On August 1, 2009, the Federal Trade Commission (FTC) will begin enforcing its "Red Flags" Rule, which is designed to address and combat the problem of identity theft. Under the Rule (16 CFR Part 681), every "financial institution" or "creditor" that administers "covered accounts" is required to have in place a written program designed to identify and address "red flags" that could indicate identity theft. The FTC twice has delayed the enforcement of the Red Flags Rule to provide covered entities with adequate time to design and implement appropriate identity theft prevention programs. With this deferral period rapidly coming to an end, every franchisor should assess whether it is one of the 11 million entities that the FTC estimates will be covered by the Rule, and, if so, take appropriate steps to comply with its terms. The failure to do so may be costly and subject a noncompliant entity to stiff FTC penalties.
Red Flags Rule
In 2008, the FTC and other agencies published extensive regulations setting forth the requirements of the Red Flags Rule. The Rule itself is quite broad. A "creditor" is defined to include "any person who regularly extends, renews or continues credit." A "covered account" means "[a]n account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions," or one that otherwise poses a reasonably foreseeable risk of identity theft. Under these definitions, any entity that extends credit for goods or services may be covered by the Red Flags Rule.
Entities covered by the Rule must develop a written Identity Theft Protection Program that detects the warning signs of identity theft. Such a program must detail steps to prevent fraudulent activity and establish a plan to monitor and update the program.
Guidance for Franchisors
Although the Red Flags Rule does not specifically target franchisors, some franchisors will be affected and will be required to adopt Identity Theft Protection Programs. In May 2009, the FTC issued a publication providing guidance regarding the Red Flags Rule for franchisors. Acknowledging that franchisors are not traditional "creditors," like banks and other financial institutions, the FTC explained situations in which a franchisor could be considered a creditor. For example, franchisors fill the creditor role "if they make loans to prospective franchisees or arrange third-party lenders for a prospective franchisee." Similarly, franchisors are creditors if they bill their franchisees after providing services.
Franchisors that meet this definition next must assess whether the "covered account" definition is met. The FTC's guidance acknowledges that a franchisor's collection of payments from franchisees generally would not be considered to be for "personal, family or household purposes." As such, the Red Flags Rule will apply to a franchisor only if it determines that there is a reasonable risk of identity theft in administration of the account. By way of illustration, the FTC explained that "an account with a foreseeable risk of identity theft may include a small business or sole proprietorship account that is closely linked to the personal information of an individual officer or owner."
It is important to keep in mind that this test is conjunctive: the Red Flags Rule will apply only if the franchisor acts as a creditor and administers a covered account.
The Red Flags Rule provides covered creditors with a certain amount of flexibility in implementing an Identity Theft Prevention Program. As such, covered franchisors can work within their existing systems to design and implement a program that conforms with the Rule's requirements while being best suited to the operation of their systems. FTC guidance provided to franchisors, as well as other general compliance guidelines, highlights four key features of any program, which should identify, detect, respond and update. An Identity Theft Prevention Program should:
- Identify "red flags"—patterns, practices and specific activities that signal potential identity theft;
- Establish and explain policies and procedures to detect these "red flags"—for example, monitoring account activity;
- Describe the appropriate response to detected "red flags," which should be designed to prevent and mitigate identity theft; and
- Provide for periodic updating to keep the program current, by reflecting changes in safety and risk relating to identity theft.
The Identity Theft Prevention Program must be approved by a franchisor's Board of Directors or, if the company has no Board, by a senior employee.
To assist covered entities with compliance, the FTC has issued supplemental guidelines that identify more than two dozen "red flags" as examples of identity theft risks. The FTC also has identified certain warning signs that might be particularly relevant for franchisors. Specifically, the May 2009 guidance highlighted three different levels at which a particular transaction may appear suspicious and raise a red flag—suspicious documents (e.g., identification documents that appear forged or incorrect, or are inconsistent with other information provided by the franchisee), suspicious personally identifying information (e.g., a home address, birth date or history that does not line up with information that the franchisor learned from other sources) and suspicious activities (e.g., unanswered faxes or undeliverable mail). A franchisor also should be aware of any notices from victims of identity theft, law enforcement authorities or other entities about possible identity theft in connection with covered accounts.
In taking steps to achieve compliance with the Red Flags Rule, covered franchisors should consider practical situations that may arise. For example, the FTC guidance queries "How will you respond . . . if a prospective franchisee provides a photo ID that appears to be forged or altered; will you request additional documentation? If you're notified that an identity thief has requested financing using another person's information, how will you ensure that the debt is not charged to the victim?" Additionally, it is important that staff at all appropriate levels be trained on the details of the Identity Theft Prevention Program and how to practically implement its provisions. An effective Identity Theft Prevention Program will not only comply with the Red Flags Rule but can also serve to assure potential franchisees that procedures are in place to address fraud and minimize its harm.