Staying compliant with State and Federal regulations means more than Red Flags and Adverse Action notices. In fact, there are federal laws and regulations regarding company records around vehicle sales, leases, F&I documents, and more. That includes things like memos, emails, a contract, or something less obvious such as a computerized desk calendar, a text message, or a social media website entry. Information contained in flash drives, memory sticks, PSTs, USB drives, and backup tapes, and on wireless devices such as iPhones, Android phones, PDAs, tablets, and other portable media can also be company records.
Why it Matters
The records of an auto dealer are critical assets. They include all records produced and received in connection with the operation of the dealership’s business, whether in physical or electronic format. As such, it is important to have a policy on records maintenance and retention, and it is recommended that, to the greatest extent possible, your records be kept centrally rather than on local PCs or portable devices, which makes the policy easier to administer. You have to know where your records are located before you can effectively manage them. This is especially true for electronic records.
In addition, you also want to know how long to keep (or not keep) records. In particular, ensure that you are not maintaining sensitive consumer information longer than necessary. The FTC has repeatedly warned that companies should retain nonpublic personal information (NPI) data only as long as necessary to fulfill the business and regulatory purposes for which it was collected, because keeping such information creates a risk to consumers. Every state has its own retention requirements for dealer sales records, auto repair and servicing records, tax records, payroll and employment records, and environmental and facility-related records, among others. Consult your local counsel or compliance professional when establishing retention periods for specific categories of your dealership’s records.
Best Practice Tips
- Have a comprehensive record retention policy for both paper and electronic records and consistently apply it. Know what records you keep, and keep only records you need for business. Know where they are located, and why you keep them there. Train your employees on your policy and obtain their written acknowledgement that they will comply with it. Limit and log all access to all records (paper and electronic) containing personal customer information.
- Categorize your records and know the federal and state laws on mandatory time periods for retaining different categories of records.
- Avoid maintaining records on the hard drives of personal computers, laptops, and tablets, or on memory sticks, PSTs, flash drives, or remote storage devices such as smartphones.
- Consider using electronic documents and obtaining electronic signatures instead of paper ones. Electronic documents – credit applications, contracts, notices, consents – can be more securely stored centrally in limited-access electronic databases or on a secure cloud server.
- Secure records that contain consumer information in accordance with your FTC Safeguards Rule Information Security Program and, when they are no longer required, destroy them securely under your FTC Information Disposal Program. Be consistent in recordkeeping and destruction times.