Since January 1, 2008, the Federal Trade Commission Red Flag Rules has required businesses to establish policies and procedures for identifying identity theft. These rules require 4 things: 1. That business have reasonable policies and procedures in place to identify the red flags of i.d. theft; 2. the business must have a program designed that actually implements the program of identifying the red flags; 3. The businesses’ program must have policies that identify the specific action that business will take when it spots the red flags of i.d. theft; and 4. the businesses’ program must include a procedure for periodically reevaluating the red flag program. So the big question is who has to have such a red flag program. According to the FTC, the program applies to “financial institutions” and “creditors.” The word “creditors” appears to include those businesses that don’t even think of themselves as creditors. Indeed, the FTC states:
The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies are among the entities that may fall within this definition, depending on how and when they collect payment for their services. The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others, say, by processing credit applications. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt. If you regularly extend credit to other businesses, you also are covered under this definition.
Once you are deemed to be covered by these rules, you have to see if you have any “covered accounts.” There are two kinds of covered accounts. The first type are consumer accounts for which your customer incurs debt for personal, family or household use and is designed to permit multiple payments or transactions. The FTC gives examples such as utility bills, credit card accounts, and mortgages. The second type of account are those “for which there is a a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft including financial, operational, compliance, reputation or litigation risks.
So what does this mean to us lawyers and you business owners? We are no longer able to cast a blind eye to what may appear to be red flags of identity theft. We are now participants in the game of helping to catch the bad guy. This means that we can no longer sit on the side lines and hope that the authorities do their job as we look idly on. So whats next? If I were you, I would start developing my program. I certainly don’t want to the be the first test case that the FTC accuses of violating this new law.
FTC “Red Flag” rules may apply to YOU….