Pursuant to certain regulations (the Red Flag Rules) issued by the Federal Trade Commission (FTC), "financial institutions" and "creditors" are required to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the Red Flag Rules, many non-profits will be required to develop programs to detect and prevent identity theft.
To the extent non-profits fall within the definition of "creditor" under the Red Flag Rules, they must develop and implement a written identity theft prevention program to comply with these new regulations. Although the rules originally required that a written program be adopted by the board of trustees by November 1, 2008, the FTC announced that it will delay enforcement actions for violations of the Red Flag Rules until August 1, 2009.
Generally, the Red Flag Rules apply to “financial institutions” and “creditors” with “covered accounts.” Under the rules, the definition of “creditor” is broad and generally includes entities that regularly defer payment for goods or services or provide goods or services and bill customers later. Specifically, the definition of “creditor” includes any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Thus, a non-profit could potentially be a “creditor” if it charges dues for membership services or invoices for other goods or services already provided, such as exhibit booth sales, magazine or newsletter subscriptions, books and other publications, corporate sponsorships, advertisements, conference registration fees, or logo items, and the non-profit allows the amount due to be paid in installments.
There are two categories of “covered accounts.” The first category consists of consumer accounts mostly used for personal, family, or household purposes that involve or permit multiple payments or transactions. The other category of “covered account” includes any account offered by a creditor that has a reasonably foreseeable risk of identity theft to consumers or to the safety and soundness of the creditor. This includes small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft.
To the extent a non-profit is a "creditor," the non-profit must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. The purpose of the written identity theft prevention program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. The requirements of the program are flexible, but the program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. The written program must include reasonable policies and procedures to:
- Identify relevant Red Flags for the covered accounts that the creditor offers or maintains and incorporate those Red Flags into its program;
- Detect Red Flags that have been incorporated into its program;
- Respond appropriately to any Red Flags that are detected;
- Train relevant staff, as necessary;
- Exercise sufficient oversight over service providers; and
- Update the program periodically to reflect changes in risks from identity theft to customers and to the safety and soundness of the creditor from identity theft.
Importantly, the Red Flag Rules require each creditor to develop its written identity theft prevention program based on the specific Red Flags relevant to that creditor. As such, it is important to evaluate the specific risks of identity theft that you face, evaluate what Red Flags are relevant to your business, and develop a policy to address each identified Red Flag.
In addition to the adoption of a written identity theft prevention program, the Red Flag Rules impose additional requirements on users of consumer reports, in the event the user is notified of an address discrepancy. Specifically, any user of credit reports must develop and implement policies and procedures designed to enable the user to form a "reasonable belief" that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
The FTC has recently published on its website a compliance template to help low-risk businesses and organizations develop their own Identity Theft Prevention Program that complies with the FTC's “Red Flag Rules.” The template can be found at: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf