Compliance is not a manual – not even a Red Flags Manual

By Myril Shaw

“We need to make sure our store meets compliance standards, we need a Red Flags Manual.”  Well, unfortunately, having a Red Flags Manual does NOT make a store compliant. In fact, it doesn’t even, by itself, demonstrate a “good-faith” effort to address compliance issues.

So why does any of this matter? Nearly 60 million Americans have been impacted by identity theft, according to a survey by The Harris Poll. Further, figures released by the Federal Trade Commission (FTC), a consumer protection agency, show identity theft reports in 2020 last year were more than triple the number from 2018. Of those people 25% of those found out when they were notified of unpaid bills and 30% saw money missing from accounts or unknown credit card charges.

Some identity theft is actually related to terrorism. Some identity theft is simply a crime of greed or convenience. Your store can be involved on the “receiving” side – someone used another person’s identity to buy a boat. You could be involved on the enabling side by allowing an identity to be stolen through inappropriate handling of personally identifiable non-public information. There also could be money laundering activities associated with any of these – or independent of these.

It’s in the manual

Let’s start at the beginning. The Red Flags Manual does cover identity theft, its recognition and prevention, but there is more. The Disposal Manual and the Safeguards Manual discuss the appropriate protection, storage, and disposal of personally identifiable non-public information in the form of credit applications, pictures of social security cards and driver’s licenses, etc.  The OFAC Manual addresses prevention of selling to or engaging with terrorists, terrorist organizations and their affiliates. Finally, the USA Patriot Act Manual lays out issues around money laundering. All of these are required.

Please be aware, simply having the full set of manuals doesn’t even come close to demonstrating “good-faith” in the eyes of the government. These all must be read, understood, and signed by the dealership’s designated Compliance Officer. The Compliance Officer bears the responsibility for training and enforcing compliance policies and practices. Every employee who handles or has access to personally identifiable non-public information must be trained and that training must be demonstrable and regularly reinforced.

With all of that, demonstrating a “good-faith” effort at meeting good compliance practices is closer – but still not complete.

There is also the issue of physical equipment placement, protection, and control. It is easy to leave copies of documents such as loan apps that need to be protected laying around on desks, copiers, fax machines and so on. Is all this equipment in controlled locations accessible ONLY by trained personnel who require access to personally identifiable non-public information?  Are these documents, when destroyed, destroyed with a cross-cut shredder? Straight-line shredders are not acceptable for compliance purposes.

Are documents stored in locked filing cabinets?  Is the finance office locked/lockable?

Finally, does the Compliance Officer and/or other management do regular “walk-arounds?” On at least a weekly basis, but at unpredictable time, the Compliance Officer, or someone designated by the Compliance Officer should just do a casual walk around the office looking at the following:

• Are file cabinets locked?

• Are there personally identifiable non-public documents unattended on copiers, fax machines, or desks?

• Is the Finance Office locked if vacant?

All of this should be documented showing the date and time of the walk-around and the compliance or non-compliance in each area.  If there is non-compliance, there should be notes showing the action taken.  This documentation should be included with the compliance documents.

Compliance is good customer service

When everything mentioned above is being done, you are demonstrating a “good faith” effort to meet compliance standards. To be clear, doing all of this still does not ensure that you’ll never encounter a compliance issue or lawsuit. Mistakes do happen. When they do, having evidence of a “good faith” effort will help make the case that what happened is not a result of negligence and will aid in the argument for lenience in any penalties.

In closing, know that compliance is not just a manual. Compliance is a totality of manuals, ongoing processes, practices, and training. It’s also not just doing the right thing for the law, it’s doing the right thing to safeguard the financial information of your customers. That’s as much a part of good customer service as selling or servicing their boat.

Webinar on compliance

Myril just completed a webinar on various aspects of compliance, including how to make it an ongoing part of running your dealership You may view it here.

Myril Shaw is the COO of Dealer Profit Services and a member of the Boating Industry Top 100 Leadership Alliance.