Providers & Administrators, 1st Qtr 2019
Providers, Administrators and the Safeguards Rule
Dept.: ACE Space
By Jim Ganther

James S. Ganther, Esq., is the president of Mosaic Compliance Services LLC and co-founder of Automotive Compliance Education (ACE).

The P&A segment must follow the same path traveled by dealers who, 15 years ago, found themselves suddenly operating under the same privacy standards as other financial institutions.

The Safeguards Rule went into effect on May 23, 2003, and brought with it a raft of new obligations for dealerships. Having lived through that event, I can attest to the consternation it caused. The Safeguards Rule applies to financial institutions, and dealerships, because they originate financing, fall within the definition of "financial institution." Having to learn how to act like banks did not come easy to most of the industry.

Fortunately for providers and administrators, they do not originate financing and therefore are not considered financial institutions. Thus, the burdens of the Safeguards Rule do not fall upon your shoulders, right?

Wrong. The Safeguards Rule obligates dealerships to both follow its requirements and only use service providers that also follow the terms of the Safeguards Rule.

What is a service provider, you ask? "Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part." In other words, providers and administrators of service contracts, among others, by virtue of receiving customer data.

Why is this important? Because dealerships are required to: "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards." 16 CFR 314.4(d). In other words, dealerships may only do business with providers and administrators that follow the Safeguards Rule as well, at least to the extent appropriate for the data at issue.

While providers and administrators routinely receive, maintain, process and otherwise have access to customer information, it rarely involves such sensitive data as Social Security number, financial account numbers, or mother's maiden name. Yet even more mundane customer information can be misused to a customer's detriment. Consider the following phone conversation:

Caller: "Hello, Mr. John Smith?"

Customer: "This is he."

Caller: "Mr. Smith, this is Tom Jones from Oconomowoc Motors. You purchased a 2019 Queen Pea Family Truckster from us on Oct. 12 for $37,500, correct?"

Customer: "That's right."

Caller: "A routine audit of our records indicated that you were overcharged for the service contract you purchased in connection with that transaction. We intend to reimburse you $750 plus interest. If you just give us your bank account information, we will transfer that amount immediately."

All the information needed for an identity thief to spoof a customer and obtain the customer's bank account information is typically part of the customer's file held by the provider or administrator.

At a practical level, what does this mean? What must providers and administrators do to comply with the Safeguards Rule? Essentially, what dealerships must do, providers must mirror. In a nutshell, those obligations are seven:

1. Conduct a risk assessment, specifically considering employee training and management; IT systems; and detecting, preventing and responding to attacks or system failures.
2. Design and implement safeguards that address the risks identified.
3. Oversee your own service providers.
4. Evaluate and adjust your information security program in response to regular audits of its effectiveness and performance.

Sound like a lot? It is, but it's important. If a dealership's service contract provider is not in compliance with the Safeguards Rule, the dealership is not in compliance either. Putting your dealership clients in a position of legal peril is not a good business plan. Conversely, assuring your clients and prospective clients that you've thought this through for their protection can only help solidify your relationship.