June 1 Enforcement Date Looming for FTC Red Flag Rules

After several delays and postponements, enforcement of the Federal Trade Commission's Red Flags Rule is slated to begin June 1. The regulation would require all businesses that fall under its parameters to develop and implement a written identity theft prevention program designed to help identify, detect and respond to patterns, practices or specific activities that could indicate identity theft warning signs, or "red flags," in their day-to-day operations.
According to the FTC, 9 million Americans have their identity stolen every year. To combat this rising number, the Red Flags Rule will pick up where a firm's own in-house data security programs leave off by ensuring that the business is on the lookout for the signs that someone is using another person's information to get products and services without paying.
The rule basically amounts to smart business practices that help keep customers, as well as the business itself, from falling victim to identity theft.
The origin of the rule dates back to 2003 when it was part of the Fair and Accurate Credit Transactions Act, in which Congress directed FTC and other agencies to develop regulations requiring creditors and financial institutions with covered accounts to address the risk of identity theft.
The rule applies to financial institutions and creditors, although FTC suggests looking closely at how the law defines these institutions. "Financial institutions" include entities that offer accounts that enable consumers to write checks or to make payments to third parties through other means, such as other negotiable instruments or telephone transfers. It is not likely many funeral homes or cemeteries would fall under this umbrella.
However, the definition of "creditor" is fairly broad and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Generally, the Red Flags Rule applies to businesses that regularly defer payment until after services have been performed. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit or make credit decisions. In addition, the definition includes anyone who regularly participates in the decision to extend, renew or continue credit, including setting the terms of credit. For example, a third-party debt collector who regularly renegotiates the terms of a debt would be a creditor under the rule.
Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. "Generally, if a business only accepts credit cards as payment for goods and services, they are not covered under the rule," said Robert Fells, external chief operating officer of the International Cemetery, Cremation and Funeral Association. "However, if a business helps customers fill out credit applications or accepts multiple installment payments (more than two), they may fall under the Red Flags Rule."
Once you have determined if your business falls under the definition of financial institution or a creditor, the next step is to figure out if you have any "covered accounts." FTC defines these as either consumer accounts designed to permit multiple payments or transactions, or any other account that presents a reasonably foreseeable risk from identity theft.
"In other words, a business that allows a consumer to purchase an item in installments is a covered account," said T. Scott Gilligan, general counsel for the National Funeral Directors Association. "In addition, a business that allows a small business or a sole proprietorship to purchase an item in installments is also considered a covered account. That is because there is a risk that someone could steal an identity and pretend to be a representative of a small business or a sole proprietorship."
Fells added that a recurring charge would trigger the rule because the risks of identity theft are increased exponentially. "With credit cards you are dealing with confidential consumer information that needs to be secured, but it is a one-shot transaction," he said.
If you have come to the conclusion that your business does not fall under the guidelines of the Red Flags Rule, then you do not have to move on to the next step. You don't have to, but it might be a good idea to do so anyway to further educate yourself and your employees to the warning signs of identity theft.
According to FTC, an Identity Theft Prevention Program must include four basic elements, which together create the framework to address the threat of identity theft.
• Identify relevant red flags. Identify the red flags of identity theft you're likely to come across in your business.
• Detect red flags. Set up procedures to detect those red flags in your day-to-day operations.
• Prevent and mitigate identity theft. If you spot the red flags you've identified, respond appropriately to prevent and mitigate the harm done.
• Update your program. The risks of identity theft can change rapidly, so it's important to keep your Program current and educate your staff.
The FTC has developed a sample Red Flags Rule compliance form that is tailored for businesses that are considered low risk. (That form appears below and continues on consecutive pages). Both NFDA and ICCFA have developed their own sample compliance programs for their respective membership.
Once the program has been formed, don't just put it in a drawer. "You must alert your staff because if you say you are doing something you need to do it," said Fells. "I think [an identity theft prevention program] could be even used as a selling tool. 'We have a program to protect you from identity theft.'"
"The Red Flags Rule protects your customer and protects your business too," Fells said. "The business itself can become a victim of identity theft. The consumer may be the one who could be defrauded, and someone may use the funeral home or cemetery to perpetrate the fraud."
The FTC will not be sending in secret shoppers to see if a business has its program in place. "The only time that enforcement will actually come down is if there is an actual identity theft," Fells said. And when that happens the FTC or the investigating body will come into the business and ask for the Red Flag compliance program that should be in place. FTC may also interview employees to determine whether or not they are familiar with the practices spelled out in the program.
The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. According to the FTC, the law sets $3,500 as the maximum civil penalty per violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents and take other steps to ensure compliance with both the rule and the court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief.
The Red Flags Rule has been in effect since Jan. 1, 2008. However, the FTC previously delayed enforcement of the rule on several occasions, at the request of Congress, to allow those businesses that fall under the scope of the rule to develop and implement their written identity theft prevention programs. It is not likely that there will be another extension of enforcement.
Visit www.memorialbusinessjournal.com for a free download of the Feb. 18, 2010, issue which focuses on the Red Flag Rules. The issue includes a compliance template designed by the FTC to help businesses at low risk for identity theft design their own identity theft program. The template is in two parts. Part A will help you determine whether your business or organization is at low risk. Part B offers FTC's sample written identity theft prevention program.