Dealership Compliance Evaluation
“Your ownership needs to buy into compliance at the dealership.” “Anytime you create processes that force your management and sales personnel to do certain things on a continuous basis, it makes them more consistent and more productive.”
“A culture of compliance does nothing but help.”
How will I help dealers with compliance?
Every dealership is at a different point in compliance history, but we would make sure they have a thorough understanding of what they need to do. We make sure they understand the regulations. Then we will conduct an audit to see where they stand. That gives us a blueprint for what we need to do to help them achieve it. It’s just rolling up the sleeves and going in and doing it.
What are dealerships’ most significant compliance challenges?
The biggest challenge is figuring out where to start. It’s a big elephant. It’s so big that dealerships need help with knowing how to document, train and audit. We help them take it one bite at a time. Compliance is an everyday business strategy.
What are the simplest things dealerships can do to improve compliance?
The easiest thing is for management to know what the regulations are. The only way you really do that is by training. A lot of times it’s too difficult for a manager who works 60 hours a week to go online to put it all together.
How can dealers ensure they are compliant?
Dealers all seem to have an idea of what specifically they would like their managers or their salespeople to do. But what I find missing is having these policies in writing. I talked to a dealer a couple of weeks ago and he rattled off in detail his specific wishes for how he wanted a certain thing handled. When I asked him if he had it in writing, he did not. It leaves a lot of room for error.
Who would document those written policies -- the dealer or legal counsel?
A little bit of both. The dealer has to first put together how he or she wants things to be handled, but I would always recommend that dealers run anything they put in writing by their own attorney because that’s who is going to have to defend them if there’s ever an issue. There are myriad laws out there. Dealers should have a written process for how they want to handle each of them.
How should dealers develop that written process?
We are helping dealers at least outline what they should have in writing, which not only teaches them about the laws they need to comply with but also explains to them in detail what the consequences are of violating those laws. They need to sign that they will agree to adhere to these laws. There also need to be consequences written into the processes in case someone violates a process. Some of those consequences are dictated by the law and some can be developed subjectively by the dealership.
Where does the enforcement come from?
In general, enforcement comes from the employee’s direct supervisor, but ultimately it has to start from the top down. The dealer has to be the person that is holding his general manager accountable and the general manager needs to be holding his sales managers accountable. Compliance doesn’t work if it starts from the bottom up. It only works if it starts from the top down.
Can you answer the following questions?
1. Have I designated a Privacy and a Cash Reporting Compliance Officer?
2. Have I had all employees trained in Gramm-Leach-Bliley and Patriot Act, and have they signed the proper confidentiality, background, and security paperwork?
3. Have I developed a written Anti-Money Laundering policy?
4. Have I identified and written an Information Security Policy?
5. Have I developed and written an opt-out notice relevant to my business?
6. Have I inspected all dealership computers including my DSP and any third-party vendor’s security including SSL, encryption, firewalls and access to my customers’ information?
7. Since I am ultimately responsible for my third-party providers, have I exercised due diligence with respect to their compliance and have I changed my contracts with them to reflect this?
8. Have I developed written procedures to inform customers if their information is lost or stolen?
9. Does my web site have the necessary privacy statements and encryption?
10. When was the last time we looked at past and present employees, checked passwords and updated our employee compliance?
11. What is the current status of our computers with access to the internet as far as anti-virus software, and what release is it?
12. Have we identified what the FTC considers to be “Non-Public-Information” and how this affects work orders, service invoices, parts invoices, and other common dealership documents?
13. Do we have a procedure for a Blocked Transaction?
14. Do we have in place a check-out log for NPI records?
15. Do we have a system in place to train all the new hires to comply with Gramm-Leach-Bliley and Patriot Act? Who is going to do it? Who has time?
16. What is our current method for destroying our customers’ NPIs and does it meet federal requirements?
17. Have we set up indemnification provisions with current and future third-party providers? Who will have the time to chase these things?
18. Do we have secure NPI receptacles?
19. Are we sure we understand OFAC and the implications to our business?
20. Do we have all the above documented and logged in case of an audit? Who will be the responsible party for all this? And, I know we are required to test these policies. How do we do that and by what method?