The Safeguards Rule Takes Effect: Is Your Dealership in Compliance?

Keith Whann

Most dealers are familiar with the requirements of the Gramm-Leach-Bliley Act and the Federal Trade Commission’s (FTC) Privacy Rule, which obligate them to create and distribute Privacy Notices to their customers. What they may not know is that compliance with the FTC’s Standards for Safeguarding Customer Information, more commonly known as the “Safeguards Rule,” became mandatory on May 23, 2003. The objectives of the Safeguards Rule are to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security and integrity of customer information, and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

The FTC’s Safeguards Rule does not change the dealership’s obligations under the FTC’s Privacy Rule. Motor vehicle dealerships are still required to provide their customers with a Privacy Notice that advises the customer about the types of information the dealership collects, the sources from which the information may be obtained, and the dealership’s policies with respect to sharing that information. As you may recall, in order to fully comply with the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule, motor vehicle dealers were also required to make a statement about their information safeguarding practices in their Privacy Notices. As a result, most dealership Privacy Notices state “we maintain physical, electronic and procedural safeguards to protect the confidentiality and security of the information we collect”. Now dealers must have a written document that specifies the steps they have taken to assess the types of risks that exist with respect to the information being obtained by unauthorized individuals and to protect the confidentiality and security of such information.

The FTC’s Safeguards Rule specifically requires every dealer, regardless of the size of his dealership, to develop, implement and maintain a comprehensive written information security plan that describes the dealership’s program to protect customer information. The Dealership must: (1) Designate an employee or employees to coordinate the safeguards program; (2) Identify and assess the risks to customer information in each relevant area of the dealership’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks; (3) Design and implement a safeguards program, and regularly monitor and test it; (4) Select service providers capable of maintaining appropriate safeguards for the customer information the dealership shares and require them to agree contractually to do so; and (5) Evaluate and adjust the program as appropriate.

The FTC developed flexible rules to permit each dealership to develop privacy policies and information security standards taking into consideration the dealership’s size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects. Like the Privacy Rule, the Safeguards Rule applies only to transactions involving persons who obtain a financial product or service from the dealership primarily for personal, family or household purposes. Although it is a good idea to apply the same privacy policies and information security standards to all of the information collected by the dealership, it is not required for information about companies or individuals who obtain financial products or services for business, commercial or agricultural purposes, unless the dealership’s Privacy Notice states otherwise.

While compliance with the FTC’s Safeguards Rule is now mandatory and, therefore, on the top of everyone’s agenda, dealers are well advised to consider other Privacy and Anti-Terrorism Laws that have recently been enacted or are under consideration. For example, on October 26, 2001, the President signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act). Title III of the USA Patriot Act makes a number of amendments to the anti-money laundering provisions of the Bank Secrecy Act (BSA) that are intended to promote the prevention, detection, and prosecution of international money laundering and the financing of terrorism. Under the USA Patriot Act, the term “financial institution” is defined to include a “business engaged in vehicle sales, including automobile, airplane, and boat sales.”

The Treasury Department has already issued a Final Rule implementing Section 314 of the USA Patriot Act, which establishes procedures that encourage information sharing between governmental authorities and financial institutions, and among financial institutions themselves. The first part of the Rule establishes a mechanism for law enforcement agencies to communicate the names of suspected terrorists and money launderers to financial institutions in an effort to locate and secure accounts and transactions involving those suspects. Effective as of September 26, 2002, any motor vehicle dealership that receives the name of a suspect must designate one person at the dealership to be the contact person regarding the request and any future requests that it receives. It must also establish adequate procedures to protect the security and confidentiality of the requests received from FinCEN and its responses to these requests. The requirement to maintain adequate security and confidentiality procedures to protect the information is met if the dealership applies the same procedures it has established to comply with the Gramm-Leach-Bliley Act and the FTC’s Safeguards Rule.

The USA Patriot Act also requires every financial institution to establish an anti-money laundering program. Pursuant to Section 352 of the Act, the anti-money laundering program must include, at a minimum: (1) The development of internal policies, procedures, and controls; (2) The designation of a compliance officer; (3) An ongoing employee-training program; and (4) An independent audit function to test programs. Section 326 of the Act further requires the Treasury Department to prescribe Regulations setting forth minimum standards for financial institutions to identify customers applying to open accounts, including: (1) Adopting reasonable procedures for verifying the identity of any person seeking to open an account; (2) Maintaining records of the information used to verify the person’s identity, including the person’s name, address, and other identifying information; and (3) Determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by a Government Agency. Although motor vehicle dealers have been temporarily exempted from the requirement to establish an anti-money laundering compliance program, on February 24, 2003, FinCEN published an Advance Notice of Proposed Rulemaking to solicit public comments as to how these requirements should apply to motor vehicle dealers.

The requirements under the Safeguards Rule and the USA Patriot Act and emerging implementing regulations will impact every dealership’s policies, practices and overall operations. Given the emphasis both Federal and State Regulators are placing on privacy-related issues and the current regulatory environment, dealers who have not yet taken steps to implement appropriate policies and procedures and reduce them to writing are well advised to make this a top priority.

This information is provided by Keith Whann of the law firm Whann & Associates, LLC and is for general information purposes only. You should contact legal counsel for specific application. © Keith Whann June, 2003.