At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week’s editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

Rick Harris is a partner at the law firm Day Pitney, and leads the firm’s technology, telecommunications, and outsourcing practice group. Harris concentrates on commercial transactions with special emphasis on intellectual property and technology issues. He regularly advises financial institutions and other global companies in connection with IT and telecommunications services contracts, including outsourcing contracts. In addition, he regularly lectures and writes on intellectual property and technology law topics relating to computer technology and technology outsourcing.

In addition to Harris, Day Pitney lawyers James Bowers and Thomas Zalewski helped to co-author this answer.

E-mail Rick Harris at rdharris@daypitney.com.

Warning, Disclosure

Compliance Week’s Remediation Center is an information service only. Answers to questions should not be construed to be legal guidance. Consult with your auditors, internal counsel, external counsel, and/or other securities experts on all critical compliance and governance matters.

Specialists are solicited by the editor to answer Remediation Center questions based on their knowledge of the subject matter and their ability to provide commentary in their particular area of expertise. In some cases, the experts who answer questions in the Remediation Center may also be Compliance Week subscribers, or may work at firms that advertise in Compliance Week.

QUESTION

I oversee compliance for the Latin American operations of my firm. Can you tell me whether the Red Flag Rules (requiring companies to have controls preventing identity theft) apply to foreign businesses, or only to U.S. businesses? Or if they don’t, should U.S. businesses with overseas operations be doing anything in the countries where they are operating?

ANSWER

The Red Flags Rules require certain businesses to develop and implement written procedures to protect consumers (and themselves) from identity theft in their day-to-day operations. The rules apply to virtually all U.S. banking institutions and also to a broad range of “creditors”—generally any business that accepts deferred payment for goods and services or that arranges for extensions of credit. The rules cover recurring transactions for products or services for personal or household purposes, such as credit card accounts, mortgage loans, cell phone accounts, and even professional billing.

At this moment, nobody really knows whether the rules apply to foreign creditors or whether the Federal Trade Commission will apply any special conditions to them. Guidance issued in June 2009 made clear that the rules do not apply to foreign branches of U.S. financial institutions since they are located outside the country, but this may be due to the greater domestic and foreign oversight of the accounts of regulated financial institutions generally. By contrast, the definition of “creditor” (where the FTC’s jurisdiction primarily falls) captures many businesses that maintain credit relationships that are largely unregulated for these purposes, such as the billing relationships of credit card companies and professional services providers. The FTC is targeting these types of unregulated relationships as prone to identity theft.

That said, the FTC may well break with the financial regulators’ approach and apply the jurisdictional reach of the rules to foreign entities, particularly if they hold covered accounts of U.S. consumers. The FTC’s penchant for this type of extra-territorial approach is demonstrated by its recent regulations implementing the Health Information Technology for Clinical Health (HITECH) Act, which require covered foreign vendors of personal health data that have U.S. customers to make notifications to affected customers, U.S. regulatory authorities, and potentially the media when U.S. customers’ protected health data is breached.

Further, the FTC’s jurisdiction already extends to foreign entities where functions susceptible to identity theft are outsourced by a U.S. company to foreign service providers. The U.S. host must specify in its identity theft procedures how it will ensure and monitor compliance with its program by foreign service providers. The FTC has indicated that it will address the rules’ applicability to foreign subsidiaries of entities under its jurisdiction in forthcoming guidance.

Regardless of when that guidance might arrive, the June 1, 2010, enforcement deadline is fast approaching. Whether or not the rules ultimately apply to foreign businesses, U.S. businesses with operations outside the United States should consider implementing a consistent, written identity theft prevention program across the organization, subject to any modifications required by applicable local laws.

In light of a desire in the international business community to limit the public’s exposure to identity theft, multinational businesses may decide that the benefits of implementing such an identity theft program, such as that required by the Red Flag Rules, will easily outweigh the costs.