The FTC’s Red Flags Rules to go into Effect June 1, 2010
Kegler Brown Business Tax Alert May 21, 2010
The Federal Trade Commission earlier announced that it had extended the date for implementation of its Red Flags Rules to June 1, 2010. That date is almost here. The Red Flags Rules, applicable to most, but not all businesses, are designed to combat identity theft. Financial institutions are already subject to these rules and implementation for them occurred earlier. A covered business generally means any business that regularly extends or renews credit, or arranges for others to do so and includes all businesses that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make a business a creditor under these rules.
Each business' Red Flags Rules will be specific to that enterprise and should establish "appropriate, risk-based programs". It is likely that a small business can be classified as either "low-risk" for identity theft. Businesses that perform their services in the homes of or face-to-face with their customers/clients are likely to be classified as low-risk. The FTC has already indicated it would be unlikely for it to recommend bringing a law enforcement action if the business entity knows its customers or clients individually or if they perform services in or around their customers' homes, or if they operate in sectors where identity theft is rare and the business itself has not been the target of identity theft.
What are the standards?
The FTC has provided four standards for the program:
- The program must set out reasonable policies and standards to identify "red flags" of identity theft that occur in day-to-day operations. Red flags generally are suspicious patterns or practices or even a specific event that indicate the possibility of identity theft. A suspicious form of customer identification is probably a red flag.
- The program must be designed to detect red flags. If suspicious identifications are presented, procedures should be in place to detect fake, forged or altered identification materials.
- The program must spell out the actions the business will take when a red flag is detected.
- The program should include steps to periodically review and update the policies.
How to get started?
Here is a list of considerations for each business:
- (a) An analysis of the size and complexity of the business and the "covered accounts;"
- (b) A determination of the existing policies that control foreseeable risks of identity theft;
- (c) Development of a list of risk factors, red flags and mechanisms to detect such risks;
- (d) Establishment of procedures that should be followed when a red flag is detected;
- (e) A training procedure for appropriate employees;
- (f) A process for the continual administration and regular updates to the plan;
- (g) Management of any outside service providers; and
- (h) Introduction and administration of the program within the business.
The Red Flags Rules must be adopted by the board of directors of the business. Failure to have a program or to administer it could result in civil penalties. Enforcement will be by the FTC or any state attorney general; there is no statutory right for a private action. Non-compliance could also subject businesses already subject to FTC jurisdiction to have the short-comings be classified as an "unfair practice."
Where can more information be found?
A good place to begin is the FTC's website, www.ftc.gov. Under the “Quick Finder” section is a link for “Identity Theft.” Within that section is a link to "Red Flags Rules: Guidance for Businesses." From there, one can connect to FAQs as well as a "How To Guide." For low-risk business, compliance with the Rules may start with assembling relevant "loss prevention" policies already in place, as well as supplementing or establishing policies for detecting and responding to identity theft risks.
For guidance in this area, contact Kegler Brown Hill & Ritter. Attorneys with experience in this area include Ralph Breitfeller and Ken Cookson.