OFAC/NPI

Questions and Answers

Which act mandates that dealerships provide customers with a Privacy Notice explaining the store's information-sharing practices?

  • Fair Credit Reporting Act (FCRA)
  • Gramm-Leach-Bliley Act (GLB Act) Financial Privacy Rule (correct)
  • Red Flags Rule
  • Safeguards Rule

According to the guidelines for protecting Nonpublic Personal Information (NPI), which of the following is considered NPI?

  • Aggregated, anonymized market data
  • The fact that an individual is a customer of the dealership (correct)
  • Data legally obtained from the internet
  • Information available in a public phone directory

What is the primary responsibility of a Corporate Compliance Officer (CCO) concerning Nonpublic Personal Information (NPI) and identity theft prevention?

  • To develop, implement, and maintain written policies and procedures related to NPI protection and identity theft prevention. (correct)
  • To act as a liaison between the dealership and the Federal Trade Commission (FTC).
  • To process credit applications and verify customer identities.
  • To manage the dealership's marketing campaigns and ensure compliance with advertising regulations.

A potential car buyer fills out a credit application at a dealership. How should the dealership initially provide the required Privacy Notice?

Through a written copy of the Privacy Notice. (D)

Which of the following pieces of information would be classified as Nonpublic Personal Information (NPI)?

An individual's Social Security number (D)

How does the Financial Privacy Rule empower consumers regarding their Nonpublic Personal Information (NPI)?

It gives consumers the right to limit some, but not all, sharing of their information. (B)

Which of the following programs is NOT something a Corporate Compliance Officer (CCO) is required to do?

Oversee the dealership's marketing to ensure maximum customer reach. (A)

A person visits a car dealership to inquire about purchasing a vehicle but does not make a purchase. According to the definitions provided, how are they classified?

Consumer (B)

What is the primary role of a dealership's Corporate Compliance Officer (CCO) under the Red Flags Rule?

To implement and maintain an Identity Theft Prevention Program (ITPP). (C)

Under the updated Safeguards Rule, what is required for customer information both in transit and at rest?

Encryption or equivalent alternative security controls. (A)

If identity theft red flags are detected at a dealership, what is a required component of the Identity Theft Prevention Program (ITPP)?

Evaluate and respond to the detected red flags. (A)

Besides currency, what financial instruments necessitate reporting on IRS Form 8300 if received in excess of $10,000 for a single transaction?

Cashier's Checks. (D)

Under the Disposal Rule, how must a dealership handle consumer report information to prevent unauthorized access or use?

Disposing of it through reasonable and appropriate methods, such as shredding or burning. (A)

A dealership discovers that an employee has been selling customer data to a third party. According to the rules discussed, what immediate action MUST be taken?

Report breaches of the Information Security Program to the compliance officer. (A)

What is the potential penalty for failing to comply with the Privacy Rule or the Safeguards Rule?

FTC enforcement action with fines up to $53,088 per violation. (D)

A customer pays $12,000 with a personal check and $3,000 in cash for a vehicle. Which payment(s) require reporting on IRS Form 8300?

Only the $3,000 cash. (D)

What is the primary purpose of the Red Flags Rule?

To protect against identity theft. (A)

What are the key elements of a typical Information Security Program (ISP)?

Limiting access to places where NPI is stored and documenting employee training. (B)

What is a practice a dealership can use to help prevent identity theft?

Securing a fully completed credit application with as much information as possible. (A)

According to the provided information, what is NOT considered 'cash' when reporting transactions to the IRS on Form 8300?

Personal Check. (C)

To meet the 'safe harbor' requirements related to privacy notices, what must a dealership do?

Use one of the notices posted on the FTC website's 'form builder' without any alteration. (D)

How often should the Identity Theft Prevention Program (ITPP) be updated?

Periodically. (C)

What updated Safeguards Rule requirement would be violated if a dealership allows employees to access customer data using only a username and password, with no other authentication method?

Multifactor authentication. (B)

According to the provided OFAC guidelines, what is the recommended first step when a customer's name produces a potential match on the SDN or Blocked Persons List?

Ask the customer the 'out of wallet' questions provided by your system. (D)

In the context of OFAC compliance, what action should be taken if an exact match is confirmed after comparing a customer's information with the SDN list?

Do not deliver the vehicle and notify OFAC in writing within 10 business days. (D)

According to the Do-Not-Call Rule, under what circumstance is it permissible to contact a consumer for sales purposes, even if they are listed on the national do-not-call registry?

If the consumer has inquired about a vehicle within the past 90 days. (B)

What is the timeframe within which a dealership can contact a customer who has made a purchase, lease, or had a transaction (like an oil change) without violating the Do-Not-Call Rule?

18 months from the date of the transaction. (C)

If a customer explicitly requests to be removed from a dealership's call list and is not on the state or national Do Not Call registry, how long until they no longer can be contacted?

60 months (5 years). (C)

According to the guidelines, what must a dealership do before contacting a potential customer whose information was obtained through a customer referral program?

Check the prospective customer's name against the national, state, and dealership do-not-call lists. (A)

Under the CAN-SPAM Act, which type of email is most heavily regulated regarding its content and purpose?

Commercial emails, such as advertisements or promotions. (A)

Which of the following is a requirement of the CAN-SPAM Act regarding the 'From' line of a commercial email?

The 'From' line must accurately identify the sender and their domain. (A)

What is the mandatory requirement for commercial emails, as dictated by the CAN-SPAM Act, concerning the recipient’s ability to opt-out of future emails?

The sender must provide a clear explanation of how to opt-out, without incurring any expense to the recipient. (D)

According to the CAN-SPAM Act, how long does an unsubscribe/opt-out link need to remain active after a commercial email is sent?

30 days (B)

Within what timeframe must a sender honor a recipient's request to unsubscribe from commercial emails, according to the CAN-SPAM Act?

Within 10 business days (C)

Considering the combined effect of the CAN-SPAM Act and telemarketing rules, what specific permission is required to send a commercial text message to a customer's cell phone?

Prior written permission or opt-in from the cell phone owner. (A)

Which of the following actions is permissible regarding contacting a former customer?

Contacting them within 18 months from their last transaction, establishing an existing business relationship. (B)

A dealership employee sends an email that promotes a special sale event for trucks. According to the CAN-SPAM Act, what must be included in this email?

The dealership's valid physical postal address. (C)

When should a dealership consider calling OFAC to confirm a potential SDN match, according to the guidelines?

If an exact match cannot be determined after manual comparison. (C)

A customer makes several cash payments, each under $10,000, for a single transaction over a 3-month period, totaling $12,000. When is an IRS Form 8300 required to be filed?

After the final payment is made, which causes the total cash received to exceed $10,000 within a 12-month period. (B)

A dealership discovers a customer refused to provide their Social Security number (SSN) during a cash transaction exceeding $10,000. Which action is most appropriate for completing IRS Form 8300?

Leave line 6 (SSN) blank and write in the comments section, “Customer refused to provide their SSN,” and record their driver's license number. (A)

Which of the following scenarios requires a dealership to file an IRS Form 8300?

Receiving $12,000 in cash from a customer for a vehicle purchase. (B)

A customer pays $15,000 in cash for a vehicle. The dealership files IRS Form 8300. By what date must the dealership notify the customer that the form was filed?

By January 31st of the year following the transaction. (B)

A customer pays $12,000 in cash for a vehicle. The dealership suspects the transaction involves illegal activity. What actions should the dealership take regarding IRS Form 8300 and customer notification?

File IRS Form 8300, mark it as a 'Suspicious Transaction', and do not notify the customer that the form was filed. (A)

What is the potential criminal penalty for willfully filing a false IRS Form 8300?

A fine of up to $100,000 ($500,000 for a corporation) and/or imprisonment up to three years. (A)

A U.S. resident purchases a vehicle with a combination of $6,000 cash and a $7,000 cashier's check. Is it necessary to file IRS Form 8300?

No, because the cash portion is not over $10,000. (D)

When must IRS Form 8300 be filed with the IRS?

Within 15 days from the date of the transaction. (D)

A customer who is a non-resident alien without an ITIN or SSN pays $15,000 in cash for a vehicle. What documentation should the dealership obtain and include with IRS Form 8300?

A copy of the customer's driver's license or passport, preferably both. (D)

A customer provides $11,000 in cash for a vehicle purchase, listing their cousin as the purchaser on the sales agreement. Whose information should the dealership include on IRS Form 8300?

Both the customer who provided the cash and the cousin listed as the purchaser. (D)

What type of payment is ALWAYS considered cash when determining whether to file IRS Form 8300?

U.S. or foreign currency. (A)

A business intentionally disregards the requirements for filing IRS Form 8300. What is the potential civil penalty?

The greater of $31,520 or the amount received and required to report, up to $126,000. (C)

What is the purpose of checking the OFAC's SDN and Blocked Persons list?

To identify potential terrorists and other foreign criminals with whom transacting business is prohibited. (B)

A dealership fails to conduct an OFAC check on a customer and unknowingly transacts business with a person on the SDN list. What is the potential penalty for this noncompliance?

A fine of up to $5 million and/or up to 30 years in prison, or a combination of both. (C)

At what point in the transaction process should a dealership conduct an OFAC check?

At the time the deal is consummated – and on all parties – regardless of whether their name is on the RISC. (A)

Flashcards

GLB Act & FCRA

A group of laws protecting consumer and customer Nonpublic Personal Information (NPI) and preventing identity theft.

Corporate Compliance Officer (CCO)

Oversees the development, implementation, and enforcement of policies and procedures to protect NPI and prevent identity theft.

Nonpublic Personal Information (NPI)

Any information that is not available to the general public; includes personal ID and financial data.

Public Information

Information legally accessible to anyone (e.g., phonebook listings).

Financial Privacy Rule

Requires dealerships to inform customers how their NPI is shared through a Privacy Notice.

Consumer

Someone considering a vehicle purchase.

Customer

Someone who has completed a vehicle purchase.

Initial Privacy Notice

All customers must receive this, detailing the dealership's information-sharing practices.

Safe Harbor Protection

Protection from liability if dealerships use FTC-provided notices without changes.

Safeguards Rule

Protects non-public personal information (NPI) in both paper and electronic forms, requiring a designated compliance officer and an Information Security Program (ISP).

Information Security Program (ISP)

A program that includes risk assessment of dealership operations to identify potential NPI compromises.

Updated Safeguards Rule

Requires encryption for customer information, multi-factor authentication, data disposal procedures, continuous monitoring, and a written incident response plan.

ISP Elements

Limiting access, using password features, physical protection, employee training, authorized personnel access, and breach reporting.

Penalties for Noncompliance

May include FTC fines (up to $53,088 per violation) and UDAP claims.

Disposal Rule

Requires reasonable and appropriate disposal practices to prevent unauthorized access to consumer report information and NPI.

Acceptable Disposal Methods

Burning, pulverizing, or shredding paper documents and destroying or erasing electronic data.

Red Flags Rule

Requires measures to prevent identity thieves from using NPI to buy a car.

Red Flags

Patterns, practices, or activities that indicate the possibility of identity theft.

ITPP Purpose

Identify, detect, evaluate, and respond to potential identity theft indicators.

Identity Verification Methods

Confirm information from various sources, check SSN against the Death Master List, and use challenge questions.

Practices to Prevent Identity Theft

Fully completing credit applications and controlling the pace of the transaction.

What Constitutes Cash?

U.S. and foreign currency and money instruments (cashier’s check, money order, etc.) under $10,000.

What is NOT cash?

Personal checks, wire transfers, proceeds of a loan, or individual instruments over $10,000.

Instruments Always Considered Cash

Specific monetary instruments always considered as cash equivalents for IRS Form 8300 reporting.

Cash Reporting Threshold

You must file IRS Form 8300 when a customer pays over this amount in cash.

Related Cash Transactions

A series of smaller cash payments that, when combined, exceed $10,000.

Form 8300 Filing Deadline

The deadline for filing IRS Form 8300 after a cash transaction exceeding $10,000.

Customer Notification Deadline

The date by which dealers must notify customers in writing about IRS Form 8300 filings.

Individual Taxpayer ID

The type of number individuals use on Form 8300 for identification.

Customer Refusal of SSN

What to do if a customer refuses to provide their SSN on Form 8300.

Suspicious Transaction Filing

Form 8300 handling when illegal activity is suspected.

Office of Foreign Assets Control (OFAC)

The division of the Treasury Department that tracks potential terrorists and foreign criminals.

SDN and Blocked Persons List

A list of individuals and entities with whom businesses are prohibited from transacting.

SDN List Update Frequency

Frequency with which the SDN and Blocked Persons list is updated.

OFAC Check Requirement

The required action regarding the SDN list for every transaction.

OFAC Noncompliance Penalty

Consequence for noncompliance with OFAC regulations.

Timing of OFAC Check

The point in the sales process when the OFAC check should be completed.

Non-Resident Alien ID

Acceptable forms of ID for a non-resident alien without a TIN or SSN.

SDN or Blocked Persons List

List of individuals and entities that U.S. companies are prohibited from doing business with.

OFAC Potential 'Hit'

When a customer's name matches a name on the SDN list, triggering further investigation.

Verifying a Potential OFAC Hit

Verify customer identity using 'out of wallet' questions and compare information manually.

Information to Differentiate an OFAC Hit

Date of Birth, Address, Nationality, Place of Birth.

OFAC Exact Match Verification

Contact OFAC at 1(800) 540-6322 for confirmation before blocking the transaction.

OFAC Reporting Requirements

Notify OFAC in writing within 10 business days and secure all transaction documents for 5 years.

Do-Not-Call Rule

Prohibits contacting individuals on do-not-call lists with unsolicited sales pitches.

Do-Not-Call 'Inquiry' Exception

Contacting an interested consumer within 90 days of their inquiry.

Do-Not-Call 'Existing Business Relationship' (EBR) Exception

Contacting a customer within 18 months of purchase, lease, or last transaction.

Established Business Relationship (EBR)

A consumer who has purchased/leased a vehicle or used other dealership services.

Do-Not-Call & Referral Programs

Check against do-not-call lists before contacting leads from customer referrals.

CAN-SPAM Act 'Primary Purpose'

Categorizes emails to determine required disclosures and compliance measures.

CAN-SPAM 'Transactional Emails'

Emails that facilitate agreed-upon transactions or provide updates. Lightly regulated.

CAN-SPAM 'Commercial Emails'

Emails advertising or promoting vehicles/services. Heavily regulated.

CAN-SPAM & Cell Phones

Requires prior written permission or opt-in to send commercial messages to cell phones.

Study Notes

  • These acts and rules protect consumer and customer Nonpublic Personal Information (NPI) and prevent identity theft.

Laws and Regulations

  • Gramm-Leach-Bliley Act (GLB Act) contains the:
    • Financial Privacy Rule
    • Safeguards Rule
  • Fair Credit Reporting Act (FCRA) contains the:
    • Disposal Rule
    • Red Flags Rule (prevents identity theft)

Corporate Compliance Officer (CCO)

  • Dealers are required to appoint a Corporate Compliance Officer (CCO) to comply with NPI handling and identity theft prevention laws.
  • The CCO must create, implement, monitor, enforce, and update written policies and procedures (P&P).
  • The role includes conducting and documenting training for personnel impacted by the P&P programs.

Protecting Nonpublic Personal Information (NPI)

  • Customer information includes "nonpublic personal information" (NPI), which is "personally identifiable financial information."
  • NPI is any information not legally accessible on the internet or in a phonebook.
  • NPI examples:
    • Social Security numbers
    • Driver’s license numbers
    • Credit card numbers
    • Unlisted phone numbers
  • Under the updated Safeguards Rule, even the fact that someone is a customer is considered NPI.

Financial Privacy Rule

  • Requires dealerships to provide a Privacy Notice explaining information-sharing practices when a prospective buyer provides NPI on a credit application.
  • Consumers can limit some information sharing.
  • All customers must receive the Privacy Notice in writing, not orally.
  • Dealers must use the "safe harbor" notices on the FTC website without deviation.

Safeguards Rule

  • Protects NPI in paper and electronic format.

Updated Safeguards Rule

  • A qualified individual such as a Chief Information Officer (CIO) governs the updated Safeguards Rule.
  • Requires:
    • Encryption for all customer information in transit and at rest or effective alternative controls.
    • Multifactor authentication for accessing information systems or a reasonable equivalent.
    • Procedures to dispose of customer information no later than two years after its last use, with exceptions for regulatory mandates.
    • Continuous monitoring or periodic penetration testing and cybersecurity vulnerability assessments.
    • A written incident response plan to address security events affecting customer information confidentiality, integrity, or availability.

Information Security Program (ISP)

  • Elements of a typical program include:
    • Limiting access to NPI storage locations.
    • Installing time-out/password features on computers with NPI.
    • Securing NPI under lock and key, never leaving it unattended.
    • Documenting training for all employees and new hires on the ISP.
    • Allowing only authorized personnel access to NPI.
    • Reporting ISP breaches to the compliance officer.

Penalties for Noncompliance

  • Failure to comply with Privacy or Safeguards Rules may result in:
    • FTC enforcement action with fines up to $53,088 per violation; potentially per vehicle sold if the ISP is flawed.
    • Unfair or Deceptive Acts or Practices (UDAP) claims at state and federal levels.
    • Individuals can report violations to applicable agencies.

Disposal Rule

  • Requires dealerships to use reasonable disposal practices to prevent unauthorized access to consumer report information and NPI.
  • Information from consumer reports or collected from consumers cannot be thrown in the trash; it must be disposed of as follows:
    • Paper burned, pulverized, or shredded.
    • Electronic data destroyed or erased.
  • The dealership must:
    • Destroy any collected NPI.
    • Conduct due diligence when hiring a document destruction service.
    • Document the destruction of materials containing NPI.

Red Flags Rule

  • Requires measures to prevent identity thieves from using someone else’s NPI to buy a car.
  • Requires appointing a Corporate Compliance Officer (CCO) to implement an Identity Theft Prevention Program (ITPP).

Identity Theft Prevention Program (ITPP)

  • Also known as a Red Flags Rule Program.
  • Must be approved by the Board of Directors and updated periodically.
  • The purpose is to:
    • Identify relevant red flags.
    • Detect and evaluate red flags.
    • Respond to detected red flags.

Identity Verification Methods

  • Methods of Verifying Identity:
    • Confirm information matches across sources like credit applications, credit reports, driver’s licenses, and insurance cards.
    • Check SSN against the Death Master List and confirm it matches Social Security Administration patterns.
    • Have the consumer take a "selfie" with their driver's license.
    • Ask challenge questions.

Practices to Prevent Identity Theft

  • Secure a fully completed credit application to triangulate information.
  • Control the transaction's pace and be alert for disruptions.
  • Involve a manager for implausible situations.
  • Avoid delivering the car if uncomfortable.

IRS Form 8300

  • Cash transactions over $10,000 from one buyer must be reported on IRS Form 8300.
  • What constitutes Cash?
    • U.S. and foreign currency
    • Money instrument with a face value of $10,000 or less such as:
      • Cashier’s check
      • Money order
      • Traveler’s check
      • Bank draft
  • What is Not Cash?
    • Personal checks
    • Wire transfers
    • Proceeds of a loan (a lien will be recorded)
    • Individual cashier’s checks, money orders, traveler’s checks, or bank drafts with a face amount over $10,000

Transactions that Require Filing IRS Form 8300

  • Receiving multiple cash instruments under $10,000 that total over $10,000.
  • Related cash transactions within 24 hours, each under $10,000, totaling over $10,000.
  • Receiving over $10,000 in cash over 12 months from a single transaction.
  • Receiving a cash down payment over $10,000, even if the sale doesn’t happen.

IRS Filing Rules

  • File the form with the IRS within 15 days of the transaction.
  • There is no obligation to inform the customer at the time of the transaction that a form has been filed.
  • Notify the customer in writing by January 31st of the following year.
  • Include the name of individual(s) who presented the cash.

Taxpayer Identification Number (TIN) Section

  • Individual customers/sole proprietorships: SSN
  • Nonresident aliens: Individual Taxpayer Identification Number (ITIN)
  • Corporations, partnerships, estates: Employer Identification Number (EIN)

Exceptions to Line 6

  • If a customer refuses to provide their SSN:
    • Leave line 6 blank.
    • Write "Customer refused to provide their SSN" in the comments.
    • Record the customer’s driver’s license number.
  • If a customer is a non-resident alien:
    • Record the customer’s driver's license or passport number.
    • Include a photocopy of the ID in the filing.
    • You aren’t required to provide a TIN for a non-resident alien if they:
      • Do not have income connected with the conduct of a U.S. trade or business
      • Do not file a federal tax return
      • Do not file a joint federal income tax return with a spouse who is a U.S. citizen or resident

Suspicious Transactions

  • If illegal or fraudulent activity is suspected, fill out the form and mark it as a Suspicious Transaction.
  • If marked as suspicious, do not tell the customer that a transaction form has been filed.

Civil and Criminal Penalties

  • Civil Penalty (Negligence): $310 per return (dealer)
  • Civil Penalty (Intentional disregard): The greater of $31,520 or the amount received (up to $126,000).
  • Criminal Penalty (Criminal intent): Fines up to $100,000 for individuals ($500,000 for corporations) and/or imprisonment up to three years, plus prosecution costs.
  • Penalties can be assessed against both the F&I practitioner and the customer for attempting to avoid filing Form 8300.

USA Patriot Act & OFAC

  • The Office of Foreign Assets Control (OFAC) is a division of the Treasury Department that tracks potential terrorists and other foreign criminals.
  • The Specially Designated Nationals (SDN) and Blocked Persons list is maintained by OFAC and constantly updated.
  • Businesses/individuals cannot deal with any entity on the SDN list.
  • Penalties for noncompliance could be a $5 million fine and/or up to 30 years in prison, or both.
  • Check every customer against the SDN & Blocked Persons list regardless of transaction type or funding source.
  • There is no defense for noncompliance with OFAC.
  • The OFAC check should be completed at the time the deal is consummated – and on all parties – regardless of whether their name is on the RISC.

OFAC Potential “Hit”

  • The customer’s name has matched a name on the SDN or Blocked Persons List.
  • First, ask "out of wallet" questions.
  • If that doesn't provide clarity, compare the information manually.
  • Request additional information from the customer to differentiate them from the person listed on the SDN list:
    • Date of Birth
    • Address
    • Nationality
    • Place of Birth
  • If only the name matches, print out the documents and include them in the deal jacket.

OFAC Exact Match

  • If an exact match cannot be determined, OFAC recommends calling 1(800) 540-6322 for confirmation before blocking the transaction.
  • If an exact match is confirmed:
    • Do not deliver the vehicle.
    • Notify OFAC in writing within 10 business days with supporting documentation.
    • Secure and keep every transaction-related document on file for 5 years.

Do-Not-Call Rule

  • States that you cannot contact anyone listed on do-not-call lists with an unsolicited sales pitch.
  • Exceptions:
    • Contacting an interested consumer for 90 days from their inquiry or sharing of contact information.
    • Contacting a customer within 18 months from the date of purchase, lease, or last transaction.
  • If a customer doesn't want to be called again:
    • If the customer IS ON the state or national Do Not Call registry, they cannot be contacted again.
    • If the customer IS NOT ON the state or national Do Not Call registry, the customer can be contacted after 60 months (5 years).

Customer Referral (Bird Dog) Program

  • You cannot contact any "lead" acquired through a former customer without checking the prospective customer’s name against do-not-call lists.

Do-Not-Email Rule - CAN-SPAM Act

  • The FTC categorizes emails by primary purpose:
    • Relationship emails: personal messages.
    • Transactional emails: facilitate transactions or update customers.
    • Commercial emails: advertise or promote vehicles/services.
  • Only Commercial emails are regulated by the CAN-SPAM Act.

Do-Not-Email Rule requirements

  • Don’t use a fraudulent “From” line; it must be accurate.
  • Don’t use fraudulent subject lines; they must reflect the message content.
  • Identify the message as an ad (e.g., use "ADV" in all caps).
  • Include the dealership’s valid physical postal address.
  • Provide a clear explanation of how to opt-out (unsubscribe) from future emails.
  • The unsubscribe link must remain active for 30 days.
  • The sender must honor the unsubscribe request within 10 business days.

Rules for Cell Phones

  • You must have prior written permission or opt-in from the cell phone owner to send any commercial message to a cell phone.
