Explaining risks stemming from the FTC’s Red Flags Identity Theft Prevention Rule.
About the Author:
My name is Jim Keating. I attended college in Philadelphia, PA and law school in Wilmington, DE. Our team at Compliance Mitigation offers services to help small and mid-sized businesses and organizations develop mitigation strategies that lead to lower sentences if they’ve been charged with crimes.
Upon completion of this Case Study, participants will be able to:
- Understand Identity Theft and its unknown consequences;
- Describe steps small and mid-sized businesses need to take to protect against Identity Theft;
- Explain the concepts of Advancing Funds and Covered Accounts as they relate to the Federal Trade Commission;
- Understand why Identity Theft is a concern for businesses; and
- Identify methods to prevent Identity Theft from ruining your business.
Small and mid-sized business white-collar owners and leaders of similarly situated organizations.
Identity Theft, Red Flags Rule, Federal Trade Commission, Advancing Funds, Covered Accounts, Financial Institution, Creditor
Current State of the Industry:
Identity Theft has been an ongoing problem in the United States for some time, with new cases increasing every year. The Federal Trade Commission (FTC) estimates nine million Americans will have their identities stolen this year. This creates major problems for small and mid-sized businesses and organizations, which can lead to unexpected costs, litigation and lawyer fees, and in some cases criminal charges.
When some business owners and leaders face challenges or feel pressure, they seek quick solutions without considering all the consequences. They may not realize the risk associated with a government investigation or the power of the investigators. Government agencies will investigate wrongdoing, unintentional or otherwise. Business owners and leaders who do not view themselves as being “criminals” frequently find themselves being accused of white-collar crimes. At Compliance Mitigation, we are here to help you before you find yourself in this situation. In this case study, we discuss the FTC “Red Flags Rule” and offer suggestions on how to stay in compliance and out of trouble.
Future State of the Industry:
Business owners and leaders should make decisions with a full understanding of how government investigators will perceive them should a problem arise. At Compliance Mitigation, we want to eliminate instances where our clients find out they did not know their actions (or inaction) could result in victims—as government investigators often view these matters. Knowledge of consequences may result in people making fewer decisions that could make them vulnerable to investigations and prosecution for white-collar crimes.
The FTC Red Flags Rule requires many businesses and organizations to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate its damage. A Compliance Mitigation program can help many small and mid-sized businesses spot suspicious patterns and prevent the costly consequences of Identity Theft.
The FTC Red Flags Rule program outlines which types of businesses and organizations are required to participate. The program focuses on “financial institutions” and some types of “creditors” (depending on their business activities), which must conduct a periodic risk assessment to determine if they have “covered accounts.” The determination will not be based on the industry or sector, but rather on whether a business’ activities fall within the relevant definitions. A business must implement a written program only if it has covered accounts, as defined by the FTC.
The Red Flags Rule defines a financial institution as a “state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or a person that, directly or indirectly, holds a transaction account belonging to a consumer.” While many financial institutions are under the jurisdiction of the federal bank regulatory agencies or other federal agencies, state-chartered credit unions are one category of financial institution under the FTC’s jurisdiction.
Compliance Mitigation can assist small and mid-sized business owners and leaders in developing, implementing, and administering an identity theft prevention program pursuant to the FTC’s Red Flags Rule program. Identity Theft Red Flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. A program to prevent Identity Theft using the Red Flags Rule could, for instance, include unique electronic identification numbers, addresses, or routing codes for each individual client/customer.
According to the FTC, a Red Flags Rule program must include four basic elements that create a framework to deal with the threat of identity theft. A Red Flags Rule program must:
- include reasonable policies and procedures to identify the red flags of Identity Theft that may occur in your day-to-day operations.
- be designed to detect the red flags your business has identified.
- spell out appropriate actions your business will take when red flags are detected.
- detail procedures to keep your business current on new Identity Theft threats and trends.
Securing the data you collect and maintain about customers can be vitally important in reducing Identity Theft. The Red Flags Rule seeks to prevent Identity Theft, too, by ensuring that your business or organization stays on the lookout for the signs that a crook may be using someone else’s information, typically to illegally obtain products or services from your business. Compliance Mitigation recommends a two-pronged approach in the battle against Identity Theft: (1) implement data security practices that make it harder for crooks to get access to the personal information they use to open or access accounts, and (2) pay attention to the red flags that suggest that fraud may be present.
The FTC has been clear that just putting some notes or thoughts down on paper for your business or organization will not reduce the risk of Identity Theft. As a result, the Red Flags Rule has requirements on how to incorporate a written program into the daily operations of your business. Fortunately, the Rule also gives you the flexibility to design a program appropriate to your business’ size and the potential risks of Identity Theft. While some larger businesses and organizations may need a more comprehensive written program to address a high risk of Identity Theft, a streamlined written program may be appropriate for businesses facing a low risk. Compliance Mitigation can create a fully customized Red Flags Rule program for any business size.
The Red Flags Rule requires “financial institutions” and some “creditors” to conduct a periodic risk assessment to determine if they have “covered accounts.” Industry or business sector may not be determinative; rather, the determination depends on whether a business’ activities fall within the relevant definitions. A business must implement a written program only if it has “Covered Accounts.” The Red Flags Rule defines “creditor” based on type of business conduct. The FTC uses the federal statutory definition from the Equal Credit Opportunity Act (ECOA), which in layman’s terms means a business or person who defers payment to a customer for goods or services over a set period of time.
The FTC has provided the step-by-step guide below to help you determine if your business qualifies as a creditor under the Red Flags Rule. Ask yourself these questions:
Does my business or organization regularly:
- defer payment for goods and services or bill customers?
- grant or arrange credit?
- participate in the decision to extend, renew, or set the terms of credit?
If you answer:
- No to all, the Red Flags Rule does not apply.
- Yes to one or more, ask:
Does my business or organization regularly and in the ordinary course of business:
- get or use consumer reports in connection with a credit transaction?
- give information to credit reporting companies in connection with a credit transaction?
- advance funds to, or for, someone who must repay them, either with funds or pledged property (excluding incidental expenses in connection with the services you provide to them)?
If you answer:
- No to all, the Rule does not apply.
- Yes to one or more, you are a creditor covered by the Red Flags Rule.
Only after you conclude your business or organization may be a “Creditor,” as defined by the FTC, must you determine if you have any “Covered Accounts.” To determine if you have any “Covered Accounts” you must look at existing accounts and new ones. Two categories of accounts are covered:
- A consumer account for your customers for personal, family, or household purposes that involves or allows multiple payments or transactions.
- “Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
If, after performing the above analysis, you have determined your business does not have any “Covered Accounts,” your business does not need a written Red Flags Rule program.
The FTC analysis outlined above can be complicated and time consuming. That’s where Compliance Mitigation comes in. At Compliance Mitigation, we are set up to perform these types of analyses for our small and mid-sized business customers. We recommend more and better training for white-collar professionals to learn and understand the risks associated with non-compliance with the federal rules governing your business. The Red Flags Rule will not pertain to every type of business, but for those that do fall within the above-stated groups, Compliance Mitigation can create the written Red Flags Rule program for you so you are in compliance. When people understand how authorities view crimes like Identity Theft, they may be more inclined to make law-abiding decisions, ones that keep the business protected from a federal investigation.