Effective August 1, 2009, the Federal Trade Commission began enforcing the “Red Flags Rule” (RFR), prompted by a governmental initiative to prevent fraud and identity theft. Although this rule has been in effect since January 1, 2008, only recently has the FTC begun enforcing it (or fining for non-compliance).
Basically, the rule requires that any covered entity implement a written program that states how the members will prevent and mitigate identity theft. Many businesses fall under the jurisdiction of the RFR because these businesses “directly or indirectly hold a ‘transaction’ account belonging to a consumer.” If your company performs a service and sends a bill later, or has “accounts receivable” holding individual accounts, then most likely, your business must be RFR compliant. If your business sells products, for example, at a cash register and holds no accounts receivable for specific customers, then your business will not likely need to be RFR compliant.
The test implemented by the FTC is two-fold:
A. Is your business a financial institution, or does it act as a creditor? The answer as to whether or not you are a financial institution is obvious, but a business is considered a creditor if they do any of the following:
- extend, renew, or continue credit;
- arrange for someone else to extend, renew, or continue credit; or
- are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.
B. If so, does your business have covered accounts?
- covered accounts include those organizations that provide a service first, then bill later
- covered accounts include both business accounts and consumer accounts
- covered accounts include businesses that extend credit or grant loans
How can your business become Red Flags Rule compliant? If you have an outside billing company or accountant handling your billing, etc., much of the responsibility will lie on them to be RFR compliant. However, your business still may be held liable for any fines or corrective action if another business/person acts as an agent on behalf of the company. It is important for a business with “agents” to ask if said agents are Red Flags Rule compliant.
If your business is covered, then you should implement some type of policy, whether or not you have other entities doing billing, etc., on your behalf. Although it may seem unlikely that your business will experience fraud or identity theft on one of its accounts, it is better to be safe than sorry.
There are four basic steps to implementing a Red Flags Rule Compliance Plan:
1. Identify the red flags. What are the warning signs of identity theft in your day-to-day operations?
sensitive information? How is customer information stored (do you have social security numbers or credit card numbers unattended?)
2. Detecting Red Flags. How will your business detect the red flags you have identified?
3. Responding to Red Flags. How will we ensure that any discrepancies are taken care of properly? For example, a proper response may be notifying your local police department if your business has detected a possible case of fraud or identity theft.
4. Administering Your Program. You’ll need to get approval of the program by the Board of Directors, a committee of the Board or senior manager; designate a person to administer your program; decide how you will train people in this area; and decide how you will supervise any of your service providers (i.e., companies that handle your billing, attorneys, accountants, collection agencies, etc.) that must be compliant. Ott & Associates Co., LPA, has already implemented a Red Flags Rule program.
To comply with the Federal Red Flags Rule, entities that are at low risk for identity theft may complete the “Do-It-Yourself” Program, which may be found on the FTC’s website: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm
This website provides a user-friendly form to fill in, and also has a detailed guide to becoming Red Flags Rule compliant. Filling out the form may only take a few minutes, but will be essential in helping your business identify any problems that might occur.