Many RV dealers are surprised to learn that because they finance and lease their goods to consumers, they are "financial institutions" under federal and state laws. Dealers who run compliant shops, who have a written Red Flags policy and who have named a Red Flags officer probably have a pretty good idea of their responsibilities under federal and state law to fight identity theft. Other dealers might be caught flat-footed by these laws. A recent case involving a car dealer illustrates how an identity theft claim can ensnare a dealer.

Andrew Stutfield Rogers had his identity stolen by an unknown person. In November 2015, the imposter bought a car from Keffer, Inc., dba Keffer Chrysler Jeep Dodge and used Rogers's social security number, date of birth and a driver's license in the name of Andrew Leon Rogers to apply for and obtain financing from JPMorgan Chase Bank, N.A., dba Chase.

In December 2015, the imposter returned to Keffer and bought another car, using the same credentials to finance this one with SunTrust Bank. In late December, Chase sent Rogers an email about the car financing, and Rogers initiated a fraud alert, set a security freeze with the consumer reporting agencies (CRAs), and filed a police report with the local police department.

Rogers also notified Chase that his identity had been stolen and that the financing was obtained by fraudulent means. Chase, however, did not correct the information it had reported to the CRAs about the account and continued to report the account as belonging to Rogers.

In January 2016, Rogers learned from Keffer that the imposter had again obtained financing in his name. Rogers contacted SunTrust about the second fraudulent financing, but SunTrust continued to report the account to the CRAs.

In April 2016, Rogers was contacted by a recovery company, Elite Skippers, Inc., who tried to retrieve the cars from him on Keffer's behalf.

Finally, in June 2016, Rogers sued Keffer, SunTrust, Chase and the CRAs for violating the Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA) and various state laws.

First, Rogers alleged that Chase had violated the North Carolina Unfair and Deceptive Trade Practices Act (UDTPA) by (1) making repeated demands on a debt he did not owe despite multiple notifications to Chase by Rogers that the account was obtained by fraud, and (2) its unreasonable delay in addressing the identity theft, including failing to implement adequate measures to address accounts opened by fraud, failing to remove the account from bank records associated with Rogers, and continuing to report the false account information to the CRAs. Note that most states have some version of an "unfair and deceptive practices act," so don't quit reading if your business is in some other state.

Chase argued that Rogers's UDTPA claim was preempted by the FCRA to the extent that the claim alleged a failure to report accurate information to the CRAs. The FCRA preempts any state law with respect to the responsibility of persons who furnish information to the CRAs, including the duty to furnish accurate information and the duty to investigate any disputed information and correct any errors. Therefore, the federal trial court held that the UDTPA credit reporting claims were preempted by the FCRA, but the claims related to Chase's attempts to collect on the debt were not.

Then Rogers took aim at the dealership by alleging that Keffer had violated the UDTPA by failing to implement reasonably prudent credit application procedures and failing to verify the identity of the credit applicant. Under North Carolina law, an act is "unfair and deceptive" when it "offends established public policy (and) is immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers."

The court held that the violations alleged by Rogers were merely negligent, which did not meet the unfair and deceptive standard required by law and dismissed the UDTPA claims against Keffer. Rogers also alleged that Keffer had violated the North Carolina Identity Theft Protection Act (ITPA) by intentionally disclosing his social security number to a third party without written consent. However, under the ITPA, a defendant may not be held liable if the social security number was included in an application or to obtain a credit report from or furnish data to a CRA. Therefore, the court also dismissed Rogers's ITPA claims against Keffer.

Finally, the court dismissed Rogers's FDCPA claim. Under the FDCPA, a "debt collector" is a person whose principal purpose is to collect debts, a person who regularly collects debts owed to another, or a person who collects its own debts, using a name other than its own as if it were a debt collector. As a creditor collecting its own debts in its own name, Chase did not meet any of these requirements and so the FDCPA did not apply to its collection activities.

Red Flags Allegations Against the Dealership

Rogers charged the dealership with "failing to implement reasonably prudent credit application procedures and failing to verify the identity of the credit applicant." That sounds an awful lot like the dealership did not have a written Red Flags policy as required by law, but perhaps it did, and Rogers was attacking the adequacy of the policy and the dealership's implementation of it. Keffer got very lucky; the Judge's rulings could have easily gone the other direction. In any event, defending Rogers' claims cost the dealership time, effort and money. I'm sure the dealership's reputation took a nice beating in the public eye as well.

RV dealers without a Red Flags policy should use this case as a wake-up call and get a policy in place. Those who already have a Red Flags policy should make sure it is periodically updated to address any new incidences of identity theft and effectively implemented.