1. New Deadline to Adopt a Written Policy on Protection of Credit Information: Red Flag Rules (FACTA)
Franchisors have received a reprieve from the Federal Trade Commission (FTC). The Fair and Accurate Credit Transactions Act (FACTA), also commonly referred to as the “Red Flag Rules,” was supposed to become effective August 1, 2009. The FTC has now extended the effective date for 90 days, until November 1, 2009.
Do the Identity Theft “Red Flag Rules” Apply to Me?
You may wonder if you are subject to the “Red Flag Rules.” The FTC issued rules in November, 2007 that require covered entities to create specific rules and procedures for handling credit information. In order to assist our readers in determining whether they fall under the Rules, they need to determine whether they qualify as a “creditor” or “financial institution” and, if so, whether they issue “covered accounts” as well as what they need to do in order to comply with the Red Flag Rules by the deadline. To assist in this analysis, we have created a brief list of questions and answers.
QUESTION: As a franchisor, do I have to comply with the Red Flag Rules?
ANSWER: Maybe. If you engage in any of the following activities, you could be considered a “creditor” or “financial institution” and subject to the Red Flag Rules:
- Providing financing to franchisees
- Making deferments of royalties or other payment obligations for repayment at a later time
- Charging interest to franchisees for late payments
QUESTION: As a franchisee, do I have to comply with the Red Flag Rules?
ANSWER: Probably not. Simply by accepting credit cards as a form of payment from your customers, you do not become a “creditor.” If you issue credit cards you may be considered a “creditor.” However, the rule does not apply to franchisees that have ‘branded’ credit cards with their logo if they are not involved in the credit application or decision process. Additionally, if you otherwise provide your customers with payment terms (delayed payments), you might become a creditor under the rule.
QUESTION: As a supplier, do I have to comply with the Red Flag Rules?
ANSWER: Maybe. If you defer payments by providing products or services to your customers now and then billing them later, you are considered a “creditor” under the rules.
QUESTION: Based on the answers to the questions above, I think I am considered a “creditor.” What is the next step?
ANSWER: The next step is to determine if you have any “covered accounts.” There are two types of covered accounts:
- Type 1: A consumer account you offer to your customers. Examples include credit card accounts, checking accounts, and savings accounts.
- Type 2: Any other account that a creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft (particularly accounts issued to consumers or small businesses).
QUESTION: I am both a “creditor” and have “covered accounts,” what’s next?
ANSWER: If you are a creditor with covered accounts, you must develop and implement a written Identity Theft Prevention Program.
QUESTION: What is an Identity Theft Prevention Program?
ANSWER: An Identity Theft Prevention Program is a series of steps, appropriate for the nature of your business, designed to reduce identity theft. The Program involves four steps: 1) identifying the relevant “red flags” for your business, 2) detecting the red flags in the daily operation of your business, 3) preventing and mitigating identity theft and 4) updating your program.
QUESTION: How do I administer an Identity Theft Prevention Program?
ANSWER: An Identity Theft Prevention Program needs to be incorporated into the day-to-day operations of your business. For this reason, a company’s board of directors should approve the written Program. If your business does not have a board of directors, the Program should be approved by senior management. The Program must designate a person responsible for the implementation and administration of the Program. A key component to implementing and administering the Program is to properly train employees and franchisees in the new policies and procedures.
For more information on FACTA, see our Hot Branding Issue: Fall 2008.
2. Stepped Up Inspections by Immigration Authorities: Form I-9 Compliance Audits
If you haven’t reviewed your employee files recently to ensure they are up-to-date and contain the proper Forms I-9, now is a good time to do so. Form I-9 shows the U.S. Immigration and Customs Enforcement Agency (ICE) that you have verified an employee's identity and have established that the worker is eligible to accept employment in the United States. Most of you include the Form I-9 in your employment packet, but you may not have had time to review them. ICE has hyped up its inspections of employee Forms I-9. ICE issued in one recent week more notices of inspection than it issued for all of last year. One national company didn’t have its factory records in order, which resulted in a $40,000 fine.
Employers have three days to comply beginning from the inspection date. You may not have enough time to correct deficiencies in three days, so getting a head start now may save you a lot of aggravation and headaches. Things to look for in your files include 1) that you have collected a Form I-9 for each employee and have maintained them in hard or electronic form for three years after employment and for one year after employment termination, 2) confirming that both you and your employee have signed the employee’s Form I-9, 3) being able to prove that you have inspected the documentation on which the Form I-9 is based, such as passports, social security cards, permanent resident or alien cards, or drivers licenses, and 4) completing any missing or changed information, such as name changes. For re-hires, you may have to re-verify information. You can find the Form I-9 here.