FTC Safeguards Rule Changes Oct 2022


We have been notified that the FTC Safeguards Rule changes will take effect in October 2022 for all licensed car dealers.


The FTC Safeguards Rule from the Federal Code of Regulations


As the name suggests, the purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information.


Here is a summary of the upcoming changes:


The Safeguards Rule requires covered financial institutions including car dealerships offering financing to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.


The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”


The Rule covers information about your own customers and information about customers of other financial institutions that have provided that data to you.


Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

  • to ensure the security and confidentiality of customer information;
  • to protect against anticipated threats or hazards to the security or integrity of that information; and
  • to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.


Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include. Let’s take those elements step by step.


a.   Designate a Qualified Individual to implement and supervise your company’s information security program. The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. The person doesn’t need a particular degree or title. What matters is real-world know‑how suited to your circumstances. The Qualified Individual selected by a small business may have a background different from someone running a large corporation’s complex system. If your company brings in a service provider to implement and supervise your program, the buck still stops with you. It’s your company’s responsibility to designate a senior employee to supervise that person. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.


b.   Conduct a risk assessment. You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.


c.   Design and implement safeguards to control the risks identified through your risk assessment. Among other things, in designing your information security program, the Safeguards Rule requires your company to:


  1. Implement and periodically review access controls. Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.
  2. Know what you have and where you have it. A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
  3. Encrypt customer information on your system and when it’s in transit. If it’s not feasible to use encryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
  4. Assess your apps. If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.
  5. Implement multi-factor authentication for anyone accessing customer information on your system. For multi-factor authentication, the Rule requires at least two of these authentication factors: a knowledge factor (for example, a password); a possession factor (for example, a token); and an inherence factor (for example, biometric characteristics). The only exception would be if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.
  6. Dispose of customer information securely. Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is maintained.
  7. Anticipate and evaluate changes to your information system or network. Changes to an information system or network can undermine existing security measures. For example, if your company adds a new server, has that created a new security risk? Because your systems and networks change to accommodate new business processes, your safeguards can’t be static. The Safeguards Rule requires financial institutions to build change management into their information security program.
  8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.


d.   Regularly monitor and test the effectiveness of your safeguards. Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you don't implement that, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly-known security vulnerabilities. In addition, test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.


e.   Train your staff. A financial institution’s information security program is only as effective as its least vigilant staff member. That said, employees trained to spot risks can multiply the program’s impact. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.


f.   Monitor your service providers. Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.


g.   Keep your information security program current. The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.


h.   Create a written incident response plan. Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover:

  • The goals of your plan;
  • The internal processes your company will activate in response to a security event;
  • Clear roles, responsibilities, and levels of decision-making authority;
  • Communications and information sharing both inside and outside your company;
  • A process to fix any identified weaknesses in your systems and controls;
  • Procedures for documenting and reporting security events and your company’s response; and
  • A post mortem of what happened and a revision of your incident response plan and information security program based on what you learned.


i.    Require your Qualified Individual to report to your Board of Directors. Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. What should the report address? First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.


IF YOU NEED ASSISTANCE WITH A TEMPLATE TO CREATE YOUR OWN INFORMATION SECURITY PROGRAM PLEASE CONTACT US.


800-901-5950


================================================================================================


Conditional Sales Contract Form 553 Changing 08012022


We have been notified that the traditional sales contracts used in California have been modified with a new set of revisions.


These forms are the standard 553 sales contract revision 07/16 and the 553 arbitration sales contract revision 07/16.


Here is a summary of the upcoming changes:


  • Removed Dealer Number, Contract Number, ROS number and Stock number fields from the top of the contract
  • Modified spacing in various areas to allow for easier programming of data
  • Added language to the physical damage insurance section
  • Modified the Payment Schedule by adding blanks instead of “Monthly Beginning” and $ to the Amount of Payments column
  • Itemization of Amount Financed Changes:
      • Increased the length of the total lines
      • Modified format of lines 1.A.3. and 1.A.4.
      • Added 1.K. to accommodate an additional trade in
      • Modified format of lines 1.N. and 1.O.
      • Modified line 3 to one line rather than two
      • Removed instructional text from line 6.C
      • Added 2 additional “Other” lines as 6.G. and 6.H.
      • Updated reference lines as needed for the changes above
  • Reduced the size of the blank box
  • Added lines for printed Buyer and Co-Buyer names below signature lines
  • Added name and title lines for Business Use transactions below the Buyer and Co-Buyer signature lines
  • We made additions, deletions and revisions of language in the following sections of the back of the contract:
      • 1.b. – added “as the law allows” to the end of the section
      • 2.d. – added new 3rd sentence to section
      • 3.b. – changed “on a” to “during” regarding the credit application and added a comma after damaged in the 4th bullet
      • 3.d. – added “(such as GPS)” and deleted “at your expense”
      • 6. – added and modified language in the SERVICING AND COLLECTION CONTACTS section
      • 8 – changed “in” to “during” in WARRANTIES OF BUYER section
  • Made additions, deletions and revisions to Arbitration Provision language on the ARB contract version
  • Changed the format of the Assignment Box to make it easier to complete

 

Call us at 800-901-5950 if you wish a copy of the new revisions.


If you are using software to generate these forms, contact your software provider, as programming changes will be required.


================================================================================================


V12 Software Demo Site for 2022


Our recently reconditioned 30,000 original miles

V12 Mercedes Benz S600 is for sale.


Click HERE for the Vehicle Details.


Click HERE for the V12 Dealers Website.


Special Cars for Special People since 1998.


================================================================================================



Debt Collector Licensing Act of 2022


If you are a dealer who allows a buyer to spread down payments over time, or if you are a dealer carrying in-house financing, you are required to immediately apply for this new debt collector license.


Click HERE for the Debt Collector License Application.


Click HERE for the Debt Collector License Checklist.


The new debt collector license requires a $350 application fee, a $25,000 surety bond, a credit history / investigative fee of $165 and a new Live Scan fingerprint form for each member of your company acting in the collection capacity.


The new law is effective as of Jan 01, 2022 and you are not in compliance if you continue debt service and/or collection without this 2022 debt collector license.


Call us at 800-901-5950 if you wish us to complete your debt collector license application.


We charge $1,500 over the state-mandated items for this debt collector license application service.


From Michael Rogers, leading California Dealer Attorney:


There is a requirement for a new license which you will likely need as a “Buy Here Pay Here” dealer or automotive finance company by January 1, 2022. It is a Debt Collection License under SB908. (Note: this is not the same as a Finance Lenders License).  

 

The Debt Collector’s License is required for businesses that “regularly” collect consumer debts, including their own debts. 


Thus, a dealership that “regularly” engages in “buy here pay here” sales or an automotive finance company would need this license since they both collect consumer debt, which includes collecting regular payments from customers, past due balances, repossessing vehicles, and potentially suing customers to collect balances due on retail installment sale contracts. 


The license also requires a $25,000 surety bond in addition to your dealership bond if you are a Buy Here, Pay Here dealer. 


It is unlikely that dealerships conducting regular automotive sales and assigning those contracts need this particular license since debt collection is more of an incidental part of their business.

 

Here is what the statute says below and a full link to the bill can be found at:


https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200SB908

 

The following persons are required to obtain a license to engage in the business of debt collection in California pursuant to the Debt Collection Licensing Act (California Financial Code section 100000, et seq.):

 

· Any person who, in the ordinary course of business, regularly, on the person’s own behalf or on behalf of others, engages in debt collection.


· Any person who composes and sells, or offers to compose and sell, forms, letters and other collection media used or intended to be used for debt collection.


· Any person who engages in the business of a debt buyer. A debt buyer is any person or entity who regularly engages in the business of purchasing charged-off consumer debt for collection purposes, whether it collects the debt itself, hires a third party for collection, or hires an attorney-at-law for collection litigation (California Civil Code section 1788.50.)


From Ailene Short, Chief of DMV Occupational Licensing:


Debt collection is not enforced by DMV.


That said, pursuant to the Debt Collection Licensing Act, operative January 1, 2022, it appears used car dealers collecting payments (debt) from the sale of a used car must obtain a license pursuant to the Act (to collect those payments/debts) and are subject to the requirements/provisions of the Act. 

 

Used car dealers should contact the Department of Business Oversight for answers to specific questions regarding licensure, including the question posed below regarding Buy-Here-Pay-Here dealers and any grandfathered licensing provisions.


================================================================================================



Electronic Report of Sale Fraud / Abuse and Misuse


The California DMV has noticed increasing misuse of the electronic ROS system where dealers are issuing multiple electronic ROS documents to extend the temporary operating permit beyond 90 days.


Click HERE for DMV Memo VIN 2202-03.


All California Dealers are required to subscribe to the Electronic Report of Sale system.


Temporary plates issued within the DMV Electronic Report of Sale system are valid for only 90 days.


All sales which are voided or unwound require an explanation on a statement of facts REG256.


DMV fees due must be paid on voided or unwound sales.


Registration Hint: Make the dealer the lienholder on voided or unwound sales so that the new title issued comes straight to the dealership.


Dealers are allowed to recover these required registration fees on a subsequent sale.


It has come to our attention that many dealers facing DMV registration issues often issue multiple reports of sale on the same deal to issue a second or third temporary plate.


DMV does not allow multiple reports of sale to extend temporary plates issued to a buyer.


DMV may take action to suspend or revoke the occupational license issued to a dealer or lessor-retailer for issuance of multiple reports of sale. Failure to post fees and register vehicles may result in cancellation of the occupational license. 


CDTFA will be looking for sales tax on each report of sale issued. A dealer must void all reports of sale electronically to avoid sales tax on each issued report of sale.


Text Azita today @ 415-730-3137 for assistance.


================================================================================================



Dealer Report of Sale Invoicing


DMV is required to collect a $1 fee for each vehicle sold by a dealer or a lessor-retailer within 90 days of being notified by the Recovery Corporation that the balance of the Fund is less than 2 million dollars. Revenue from the fees is remitted to the Recovery Corporation until the balance of the Fund has reached 5 million dollars. 


Beginning October 1, 2021, the Department of Motor Vehicles (DMV) will resume collection of a $1 fee for each vehicle sold by a dealer or lessor-retailer. 


DMV will not collect more than $2500 from a dealer or lessor-retailer within a calendar year.


DMV may take action to suspend or revoke the occupational license issued to a dealer or lessor-retailer for failure to pay the invoiced amount. Past due fees will be collected from the dealer’s or lessor-retailer’s surety company, which may result in automatic cancellation of the occupational license. 


Invoice payments can only be sent to:

 

DMV - OL Collections

PO Box 932342 MS-L224

Sacramento, CA 94232-3420


DMV MEMO FOR REPORT OF SALE INVOICING


Click here to update your official dealer mailing address:


DEALER OFFICIAL MAILING ADDRESS NOTIFICATION


================================================================================================



DMV Dealer Records Storage


DMV requires all dealer business records to be stored & available for 3 years.


New regulations require onsite storage for 90 days and allow offsite storage for the remaining 3 year period.


Remember, upon request every dealer must be able to produce any business record to the DMV within 2 business days.


DMV RECORDS STORAGE MEMO


DMV HEADQUARTERS FOR LICENSING


916-229-3126


================================================================================================



DMV Spot Checks for Car Dealers


The California DMV has two branches which may conduct a spot check of your dealership. You may see a DMV Inspector or you may see a DMV Investigator.


Having a computer in your office is now an essential component of dealership compliance.


One focus of these spot checks is to determine if the dealer is printing required forms and maintaining correct vehicle records.


We have assembled a list of useful links to maintain dealership compliance.


Every vehicle in your inventory must have a jacket at the licensed location. In this file you should collect all relevant documentation on the vehicle.


Additional Dealer Plates


DMV requires this DMV form sent to your DMV Inspector when additional dealer plates are needed.


Click Here for a list of DMV Inspector Offices.

Click Here to obtain the dealer plate order form.


Lost / Stolen Dealer Plates


DMV requires a police report and a DMV form sent to them when a dealer plate is lost or stolen.


Click Here to obtain the lost / stolen dealer plate form.


NMVTIS Vehicle History Report


VinAudit is the most comprehensive report system for NMVTIS.


Click Here to review the dealer vehicle history account program.


NHTSA Recall Check


Proposed legislation will require recall status to be disclosed to the retail customer.


Click Here to check your inventory vehicles for open recalls.


NICB Stolen Vehicle Check


Nothing can be as costly as losing an inventory vehicle because it's reported stolen.


Click Here to check your inventory vehicles.


Dealer License Modification


DMV requires a DMV form sent to them when a dealer wants to modify their dealer license. Inspection may be required.


Click Here to obtain the dealer license modification form.


NHTSA VIN Decoder


Find out all the specifics of any of your vehicles with this VIN Decoder.


Click Here to use the VIN Decoder.


BAR Smog Check


Your dealer smog is good for two years. Every vehicle offered for sale must have a current smog.


Click Here for the smog history check by VIN.


Electronic Report of Sale


Fairfax runs the dealer system for reporting your sales to the California DMV. Fairfax Help Line is 844-425-5824.


Click Here to access your Fairfax Quick Tags Account.


Sales Tax Rates


Remember that you must charge the customer sales tax at the rate of their vehicle registration location. This chart enables you to determine the correct tax.

Click Here to check the sales tax by buyer's location.


DMV Registration Fees


DMV helps you to estimate the fees due on any vehicle that you sell.


Click Here for the DMV Registration Fees Due System.


FTC Online Buyers Guide


Every vehicle offered for sale must have an FTC buyers guide posted.


Click Here for the FTC Buyers Guide online PDF.


================================================================================================



EZ


Simple


Compliance


REAL Dealers helping Dealers


We are BPA Registration Agents.

We issue license plates & registration stickers.

We print registration cards & assign lienholders.


Text Azita 415-730-3137 for excellent service.


================================================================================================




================================================

Retail Sales Checklist for 2022

================================================


SACRAMENTO – The Retail Sale of a Vehicle to the Public has become a complicated compliance puzzle for California Car Dealers. We have assembled the following Compliance Checklist to assist dealers & salespersons to get it right every time.


When preparing a car for sale, prior to offering the vehicle for sale to the public make sure you have the following documents completed & ready for presentation to the buyer:


Federal Buyers Guide

NMVTIS Vehicle History Report

Division 12 Safety Inspection by a Licensed Mechanic

Smog Inspection & Certificate less than Two ( 2 ) Years Old

Safety Recall Disclosure

Prop 65 Sticker & Disclosure

Song Beverly As - Is Sticker & Disclosure

Prior Vehicle History Disclosure


When showing the vehicle to a potential customer, make sure you collect a current driver's license & insurance card and prepare a letter of permission for the test drive. This small step places the buyer's insurance in primary position in the event of an insurance claim.


When the potential customer shows interest in the vehicle and you are going to complete the sale make sure you prepare and present the following additional documents.


Authorization to Run Credit

Contract Cancellation Option

Pre-Contract Disclosure

Spanish Copy Offer

Translation Document Offer

Conditional Sales Contract

Reg262 Bill of Sale with Power of Attorney

Electronically Generated Report of Sale with Wet Signature of the Customer

Temporary Plates Front & Rear of Vehicle

Original Title with Wet Signature Odometer Statement

Lienholder Demand Letter

Sales Tax Rate Verification


Remember the following limits on fees:


Contract Option & Restocking is price based.

Fee totals vary from 175. to 500. Max.

Document Preparation Fees Max of $ 70. + tax

( if BPA may increase to Max of $ 85. + tax )

Smog Inspection Fee Max of $ 50. + tax

Smog Certificate Fee Max of $ 8.25


Transfer Fee $ 15.

License Plate Fee $ 24.

Estimated Registration Fee requires a refund if overcollected.

Electronic Processing ( BPA Only ) up to $ 30.


Delivery Fees are only allowed after the sale.

Used Vehicle Dealer Preparation Fees are prohibited.

Bank Origination Fees are prohibited.


================================================================================================



#realcardealerschool


800-901-5950


Email us at admin@gotplates.com if you wish a free copy of the TriStar Motors Contract Preparation Spreadsheet





We are offering sets of 100 Stickers & 100 Statement of Facts for this new and important buyer disclosure.


Set cost of 100 is $ 108. for English including postage.

Set cost of 100 is $ 108. for Spanish including postage.


Email us to order 2022 Song Beverly As - Is Stickers


WE CAN DEFEND YOUR DEALER LICENSE IF YOU ARE OPERATING CORRECTLY

As-Is Sticker & Statement of Facts Available September 2022
