The Federal Trade Commission (“FTC”) has adopted a rule requiring "creditors" to take steps to combat identity theft in connection with “covered” recurring payment accounts. Known as the Identity Theft Red Flags Rule ("the Rule"), the regulation mandates that businesses and organizations defined as creditors adopt Identity Theft Programs ("Programs") to spot suspicious activity that may signal identity theft. Non-profit organizations such as independent schools are not exempt from the Rule.
Set out below are frequently asked questions about the Rule.
Who is covered by the Rule?
The Rule applies to any entity that meets the definition of “creditor” and maintains one or more “covered accounts.”
Is my school a "creditor" with a "covered account?"
Possibly. In most cases, "creditor" means an entity that “extends credit” by permitting its clients or customers to pay later, on an extended payment schedule, for goods or services that are provided first. Extending or offering "credit" means an arrangement whereby you accept deferred installment payment for goods or services, such as school tuition, room, board, books, or other fees or charges. If a school allows parents to pay for tuition or other goods and services on a payment plan, and they sign an enrollment contract early in the year for the coming school year, opting to pay in a set number of payments spread out over the course of the year, this would make the school a "creditor" under the Rule. "Covered accounts" are those used mostly for personal, family or household purposes, which clearly includes accounts for the payment of education-related services.
What if my school uses a third-party service provider for payment services?
If you use a third-party payment plan provider to collect multiple payments throughout the year, you may still be covered; the Rule does not distinguish between payments made directly from consumers to you and payments made via a third party. As a result, if you are using such a provider the school may still be considered a "creditor," and your Program should provide for the monitoring and oversight of third-party service providers.
What is the mandatory compliance date of the Rule?
The Rule requires "creditors" to be in compliance by November 1, 2009.
What does the Rule require?
The Rule requires covered organizations to implement a written Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or the maintenance of an existing covered account. The Program must be approved by the board of trustees or directors or an appropriate committee of the board, overseen by the board, committee, or a senior manager, and include training of staff and oversight of service providers.
What if my school accepts late payments – does that make it a "creditor" under the Rule?
If you accept late payments, even if not under a specific plan, you still might be covered by the Rule. If payment of tuition in full is due on a certain date but is accepted late on a single occasion, that would most likely not make the school a "creditor." However, if the school regularly accepts late payments over time, in installments, that may make it a "creditor," regardless of whether that arrangement is formal or informal.
My school invoices for tuition, and we carry these receivables for a time while they are paid off. Does this practice make us a "creditor" under the Rule?
When you charge for tuition, room and/or board, or invoice for other goods or services already provided, such as books, athletics or other special fees, and you allow the amount(s) due to be paid in installments, you may be a "creditor" under the Rule. However, it ultimately depends on how you structure the payment plan. Schools that bill for tuition after students attend class are creditors. Schools that require payment upfront or "pay as you go" – so that students would be barred from class if they do not pay – are not "creditors." And if you regularly make loans to students, employees or others, you clearly are a "creditor."
What is a “Red Flag”?
A Red Flag is a pattern, practice or specific activity that signals possible identity theft. The required Program must identify your school's Red Flags and set forth procedures to detect and respond to them.
What are the sources of Red Flags?
- Incidents of identity theft that the school has experienced.
- Methods of identity theft that the school learns from publications, industry reports or other sources that reflect changes in risks of identity theft.
- Applicable guidance from the FTC.
What are the common activities that could be Red Flags?
- Alerts, notifications, or other warnings from credit bureaus or service providers, such as fraud detection services.
- The presentation of suspicious documents.
- The presentation of suspicious personal identifying information, such as a suspicious address change.
- The unusual use of, or other suspicious activity related to, a covered account.
- Notice from consumers, victims of identity theft, law enforcement authorities or others regarding possible identity theft in connection with covered accounts.
What are the elements of a Program?
A Program must enable the covered school to:
- Identify Red Flags relevant to the entity’s experience, industry sector and risk profile, and incorporate them into the Program. There are 26 examples of Red Flags in the Rule's guidelines, but there may be others unique to your school’s activities, programs and services.
- Detect the Red Flags that have been included in the Program through the use of authentication mechanisms, monitoring of accounts and other processes.
- Respond appropriately to Red Flag events that are detected – possible responses may include determining that no response is warranted under the circumstances, contacting the parent or customer, changing passwords or other account access credentials, not attempting to collect on an account, and contacting law enforcement.
- Periodically review and update the Program to reflect changes in risk.
What is the liability for noncompliance with the Rule?
The FTC can obtain civil penalties of up to $3,500 for each violation of the Rule by entities within its jurisdiction. If a school is found to be a "creditor" but does not have the required identity theft prevention Program, the number of violations could equal the number of covered accounts that should have been protected by the Program. There also could be state agency enforcement, with penalties of up to $1,000 for each willful violation, plus costs and reasonable attorneys' fees if the state prevails. While private causes of action cannot be brought for Rule violations, identity theft victims could bring claims under other theories of liability.