In November 2007, the Federal Trade Commission (FTC) issued a set of regulations, commonly referred to as the “Red Flags Rule,” as part of the Fair and Accurate Credit Transactions Act. The Red Flags Rule requires financial institutions and creditors to implement written programs for identifying and detecting the misuse of identifiable personal information to commit fraud or other crimes (otherwise known as “identity theft”). Given the sweeping nature of the Red Flags Rule and much lobbying for its extensive revision, the FTC has delayed its enforcement of the Red Flags Rule five times, presently to December 31, 2010. Despite these delays, preparedness is the safer course. Failure to comply results in a multitude of liabilities, including administrative and civil penalties, as more specifically described below.
Specifics of the Red Flags Rule
Who Is Covered?
The Red Flags Rule applies to:
- Financial institutions; and
- “Creditors” with “Covered Accounts”
While the meaning of a “financial institution” is fairly straightforward and, as expected, includes banks, credit unions, and savings and loan associations, the definition of a “creditor” is much less obvious.
Under the Red Flags Rule a “creditor” is any entity that regularly extends, or even simply arranges for the extension of, credit. The “creditor” definition therefore sweeps in the vast majority of businesses, regardless of size or financial standing, so long as the business does not require payment in full at the time products or services are provided and thus extends “credit” to its customers to the extent of any amount remaining unpaid. Such businesses include, for example, car dealers (due to leasing and financing services), mortgage brokers (due to facilitation of financing services), accounting firms and law firms (to the extent they allow client payments for services over an extended period of time after the services have been rendered), physician practices (due to installment billing of patients as well as maintaining confidential patient information), day care centers (due to partial payment plans) and even non-profit institutions providing for deferred payment for goods or services.
Accounts created to evidence such partial or extended payments are largely included in the definition of “covered accounts,” which specifically encompasses accounts (i) that involve or are designed to permit multiple payments or transactions; or (ii) for which there is a reasonably foreseeable risk to customers or to the business from identity theft. As a result, the Red Flags Rule covers most billing accounts, including credit cards, mobile phone accounts, small business accounts, and potentially even patient records.
Given its broad sweep, the Red Flags Rule has triggered widespread resistance by small businesses and certain service providers. Specifically, in August of 2009, the American Bar Association sued the FTC and obtained a Federal District Court ruling that the Red Flags Rule does not apply to attorneys. This decision is currently subject to an appeal by the FTC pending before the D.C. Circuit Court. Similarly, in November of 2009, the American Institute of Certified Public Accountants (“AICPA”) filed a lawsuit against the FTC seeking exemption from the application of the Red Flags Rule. In March of 2010, the court ordered a delay of enforcement of the Red Flags Rule against CPAs until the resolution of the FTC’s appeal of the court’s decision in the Bar Association lawsuit. Following the lead of the American Bar Association and the AICPA, in May of 2010, the American Medical Association filed a complaint against the FTC alleging similar non-applicability of the FTC Rules to medical practices. The outcome in that case will most likely also depend on the outcome of the appeal in the American Bar Association case. Finally, proposed legislation passed by the House of Representatives and currently pending before the U.S. Senate would exempt from compliance with the Red Flags Rule certain small businesses, among them law firms, accounting firms and medical practices with fewer than 20 employees.
What Are Red Flags and What to Do About Them?
The Red Flags Rule mandates that each covered business develop, adopt and implement a written program to detect and respond to patterns, practices or specific activities (known as “red flags”) encountered in the course of doing business with individuals that indicate possible identity theft. The nature of the “red flags” will depend on the covered entity in question. For instance, a credit card issuer might notice an unusual level of purchases, while a medical office should be on the lookout for insurance claims indicating that the lifetime cap on a patient’s policy has been exhausted.
Some common “red flags” are:
- Forged documents;
- Non-matching signatures;
- Address discrepancies;
- Complaints from customers, clients or patients that they were billed for services that were never rendered;
- Fraud alerts from credit reporting agencies.
To ensure proper detection of “red flags,” covered businesses must develop and implement a written program customized to detect, address, mitigate and proactively prevent identity theft risks. The program must provide for staff training and service provider supervision. Further, it must outline the mechanics of future updates. The FTC mandates that such a program be managed by the covered entity’s board of directors or equivalent management and supervised by senior officers.
Failure to Comply With the Red Flags Rule
Failure to comply with the Red Flags Rule may result in a variety of penalties, including a regulatory enforcement action, civil monetary penalties of up to $3,500 per violation, and in certain cases up to $16,000 per violation per day for continued non-compliance, statutory penalties of up to $1,000 per injured individual, punitive damages and attorneys’ fees. Additional detrimental consequences to a business may include diversion of resources to deal with the FTC, negative publicity, and the potential loss of business.
Suggested Response to Red Flags Rule
In light of the approaching enforcement start date of December 31, 2010, every company providing “credit” in the form of lending, leasing, or extended payments is highly encouraged to take immediate steps to achieve compliance. Such steps should include:
- immediate review of the existing confidential information protection level and history of identity theft incidents;
- development of a written program for detection, response, mitigation and prevention of identity theft involving confidential information;
- review and approval of such program by the company’s board of directors or senior board management;
- appointment of a senior officer in charge of implementing the program;
- comprehensive training of all employees handling confidential information;
- establishment of guidelines for supervising service providers and contractors having access to personally identifiable information; and
- establishment of a mechanism for implementation of regular updates to the program.