Red Flags Are Red for a Reason (Perspectives)
Our partners at Hudson Cook had a recent case involving a dealer that illustrates how an identity theft claim can ensnare a dealer. Tom Hudson and Eric Johnson stopped by the Smart Compliance Blog to give us an overview of what the situation was.
Many dealers are surprised to learn that because they finance and lease their goods to consumers, they are “financial institutions” under federal and state laws. Dealers who run compliant shops, who have a written Red Flags policy and who have named a Red Flags officer probably have a pretty good idea of their responsibilities under federal and state law to fight identity theft. Other dealers might be caught flat-footed by these laws.
Andrew Stutfield Rogers had his identity stolen by an unknown person. In November 2015, the imposter bought a car from Keffer, Inc., dba Keffer Chrysler Jeep Dodge and used Rogers’s social security number, date of birth and a driver’s license in the name of Andrew Leon Rogers to apply for and obtain financing from JPMorgan Chase Bank, N.A., dba Chase.
In December 2015, the imposter returned to Keffer and bought another car, using the same credentials to finance this one with SunTrust Bank. In late December, Chase sent Rogers an email about the car financing, and Rogers initiated a fraud alert, set a security freeze with the consumer reporting agencies (CRAs), and filed a police report with the local police department.
Rogers also notified Chase that his identity had been stolen and that the financing was obtained by fraudulent means. Chase, however, did not correct the information it had reported to the CRAs about the account and continued to report the account as belonging to Rogers.
In January 2016, Rogers learned from Keffer that the imposter had again obtained financing in his name. Rogers contacted SunTrust about the second fraudulent financing, but SunTrust continued to report the account to the CRAs.
In April 2016, Rogers was contacted by a recovery company, Elite Skippers, Inc., who tried to retrieve the cars from him on Keffer’s behalf.
Finally, in June 2016, Rogers sued Keffer, SunTrust, Chase and the CRAs for violating the Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA) and various state laws.
First, Rogers alleged that Chase had violated the North Carolina Unfair and Deceptive Trade Practices Act (UDTPA) by (1) making repeated demands on a debt he did not owe despite multiple notifications to Chase by Rogers that the account was obtained by fraud, and (2) its unreasonable delay in addressing the identity theft, including failing to implement adequate measures to address accounts opened by fraud, failing to remove the account from bank records associated with Rogers, and continuing to report the false account information to the CRAs. Note that most states have some version of an “unfair and deceptive practices act,” so don’t quit reading if your business is in some other state.
Chase argued that Rogers’s UDTPA claim was preempted by the FCRA to the extent that the claim alleged a failure to report accurate information to the CRAs. The FCRA preempts any state law with respect to the responsibility of persons who furnish information to the CRAs, including the duty to furnish accurate information and the duty to investigate any disputed information and correct any errors. Therefore, the federal trial court held that the UDTPA credit reporting claims were preempted by the FCRA, but the claims related to Chase’s attempts to collect on the debt were not.
Then Rogers took aim at the dealership by alleging that Keffer had violated the UDTPA by failing to implement reasonably prudent credit application procedures and failing to verify the identity of the credit applicant. Under North Carolina law, an act is “unfair and deceptive” when it “offends established public policy (and) is immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers.”
The court held that the violations alleged by Rogers were merely negligent, which did not meet the unfair and deceptive standard required by law and dismissed the UDTPA claims against Keffer. Rogers also alleged that Keffer had violated the North Carolina Identity Theft Protection Act (ITPA) by intentionally disclosing his social security number to a third party without written consent. However, under the ITPA, a defendant may not be held liable if the social security number was included in an application or to obtain a credit report from or furnish data to a CRA. Therefore, the court also dismissed Rogers’s ITPA claims against Keffer.
About The Authors:
Thomas B. Hudson
& Eric Johnson
Tom Hudson was a founding partner of Hudson Cook, and now serves the firm in an Of Counsel capacity. He has practiced consumer financial services law since 1973. He has focused his practice on matters relating to vehicle financing and leasing.
Eric Johnson is a partner in the firm’s Oklahoma City office. He assists national and state consumer finance organizations and motor vehicles dealers with nationwide finance, online vehicle sales assistance, litigation funding, and electronic payment programs. He also provides responses to regulator examinations, comments on proposed statutes and regulations to legislators and regulators, and assists financial services providers with statutory and regulatory changes occasioned by the Dodd-Frank Act.
Hudson Cook is one of our esteemed partners who have authored a pre-loaded library of content and trainings that takes the hassle out of staying current with ever-changing compliance requirements. The result? Compli makes it easy to maintain an effective workforce compliance program.
Like this article? Then check out Hudson Cook’s Insights, with a wide range of articles on a variety of regulatory topics.
Finally, the court dismissed Rogers’s FDCPA claim. Under the FDCPA, a “debt collector” is a person whose principal purpose is to collect debts, a person who regularly collects debts owed to another, or a person who collects its own debts, using a name other than its own as if it were a debt collector. As a creditor collecting its own debts in its own name, Chase did not meet any of these requirements and so the FDCPA did not apply to its collection activities.
Red Flags Allegations Against the Dealership
Rogers charged the dealership with “failing to implement reasonably prudent credit application procedures and failing to verify the identity of the credit applicant.” That sounds an awful lot like the dealership did not have a written Red Flags policy as required by law, but perhaps it did, and Rogers was attacking the adequacy of the policy and the dealership’s implementation of it. Keffer got very lucky; the Judge’s rulings could have easily gone the other direction. In any event, defending Rogers’ claims cost the dealership time, effort and money. I’m sure the dealership’s reputation took a nice beating in the public eye as well.
RV dealers without a Red Flags policy should use this case as a wake-up call and get a policy in place. Those who already have a Red Flags policy should make sure it is periodically updated to address any new incidences of identity theft and effectively implemented.