Fortegra’s Compliance Experts: the Latest on GAP & Data Security

Fortegra's compliance experts can help you stay up to date on new legal changes in the Automotive F&I industry. Read our regular compliance updates to stay informed.

Staying on top of legal and compliance happenings in Automotive F&I can be vital to the success of your business. That’s why, at Fortegra, we provide updates to keep you in the know as industry compliance evolves.

This January, our compliance experts are kicking off the new year with another regulatory update related to GAP, plus a new ruling on Insurance Data Security.

Santander Consent Order:

In November, the Bureau of Consumer Financial Protection (Bureau) issued a consent order against Santander Consumer USA Inc. The consent order finds that Santander engaged in deceptive acts in marketing its GAP product. Santander has agreed to pay $9,293,826 in restitution along with a civil penalty of $2,500,000 due to the conduct summarized below.

The Bureau’s consent order found that Santander deceptively marketed GAP in telemarketing, print and electronic media by conveying the idea that the GAP product would pay the full outstanding balance, even though the 125% loan-to-value (LTV) limitation meant that the customer’s entire outstanding balance would not be covered.

The consent order provided the following examples of marketing practices the CFPB determined to be deceptive in light of the LTV limitation:

“Your auto insurance may be inadequate to protect you financially in case of a total loss through accident or theft. If your loan balance is greater than the current cash value of your car, GAP (Guaranteed Asset Protection) can be a great way to protect you. Your insurance payout could end here. GAP takes care of the rest.”; and

“Today comprehensive and liability insurance combined still don’t provide true full coverage. You have to fill the GAP.”

The Bureau found that Santander’s representations were deceptive because they expressly or implicitly indicated that GAP would waive the full amount left on the consumer’s loan after the primary auto insurance policy paid out, even though consumers who had an LTV greater than 125% would not receive the full coverage advertised. In addition, the Bureau found that Santander did not inform GAP customers at any time whether the LTV limitation applied to them.

The consent order requires Santander to:

  1. Not misrepresent, or assist others in misrepresenting, expressly or impliedly, the benefits, limitations, costs, restrictions, or conditions of the GAP product.
  2. Prominently disclose in writing the material terms of the GAP product before the consumer enrolls, including any LTV limitations and whether any LTV limitation applies to the consumer.
  3. Cease applying any LTV limitation to GAP claims for customers who already purchased the GAP product.
  4. Submit a comprehensive compliance plan designed to ensure that the marketing, offering and providing of a GAP product is in compliance with prohibitions on deceptive acts and practices.
  5. Present detailed steps to enhance and strengthen its compliance management system relating to marketing, offering and providing GAP.
  6. Present detailed steps to enhance and strengthen Respondent’s training and oversight of agents, employees, and service providers involved in marketing, offering and providing GAP to ensure that terms of the GAP product are communicated clearly.
  7. Obtain approval of a written UDAAP risk management program for any consumer financial product or services related to auto loan origination or servicing offered by Santander or service providers to prevent future violations.

Santander was ordered to provide restitution to approximately 3,493 accounts, including $1,980,873 by check and $7,312,953 in statement credits. Furthermore, Santander must pay a civil penalty of $2,500,000.

Nevada SB 21:

This bill creates the Insurance Data Security Law based on the NAIC Insurance Data Security Model Law. The bill applies to a licensee, which means any person licensed, authorized to operate or registered, or required to be licensed, authorized or registered, pursuant to the Nevada insurance title.

This bill requires that a licensee (by January 1, 2021) develop and implement a comprehensive written information security program for the protection of nonpublic information and the licensee’s information systems, which the licensee is required to monitor, evaluate and adjust as appropriate. Such a program should be “[c]ommensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including any use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or in the licensee’s possession, custody or control.” It is unclear how these phrases will be interpreted.

Other than health related information, “[n]onpublic information” means information that is not publicly available information and is:

  1. Business-related information of a licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the licensee.
  2. Any information concerning a consumer which because of name, number, personal mark or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
    • Social security number;
    • Driver’s license number or non-driver identification card number; 
    • Account number, credit card number or debit card number; 
    • Any security code, access code or password that would permit access to a consumer’s financial account; or
    • Biometric records.

“Publicly available information” means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:

  • Federal, state or local governmental records;
  • Widely distributed media; or
  • Disclosures to the general public that are required to be made by federal, state or local law.

A licensee has a “reasonable basis” to believe that information is lawfully made available to the general public if the licensee has taken steps to determine:

  • That the information is of the type that is available to the general public; and
  • Whether a consumer can direct that the information not be made available to the general public and, if so, that such consumer has not done so.

The legislation requires an information security program to include a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality of nonpublic information.

The bill lays out the procedure for notifying the Commissioner in the case of certain cybersecurity events. In such cases, licensees are required to notify the Commissioner within 72 hours. The bill provides guidance for what information should be included with such a notification.

The bill establishes requirements for the selection and oversight of third-party service providers. “Third-party service provider” means a person, other than a licensee, that contracts with a licensee to maintain, process or store, or otherwise is permitted access to, nonpublic information through the person’s provision of services to the licensee.

The bill requires Nevada domestic insurers to certify compliance.

Finally, the bill authorizes the Commissioner to investigate and take disciplinary action against licensees for violations of certain cybersecurity requirements.

If enacted, the compliance deadline timeline is as follows:

Upon passage and approval: Effective for purposes of adopting regulations and administrative tasks

January 1, 2020: Bill effective date

January 1, 2021: Licensee’s deadline to design, develop, and implement an information security program, including a written incident response plan; deadline to designate employee(s) or vendor responsible for the information security program.

February 15, 2021: Insurers must begin annual compliance certification.

January 1, 2022: Licensee required to oversee third-party service provider arrangements with respect to cybersecurity.

Legislative Update/Movement: 11/15/2018 – Pre-filed; referred to Committee on Commerce and Labor.

Effective Date: If passed, January 1, 2020.


We hope that these recent rulings help you conduct your Automotive F&I business with complete, informed compliance. Check back for more compliance updates from Fortegra’s team of industry leaders in the January newsletter!

Disclaimer: With the understanding this shall not be construed as legal advice on the compliance of your programs, this newsletter does not contain information for all legislation that may affect a provider or administrator. You should review legislative bills in their entirety to determine the impact and what actions are needed, if any, to comply with state laws/regulations.
