That was the question posed to Compliance Week magazine by a reader overseeing operations for a company in Latin America. The reader wanted to know whether the rules (requiring companies to have controls preventing identity theft) apply to foreign businesses or only to U.S. companies. And if they don't, should U.S. companies with overseas operations be doing anything outside the U.S.?
Compliance Week called on Day Pitney partner Richard Harris, and counsel James Bowers and Thomas Zalewski for the answer.
The Red Flag Rules require certain businesses to develop and implement written procedures to protect against identity theft, and they mainly focus on banks and other companies accepting deferred payment for goods and services. At the moment, nobody knows whether the rules apply to foreign creditors or whether the Federal Trade Commission will apply any special conditions. Guidance issued last year made clear that the rules do not apply to foreign branches of U.S. financial institutions, but the FTC might still break with this approach and has indicated it will address the issue of foreign subsidiaries in forthcoming guidance. The deadline is June 1.
See Compliance Week for the full answer (subscription required).