security program that not only includes this program, but one that ensures the database is clean, safe, updated and confidential, and that all of your programs are secured. Define procedures when there is a breach in any program (Red Flag Rule, IT, Inventory, etc).

Conclusion:

The idea of this program is not only help safeguard identity theft, but also to have something in place, accessible by reach, should a surprise audit or visit occur.

Consequently, as discussed, one binder is kept in the sales office and another kept in Corporate. This binder will not only be a resource of employee documentation for training and compliance, but also contain the Red Flag Rule information, related laws and regulation. Our Hanlees organization recognizes there is a 5 year rule for keeping all documentation, so a Terminated section tab will be created to house employees that are no longer employed, but documentation is still available in case there is a situation that arises after the employees is termed.

In addition, there are a handful of laws and other regulations tied to the Red Flag Rule which are important to note, and recommended to be implemented into the above procedures, depending on it’s specific nature:

• Business transactions are prohibited with person’s name on the Specifically Designated Nationals and Blocked Persons List (SDN List) – this list is a record of individuals, countries and organizations tied to terrorist groups or other criminal activity. More research is needed on this…not sure if the list can be found online or if there is a hotline number to call. Run an OFAC SDN List Check on every customer, cash and credit. If there is a customer match, not only is there a refusal to do business but also a requirement to report the match to Washington.

• The Safeguards Rule ensures the security and confidentiality of their customer’s personal information by using appropriate administrative, technical and physical safeguards.

The General Sales Manager is responsible for maintaining this information and technical and technical system that protects this information.

• The Disposal Rule states that consumer reports and information are securely disposed (securely archived if applicable) of should is part of the overall Security program

• Date Breach Notification Laws – companies that maintain data bases of customer’s information (SSN, drivers license number, account number and pin, etc) are generally required to notify the customer immediately if there is a breach of their information.

• Security Freeze Laws – a credit freeze is a possible red flag, so Hanlees Davis Chevrolet will be cautious of these.

Please see addendum filings in this program binder, as we will consistently update.