At the request of several members of Congress, the Federal Trade Commission has delayed the compliance deadline for “Red Flag” rules, which require businesses to implement anti-identity theft policies. Originally scheduled to become effective January 1, 2008, the rules have been granted a series of extensions by the FTC. The latest moves the deadline from June 1, 2010, to December 31, 2010.
Created through the Fair and Accurate Credit Act of 2003, the regulations require businesses that extend credit to consumers to develop a written policy that identifies warning signs and suspicious activities (i.e., red flags) of possible identity theft, and tactics to address and prevent it. If your business defers payment for goods or services, you must follow the Red Flag rules.
Associations representing various professional groups, including the American Medical Association, the American Bar Association and the American Institute of Public Accountants, have brought lawsuits against the FTC during the past year, arguing on various grounds that the rule should not apply to them. In the first case to be tried, the U.S. District Court for the District of Columbia ruled that the FTC is barred from applying the Red Flag rules to lawyers, who were represented in the suit by the American Bar Association. The FTC has said it would appeal the decision.
Although enforcement of the rules has been delayed, the rules are expected to eventually take effect – once Congress and the court system work through the details. As a result, if your company is subject to the rules, you will need a program for “covered accounts.” Covered accounts include most accounts used for personal, family or household purposes that involve multiple payments or transactions. These include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, employer-provided individual retirement accounts, checking accounts and savings accounts.
Your Red Flag program should include:
- A written policy reflecting procedures to identify red flags that are relevant to your business and used in your day-to-day operations, such as how you will verify identity and authenticate customers in person, online, by mail, over the internet, etc. Explain how new accounts versus existing accounts will be handled.
- Policies and procedures to detect possible identity theft once identified, and how you will prevent or mitigate identity theft.
- How the policies will be revised as technology is upgraded and new tactics are used over time.
- An approval and reporting mechanism with your company’s board of directors or, lacking one, a senior executive. This should include at least an annual report detailing the effectiveness of the policy, the response to any identity theft issues experienced and recommendations for changes to the policy.
An attorney knowledgeable on Red Flag regulations can assist you in creating this document. Many state and national business associations such as the American Medical Association have established industry-specific sample Red Flag policies.
If your business is subject to the regulation and you don’t put a Red Flag program in place, you could be penalized. The FTC can enact penalties up to $3,500 for each violation of the rule. States can also impose up to $1,000 per violation plus attorney fees. Customers can also file civil suits to recover actual damages sustained due to a violation. The rules open the door not only to damage to a company’s reputation, but also to class action lawsuits, which could result in massive damages.
You can learn more about Red Flag rules at www.ftc.gov/opa/2009/10/redflags.shtm.