The Federal Trade Commission Monday sent warning letters to 10 companies for potentially violating the Consumer Review Rule.
The Consumer Review Rule, effective October 2024, prohibits the publication of fake or false consumer reviews, providing compensation or incentives for positive or negative reviews, operating a company-controlled review website, suppressing negative reviews, and using fake social media indicators.
The letter sent to the companies, which were not publicly identified, stated the FTC had reason to believe they had violated the Consumer Review Rule and advised them to “immediately cease and desist” the conduct. The FTC press release about the letters said non-formal determinations were based on consumer complaints and information provided by the companies.
“Fake or false consumer reviews are detrimental to consumers’ ability to make accurate and informed choices about the products they are buying – something of particular importance during the holiday season,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, in a press release. “As consumers increasingly depend on online reviews, the FTC is committed to ensuring companies comply with this Rule.”
Violation of the rule can result in federal lawsuits and penalties of up to $53,088 per occurrence.
Source: NIADA
Report Claims More Than Eight Million Records Offered for Sale on Dark Web
A recent online report alleges that 700Credit, a provider of credit-related services, has suffered a significant data breach potentially affecting more than eight million customer records. The breach reportedly occurred in late October.
700Credit has not publicly confirmed the breach or provided any statement regarding these allegations; however, at least one class action lawsuit has already been filed in connection with this incident. Furthermore, we have become aware of communications from 700Credit to dealers describing the incident and the steps it is purportedly taking to notify affected consumers.
If you are a dealer who uses 700Credit services, many of the same legal and practical considerations apply here as with the widely-reported CDK breach in 2024. This includes notice requirements, and other steps, such as notifying your insurance carrier and contacting your legal counsel. However, there are important differences as well – those are discussed below.
Details of the Alleged Breach
According to the online report, threat actors have posted the stolen data for sale on dark web marketplaces after negotiations with the company allegedly broke down. The dark web listing allegedly includes a sample of 100 records that appear to contain sensitive consumer identity and verification information. The exposed data fields shown in the sample reportedly include: full names; Social Security numbers; dates of birth; residential addresses; and employment information (in some records).
Guidance for Dealers
If you use 700Credit, the first step is to seek information from 700Credit by contacting your 700Credit representative – and to do so quickly. You need to determine whether any of your customers were affected by the incident. Dealers should specifically ask whether your customer data was exposed and if so: (a) how many of your customer records in total; (b) which specific individuals (those will be the individuals you may need to notify); and (c) the state of residency of each individual (how many from each state, if applicable). You should also obtain details about 700Credit’s plan to notify affected consumers, regulatory agencies, and/or credit reporting agencies, whether the notice will be provided on your behalf (in your name) or not, the timeline for official notifications, and whether 700Credit is planning to address the notice in a timely and adequate manner under all state and federal laws.
Time is of the essence because you want to notify consumers in time for them to stop the potential problems. In most cases, under both state and federal law, the obligation to notify consumers must be met quickly. It varies, but the notice obligations are generally stated as something to the effect of “as soon as possible and no later than 30 days from the incident.”
Second, ensure that the contract amendments with 700Credit (and all other vendors) required under state privacy law and the FTC Safeguards Rule are signed and up to date. ComplyAuto can help you with that process. We work with all dealer vendors and help you ensure that you have signed agreements with all vendors, including 700Credit if needed. See more details on that below.
Are You Responsible for Notifying Consumers and Regulators?
It is important to note that even if 700Credit is notifying consumers and/or regulators and taking other steps to rectify the situation, that may not satisfy all of your notice or other obligations to your customers under your state (or federal) law.
Remember that the basic “rules” are that dealers are generally responsible for breaches or security events involving their customer data, even when the incident occurs at a dealership service provider. That means that dealers are ultimately potentially responsible for ensuring adequate notice is sent to affected consumers, state AGs, credit reporting agencies, and/or the FTC. See the detailed guidance at the links above for more details.
NOTE: The notice obligations vary under state and federal law. There is no guarantee that any customer notice will be sufficient under your state law or federal law. Therefore, while dealers should certainly confirm that 700Credit will be notifying your affected customers, unfortunately, that may not end the inquiry.
ComplyAuto Data Breach Wizard
As a reminder, ComplyAuto customers have access to a Data Breach Wizard within the ComplyAuto software that will walk you through the complicated questions you need to answer about:
- The scope of the incident – how many of your customers were affected
- Whether you must notify affected customers
- Whether you are required to provide credit monitoring services to affected customers
- Potential state Attorney General notification requirements
- Consumer reporting agency notification obligations
- Potential Federal Trade Commission notification requirements
This tool can help you navigate the complex web of notification requirements and ensure compliance with applicable state and federal laws. It will even provide a sample notice letter if needed.
This Incident Differs in Some Ways From Other Recent Vendor Breaches
While the general considerations and requirements regarding breach notice are similar to those in the 2024 CDK incident, this incident is different from CDK in several ways.
First, even if your customer’s information was among the affected data, at this point, it is not clear what the extent of the customer information involved is, or even if it involves customer information provided to 700Credit by your dealership. With your DMS, the data involved came from your dealership, and you had an idea of the scope of data involved. Here, the customer information provided to 700Credit could have come from your system, but even if an individual is your “customer,” it could have come to 700Credit from a motor vehicle finance company, or other third party vendor, or even from a credit inquiry at another dealer.
Even if you find that your customers are among the affected individuals, it may be unclear whose obligation it ultimately is to provide the required notices. You may need to determine whether you will notify your customers (or state or federal regulators) even if it may be unclear that the data at 700Credit came from your dealership. The potential customer relations issues may outweigh the strict legal analysis.
Second, the exact nature of your relationship (if any) with 700Credit may not be as straightforward as your service provider relationship with your DMS provider. Your dealership may have a direct contractual, service provider relationship with 700Credit – and if so, you must confirm that you have the requisite service provider contract amendments required under both federal and state law. However, you need to understand whether you have access to, or utilize, 700Credit’s services through another service provider or third party so that you can ensure that your required data safeguards and risk assessment documentation cover 700Credit – either directly (they are a party) or indirectly through that other service provider or third party.
In other words, even if you don’t have a contract with 700Credit directly, you might use their services (and share data with them) through another service provider relationship (Service Provider “X”). You should take steps to ensure that you have the requisite service provider contract amendments required under both federal and state law with Service Provider X, and that those agreements cover the functions of 700Credit. ComplyAuto can help you understand and update your records if needed.
Third, while DMS companies maintain highly sensitive information, the nature of the information that has allegedly been affected here is so highly sensitive that dealers should work with all due speed in seeking answers. Given the severity of potential harm to consumers from potential exposure of Social Security numbers, dates of birth, and credit information, dealers may wish to notify their customers even if they cannot ascertain with any certainty the nature or scope of the incident among your customers. Again, that is a difficult legal question about which you should consult with legal counsel.
Act with Urgency Given the Deadlines and the Sensitive Nature of the Data
Again, the most important step you can take now is to reach out to 700Credit to obtain details about whether your customers were affected by the alleged incident – and to do so quickly. Remember that the consumer notice you are required to provide includes important information for consumers about how they can:
- Place fraud alerts on their credit reports
- “Freeze” their credit to prevent unauthorized access
- Take advantage of credit monitoring or other services
- Take other protective measures to avoid identity theft or other incidents
Providing this information promptly—even in the absence of complete certainty—can help your customers take protective action and may reduce potential harm. Note, however, that it is not always an easy decision to send notice to consumers who may not have been affected, as sending a notice when not required can also cause consumer concern and distress. Dealers should consult with their legal counsel, insurance carrier, and IT professionals in deciding whether customer notice is appropriate.
One Last Reminder
The steps above are the most urgent at this time, but don’t forget that this may require you to also assess the risks related to this issue and account for it under the FTC Safeguards Rule. That is not the pressing issue for today (and again, ComplyAuto can help), but don’t forget that incidents such as these will require some steps to be taken (and documented) with respect to periodic assessment of service providers, as well as your information security program under the Safeguards Rule.
Summary
While a data breach can happen to any company, communication is critical. Reach out to 700Credit today. Dealers should (a) get details from 700Credit; (b) notify legal counsel and insurance providers; (c) confirm safeguards and risk assessment documents are completed and signed; (d) use the ComplyAuto Breach Reporting Wizard to determine any reporting obligations; and (e) consider proactively taking the steps necessary to protect your customers and the dealership.
Source: ComplyAuto
Santander Consumer USA is on the forefront of souring subprime-auto-loan backed securities.
Santander Consumer USA, one of the largest subprime auto lenders and the largest securitizer of subprime auto loans, is not alone. But it’s on the forefront. It had $26.3 billion of subprime auto loans as of June 30 that it either owned and carried on its books or that it had packaged into subprime-auto-loan backed securities and sold to investors; in terms of the loans that it collects payments on, 14.5% of the borrowers were delinquent, according to S&P Global Ratings, cited by Bloomberg.
In the industry overall, subprime auto loans that have been packaged into asset-backed securities (ABS) are experiencing the highest delinquency rates in two decades, according to Fitch, which rates these securities. The 60-day delinquency rate surged to 5.93% in August, substantially higher than during the peak of the Financial Crisis at 5.04% in January 2009 (orange line, chart via Fitch):

But “prime” auto loans are holding up very well (blue line in the chart above): Their 60-day delinquency rate is hovering around a historically low 0.28%.
Santander’s loans include a surprising number that defaulted within the first few months, according to Moody’s Investors Service. These early-payment defaults (EPDs) are a hallmark of loosey-goosey underwriting standards that accomplish three things:
- Initially, they boost revenues from fees and high interest rates, and thus paper profits.
- They get weaker borrowers into loans with punitively high interest rates and payments so high that many borrowers will have to default.
- They enable or even encourage fraudulent loan applications.
Concerning the link between fraud and early-payment defaults, Frank McKenna, chief fraud strategist at PointPredictive, told Bloomberg: “We found that depending on the company, between 30% to 70% of auto loans that default in the first six months have some misrepresentation in the original loan file or application.”
OK. But Santander is not trying very hard to prevent fraud. In September, Moody’s pointed out that Santander had verified income on less than 3% of the subprime loans it packaged into over $1 billion of ABS that it was marketing to investors at the time. Income verification is not the only measure, but it’s an important measure of good underwriting practices. In these structured securities, where the highest-rated tranches carried a credit rating of Aaa, the lowest-rated tranches take the first losses, and the top-rated tranches could come out unscathed.
Moody’s said that it expected losses of 24% on this deal, far higher than 17% in losses that Moody’s expected on all of Santander’s ABS.
By comparison, Moody’s cited GM Financial, which also packages subprime auto loans into ABS: In a subprime-loan deal issued in June, it had verified income on 68% of the loans; and Moody’s expected losses of about 10%.
Even though Santander has sold these subprime-auto-loan-backed securities to investors, it is not entirely off the hook, especially when borrowers fail to make the first few payments – the infamous EPDs. It is then obligated to buy back those loans and eat the potential losses itself. According to a Bloomberg analysis, Santander was obligated to buy back 3% of the loans, which according to Moody’s, is a higher rate than Santander’s faced in its earlier securitizations.
But in a deal that it sold to investors last year, Santander has been obligated so far to buy back 6.7% of the loans, mostly due to EPDs, according to a Bloomberg analysis.
So these losses due to early-payment defaults were shifted from ABS holders back to Santander. Moody’s analyst Matt Scully put it this way: “The situation is somewhat perverse in that bondholders are actually benefiting from high early-payment defaults through the repurchases.”
Subprime-auto-loan-backed securities have other protections for bondholders, such as loss-absorbing buffers in the form of additional auto loans beyond the face value of the securities.
Nevertheless, the remaining losses are being eaten by the lower-rated tranches of the ABS. And the losses are piling up. According to Fitch, the subprime auto-loan Annualized Loss Ratio rose to 9.4% in August, up from 8.3% in August last year. During the peak of the Financial Crisis in February 2009, the ANL had spiked to 13.1%:

In terms of the overall auto-lending industry and the banking system, how much of a problem are we talking about?
Total auto loans and leases outstanding have soared to $1.3 trillion at the end of the second quarter. Typically, between 20% and 25% of the new loans and leases being originated each quarter are subprime rated. In the first half of this year, about 21% were subprime.
At the end of the second quarter, according to Federal Reserve data, 4.6% of those $1.3 trillion in auto loans and leases – subprime and prime combined – were 90+ days delinquent. This is where delinquencies were in Q3 2009 but below the Financial Crisis peak of 5.3%. In dollar terms, the 90+ delinquencies – most of them by subprime rated customers – amounted to $60 billion:

While delinquencies have skyrocketed, losses are just a small fraction of what subprime mortgages had generated during the Financial Crisis. Subprime auto loans, being about one-tenth the magnitude of subprime mortgages, are not going to take down the big banks. But smaller specialized non-bank lenders could collapse, and some of them have already collapsed.
Given the risks and losses, why is the industry engaging in subprime lending? And why are investors lapping up the subprime-auto-loan backed securities? Follow the money.
Subprime loans are immensely profitable. The dealer gets to sell a car and make a fatter profit on the car itself and on arranging the loan because subprime borrowers know they’re having trouble getting loans, and there is often no negotiation on price, interest rates, or payments. Subprime customers are sitting ducks.
Subprime loans are also high-risk, and lenders want to earn higher rates of return – and charge higher interest rates – to be compensated for the risk. So, until the loans sour, lenders make more money on subprime loans.
At first, everyone is happy. The dealer made lots of money. The lender made lots of money. Investors earn a higher yield on their ABS. And the customer, who is paying through the nose for all this, is driving a nice car.
But a customer that is struggling and already has some credit problems – which is why the credit score is below “prime” – may have trouble making the payments on a car loan with a 21% interest rate financing not only the car but also the fat profits of the dealer.
It’s quick these days to repo a car and sell it at a wholesale auction. The used-vehicle market is liquid, and transactions are fast, unlike the housing market. So a lender will take some loss on a defaulted car loan, perhaps 30% or 40% of loan value. But given the profits made on the loan before it defaulted and on the loans that do not default, subprime lending, when greed isn’t allowed to run wild, remains a profitable business overall. And it allows customers with subprime credit to buy a car despite the risks for lenders.
Source: Wolfstreet
BIRMINGHAM, Ala., October 30, 2025--(BUSINESS WIRE)--Protective Life Corporation (Protective), a U.S. subsidiary of Dai-ichi Life Holdings, Inc. (TSE:8750), announced today that it has entered into an agreement to acquire Portfolio Holding, Inc. (Portfolio) and its subsidiaries from Abry Partners. Portfolio is a leading provider of reinsurance management services and finance and insurance (F&I) products for dealers nationwide.
This acquisition marks a significant milestone in Protective’s strategic growth within its F&I products and services. By integrating Portfolio’s dealer wealth programs and technology platform, Protective expands its ability to deliver leading solutions that drive dealer success and customer satisfaction.
"Portfolio is a natural fit for Protective—not only for its complementary offerings, but for its shared commitment to innovation and dealer success," said Scott Karchunas, President of Protective’s Asset Protection Division. "Their approach aligns seamlessly with our mission to deliver smarter, more specialized solutions that help dealers grow and thrive. Together, we’re expanding what’s possible in F&I and reinforcing our commitment to long-term value for our partners and their customers."
Founded in 1990 and headquartered in Lake Forest, California, with offices in Dallas and Cleveland, Portfolio offers dealer participation programs that help dealers build long-term wealth through reinsurance structures, enabling them to retain underwriting profits and investment income. With approximately 450 employees and a national, multi-channel distribution network, Portfolio serves millions of in-force customers through vehicle service contracts, GAP coverage and a broad range of ancillary products. Portfolio is an 18-time recipient of the Dealers’ Choice Awards, reflecting its sustained excellence in service and dealer support.
"Joining with Protective opens an exciting new chapter for our team as we seek to scale our impact across the dealer community," said Jeremy Lux, CEO of Portfolio. "Abry Partners has been an outstanding partner in accelerating our growth and innovation capabilities and played a critical role in positioning us for long-term success. Now, through Protective's established network and market expertise, we have a powerful platform to enable us to deliver our proven solutions to a broader dealer base."
Protective Asset Protection has provided F&I solutions to the automotive industry since 1962. Today, it supports over 10,000 dealerships across multiple sectors with a comprehensive suite of vehicle protection plans, dealer participation programs, training, and technology. As of early 2025, the division had more than 10.9 million in-force vehicle protection plans and had paid $7.2 billion in claims.
Over the past decade, Protective Asset Protection has expanded its capabilities through strategic acquisitions including AUL, Revolos and U.S. Warranty. Each has contributed to the division’s evolution as a key part of Protective’s broader business.
"Protective’s Asset Protection Division has become an increasingly important part of our business, and this acquisition marks another milestone in its evolution," said Rich Bielen, President and CEO of Protective. "Portfolio brings a strong track record in dealer wealth programs and a deep understanding of what it takes to help dealers succeed. While life insurance and annuities remain the foundation of our company, expanding our Asset Protection Division enhances our ability to protect more customers and deliver enduring value."
The transaction is expected to close by the end of the year, subject to regulatory approvals and customary closing conditions. Until then, both companies will continue to operate independently.
Upon closing, this transaction will mark Protective’s 61st acquisition and its eighth since becoming part of Tokyo-based Dai-ichi Life Holdings in 2015. Dai-ichi is a global financial services organization with over $433 billion in total assets as of December 31, 2024, serving customers in 10 countries. Protective serves as Dai-ichi’s North American growth platform, pursuing both organic and acquisition-driven expansion.
Maynard Nexsen PC is serving as legal counsel to Protective and TD Securities is serving as its financial advisor. Kirkland & Ellis LLP is acting as legal counsel to Portfolio and Jefferies LLC acts as its financial advisor.
About Protective Asset Protection
Protective Asset Protection has been providing Finance & Insurance solutions for the automotive industry for more than 60 years. We proudly serve thousands of dealerships and financial institutions throughout the U.S. and Puerto Rico with innovative F&I products, training, dealer participation programs and technology. Our portfolio of vehicle protection plans, GAP (Guaranteed Asset Protection) coverage, limited warranties and ancillary products provide opportunities to generate revenue with products that help drive customer retention and satisfaction. Protective Asset Protection is part of the financial services holding company, Protective Life Corporation. For more information about Protective Asset Protection, call 800-794-5491 or visit protectiveassetprotection.com.
Protective Life Corporation has helped people achieve protection and security in their lives for 118 years. Through its subsidiaries, Protective offers life insurance, annuity, asset protection and employee benefit solutions and is helping nearly 17 million people protect what matters most. Protective's more than 3,500 employees put people first and deliver on the company's promises to customers, partners, colleagues and communities—because we're all protectors. With a long-term focus, financial stability and commitment to doing the right thing, Protective Life Corporation, a subsidiary of Dai-ichi Life Holdings, Inc., has $125 billion in assets, as of Dec. 31, 2024. Protective is headquartered in Birmingham, Alabama, and is supported by a robust virtual workforce and core sites in the greater Cincinnati area and St. Louis. For more information about Protective, visit protective.com.
About Portfolio
Founded in 1990, Portfolio’s primary business is turnkey reinsurance management of vehicle service contracts, warranties and other F&I products sold in the automotive dealership. Its top executives have specialized in reinsurance since the origination of the concept over 30 years ago. Portfolio is marketed to dealers through a nationwide network of professional independent agents and reinsurance specialists. The company also administers reinsured and non-reinsured warranty programs for other markets. Portfolio is headquartered in Lake Forest, CA, with offices in Dallas, TX, and Cleveland, OH. More can be learned about Portfolio at www.PortfolioReinsurance.com.
About Abry Partners
Abry Partners is one of the most experienced and successful sector-focused private equity investment firms in North America. Since its founding in 1989, the firm has completed over $90 billion of leveraged transactions and other private equity or preferred equity placements. Currently, the firm manages $17 billion of assets across several fund strategies. More information about Abry Partners: www.abry.com.
Source: Businesswire