The Federal Trade Commission (FTC) may require you to comply with the new Red Flag Rules by June 1, 2010

The goal of the underlying FACTA Act (Fair and Accurate Credit Transactions Act) is to enhance fraud detection and protection of private information.
If you offer payment terms to customers (e.g. 30 or 45 days), the FTC requires compliance with the new Red Flag Rules and the development of an identity theft prevention program.
Learn the basic elements of Identity Theft Prevention Programs.

Our Litigation and Business Valuation experts specialize in fraud investigation services and litigation support, expert testimony and written reports, financial report preparation and exhibits, and more.


The Review - Winter 2010 - FTC Red Flags Rules

December 01, 2010

FTC Red Flags Rules:
Most Organizations Must Comply by June 1, 2010
EXTENDED TO DECEMBER 31, 2010

Hubert Klein CPA/ABV, CVA, CFE, CFF
Partner, Litigation

Andrew Barfuss CPA
Partner, Risk Advisory 

If you offer payment terms to customers (e.g. 30 or 45 days), the Federal Trade Commission (“FTC”) requires you to comply with the new Red Flag Rules. Surprised? Most corporate executives and sole proprietors are! The goal of the underlying FACTA Act is to enhance fraud detection and protection of private information. Less understood is the pervasive impact that Red Flag implementation may have on your organization.

A few examples may include:

  • Human Resources — Developing "Red Flag" procedures for detecting job application fraud and protecting employee private information.
  • Credit & Accts/Pay — Educating employees on proper procedures for taking credit card information over the phone.
  • IT — Developing automated monitoring of sensitive data access and monitoring the external export of sensitive private data.

The FTC reports that identity theft is the fastest growing crime in America. In addition, it estimates that as many as nine million Americans have their identities stolen each year. In fact, you or someone you know may have experienced some form of identity theft. The crime takes many forms. The worst part is that the victims may not find out about the theft until severe damage has been done. In response to the escalating number of identity theft crimes, Congress passed the Fair and Accurate Credit Transactions Act (FACTA), which required the FTC to develop rules and guidelines regarding the detection, prevention, and mitigation of identity theft for financial institutions and creditors as defined by FACTA. The FTC, in turn, created the Red Flags Rules. A “Red Flag” is defined as a pattern, practice, or specific activity that could indicate identity theft. As a result, the FTC is requiring all creditors who have covered accounts to comply with the Red Flags Rules and develop identity theft prevention programs.

Many companies are not aware of these rules or that they apply to their business or organization. The Rules apply to "financial institutions" and "creditors." However, the FTC Red Flag Regulations have broad application and define a "creditor" as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. If you regularly extend credit to other businesses, you are also covered under this broad definition. If you think this does not apply to you, think again! As an example, if you or your organization bills and requires payment in 30 days, payment is not made in 30 days, and you allow a longer payment term, then under the Rules you have extended credit and are subject to compliance. As you can see, this type of transaction applies to most business enterprises.

The Rules set out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Every program must include four basic elements:

  1. Your program must include reasonable policies and procedures to identify the "Red Flags" of identity theft you or your business may run across in day-to-day operations.
  2. Your program must be designed to detect the red flags you’ve identified.
  3. Your program must spell out appropriate actions you’ll take when you detect the red flags.
  4. As identity theft schemes are ever-changing, you must address how you will re-evaluate your program periodically to reflect new risks.

There is exposure for management and boards, as every identity theft prevention program must be approved by the Board of Directors or an appropriate committee thereof. In organizations without a board, the program must be approved by management.

Like all government regulations and rules, there are severe penalties for non-compliance. The FTC is authorized to bring enforcement actions in federal court for violations and could impose penalties of up to $2,500 for each independent violation of the rules. In other words, if information from multiple customer accounts is stolen or misused, the penalty would be $2,500 for each customer account. Imagine if your entire customer, client or patient data file was stolen. Then there is always the exposure to civil litigation, an area where companies stand to lose the most. Not only will companies suffer untold damage to their reputation and subsequent customer churn, but each consumer may be entitled to recover actual damages sustained from a violation. There is also the possibility of class action lawsuits potentially resulting in massive damages.

The good news is that the rules allow you the flexibility to design a program appropriate for your company based on its size and its potential risk of identity theft. Some organizations may need a comprehensive program because of the high risk of identity theft in a complex organization, while lower-risk organizations can use a more streamlined plan.

The rules were adopted on October 31, 2007 and originally were to become effective on June 1, 2010, but the effective date has been extended to December 31, 2010. There is still time to get ready for compliance, but the requirement to have a board-approved program designed and implemented in such short order is an enormous undertaking. At EisnerAmper we have a team ready to help with your Red Flag compliance needs. If you have questions or would like to learn more about the Red Flag Rules and our services in this area, please call Hubert Klein or Andy Barfuss.

An Independent Member of PKF International Limited.