FTC IDENTITY THEFT “RED FLAGS RULE” ENFORCEMENT STARTS 11/1/2009
On November 1, 2009, the long-awaited enforcement by the Federal Trade Commission (the “FTC”) of the identity theft regulations commonly known as the Red Flags Rule (hereinafter the “Rule”) will finally arrive. While certain federal agencies (e.g., banking and credit union regulators such as the OCC, Federal Reserve System, FDIC, OTS and NCUA) began enforcement of the Rule right away, the FTC postponed its enforcement to provide businesses with guidance and additional time to develop policies that comply with the Rule’s requirements. Because FTC enforcement starts next week, it is important for you to know that there are financial and other penalties for non-compliance. This article gives a quick overview to help you determine whether your business is required to be in compliance with the Rule and reviews the penalties for non-compliance.
DOES THIS RULE APPLY TO MY BUSINESS?
The Rule applies to “financial institutions” and “creditors.” It is important to note, however, that these terms do not have their normally understood industry definitions, but rather are based on the specific business activities and practices of each company.
DO MATERIAL SUPPLIERS AND CONTRACTORS HAVE TO COMPLY?
As a material supplier or contractor who collects and maintains personal financial information in connection with credit sales or the performance of a project, you must carefully consider whether your activities or practices make you a financial institution or creditor under the Rule.
Financial Institution: A financial institution is a state or national bank, credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. A “transaction account” is one from which the owner may make payments or transfers to third parties, including but not limited to, checking accounts, negotiable orders of withdrawal accounts and share draft accounts.
Creditor: A creditor is any person or entity who, as part of his or her business, defers payment for goods or services and bills customers other than at the point of sale. This category also includes businesses that regularly grant or arrange loans, extend credit, or make credit decisions. Accordingly, if your business provides goods or services on credit, you will be considered a creditor for purposes of the Rule.
Since it is extremely unlikely that a contractor or a material supplier would be considered a “Financial Institution” as defined above, the focus should be on whether your construction or supply business falls under the definition of a “Creditor.” If you are involved in a construction project or purchase order where you perform work or deliver materials and allow the owner or customer to make payment at a later time (e.g., net 15 days from delivery, or within 10 days of completion of each phase of the project), then you are probably a “Creditor.”
WHAT DOES THE RULE REQUIRE OF CREDITORS?
Once you determine that you are a creditor, you must conduct periodic risk assessments to identify if you have any “covered accounts,” of which there are two categories: (i) a consumer account offered to customers primarily for personal, family, or household purposes which is designed to permit multiple payments or transactions, and (ii) any other account offered to consumers that poses a reasonably foreseeable risk of identity theft to customers or to the creditor.
Again, material suppliers and contractors generally do not have accounts falling into the first category, and most accounts would be classified as “commercial” rather than “consumer” accounts. However, if you require a personal guaranty, credit application, financial statements or other personal information from your customers as a condition to deferring payment for goods or services, then there is the possibility that the information collected by your company could be used in connection with identity theft. For example, if a customer has access to his or her account and personal information via the internet or by telephone, then a hacker or other person masquerading as the customer could potentially access the customer’s personal information. Under those circumstances, there may be a reasonably foreseeable risk of identity theft. By contrast, if the personal information contained in a credit application or personal guaranty is stored in a company filing cabinet (and not made available electronically), the risk of identity theft would be reduced (but not eliminated), since the information can only be accessed by a relatively limited number of people. Finally, because most small business accounts, sole proprietorship accounts and single transaction consumer accounts contain personal information of the customer, they will generally be considered covered accounts.
DO I NEED AN IDENTITY THEFT PREVENTION PROGRAM?
If you are a creditor with covered accounts (or you anticipate having covered accounts), then you are required to develop a written Identity Theft Prevention Program. The Rule sets out four essential elements for the development, implementation, and administration of the program:
1. The program must have policies and procedures to identify threats of potential identity theft that you may encounter in the day-to-day operation of your business. As an example, if a customer places several orders that are abnormal (either because of their size or their content) for that customer, then such activity might be a “red flag.”
2. The program must be designed to detect the red flags that your company has identified. Expanding on the example above, once the abnormal orders are identified, you should contact the customer to verify the order information and confirm that the orders were not fraudulently placed in the customer’s name.
3. The program must set forth the actions to be taken once red flags are detected, which may include notifying law enforcement.
4. The program must be subject to periodic review and re-assessment to address the constantly changing risks posed by identity theft.
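The screening and verification steps in elements 1 through 3 can be reduced to a simple rule that runs over order history. The following is an added illustration, not part of the original article or any law firm's program: it builds a per-customer baseline from constructed order records (all customer names, amounts and addresses are made up), flags a new order when its total, product category or delivery address departs from that baseline, and prescribes the verification action. The thresholds (three standard deviations, a 1.5x floor, a three-order minimum history) are assumptions a business would tune for itself.

```python
"""Red-flag screening over order history (added example with constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Order:
    order_id: str
    customer: str
    total: float
    category: str
    ship_to: str


# Constructed history for two hypothetical customers; not real orders.
HISTORY = [
    Order("A-1001", "acme-roofing", 2400.0, "shingles", "123 Main St"),
    Order("A-1002", "acme-roofing", 2650.0, "shingles", "123 Main St"),
    Order("A-1003", "acme-roofing", 2100.0, "underlayment", "123 Main St"),
    Order("A-1004", "acme-roofing", 2800.0, "shingles", "123 Main St"),
    Order("A-1005", "acme-roofing", 2300.0, "shingles", "123 Main St"),
    Order("B-2001", "bay-framing", 9000.0, "lumber", "9 Harbor Rd"),
    Order("B-2002", "bay-framing", 11000.0, "lumber", "9 Harbor Rd"),
    Order("B-2003", "bay-framing", 10000.0, "lumber", "9 Harbor Rd"),
]

# Constructed incoming orders to screen against that history.
NEW_ORDERS = [
    Order("A-1006", "acme-roofing", 2500.0, "shingles", "123 Main St"),
    Order("A-1007", "acme-roofing", 18000.0, "power tools", "77 Storage Way"),
    Order("B-2004", "bay-framing", 10500.0, "lumber", "9 Harbor Rd"),
    Order("C-3001", "new-customer", 500.0, "nails", "1 Elm St"),
]

# Assumed thresholds; a real program would set these from its own risk assessment.
SIZE_STDDEVS = 3.0   # flag totals more than this many std devs above the mean
SIZE_FLOOR = 1.5     # never flag on size alone unless the order is 1.5x the mean
MIN_HISTORY = 3      # fewer prior orders than this gives no usable baseline

NO_HISTORY = "no order history: verify identity before deferring payment"


def build_profiles(history):
    """Per-customer baseline: order count, mean/std of totals, seen categories and addresses."""
    by_customer = defaultdict(list)
    for o in history:
        by_customer[o.customer].append(o)
    profiles = {}
    for cust, orders in by_customer.items():
        totals = [o.total for o in orders]
        profiles[cust] = {
            "n": len(orders),
            "mean": mean(totals),
            "std": pstdev(totals),
            "categories": {o.category for o in orders},
            "ship_to": {o.ship_to for o in orders},
        }
    return profiles


def screen_order(order, profiles):
    """Return the list of red-flag reasons for one order; an empty list means routine."""
    p = profiles.get(order.customer)
    if p is None or p["n"] < MIN_HISTORY:
        return [NO_HISTORY]
    reasons = []
    # The floor keeps a zero-variance history from flagging every slightly larger order.
    limit = max(p["mean"] + SIZE_STDDEVS * p["std"], SIZE_FLOOR * p["mean"])
    if order.total > limit:
        reasons.append(f"order total {order.total:.2f} exceeds baseline limit {limit:.2f}")
    if order.category not in p["categories"]:
        reasons.append(f"category '{order.category}' never ordered by this customer")
    if order.ship_to not in p["ship_to"]:
        reasons.append(f"delivery address '{order.ship_to}' not on file")
    return reasons


def screen_batch(new_orders, history):
    """Map each order id to its red-flag reasons."""
    profiles = build_profiles(history)
    return {o.order_id: screen_order(o, profiles) for o in new_orders}


def response_action(reasons):
    """Element 3: the action taken once a red flag is detected (assumed policy wording)."""
    if not reasons:
        return "release order"
    # Call back using contact details already on file, never those supplied with the order,
    # so an impostor cannot 'confirm' their own order.
    return "hold order; verify with customer via contact details on file; escalate if unconfirmed"


if __name__ == "__main__":
    for order_id, reasons in screen_batch(NEW_ORDERS, HISTORY).items():
        print(order_id, "->", response_action(reasons), reasons)
```

With the constructed data, A-1006 and B-2004 are released, A-1007 is held on all three counts (size, new category, new address), and C-3001 is held because a first order from an unknown customer is exactly where identity must be verified before credit is extended. The same per-customer baseline can be rebuilt nightly and the thresholds revisited at each periodic review required by element 4.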
In addition, if you are subject to the Rule, you must: (a) have your program approved by your board of directors; (b) train staff to administer the program; and (c) oversee the activities of the third parties you engage to manage customer accounts and personal information.
WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?
The FTC can seek both civil penalties and injunctive relief for violations of the Rule. A maximum penalty of $3,500 may be assessed for each violation of the Rule. If the FTC obtains an injunction, your future compliance with the rule will be mandated by the court, and you may be required to provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order. Failure to comply with the court order could subject you to further penalties and the contempt power of the court.
In these economic times, losing a client due to identity theft is bad, and being under investigation by the FTC is even worse. Gibbs, Giden, Locher, Turner and Senet LLP has provided legal services to the Construction and Real Estate industries for over 30 years. Our law firm is available to assist you with the development of an appropriate program for your business, as well as with an initial assessment of whether you are required to comply with the requirements set forth in the Rule. Please contact us at firstname.lastname@example.org for additional information about this article.
By Seth W. Eaton, Esq.
Copyright 2009 Gibbs Giden Locher Turner Senet & Wittbrodt LLP ©