Chapter 25 — Key Takeaways: The F&I Process, Paperwork, and Compliance
One-page reference card. Self-contained — later chapters re-ground from this. The one-sentence chapter: In the F&I office, compliance IS the job.
Key Takeaways
- The deal jacket holds every document for one transaction and is the proof the process happened right. A clean jacket is a defensible deal; a sloppy one is a liability with the customer's name on it.
- The RISC (Retail Installment Sale Contract) is the actual loan contract — it creates the debt and contains the federally required TILA box (APR, finance charge, amount financed, total of payments). The buyer's order only summarizes the deal.
- Six federal laws govern F&I. Know them cold:
  - TILA — disclose loan cost comparably (the box).
  - ECOA — no discrimination; adverse-action notice when credit is denied.
  - FCRA — permissible purpose to pull credit; risk-based pricing / adverse-action notices.
  - GLBA — privacy notice + a safeguards program to protect customer data.
  - Red Flags Rule — a written identity-theft prevention program; detect and resolve red flags.
  - OFAC — screen customers against prohibited-parties lists.
- Five of the six protect the customer; one (OFAC) protects the country. None limit legitimate profit — they limit being opaque, discriminatory, careless, or complicit. (Theme #3: compliance is the professional version of the business.)
- Compliance is the floor; ethics is the building. TILA discloses the APR the customer pays — not the buy/sell spread or the dealer reserve (Ch 22). Telling the customer about the markup is ethics, beyond the legal minimum — and it's what builds the referral base.
- State law varies a lot — doc-fee caps, usury limits, cancellation rights, spot-delivery rules, required forms, F&I licensing. There is generally no automatic 3-day right to cancel a car. Route state questions to compliance/counsel; never guess.
- Spot delivery ("delivered but not funded") is legitimate only with a written contingency the customer understands: financing isn't final, and the trade + down payment are returned if it doesn't fund.
- The yo-yo — calling a spot-delivered customer back to force worse terms — is predatory and prohibited. The right response to a genuine fall-through is an honest unwind.
- Fraud the F&I manager must catch and refuse: straw purchase (front borrower), synthetic identity (fabricated person), income/employment falsification (overstated capacity). The through-line of every fraud is a lie to the lender about the real risk.
- The defense against all of it is a consistent verification process run on every single deal — plus an F&I manager who treats "this doesn't add up" as a reason to slow down, not speed up.
Action Items (this week, on the floor)
- Build your Deal-Jacket Map — list every document, in order, with one line on what each protects and what "missing/wrong" looks like (Project Checkpoint, Part 1).
- Build your Compliance Checklist — one verifiable yes/no per law, plus a spot-delivery line and a state-law line (Project Checkpoint, Part 2). Memorize the six laws and their one-line jobs.
- Practice naming every document as you place it in front of a customer ("This is your loan contract, the RISC — this box is your federal Truth-in-Lending disclosure"). Rushing signatures is how complaints start.
- Write two word tracks: (1) a warm spot-delivery script that states the honest asterisk; (2) an "I can't put that number down" script that declines income inflation without shaming and pivots to the deal you can do.
- Practice the red-flag verification (warm, no accusation) with a partner — once where the explanation is innocent, once where it isn't.
Common Mistakes (and the fix)
| Mistake | Why it's tempting | The fix |
|---|---|---|
| Funding a deal without reading the jacket | It's late; the deal looks good | Read every document before funding. The red flags are usually right there in the file. |
| Pulling credit without authorization / permissible purpose | Feels efficient to "pre-qualify" a browser | No pull unless there is both a signed authorization and a genuine financing attempt (FCRA). |
| Leaving SSNs/credit apps exposed; emailing data in the clear | Convenience | Secure the data — lock files, log out of the DMS, use secure channels (GLBA Safeguards). |
| Treating customers differently (markup, products, effort) by background | Unconscious "reading" of a customer | One standard for everyone, driven only by the deal and creditworthiness (ECOA). |
| Spot-delivering without a clear written contingency | "It's basically done, we'll wrap it Monday" | Conditional-delivery agreement the customer understands; say "not final" out loud. |
| The yo-yo — calling back to force worse terms | A rewrite can add hundreds to the back end | Honest unwind: truth, trade + down payment returned, any new deal fully optional. |
| Holding the trade hostage during a pending spot delivery | It removes the customer's leverage | Don't. On an unwind, the trade comes back immediately; the customer stays mobile. |
| Padding income / accepting a doubtful pay stub | The only thing between you and the commission | Verifiable income only. Restructure to what they can afford, or let the deal go. |
| Treating Red Flags/OFAC as box-checking | "They never catch anything" | Run them every time. The rare miss is catastrophic; "almost always clean" still requires checking. |
Decision Framework: The Pre-Funding Checklist
Before any deal funds, run these in order. A "no" on any line means stop and resolve before funding — never the reverse.
1. Match check. Do the buyer's order and the RISC match what was agreed at the desk (price, trade, fees, APR, payment)? → TILA
2. Authorization check. Do I have a signed credit-application authorization (permissible purpose) for every pull? → FCRA
3. Equal-treatment check. Were rate, products, and effort driven only by the deal and creditworthiness? → ECOA
4. Notice check. Did the customer get the privacy notice and, if owed, the risk-based pricing / adverse-action notice? → GLBA / FCRA / ECOA
5. Data check. Is the customer's data secured right now (nothing exposed, DMS logged out)? → GLBA Safeguards
6. Identity check. Did I review ID and the application for inconsistencies, and resolve and document any red flag? → Red Flags Rule
7. Screen check. Did the OFAC screen run clean (or did I stop and escalate)? → OFAC
8. Spot-delivery check. If delivered-but-not-funded: is there a written contingency with unwind terms, and does the customer understand it's not final?
9. State check. Did I route every state-specific question (doc-fee cap, cancellation rights, usury, forms) to compliance rather than guess?
If all nine are "yes," you have a deal you can hand to a regulator and say: here it is, all of it, done right. That sentence is the whole job.