Two Recent Cases Show Need For a Compliance Management System
Two recent cases, one in Pennsylvania, the second in Arizona, have resulted in or are seeking large monetary damages awards against dealers and their principals personally. Both involved situations in which the dealers failed to have in place a Compliance Management System (CMS). The case already resolved—the one in Pennsylvania—required the dealership to implement a Code of Conduct and CMS to avoid further damage liability.
Both cases involved patterns and practices of unlawful conduct that had been going on for years and could have been prevented by application of an effective CMS. In Pennsylvania, the dealer entered into a deferred prosecution agreement which essentially means that if it takes certain action, it will not be prosecuted further under federal criminal laws.
The Department of Justice (DOJ) sued the dealer and its principal for falsifying loan documents over a period of six years. These actions, if proven, would constitute the felony of bank fraud under federal criminal law. To stave off prosecution, the dealer agreed to pay a monetary penalty of $1.4 million and more than $737,000 in restitution to various finance companies. It also agreed to implement a substantial corporate compliance and ethics program and a vigorous monitoring and audit regime. If it fails to do so, the DOJ will prosecute for the criminal violations.
The second case in Arizona involves the FTC suing a five-store dealer group and its principals personally for falsifying customer income on credit applications and down payments on contracts. This is the first time the FTC has brought a lawsuit against an auto dealer for misrepresenting consumer income to financial institutions. If true, these activities would also violate federal criminal law and likely result in multi-million-dollar fines and penalties against the dealer. Like the dealer in Pennsylvania, the Arizona dealer had no CMS in place and that will be a contributing factor to how the lawsuit is resolved.
What is a CMS and How Do You Implement One?
A CMS begins with a Code of Conduct issued by the Board of Directors or senior management if the dealer does not have a Board. It sets the tone from the top. The first step toward implementation of a compliance program is management’s communication of their commitment and the responsibility of all employees to adhere to the Code of Conduct in all dealings.
The CMS is composed of several elements addressing risks identified by the Board and a Chief Compliance Officer who is appointed to head up the CMS. All aspects of the dealership from manufacturer relations to environmental shop risks need to be reviewed and addressed. Management of risks and controls over process are the essence of a CMS.
It is critical that the dealership establish compliance standards (policies and procedures) that prescribe the internal control framework necessary to provide reasonable assurance of compliance with applicable laws and policies, including those designed to protect consumer privacy during the conduct of dealer activities. Employees will not come forward with complaints or reports of failure to adhere to processes or procedures if they fear retaliation or do not believe their reporting will change anything. For a CMS to work effectively throughout the organization, a formal investigation process and controls must be put into place to assure that non-retaliation, privacy, and a swift change to processes necessary to effect change are implemented and publicized to the employees
Policies and Procedures
High level policies and individual processes and procedures to control compliance risks must be developed and employees need to be trained on overall policies applicable to all employees (e.g., harassment and discrimination prohibitions, complaint or compliance violation reporting and anti-retaliation policies) as well as specific policies and procedures applicable to their positions. So, for example, f & I personnel would need to be educated about Truth in Lending, the Consumer Leasing Act, unfair and deceptive practices and given procedures for the conduct of business in the f&I office such as transparently presenting products and avoiding things like payment packing, discriminating in credit terms offered to customers, and presenting products honestly and fairly to customers.
Managers are the first line of defense in monitoring employees and all required behaviors should be monitored. An example is accessing non-public customer information. Policies would limit permissions to only what an employee needs to do their job and the frequency and nature of customer information accessed would be regularly monitored using data logs and a gatekeeper for paper files. If any spikes in activity appear, the Chief Compliance Officer and appropriate staff would begin an investigation to see if the employee had been compromised or become dishonest personally in stealing customer information. Appropriate safeguards and process improvements would be promptly identified and implemented.
Compliance must be implemented in all new products and programs including by giving the Compliance Officer a “seat at the table” as they are developed. Policies and procedures for implementation follow with monitoring established to ensure compliance or remediate a failure to comply.
Education and Training
Critical to any CMS is a process of training new hires and re-training existing employees on the Code of Conduct, overall dealership policies and procedures that apply to all employees, as well as the policies and procedures that apply to their specific positions. This needs to be an ongoing interactive process. Training and compliance need to be built into performance reviews and promotional decisions. This systemizes the CMS throughout the dealership.
Auditing and Investigation
Periodic audits need to be performed by internal or external auditors of the various controls established as well as reported incidents and matters identified from monitoring. Auditing should be done regularly as well as in response to specific situations. The auditors work with the Chief Compliance Officer, identify process failures and transgressions, and make reports and recommendations to the Board or a committee of the Board for correction and improvement. A periodic review of customer deal jackets is an example of an audit process designed to identify acts or omissions that are out of compliance.
Both the auditors and Chief Compliance Officer should be independent of the business and the business units being investigated. The dealer needs to provide ample resources and access to dealer materials to enable the CMS to function effectively and assess the dealership’s compliance in all areas.
Managing Incidents of Non-Compliance
Compliance incidents, however identified, must be swiftly contained and investigated; and, appropriate corrective action taken. Upon reporting of a potential incident, the dealership must conduct compliance incident management activities by applying the relevant policy, assessing authorities, and/or legal issues, taking corrective action, and responding to the needs of the organization’s internal and external overseers. In addition, the CMS evaluation must identify the root cause and assess the impact of incidents to continuously frame the evolution of the CMS.
A ”root cause” analysis is required to correct an underlying process or failure of control that caused the event. A root cause is a factor that caused a nonconformance and should be permanently eliminated through process improvement. A root cause analysis is a collective term that describes a wide range of approaches, tools, and techniques used to uncover causes of problems.
One approach is to drill down to the root cause by asking a series of “why” questions. For example, if vehicle titles are not getting timely processed, a “why” analysis would look at the timeframes and factors that cause the delays. A solution might be to hire an external titling vendor with contractual assurances of timeliness if information is timely provided. The timely provision of information to the titling vendor would be a change in procedure and a process that could be monitored and audited to make sure titles get timely processed.
Regulators require a process for handling customer complaints as part of a dealer’s CMS.
Procedures should be established for addressing complaints, and individuals or departments responsible for handling them should be designated and known to all institution personnel to expedite responses. How complaints are identified and defined is critical, as consumer inquiries may also highlight areas with increased risk of consumer harm and/or regulatory compliance concerns.
Complaints may indicate a compliance weakness in a process, function or department. Therefore, the Chief Compliance Officer should be aware of the complaints received and act to ensure a timely resolution. A compliance officer should determine the cause of the complaint and act to improve the institution’s business practices, as appropriate.
A procedure should also be established for handling garden-variety customer sales or service complaints. The Chief Compliance Officer or his or her staff should log the complaints pursuant to a process and either the Chief Compliance Officer or another dealer senior executive should endeavor to resolve the complaint to the customer’s satisfaction.
Do a cost-benefit analysis of not satisfying the customer in terms of legal fees, bad publicity, low CSI scores, etc. that may outweigh what even unreasonable customer requests entail. Regulators begin investigations with customer complaints, whether or not well founded. Try to resolve complaints with “funny money,” this being free or discounted goods or services. Endeavor to preserve a positive relationship with the customer, one way or another. Use arbitration and pay filing costs if a resolution is not possible as a last resort.
Oversight and Improvement
An effective CMS is a process of constant evaluation. The key is to strive for and demonstrate a process for continually improving on compliance activities and evolving your compliance program and its activities. The Chief Compliance Officer can spearhead this process, but oversight must remain with and be exercised by the Board.
Keep abreast of legal, regulatory and case law developments and change policies and procedures as appropriate. Engage with state and local dealer associations and 20 groups.
Attend compliance update training programs and subscribe to industry publications.
Risks are also not static. Annual (or more frequent) risk assessments should be conducted by Board’s risk/compliance committee and Chief Compliance Officer as business and legal risks evolve. Identify impacted areas. Change policies, procedures and training as appropriate. Enlist managers in making the changes with staff.
Continue to monitor and audit for compliance and respond accordingly even if no complaint has been reported about compliance shortfalls. Continuously improve processes and procedures.
An effective CMS could have saved the two dealerships described above millions of dollars in fines, penalties, attorney’s fees, and bad publicity. Third parties exist to help you begin or improve your CMS. An effective CMS is a factor that a regulator will consider in deciding whether to bring an enforcement action or assess fines and penalties. It is also a factor to be considered by courts under the U.S. Sentencing Guidelines. While it will involve costs and implementing procedures, the two dealerships described above certainly show the result of failing to have an effective CMS. Begin or enhance your CMS today and your dealership will be better off for doing so.