attendees have signed in. Hello and welcome to today's webinar from AED on complying with privacy and financial protection regulations for equipment dealers. My name is John Crothers. I'm with AED, if you can go to the next slide, I believe. And we put this webinar together because we have found that the regulatory landscape related to the management of customers' personal and financial information has been ever-changing at the federal and state levels. Heavy equipment and truck dealers have been found to must comply with mandates that could result in costly audits and hefty fines, including under new revisions to the Graham-Leach-Biley Act or the GLBA privacy and safeguard rules, which we'll talk about today, and other key state regulations. Today's webinar, we'll explore these issues and address what dealers need to do to stay updated on regulatory compliance issues. Our speakers today include Vijay Patel from Transact, Bob Gage from HudsonCook, and Michael Benoit, also from HudsonCook, and I'll introduce them as we proceed here shortly. Before I introduce them, I'd like to let those of you know who are watching this webinar live that you can submit questions during the webinar in the Q&A tab down at the bottom of the screen, and we will answer those at the end of today's presentation, if any come in. This webinar is also being recorded so that you may watch or re-watch on demand at your convenience through the AED Foundation webinar website. And with that, I'd like to introduce our first speaker, Vijay Patel from Transact. Next slide. Thank you. We all know and co-founder of Transact, which is a fintech company solving complex compliance and business challenges with modern technology. Mr. Patel has two decades of experience in managing credit and compliance for large multinational corporations. Most recently, he was founding member of a team that established Yamaha Financial Services in the US. But prior to Yamaha, Mr. Patel set up credit operations for Mitsubishi Motors Credit Corporation America and managed risks for HBSC Auto Finance. So with that, I'll please introduce Vijay. Awesome. Thank you very much. Good morning and good afternoon, everyone, depending on which time zone you're calling in from. I wanted to thank you for joining us today. I'm sure you're going to have a very informative session. But just a little bit about Transact. Some of you might not have heard about Transact. We just rebranded about a month ago from DCR Technologies. And as you just heard, we are on a mission to provide technology solutions to equipment and trucking vendors so that they can transact with their customers, their lenders, in an efficient manner, as well as in a very compliant manner in line with all the required regulations. Personally, I had a pleasure of working with the Hudson Cooke team in my prior life. And when we're thinking of organizing a webinar for educating ourselves in terms of various compliance requirements, we couldn't think of a better name than Michael and Bob. So fortunate to have them today walk us through our compliance requirements. However, before I request them to go through the regulations, I really wanted to take a really broader view, like a 30,000 feet view of the compliance landscape. And then from a management standpoint, I wanted to summarize about 10 regulations that we all should be aware of. Not all 10 of them might be applicable to all of your businesses, but I'm pretty certain most of them will be. And we will hear from Michael and Bob, both of them, in terms of what the regulations are and how we as a dealer body, a lender body, need to be complying with them. So I have two pages. I will try to be very brief because we have experts provide more detail on that later. So this page, you'll see five top regulations. I'll just highlight what they are. FTC, Federal Trade Commission. They have a regulation around deceptive and unfair and deceptive act practices. Anyone who is in a business, some of you I'm sure have heard about it, need to comply with that. We are relying on telephone, mobile communications nowadays, a lot more than what we had in the past. And there are TCPA regulations that we need to be aware of. Electronic emails, as you all know, has become part of a new life today. And we all are required to follow certain regulations to be compliant with them. Fair Credit Reporting Act. Some of the dealers, vendors, are using consumer credit reports, whether it's a personal guarantor or maybe it's the loan being processed as a consumer loan from a lender. So vendor is at the forefront of this process and they need to follow certain FCRA guidelines as well as the disposal rules in terms of how to dispose the information, specifically credit dealer report that has been obtained for the purpose of extending credit. In a sec, we'll hear more about them in detail later. On the next page, we have another five more regulations. I'll try to be, again, brief here. ECOA, Equal Credit Opportunity Act. I think we all are seasoned business people and we all know that we cannot discriminate against race, gender, and other regulatory classes that are out there. Form 83, this is FinCEN, is Financial Crime Enforcement Network. And that requires, of course, IRS as well to monitor transactions that are more than $10,000 plus cash transactions at the point of sale. OFAC, Office of Foreign Assets Control, have provided guidelines around requiring certain verification on individuals and businesses that are on the targeted list, as they called it. And then finally, the last two are disclosure laws. I'm sure some of you have seen email communications or other material around the changes that are happening on the California, New York, and other state disclosure laws effective December 9th, including some privacy regulations there as well. And we'll have more information on that later. Finally, state laws. California has its own Consumer CCPA Protection Act, and we need to be cognizant of that as well when we are running our business. So that's pretty much it. As I call it, 30,000 feet view of these 10 things that we need to be aware of. And with that, I'll hand it over to Michael for details on this 10 items. Thank you. This is John again with AED, and I'd like to take this next opportunity to introduce Bob and Michael from Hudson Cooke. Just to give a little background on both of them, Bob is a partner in Hudson Cooke's Michigan office. Bob's practice focuses on a wide range of issues affecting consumer and commercial finance services. Bob represents clients in the consumer financial services industry and regularly advises them on issues relating to licensing, disclosure, servicing, e-commerce, privacy, and compliance management. Bob also represents clients who provide working capital to small and medium-sized businesses with traditional and alternative business financing products. He assists lenders, factors, and merchant cash advantage providers in establishing new programs and products, including reviewing, drafting, negotiating contracts and related documents. And he also frequently advises on re-characterization risk, regulatory compliance, and legal risk management. So certainly an expert in the topics we'll discuss today. And joining him is Michael Benoit, who is chairman of Hudson Cooke and a partner in the firm's Washington, D.C. office. He advises banks, sales, finance companies, auto dealers, leasing companies, and other creditors and technology providers on a wide range of consumer and financial services law and provides financial and legislative regulatory advice to support the financial services trade associations. His practice includes consumer credit, electronic commerce, privacy, telemarketing, personal property finance, and leasing, as well as creditor-based collection practices. And he assists the CFPB-regulated clients in preparing for supervisory exams and represents clients in investigation and enforcement matters involving the CFPB and the Federal Trade Commission. So certainly two experts in the areas that we'll discuss today. And with that, I'll turn it over to Michael and Bob to further discuss these regulations with those of us attending today. Thanks, John. We're very happy to be here. Bob, let's go to the next slide. This is just our disclaimer. It basically says everything that we tell you is the opinion of Bob and myself. It's not legal advice, and you should seek counsel as appropriate if you have questions regarding anything that you hear today. Having said that, we'll move on to... First answer to the question is, why are a couple of consumer finance lawyers talking to commercial equipment dealers? And part of the reason that we're here is to sort of look at the differing landscape between commercial finance and consumer finance and recognize that the regulatory scrutiny that commercial finance is beginning to get is certainly increasing. And to talk about the different ways that consumer finance companies manage their regulatory compliance and the lessons that perhaps the commercial finance industry can take from that. So historically, as compared to consumer finance, commercial finance has been relatively unregulated. That's not to say it's not regulated at all, but there's not the same concerns generally in commercial finance that there are in consumer finance. The idea being that commercial finance involves sophisticated parties, business people. They can make whatever agreements they think meet their needs, and they don't need to be looked after like perhaps more unsophisticated consumers are. But that's kind of changing in a sense, and not in a particularly good way, I don't think. It's, I think regulators are increasingly looking at small businesses, and particularly mom and pop sole proprietorships, those sorts of things, to be in need perhaps of the same kinds of protections as consumers. And there are a variety of things that apply here. I'm gonna toss it over to Bob and let him talk about the next slide here with his experience with this. Yeah, thanks, Michael. And we know that you're doing more than just finance, but we know that you're often very involved in the financial aspects of the sales, the financing of the sales of the equipment that you sell. And some of you may even be more deeply involved. You may have related finance companies. So we're not gonna talk, I think we're not gonna be focused exclusively on financial regulation, but it's useful to talk about it now, in part, because as Michael pointed out, things are changing. So for those who are involved in finance, there's basically at the commercial level, at the consumer level, this is way more complicated. At the commercial level, it's less complicated, but not entirely unregulated. And in a few states, not most of them, but some of them and some of the more important ones, if you wanna engage in financial services activity, particularly if you wanna make loans to people, then you need a license to do that, even to do a commercial loan. In most states, there is some kind of usury limit that caps the rate of interest or finance charge that you could impose on a loan or sometimes other forms of financing. We call that usury. I'd say in more than half the states, there's a limit that would be easy to bump up against. And then in the rest of the states, there's either no limit or it's a pretty high limit and you probably don't have to think about it that much. And then the newest thing that's happening at the state level to commercial finance is disclosure. So I think in our personal lives, we're all used to getting cost of credit disclosures when we obtain personal financing. So you get a credit card, you get cost of credit disclosures, you close on a mortgage for your home, you get a whole bunch of disclosures, including cost of credit disclosures that's showing you an APR, the total amount of financing, all kinds of stuff. This is now creeping into commercial finance. Right now, it's mostly just creeping in, at least for loan products, it's only creeping in right now in California. In Utah, Utah's disclosure regime is not very burdensome. The California disclosure regime is extremely burdensome. As Vijay pointed out, that law is gonna be in effect December 9th, the Utah one's gonna be in effect January 1. And New York is working on a copycat bill that looks very much like California, it's only a little bit worse. I'm gonna talk a little bit more about that at the end, if time permits. But what we worry about is once a few big states start promulgating these laws and these regulations requiring commercial cost of credit disclosures, how many other states are gonna follow suit? And are they gonna do it in a way that's burdensome or not burdensome? So this is something that we've been paying a lot of attention to. So then I guess the next thing that we're going to talk about a little bit is as Bob pointed out, it's way more complicated in the consumer finance world in terms of the amount of regulation that they need to comply with and the amount of landmines and pitfalls that are out there that could end up having bad outcomes for consumer finance companies. If commercial regulation continues in the way that it seems to be going, I think the commercial finance industry is gonna start needing to understand, and this includes people who are selling goods and services but helping assist in financing transactions. I think they're gonna need to start taking some lessons from the consumer finance side about how to manage what can become quickly a complicated regulatory regime. And so how do the consumer finance companies manage that? Well, one is through what we call a compliance management system. Unfortunately, this is not something that you buy from a vendor and plug it in and it works. It's more of a structural device through which you manage your compliance. So it puts the onus on, for example, the board of directors of a company to pay attention to compliance management, to talk about it in the board meetings. And if you don't have a board to do it through the senior management of the company, somebody has gotta be in charge of it. It deals with sort of identifying where certain laws are implicated in your business and what it is you do in terms of complying with those laws, how you comply with those laws, what controls, processes and whatnot do you implement to comply with those laws? How do you monitor for compliance with those laws? How do you audit and make sure that you're using the most recent version of the laws? That leads to the next step of automation. In the consumer world, there are a number of vendors out there that assist financial services companies and others, and car dealers in particular, that help manage how they sort of stay on the right track in terms of how they're handling their compliance. And then finally, almost nobody builds their own automation unless you're JPMorgan Chase. Most people don't have the resources to do that. You use vendors and third-party technology. And in the consumer world, for example, much of the financing business in car dealerships has gone electronic. People are doing electronic contracts. The back office funding aspects of the transaction are all done electronically. When the consumer auto business sort of flipped over or began to flip over from sort of the paper and FedEx method of delivering funding packages to finance sources to electronic delivery, it cut down the funding time from what could have been weeks to 24 hours overnight. So there are some real benefits to having technology in place that helps you with these sorts of things. We're not gonna spend a lot of time talking about what out there and what might be out there. The point of this slide is to just get on your radar that as we progress through time, as your business has become more regulated, it's inevitable, I think, that you end up moving sort of in the same direction that the consumer world has moved into with compliance management systems, automation, and the heavy reliance on vendors and technology to help you stay out of trouble. For the rest of this program, we're gonna talk about some of those laws that Vijay pointed out at the beginning and talk about them in the way that they affect commercial businesses. Many of these you think of as consumer laws. They are not, in most instances, they're not limited to consumer transactions. They also involve commercial transactions. And one of the first things that we'll talk about is the Federal Trade Commission Act. And you're familiar with the Federal Trade Commission. Their job is to promote trade and competition, fair trade and fair competition in industry within the United States. And they bring antitrust lawsuits. They bring consumer protection lawsuits. They have the bulk of their power is their ability to prohibit unfair and deceptive acts and practices. We call that UDAP. And many of the enforcement actions that you see from the Federal Trade Commission are going to be UDAP claims. Very often you'll see them as deceptive advertising claims. But in other places you'll see them as unfairness claims. For example, the FTC just announced this week that they brought an enforcement action against a car dealer on unfairness grounds for charging blacks and Hispanics more for products than similarly situated white buyers. That is a novel use of the unfairness doctrine under the Federal Trade Commission Act. But right now we have a Federal Trade Commission that is acting in a very aggressive manner and in my view biting off more than they can chew and creating problems for themselves with Congress. But that's where they are. I want to make mention of one thing that I don't think has gotten a lot of visibility in the commercial space. And that's this motor vehicle dealer trade regulation rule that the Federal Trade Commission put out. I think we thought of it when it came out as targeting motor vehicle sales to consumers. But when you read the definitions and you read the proposed rule, it is clear that it is not limited to just consumers. It does affect the commercial motor vehicle dealers as well. And motor vehicles aren't just what you normally think of as motor vehicles. It includes motor homes, it includes boats, it includes motorcycles. Anything that is meant to transport persons or property on public highways, among other things. So they're a pretty broad definition of motor vehicle dealers. So if you are selling things that drive on the road, this is something to be cognizant of. It imposes a tremendous amount of paperwork on dealers in terms of what they have to present to their buyers in the course of a transaction. It adds a significant amount of time to the transaction. The National Auto Dealers Association is pushing back very, very hard on this. And I suspect we've got an election coming up. It looks like at least the House will flip to the Republicans. And I think what the FTC is doing for itself is creating a scenario where it might have a very difficult time getting an appropriation from Congress next year to run their operations. So I think that doesn't mean to say they're not going to get a rule finalized. It just means to say that there's a political aspect to this that can be helpful. But once you get a rule on the books, it's very hard to make it go away. So we don't have enough time to talk about that in a lot of depth and detail here today. But that's something to follow up with with your counsel if you feel like you fall into that motor vehicle area. Next, I think Bob is going to talk about the Telephone Consumer Protection Act. Yes, I will. Thanks. So the Telephone Consumer Protection Act, you see, has the word consumer in it here. And just so nobody gets a mental whiplash, the world that Michael and I spend most of our time in, the word consumer typically means not for business purposes. And so in finance in particular, we'll use the term consumer to mean not for business purposes and commercial to mean for business purposes. Unfortunately, some of these laws and the FTC Act uses the word consumer. But when they use it, it doesn't just mean individuals doing something for personal use. It also applies to businesses. And the same is true in the Telephone Consumer Protection Act. Although there are some things that in the TCPA that would apply to B2C, you know, business to consumer calls that wouldn't apply to B2B calls. So and there's a lot of other stuff in there that probably doesn't apply to somebody who's just, you know, selling goods or services, as opposed to doing the financial world where you're doing collections calls and servicing calls. So we'll go over this at a fairly high level and cover the stuff that's most likely to be relevant to you. But as the name suggests, the Telephone Consumer Protection Act regulates your ability to communicate by telephone, to do certain types of communications by telephone. That also includes text messages. The courts have said the law also covers texts, even though the statute doesn't say anything about texts. It applies. It can apply to both marketing calls and non-marketing calls. But it's really marketing calls that are regulated the most strictly. So the way the TCPA is most likely to affect you is by requiring you to get different levels of consent in order to be able to make different types of calls or texts to people. The first type of consent that you have to think about is based on the way you are placing the call. If you're using an autodialer to call certain types of phones, particularly mobile phones or any other type of phone for which the party is charged for the call, so that might include voice over Internet protocol phones, VoIP phones. If you're using an autodialer, then you have to get a certain type of consent. If you don't know what an autodialer is, it's a device that makes it easier for call centers to operate. So if you have a big bank of people placing calls and that's all they do eight hours a day is just make one call after another, an autodialer basically gives them a head start by making that phone call for them. The TCPA says that if you're using an autodialer and you're calling, let's say, a mobile phone, you need to get prior consent to call that device using the phone. If the call is going to be an advertisement or some type of telemarketing call, then you need to get prior express written consent, which is a pretty high threshold. You've got to get that consent in writing before you make the call. Usually you're not going to get that from anybody unless you've already got an existing relationship with them. So you've been able to put something in front of them that they can read and presumably sign to say you can call me at that number. For any other type of call placed by an autodialer, so non-marketing call, non-telemarketing call, placed by an autodialer to a mobile phone, you still need to get consent, but now you only have to get what is called prior express consent, so not in writing. The courts have said that prior express consent can actually pretty much be implied consent. If the call party gave you their cell phone number, then you have prior express consent to call them at that number using the autodialer as long as it's not a marketing call. So if you're not using autodialers, then you probably don't worry about this too much. The other type of calls that might affect you, where the TCPA might affect you, are calls that are delivering a prerecorded message, and I think we've all gotten those calls. They're very annoying, and I always assume that they're coming from out of the country because every time I get one of those calls, I think to myself, this is completely illegal for me to be getting this call. Similar consent standards apply if it's a prerecorded call, and now it doesn't matter whether it's an autodialer or not. If it's a call where you're delivering a prerecorded message, then if it's a call with a marketing message, which they normally are, then you have to get prior express written consent. Any other type of call that's placing a prerecorded message, you simply need to get that prior express consent. TCPA has made a lot of plaintiff's lawyers very wealthy. It's a per-violation statutory penalty of, I can't remember the amount, but it adds up really fast. So this is something that people want to pay attention to because once you get sued, you're just going to start writing checks. Typically, if you've done it, you've done it. There's really no defense. The fact that you didn't intend to violate the law won't make a difference. So I'll move on to the next one, which is the CAN-SPAM Act. This is actually the long name of that law. You have to give it up to Congress. They really know how to do acronyms really well. Although some people have joked that the CAN-SPAM Act really should be short for the YOU CAN-SPAM Act. It's obviously meant to mean that they're getting rid of spam. But the law is actually pretty permissive in what it allows people to do with e-mails. And so people say it's actually the YOU CAN-SPAM because you can send a lot of unsolicited e-mail to people. The way CAN-SPAM works is you need to comply with certain basic requirements in order to send a commercial e-mail. And a commercial e-mail is defined based on what its purpose is. If the primary purpose of the e-mail is the promotion or advertisement of a product or service, then it's a commercial e-mail. This is in contrast to what the law calls transactional or relationship messages. Those would be messages that you would – normal messages that you might have with a customer or a potential customer. Although you've got to be careful there because it could be an advertisement. But any kind of message that's basically facilitating a transaction that somebody's already agreed to enter into with you, that could include providing warranty information, product recall information, so things that have happened after the transaction is over. Those messages are generally unregulated. But if it's a commercial e-mail, then the basic requirements you have to comply with are you can't provide misleading header information. So that's defined as – it's defined in the law. And it's basically this information that tells the recipient who the e-mail is coming from and sometimes where it's coming from. So you can't mask that. You can't be deceptive about it. You also can't have deceptive subject lines. So if there's a subject line in your e-mail that doesn't correspond to the message of the e-mail or the body of the e-mail, that could be deceptive and that would be a violation of CAN-SPAM. You have to provide an unsubscribe mechanism. I'm pretty sure we've all seen this at the bottom of SPAM that we get in our inboxes. And if you've ever gone to the bottom one of those and clicked on the unsubscribe, you've probably walked through that unsubscribe mechanism. Once you unsubscribe, that sender should not be sending you any more commercial e-mail. The e-mail has to identify itself as a commercial e-mail or as an ad or as a solicitation. I don't see really great adherence to this in a lot of e-mails that I get, although I suppose you can tell from the context usually that the e-mail is obviously an advertisement or solicitation. So what you need to do to actually identify it as such is a little unclear. Some people are very careful and will put something in the subject line that says this is an advertisement. This is a solicitation. And finally, that e-mail, that commercial e-mail has to include the sender's physical address. I don't believe PO Box will do. I think it has to be an actual street address. Why they want you to do that, I'm not sure, but it's there in the law. So it's something you have to do for commercial e-mails. And that's kind of the gist of CAN-SPAM. We'll move next to fair credit reporting. Thanks, Bob. The Fair Credit Reporting Act is a law that we lawyers who work with it call the gift that keeps on giving because it is, by its own terms, it's required to be interpreted broadly and interpreted without a lot of restriction on how it gets applied. So every now and again, it keeps showing up in places where you never expected it to show up. But as a practical matter, in terms of how equipment dealers might run afoul of the Fair Credit Reporting Act is, you may pull a consumer report on an individual who is going to be purchasing equipment or they may be signing it in their individual capacity as a guarantor or for some other reason like that. In any event, you have identified a permissible purpose to obtain the consumer report. Very often in the commercial space, that's going to be with the written authorization of the individual. And then you have certain obligations that fall on you. And those can include your ability to or your obligations with respect to investigating discrepancies that are identified by consumers when they look at their consumer reports. If you are furnishing information to the consumer reporting agencies, I'm sure not all of you do. But to the extent that you do, as a furniture, you have obligations that you're required to observe. If you are declining credit to someone based in whole or in part on information contained in a consumer report, it triggers adverse action notice requirements. You have that requirement also under the Equal Credit Opportunity Act, which we'll talk about in a moment. And then there's a host of rules that come into play under the Fair Credit Reporting Act. And oftentimes you see primarily in the consumer space because, again, we're talking about the Fair Credit Reporting Act. And the Fair Credit Reporting Act regulates consumer reporting agencies. Your customers will be consumers in certain scenarios, not always, but in certain scenarios. For example, where they might be signing in their individual capacity. The way that we talk to clients about giving adverse action notices is if you're unsure about whether or not you need to send one, send one. Because there's no penalty for sending one when you didn't need to, but there's substantial penalty for not sending them when you did need to. There's the red flags rule, which is designed to help you determine whether or not the individual in front of you is who they say they are or whether you're about to be the victim of an identity theft transaction. There's the disposal rule. And let's move to that, Bob. The disposal rule is focused on what you do with consumer reports when you're done with them. As you can imagine, a consumer report contains very personal information and information very specific to an individual that a identity thief would love to get their hands on. So to the extent that you do pull consumer reports, you have obligations to have reasonable procedures in place to dispose of those consumer reports in a way that mitigates the ability for someone to steal an individual's identity or to have inappropriate possession. of that consumer report. That doesn't apply to just consumer transactions. It applies to anybody who obtains a consumer report. You have to dispose of those consumer reports in the appropriate way. That begs the question of how long do I keep a consumer report, you know, if I had it? What we tell clients is, and this also involves the safeguards rule that Vijay mentioned under the Gramm-Leach-Bliley Act. The changes to the safeguard rule basically require that you don't keep information anymore, or personal information, any longer than necessary to support the transaction. So while we used to tell people if you are obtaining consumer reports, you don't have to keep them for the duration of the statute of limitations under the Act, which is five years. Sometimes you might want to because if there is an issue about your obtaining the report or your permissible purpose or what the report contained, you have it. As I tell clients, there's good news and bad news in keeping consumer reports for five years. The good news is that you have it. The bad news is that you have it, and you may not want to have it. You may not need to have it. Now with the safeguards rule imposing an obligation to destroy those records when they are no longer needed, we have begun to tell our clients that if you have a three-month record retention policy, that's probably fine. If you have a six-month record retention, that's probably fine. If you have a one-month record retention policy, that's probably fine. It's up to you to determine how long it is that you need to have those transactions or those reports available. Moving on to the Equal Credit Opportunity Act. Bob, were you doing this one or me? I think you're doing it, but I'm happy to let you do it. This is tied to the Fair Credit Reporting Act. What the Equal Credit Opportunity Act says is that you can't discriminate against individuals on the basis of a number of things. Race, ethnicity, national origin, religion, marital status, gender. Whether you've exercised a right under the Consumer Credit Act, which involves the Truth in Lending Act and the Consumer Leasing Act. You also can't discriminate on the basis of income from public assistance. I think there are probably a couple others that I've missed, but you get the gist of what it prohibits. It applies to businesses equally as it applies to consumer transactions, because it applies to credit applications. And it doesn't make a distinction between commercial credit and consumer credit. It just applies to applications. Where there is a distinction is in the adverse action notice requirement. And as I mentioned, when we were talking about the Fair Credit Reporting Act, there's also an adverse action notice requirement under the Equal Credit Opportunity Act. The Fair Credit Reporting Act adverse action notice requirement is designed to put people on notice that there's something in their consumer report that disqualified them for credit or got them a worse rate for credit or they weren't able to get, for example, an increase in a credit line, that it was something in the consumer report and it gives them the right to obtain a free copy of the report from the credit bureau that you used. The Equal Credit Opportunity Act adverse action notice can be combined with the Fair Credit Reporting Act notice. And it is designed to identify the principal reasons why credit was declined or why the adverse action notice was taken so that you as an individual applicant can look at that and make a determination as to whether you were discriminated against because you were in a protected class, as we call it, the race, ethnicity, gender, national origin, et cetera, et cetera. In my- Yes, go ahead. Can I ask a question here? I'd like to pose a question. Let's say I'm a dealer, right? And so, and I don't do the financing, I don't have a financing arm, but I participate in that process. There's two ways I might participate, right? I might help people, I might connect somebody with a lender who's gonna make a loan to that person so that we call that direct finance, or I might be involved in indirect finance, which I don't know the commercial space, but in the consumer space, we know that the vast majority of dealer-arranged financing is indirect. And let's say we're in the indirect model and my finance source tells me, nope, I won't provide credit to this applicant and none of my other finance sources tell me that they'll provide credit. So I go back to my potential buyer who wants to finance and say, sorry, couldn't approve you for credit. Somebody owes an adverse action notice to that person and I think it's the dealer. Well, I do think it's a dealer. It's also whichever finance companies or finance sources declined to extend the credit as well. But in the case in, the beauty of these adverse action notices is that if somebody makes an offer of credit, doesn't have to be accepted, but if somebody makes an offer of credit, then you don't have to give an adverse action notice. However, if nobody makes an offer of credit in the indirect scenario that Bob was talking about where it's a transaction buyer seller, it's a credit sale transaction, we call it that you sell to your finance source or you have a third party service for you, but where the dealer is listed on the contract as the seller, as one of the parties to the contract. Yes, you have an obligation to give an adverse action notice. That's an item of much consternation amongst auto dealers generally because they don't like to do it. And their view is that we're not making a credit decision, these other people are. But what the law says is that if you are a creditor and in this indirect situation, the seller is the creditor, the original creditor, then the obligation does arise if nobody made an offer of credit to this customer. The other thing to think about and just talking about discrimination again, in the Dodd-Frank Act, section 1071 of the Dodd-Frank Act, it mandated that the Consumer Financial Protection Bureau issue a rule, I guess, to collect information in business transactions. Commercial transactions to monitor whether small businesses, minority-owned businesses or female-owned businesses are being discriminated against. The CFPB had put out a proposed rule. It is struggling with it a bit. It's struggling with it a lot more since last night when the Fifth Circuit ruled that the CFPB's funding mechanism was unconstitutional and has called into question their very existence at this point. But assuming that that gets worked out, there will ultimately be an obligation to collect information regarding small business, women-owned business and minority-owned business and to submit that to the CFPB going forward. This is a place where the CFPB is looking to technology to provide the means for dealers to provide this information. The vendors exist on the commercial side. I'm not so sure that they exist. They exist, I'm sorry, on the consumer side. And so auto dealers who are doing commercial sales or fleet sales or things like that, they can be able to use their existing vendor technology. I'm not sure that that exists in the commercial space at this point. Bob, let's move on so we stay on time here. Sure. So I'll talk about this. Form 830, 8300, this form is a form that you provide to FinCEN, Vijay talked about them, the Financial Crimes Enforcement Network. And what they're looking for here is people that may be engaged in money laundering. So if you're a business that receives more than $10,000 in cash from one of your customers, then that, first of all, that should be really suspicious because I don't think there's a lot of people paying for things in cash anymore. This point, if I'm in the grocery line and somebody pays in cash, I just assume that they're a drug dealer. So if you receive more than $10,000 in cash in one transaction or in two or more related transactions, and I think the feds call this structuring. So if there's a series of transactions going on and you end up getting cash of $10,000 or more in a 12 month period, then you have to file one of these cash transaction reports, which is on form 8300. Cash is generally cash, although the law defines cash to include a few things and exclude other things. Cash does not include personal checks or business checks or certified personal or business checks or proceeds of a loan, but it can include certain money instruments like a cashier's check or a bank draft, so a bank issued check, a traveler's check or a money order if they have a face amount of 10,000 or less. If it's a face amount on those items of 10,000 or more, then you're actually okay, which seems counterintuitive. So this actually points out the value of having a compliance management system because that's convoluted, just figuring out what cash is is convoluted. I don't memorize it. I'm reading it off of a policy and procedure that I've worked on. And the only way to really make sure you stay on top of these types of requirements is to have rules like this written down somewhere in your own policies and procedures, and then you train people on it so that they at least know when to consult the policy to make sure they do the right thing. This is risk-based. Of course, if you don't accept cash or you have a business that just doesn't operate on cash, then this is one thing that you probably leave out of your policies and procedures. I'll move on to the next issue, which is kind of similar. A lot of people who have anti-money laundering programs will also include OFAC in their program. OFAC stands for the Office of Foreign Assets Control. OFAC's a division of the Treasury Department, and it administers a number of different laws, mostly executive orders, that impose economic and trade sanctions on other hostile entities. That could be foreign governments like North Korea. It could be international terrorists, narco-traffickers, or other what they call specially designated persons. What OFAC, one of the ways OFAC administers compliance with these laws is to publish a list that it calls the Specially Designated Nationals and Blocked Persons List, sometimes called an SDN list. And then OFAC basically tells companies, we encourage you to employ a risk-based approach to your sanctions compliance program. Meaning, and when they say risk, they're talking about your risk, not the government's risk or America's risk. It's mitigating your risk that you might run afoul of one of these federal laws by taking funds from or giving funds to or selling or buying from somebody who's on the SDN list. So whether you wanna have a sanctions control program or sanctions compliance program, probably depends a little bit on how your business functions. A grocery store doesn't have an OFAC program. They're not worried about selling goods or services to narco-traffickers. And even if they did, there would be no record of it. So it'd be hard to enforce. But let's say you do business close to the border, either the Northern or the Southern border. If you have people coming across the border to buy things from you, it's hypothetically possible that one of those people might be on one of these SDN lists. So whether or not you need to have a process of basically scrubbing your prospective companies or your customer against one of these lists before you do business with them is kind of up to you. But certainly in the financial services world, that's standard. Applicants are just run through and they have technology and vendors that support this. They just run them through one of these lists and make sure they're not on the list. If they get a hit, somebody is on the list. Usually it's a false positive. Usually it's just somebody has the same name as somebody else on the list. And there's a pretty quick way to clear them off the list. But it's not a requirement for everybody to do it, but it's often a good idea depending on what kind of business you're involved in. And one thing about OFAC is that Bob's right, you take a risk-based approach and that's, Treasury doesn't expect everybody, I don't think, to put a policy and procedure in place. But the way the law is written, it's all encompassing. So it technically applies to the hotdog vendor on the street. Now, that's a very low risk sort of area. But to give you an example of where they have imposed sanctions, use the New York Yankees as an example. A couple of years ago, they got fined, I think it was about $2 million by OFAC because they hired Cuban nationals on one of their farm teams. And Cuba at the time, I don't know if it still is, but Cuba at the time was on one of the SDN lists as a hostile nation along with North Korea and I think Iran is on there now too. But they do enforce it, just something to be aware of. They're more likely to look at large dollar transactions because that's a convenient way to launder money. Bob, why don't you talk about the commercial financial law disclosures because you've been working on that so much recently. Yeah, and we're running short on time, I know. So I'll cut right to what I think is right now the biggest potential pitfall out there, and that's New York. So I mentioned that California and Utah passed some things. I don't think it's gonna, those laws generally apply pretty much just to loans, but we talked, we kind of hinted when we were talking about ECOA that there's a difference between a loan and a credit sale. And in indirect finance, most things are, indirect finance is basically a credit sale and a credit sale is not a loan typically under state law. The California disclosure law, which is gonna be in effect in just less than two months, does not apply to credit sales. At least that's my read of it. The regulators might not understand the difference between a loan or a credit sale, so they might not think that it doesn't apply to credit sales, but any court that knows the law should look at that and say it doesn't apply. The New York law that's based on the California law goes broader. It doesn't say that it applies to loans. It says that it applies to extensions of credit. Well, a credit sale might not be a loan, but it's certainly an extension of credit. So my worry is that there are a lot of dealers in New York right now, whether they're doing passenger vehicles or commercial vehicles who have this expectation that if somebody comes in and buys a vehicle and finances it and checks the box that says business purpose, they're gonna use the same contract that they use for their consumer contracts. So maybe there'll be TILA disclosures on there, but there aren't gonna be the New York commercial disclosures and they're not compatible. So I don't think that anybody in New York understands that this law on its face applies to commercial vehicle credit sales, but it does. And unless somebody does something to fix it, there's a risk that at some point, somebody brings an action against the dealer who does a commercial credit sale of a motor vehicle without providing the New York disclosure requirements. Now, the New York law is not effective yet. They passed the statute, but they have to promulgate regs before you can comply. And those regs have not been finalized yet. And even when they are finalized, you get six months ramp up time to comply. So they couldn't be in effect any earlier than I guess May at this point, but it's a pitfall that's out there lurking and hopefully somebody does something about it before it becomes a problem. I think we're down to the last slide. Oh, sorry, I passed it. Last slide on privacy stuff. Yeah, and all I'm gonna say about this is that privacy is becoming a big deal. Most of the privacy laws that are out there right now, with the exception of the ones that applied to government actions are focused on consumer privacy, individual privacy. It's, in my view, just a matter of time before all of this migrates into the commercial space. Because that's just what legislators do. And particularly as we move into artificial intelligence, more data mining type things, I think that people are gonna be looking for more protection, or it's going to be appealing to legislatures to look at more protection. We had a couple of questions that I just wanna answer quickly while we're on here. One was about the FTC safeguards taking effect in December, and specifically the definition of financial institution, which is really broad. And the question was, would heavy equipment dealers be considered a financial institution as it relates to FTC safeguard updates? The answer to that question is I'm not quite sure the original safeguards rule applied only to consumer transactions. I don't think that has changed because the statute itself applied it to consumer transactions. So, and I'm not sure the FTC had the authority to apply it farther. That does not mean to say that they might not have accidentally, but all things being equal, it probably doesn't, but I would check that with your council. The other question was, said, I remember back in business school, we were debating the ethics of Expedia providing different online prices based on zip code, which could be interpreted as indirect discrimination. That was about six ago. Six years ago, is that legal to do today? Zip code pricing, at least in the credit world, is called redlining. And if you are having a disparate impact on the protected classes we talked about, in other words, if the results that the protected classes are getting in terms of their costs of credit are less favorable than similarly situated whites, then, or men versus women, that sort of thing, it flips all around. It doesn't mean that whites are unprotected. White is a protected class under the ECOA. We just don't tend to think about it that way because we tend to be, at least for now, for the next few years, we're a majority white country. But as it is viewed, if it has a disparate impact on a protected class, which is race, ethnicity, national origin, gender, religion, marital status, and the other things that I mentioned, if it treats people in those class, if the resulting deal that they get, people in those classes are less favorable than similarly situated people outside of those classes, then yes, you still have a discrimination issue under the Equal Credit Opportunity Act because, as we said earlier, that applies to business as equally as it applies to consumer. And with that- Michael, I'll just add that controversially, as you know, the FTC now is starting to say that discrimination is a UDAP. So they could also try to use the UDAP authority, their UDAP authority under FTC Act, to start going after people for doing things that they consider discriminatory. And that could be even broader than the classes that the ECOA carves out. So we're really getting into a brave new world, I think, in terms of the ways in which you can get in trouble for doing anything that looks like it's having a disparate impact on any protected class. And with that, I think we, on behalf of myself and Bob, and we'd just like to say thank you for having us today. Thank you for listening. And if you have any more questions, just send them in and we'll do our best to answer them. Thank you, Michael. Thank you, Bob. And thank you, Vijay. So from AAD's side, we appreciate you sharing this information. Quite informative. I'm sure you might get some people reaching out to you with your contact information on the screen. More to come, and obviously AAD will be continuing to watch any developments legislatively at the federal level and as much as we can at the state levels as well to keep our members informed. As I mentioned, this presentation will be up on the AAD Foundation website shortly for people to watch again at their leisure if they wanted to bring other people in to get the information. I appreciate it again, and thank you for everyone for your time.

regulatory landscape

customers' personal information

financial information

equipment dealers

Fair Credit Reporting Act

Equal Credit Opportunity Act

Telephone Consumer Protection Act

CAN-SPAM Act

compliance management systems

privacy regulations