Extension of the FTC’s Red Flags Rules to November 1, 2009
Kegler Brown Business Tax Alert August 3, 2009
The Federal Trade Commission has announced that it is extending the date for implementation of its Red Flags Rules from August 1 to November 1, 2009. The Red Flags Rules, applicable to most, but not all, businesses, are designed to combat identity theft. Financial institutions are already subject to these rules and implementation for them occurred earlier. A covered business generally means any business that regularly extends or renews credit, or arranges for others to do so, and includes all businesses that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make a business a creditor under these rules.
Each business' Red Flags Rules will be specific to that enterprise and should be "appropriate, risk-based programs." It is likely that a small business can be classified as "low-risk" for identity theft. Businesses that perform their services in the homes of or face-to-face with their customers/clients are likely to be classified as low-risk. The FTC has already indicated it would be unlikely for it to recommend bringing a law enforcement action if the business entity knows its customers or clients individually, or if it performs services in or around its customers' homes, or if it operates in a sector where identity theft is rare and the business itself has not been the target of identity theft.
What are the standards?
The FTC has set out four standards for the program:
- The program must set out reasonable policies and standards to identify "red flags" of identity theft that occur in day-to-day operations. Red flags generally are suspicious patterns or practices or even a specific event that indicates the possibility of identity theft. A suspicious form of customer identification is probably a red flag.
- The program must be designed to detect red flags. If suspicious identifications are presented, procedures should be in place to detect fake, forged or altered identification materials.
- The program must spell out the actions the business will take when a red flag is detected.
- The program should include steps to periodically review and update the policies.
The Red Flags Rules must be adopted by the board of directors of the business. Failure to have a program or to administer it could result in civil penalties. Enforcement will be by the FTC or any state attorney general. There is no statutory right for a private action. For businesses already subject to FTC jurisdiction, non-compliance could also result in the shortcomings being classified as an "unfair practice."
Where can more information be found?
A good place to begin is the FTC's website. For guidance in this area, contact Ralph Breitfeller at Kegler, Brown, Hill & Ritter.