It's almost 2011. Do you know where your Red Flags Rule compliance program is?

The Dec. 31 deadline is looming for Federal Trade Commission enforcement of the Red Flags Rule, which requires businesses and organizations to establish a program—complete with written policies and procedures—to detect identity theft.

The rule itself, which stems from the Fair and Accurate Credit Transactions Act, actually took effect on Nov. 1, 2008. The FTC has delayed enforcement five times so companies could develop their compliance programs. According to the FTC, many didn't know they were engaged in activities that would cause them to fall under the rule, or hadn't even heard of it.


Despite the lead time, plenty of companies still aren't prepared for enforcement, says Lisa Sotto, head of the privacy and information management practice in the law firm Hunton & Williams. “There still are many businesses that don't realize they may be impacted by the rule,” she says. “The broad definition of the term ‘creditor,’ which could lead to applicability of the rule, continues to take companies by surprise.”

Even those that have created a program could be vulnerable to penalties. The rule's requirements are specific, and most companies covered by it “probably aren't in strict compliance,” says Randy Green, a senior director with consulting firm Alvarez & Marsal.

The Red Flags Rule defines creditors as any business or organization that regularly provides goods or services and allows customers to pay later. According to the FTC, that could include utilities, healthcare providers, telecommunications companies, lawyers, accountants, and other professionals. It also covers businesses that regularly grant loans, arrange for loans, or make credit decisions, such as finance companies, mortgage brokers, car dealers, and other retailers that offer financing. Third-party debt collectors and businesses that collect or process credit applications for third-party lenders are creditors too.

Under the rule, creditors and financial institutions with covered accounts—consumer accounts designed to permit multiple payments or transactions, or any account that presents a “reasonably foreseeable risk from identity theft”—need a written program.

The Red Flags Rule also requires credit and debit card issuers to have policies and procedures to assess the validity of change-of-address notifications, and requires users of credit reports to implement procedures to handle address discrepancy notices received from consumer reporting agencies.


Still, confusion abounds over creditors and covered accounts: what qualifies, and why. “The rule's broad definition of creditor and covered accounts reaches people who would never think of themselves as creditors,” Green says.

That confusion has repeatedly delayed FTC enforcement of the rule and resulted in endless legal maneuvering over who must actually comply with it. The current Dec. 31 deadline for enforcement is the result of a delay announced by the FTC last May at the request of Congress. Lawyers, doctors, and accountants have all filed lawsuits seeking exemptions. Even at this late date, lawmakers are still mulling legislation to limit the scope of entities covered by the rule.

The American Bar Association first filed a lawsuit in 2009 challenging the FTC's application of the rule to lawyers. Shortly after, the American Institute of Certified Public Accountants and the American Medical Association filed similar lawsuits seeking exemptions of their own. A federal district court judge issued an opinion last December siding with the ABA. The FTC's appeal was heard in mid-November, but at press time a ruling had yet to be issued.

In a Nov. 15 statement, ABA president Stephen Zack reaffirmed the group's position that Congress “clearly did not intend for the Red Flags provision to apply to the legal profession.” The ABA declined to comment further. On Nov. 17, U.S. Rep. John Adler (D-N.J.) introduced a bill to amend the scope of certain creditor requirements under the Fair Credit Reporting Act. Adler's office did not respond to a request for comment.

This Time We Mean It

RED FLAGS ENFORCEMENT

The following excerpt from the Red Flags Rule microsite answers questions on compliance with the rule and enforcement:

1. Can a consumer sue us under the Red Flags Rule?

No, there is no private right of action. Only certain federal and state government agencies can enforce the Rule, but consumers can file a complaint with the FTC about a company's Program. The FTC uses complaints filed at www.ftc.gov to target its law enforcement efforts.

2. If my business is covered by the Red Flags Rule, what will we need to show the FTC to prove we're complying? Is there a specific audit document we have to file or have available if asked?

The FTC does not conduct routine compliance audits. But the FTC can conduct investigations to determine if a business within its jurisdiction has taken appropriate steps to develop and implement a written Program, as required by the Rule. The FTC may ask the target of the investigation to produce copies of its Program and other materials related to compliance. The FTC also may interview officers, employees, or others who are familiar with the company's practices. If the FTC has reason to believe the Rule has been violated, it can bring an enforcement action.

3. I'm a creditor with consumer or household accounts, but I think it's very unlikely that an identity thief will try to defraud me. Do I still have to prepare an Identity Theft Prevention Program?

The Red Flags Rule requires all creditors with covered accounts to prepare an Identity Theft Prevention Program. At the same time, the Commission staff recognizes that your risk of identity theft may be so low that, as a matter of prosecutorial discretion, Commission staff would be unlikely to recommend bringing a law enforcement action under the following circumstances:

You know your clients individually. For example, some medical practices and law firms are familiar with everyone who walks into the office. In such circumstances, the likelihood that an identity thief can defraud a business by impersonating someone else is extremely low.

You provide services to customers in or around their home, such as by operating a lawn care or a home cleaning business. For these types of businesses, the risk of identity theft is extremely low because identity thieves generally do not want people to know where they live.

You are involved in a type of business where identity theft is rare. For example, if there are no reports in the news, trade press, or among people in your line of business about identity theft and your business itself has not experienced incidents of identity theft, it is unlikely that identity thieves are targeting your sector.

Of course, from time to time you need to consider whether your identity theft risk has changed, warranting a different approach with respect to the Rule.

4. What are the penalties for non-compliance?

The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court, on behalf of the FTC. Currently, the law sets $3,500 as the maximum civil penalty per violation. Each instance in which the company has violated the Rule is a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief.

5. What if I have a question not answered in these FAQs?

Your question may be answered in our booklet, Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, our short articles on Red Flags compliance, or our form with step-by-step instructions on designing a Program for businesses and organizations at low risk for identity theft, all available at www.ftc.gov/redflagsrule.

Source: FTC Red Flags Rule Frequently Asked Questions.

For now, the FTC says its Dec. 31 enforcement deadline is firm. “It's important to note that at this early stage, we'll be looking for good-faith efforts at compliance, and our initial concern will most likely be in areas with a high risk for identity theft,” FTC spokesman Frank Dorman says.

For example, he says, the FTC will watch consumer identity theft complaints for “any patterns that reflect a disproportionate number of fraudulent accounts opened at a particular entity or in a particular sector.” The agency will also focus on sectors that generally have high levels of identity theft, and may respond to complaints about specific businesses. Identity theft has been the top consumer fraud complaint received by the agency for at least the past three years.

Mark Schreiber, head of the privacy practice at law firm Edwards Angell Palmer & Dodge, notes that some companies covered by the rule may already meet many of its requirements through compliance efforts aimed at other data privacy and security regulations. For example, healthcare businesses that have HIPAA data security regulation programs in place may be relatively safe, as are companies that comply with the tough data security regulations imposed in the state of Massachusetts.


Still, most data security policies aren't adopted at the board (or board committee) level as required by the Red Flags Rule, so companies that already have programs in place may need to get them approved by their boards. Companies might also need additional red flag identifiers if they have not ticked off all the vulnerabilities the FTC has on its checklist. For example, the Massachusetts data security rules only specify certain kinds of data; companies might need to expand their program to cover other types of information and identifiers, such as healthcare, medical, or insurance information, to comply with the Red Flags Rule, Schreiber explains.

Apart from compliance with the Red Flags Rule, some advisers say that a documented program to identify possible identity theft is good practice anyway. “An effective Red Flags program is a lesser task compared to the cost and consequences of a data breach, including all of the required notifications to the affected individuals, to state attorneys general, and to other regulators,” Schreiber says.

In fact, companies subject to the rule that don't put a program in place could pay the price. In the event of a breach, the absence of a Red Flags identity theft program could put a company at risk for sanctions or a monitor; civil penalties could run as high as $3,500 per violation. Dorman says penalties will depend on the circumstances. For example, a warning might be issued, or a court order might require an organization to develop a better plan or provide more training.

“I don't think most companies are prepared for this,” says Green. “When enforcement does go into effect, there will probably be a couple of big splashy enforcement actions.”