
In retail automotive, there is still a debate over whether the practice of payment packing is illegal. In this short post, we'll learn what payment packing is and why it is illegal.

This video was originally published in December 2018.


Payment Packing Defined

There are a lot of definitions when it comes to what exactly constitutes payment packing. The only official definition I could ever find was the one adopted as a resolution by the National Association of Attorneys General (NAAG). NAAG defines payment packing as the deceptive practice of misrepresenting monthly payments to consumers during auto sales and lease negotiations, in order to facilitate the sale of automobile-related products and services.


In other words, payment packing begins at the payment quotation. The quote is artificially inflated so that you can detect the customer's pain point. If you say to the customer, "this will be $500 per month," when you know that the actual likely payment for the product and the interest should be $400 a month, you have created $100 of "leg" in the deal. That is illegal because it is deceptive.


Leg creates room to “pack” the inflated payment with products or excessive finance reserve without the customer’s knowledge or informed consent.


If you detect that the customer is fine with a $500 payment—artificially inflated by $100 (the leg)—and then you pack that payment and fill that leg with products whose monthly payment will fill up that surplus hundred dollars, you have broken the law because you have deceived the customer by misrepresenting monthly payments.


It doesn't matter if all of the documentation is accurate at that point. Payment packing begins at the first pencil (the initial payment quote). By the time you get the documentation straight it should be accurate, but all you are accurately recording is the fraud.


Best Practice for Quoting Payments

Payment packing starts and ends with artificially inflating the quoted payment. To avoid even the potential appearance of payment packing, you should always:

  • accurately quote payments at every step of the process

  • explain every change in those payments

  • get the customer to acknowledge the reason for every change in the monthly payment

  • have the customer initial or sign on the menu, the buyer's order, the installment sale contract, and on all of the contract documents for the products

If you follow these best practices, payment packing can't happen and it won't happen. Always be honest and always tell the truth. As a practical matter, until you know the customer's actual credit score, always quote from a consistent and realistic credit score or credit tier so the APR will be uniform. Until you know differently, assume every customer who walks in qualifies for your captive finance company's tier two APR and use that as the basis for your payment quotations. Payments should always be quoted accurately, transparently, and consistently. If you can do those three things (and you can!), payment packing will never be a worry.




What the FTC said in its consent order against DealerBuilt could have an impact on how dealers, other financial institutions, and their service providers do business.

This video was originally published in June 2019.


Problems storing Non-Public Personal Information

In June of 2019, the Federal Trade Commission issued a proposed consent order against LightYear Dealer Technologies d/b/a DealerBuilt. It stands as a cautionary tale for dealers and their service providers.


DealerBuilt is a company that was, well, built by dealers. It developed and sells dealership management system software and data processing services to automobile dealerships across the country. That DMS tracks, manages, and stores both customer and employee data, including an enormous amount of nonpublic personal information (or NPI).


All of that NPI was stored in cleartext, without any access controls or authentication protections (such as passwords). DealerBuilt also routinely transmitted the data between servers at the dealership and its backup servers in cleartext.


In the spring of 2015, in order to increase capacity, DealerBuilt personnel added a large storage device to its existing backup network. Unfortunately, that device was not configured securely, and it exposed an open connection port for approximately 18 months.


And what, exactly, is an “open connection port”? It’s a little like a screen door on a submarine: pretty much anything can get in – and out.


For those 18 months, DealerBuilt did not perform any vulnerability scanning or penetration testing that could have discovered the open connection port. Eventually, it was exploited, resulting in a major loss of customer and employee NPI.
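The gap described above, an unexpected listening service that nobody looked for over 18 months, is exactly what a routine scan compared against a baseline catches. The following Python script is an added example for this page (not DealerBuilt's code, not anything from the FTC order): it parses nmap "grepable" (-oG) output for a backup network, compares each host's open ports against an expected-services allowlist, and flags both ports that are not on the allowlist and services that carry data in cleartext or commonly run without authentication. The scan output, the allowlist, the host addresses, and the cleartext-service list are all constructed for the example.

```python
import re

# Services that move data in cleartext or commonly run without authentication.
# This set is an assumption for the example, not a standard list.
CLEARTEXT_OR_UNAUTH = {"ftp", "telnet", "rsync", "nfs", "http", "redis", "memcached"}

# Expected listening TCP ports per host on the backup network (constructed).
ALLOWLIST = {
    "10.20.0.10": {22, 873},   # backup server: ssh + rsync daemon
    "10.20.0.11": {22},        # storage appliance: ssh only
}

# Constructed nmap -oG output. In the real format each "Host:" line carries
# tab-separated fields; entries in "Ports:" are port/state/proto/owner/service/...
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample for this example)\n"
    "Host: 10.20.0.10 ()\tStatus: Up\n"
    "Host: 10.20.0.10 ()\tPorts: 22/open/tcp//ssh///, 873/open/tcp//rsync///"
    "\tIgnored State: closed (998)\n"
    "Host: 10.20.0.11 ()\tStatus: Up\n"
    "Host: 10.20.0.11 ()\tPorts: 22/open/tcp//ssh///, 873/open/tcp//rsync///, "
    "2049/open/tcp//nfs///\tIgnored State: closed (997)\n"
    "Host: 10.20.0.12 ()\tStatus: Up\n"
    "Host: 10.20.0.12 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n"
)


def parse_grepable(text):
    """Return {host: {port: service}} for open TCP ports in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        open_ports = hosts.setdefault(host, {})
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service or "unknown"
    return hosts


def audit(scanned, allowlist):
    """Compare scanned open ports with the allowlist.

    Returns a list of (host, port, service, reasons) tuples, one per port that
    is either not expected on that host or is a cleartext/unauthenticated service.
    """
    findings = []
    for host, ports in sorted(scanned.items()):
        expected = allowlist.get(host)
        for port, service in sorted(ports.items()):
            reasons = []
            if expected is None:
                reasons.append("host not in allowlist")
            elif port not in expected:
                reasons.append("port not in allowlist")
            if service in CLEARTEXT_OR_UNAUTH:
                reasons.append(f"{service} is cleartext or unauthenticated by default")
            if reasons:
                findings.append((host, port, service, reasons))
    return findings


def run_sample_audit():
    """Run the audit over the constructed scan; returns the findings list."""
    return audit(parse_grepable(SAMPLE_SCAN), ALLOWLIST)


if __name__ == "__main__":
    for host, port, service, reasons in run_sample_audit():
        print(f"{host}:{port} ({service}): " + "; ".join(reasons))
```

Run against a real scan (`nmap -sT -p- -oG backup-net.gnmap 10.20.0.0/24`, then feed the file to `parse_grepable`) on a schedule and diff the findings against the previous run; a new host or a new port on the backup network should page someone, not sit for 18 months. Note that an allowlisted rsync daemon is still reported, because "expected" and "encrypted or authenticated" are different questions.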


The FTC concluded that DealerBuilt’s failure to provide reasonable security for consumer NPI caused substantial harm to consumers (and the dealerships that used the DealerBuilt DMS) in the form of fraud, identity theft, monetary loss, and time spent remedying the problem.


DealerBuilt falls within the Safeguards Rule's definition of a financial institution.

Here's where things get interesting. Since May 23, 2003, "financial institutions" have been subject to the Safeguards Rule. Most dealerships are "financial institutions" because they are significantly engaged in financial activities, such as originating installment sale contracts and leases.


What’s interesting from DealerBuilt’s perspective is that it, too, falls within the Rule’s definition of a financial institution. Why? Because it processes data, and if “the data to be processed, stored or furnished are financial, banking or economic” you’re a “financial institution” within the meaning of the Safeguards Rule.


So why is that interesting? Because DealerBuilt also fits the definition of “service provider” under the Rule. Entities covered by the Rule are required by its terms to only do business with service providers that can, and are bound by contract to, follow the Safeguards Rule.


So if the FTC had viewed DealerBuilt in its capacity as a service provider, the FTC would not have gone after DealerBuilt; it could instead have gone after the 268 dealership locations that violated the Rule by using DealerBuilt without confirming that it was complying with the Rule. Instead, the FTC viewed DealerBuilt in its role as a financial institution to which the Safeguards Rule applied in the first instance.


What can we learn from the DealerBuilt case?

Obviously, the FTC chose one action against a single respondent rather than 268 against individual dealerships. We call that “judicial economy.” But there are lessons to be learned from the case beyond just who got sued, and why.


Here's the big takeaway: if DealerBuilt was a service provider and failed to follow the Safeguards Rule, then every dealership that used DealerBuilt could be liable for failing to follow the Safeguards Rule by using a non-compliant service provider.


The Safeguards Rule requires dealerships to have contract language that requires their service providers to follow the Rule. In the wake of the DealerBuilt case, now would be a good time to check your contracts to make sure that language exists. Even better would be a stand-alone Data Security agreement between your dealership and its service providers. But however you satisfy this requirement, make sure you satisfy it!

Does your dealership have Safeguards in place to protect customer information? Or does your dealership just say that it protects customer information? The FTC recently found the latter to be a UDAP violation. New changes to the Safeguards Rule will likely firm up this interpretation and make it more important for dealerships to have robust computer network security in place.

This video was originally published in May 2019.


Changes to the Safeguards Rule

On January 10, 2022, an updated version of the Safeguards Rule took effect (the compliance deadline for several of the new requirements was later extended to June 9, 2023). The biggest change was the abandonment of the "reasonable" standard. What was once subjective became objective: certain tasks had to be undertaken and demonstrated, whether or not they seemed reasonable or appropriate in the dealership environment.

Those mandatory provisions include:

  • Appointment of a single “Qualified Individual” to oversee a dealership’s Safeguards efforts;

  • A thorough, written risk assessment that includes a vulnerability assessment of the dealership’s computer network;

  • A written Information Security Program document, or “WISP” that addresses the risks identified in the risk assessment;

  • Multi-factor authentication to gain access to networks containing customer data;

  • Encryption of customer data, both in transit and at rest;

  • Network intrusion monitoring;

  • Enhanced training;

  • Annual written reports to senior management; and

  • Selection of service providers that can demonstrate compliance with the Safeguards Rule, and termination of service providers that do not.

The downside of failing to comply with the Safeguards Rule is substantial. Potential fines can run to $46,517 per violation; that number is adjusted upward for inflation annually.


Although the odds of becoming subject to FTC fines may be remote, the FTC has treated violations of the Safeguards Rule as a deceptive trade practice. That is ammunition for the plaintiffs' bar and opens the possibility of punitive damages in civil actions.


The Franklin Toyota Case

A few years ago there was an FTC enforcement case, Federal Trade Commission v. Franklin Toyota. In that case, the FTC alleged that Franklin Toyota had failed to follow the Safeguards Rule. Specifically:

  • They failed to conduct a risk assessment.

  • They failed to adopt policies such as an incident response plan to prevent or limit the extent of unauthorized disclosure of personal information.

  • They failed to adequately train their employees.

As a result, their computer network was hacked and they lost the personal information of over 95,000 customers, including names, Social Security numbers, dates of birth, addresses, and driver's license numbers. This type of data breach creates an enormous risk of identity theft and identity cloning.


The scary part came in the consent order. In the consent order, the FTC alleged that the dealer had represented, expressly or by implication, that it implements reasonable and appropriate measures to protect consumers' personal information from unauthorized access. What the FTC meant was that the dealer promised its customers that it would follow the Safeguards Rule. Where did it make that promise? The same place you make that promise: in your Privacy Policy Notice.


The Privacy Policy Notice comes from the same organic law as the Safeguards Rule: the Gramm-Leach-Bliley Act. They're related; it's like they're in the same union. And in the Privacy Policy Notice is the following sentence:


"We employ physical, electronic, and procedural safeguards to protect your non-public personal information in accordance with federal law."

Everybody says that, because it is the model language included in the federal form Privacy Policy Notice that everybody uses. The physical, electronic, and procedural safeguards that Franklin Toyota promised to employ were the ones described in the Safeguards Rule.


But Franklin Toyota didn't follow its own policy. It promised every customer in writing that it would follow the Safeguards Rule, and it failed to make good on that promise. Why is that so serious? In the next paragraph we read:


"In truth and in fact, the dealer did not implement reasonable and appropriate measures to protect consumers' personal information from unauthorized access. Therefore, the representation set forth in paragraph 13 was, and is, false or misleading in violation of Section 5 of the FTC Act."

What that means in plain English is that if you don't follow the Safeguards Rule after promising all of your customers that you will, it constitutes an unfair or deceptive trade practice. Let that sink in. It is an unfair or deceptive trade practice because that's what we find in Section 5(a) of the FTC Act. If it's an unfair or deceptive trade practice, you could potentially be liable for punitive damages, class action lawsuits, and terrible press. In essence, the perfect storm.


Failure to follow the Safeguards Rule can potentially be seen as a deceptive trade practice, and that's the claim that will shoot the lock off your wallet. It has always been important to protect customer data, but in the wake of the Franklin Toyota case and the recent changes to the Safeguards Rule, it is more important than ever. Follow the Safeguards Rule, protect customer data, and protect your dealership.


Banks and Other Finance Sources

Perhaps the most significant downside risk is the threat that banks and other finance sources may not be permitted to purchase dealers' installment sale contracts or lease agreements. This is because dealerships are service providers to those finance sources, and service providers must demonstrate compliance with the Rule in order to do business with financial institutions covered by the Rule, which banks and captive finance companies certainly are.


In recent years we've seen the CFPB's interpretation of the Equal Credit Opportunity Act put pressure on dealers to cap their rate markup, a key source of dealer revenue. Ultimately it was banks that limited the amount dealers could earn through markups, after they were pressured by the CFPB to do so. It is possible the CFPB won't let banks buy the paper of dealerships that haven't documented Safeguards compliance.


You may also remember the DoD's reinterpretation of the Military Lending Act back in December of 2017. To paraphrase, someone in the Department of Defense said, "You know what, we really think that the automotive finance exemption doesn't apply when it comes to GAP," and overnight dealers were not allowed to sell GAP to anyone covered by the Military Lending Act. It cost dealers, depending on their location, tens of thousands of dollars a month, but compliance was almost instantaneous and almost totally uniform across the board. Why? Because banks wouldn't buy a deal that had GAP in it unless you had a document that said, "This customer is not covered by the Military Lending Act."


Pressuring finance sources is the regulators' most effective tool. It is unlikely that the CFPB will forget it has that tool, because the man who voted for the revised Safeguards Rule as a Federal Trade Commissioner, Rohit Chopra, went across the street on his last day at the FTC and took his new job as Director of the CFPB.


It is reasonable to believe that these two agencies are going to coordinate and cooperate. But in a sense, it doesn't even matter, because we've already seen dealers get contract addenda from their banks in which the banks say, by contract, things like, "We will not buy your paper if you don't document that you are complying with the rule, and if we ever find out that you are not complying, all the paper becomes recourse paper." Forget the CFPB. Forget the FTC. If banks do that generally, if it becomes the industry standard, I don't care which bullet hits you; you're still dead. You have no guarantee that you'll be able to sell your paper on December 9th, 2022 (the original compliance deadline for the new provisions, since extended to June 9, 2023), if you're not complying. That's the enforcement mechanism that we are most worried about.
