Just when you thought you were finished with new Federal Trade Commission (FTC) rules, another rule may bear on your business. As part of its campaign to combat identity theft, the FTC has announced its "Red Flags Rules" that may affect franchisors and franchisee/operators in their capacities as creditors. Specifically, the Red Flags Rules require a creditor to develop and implement a written identity theft prevention program to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. So, to the extent a franchisor is a creditor for royalty or inventory payments or a franchisee/operator permits a retail customer to defer payment through the use of an open account, it could be a creditor for purposes of the Red Flags Rules.
We have been advised by the FTC staff that our inquiry was the first one received from the franchise community. At our request, the FTC staff prepared an explanation that you can obtain by clicking here.
While the dangers of electronic storage or transmission of sensitive information like credit and debit card numbers has been a principal focus of the FTC when it comes to identity theft, the requisite Identity Theft Prevention Program is media-neutral. The Red Flags Rules apply equally to a business paid through electronic funds transfers (EFT), including automated clearing house drafts and other means of electronic payment popular with franchisors and retailers, as it does when paper checks are used and put in the mail.
Drawing on the Sarbanes Oxley experience, these rules expose senior managers and boards of directors to liability for non-compliance. November 1, 2008 is the deadline for implementing procedures to comply with the rules. A summary of the key points of the rules follows.
The Red Flags Rules are only meant to apply to those who regularly extend or arrange for credit and assignees of original creditors. Businesses that merely accept credit cards as forms of payment are not deemed to be "creditors" under the Red Flags Rules.
Even if a business is a "creditor," the Red Flags Rules only apply to its "covered accounts." These are accounts that are used mostly for personal, family or household purposes, and that involve multiple payments or transactions. Credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts are all covered accounts. However, certain business accounts are also included as covered accounts. As the FTC explanation indicates, franchisee accounts could be covered.
An identity theft prevention program must provide for the identification, detection, and response to patterns, practices, or specific activities as "red flags" potentially indicative of identity theft. These red flags include unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. Oversight of third-party service providers is also required.