‘Red Flag’ rules are catching some businesses by surprise

December 31, 2008

Lawyers who advise businesses are fielding calls from clients about new federal requirements for identity theft prevention programs. While lawyers say business owners are often surprised to find they’re affected by the new rules, complying with the rules themselves is not particularly difficult. The so-called “Red Flag” rules apply to both “financial institutions” and “creditors,” and both terms are defined broadly. One law firm advises that “creditors” can include utility companies, automobile dealers, law firms, hospitals and educational institutions. The red flag rules are part of the Fair and Accurate Credit Transaction Act of 2003 (FACTA). The rules may be found on the Federal Trade Commission’s Web site, http://www.ftc.gov/. Some businesses were ready for the new rules and others were surprised by the impending deadline, according to Chad Perrine, an attorney and chief ethics officer at LandAmerica Financial Group, a title insurer. “Some are scrambling, and some are tweaking,” Perrine said. Mainstream financial institutions had to comply with the new rules by Nov. 1, and most did so, according to Paige Fitzgerald, an associate at the Richmond office of Troutman Sanders LLP. “Anybody in the financial industry has had this on their radar for quite a while,” she said. The deadline for other affected businesses has been extended to May, apparently because the word did not get around in time. Among the businesses looking for deadline relief were doctors’ offices. “The health care industry has been caught quite unaware by this,” Fitzgerald said. She explained that few businesses read the rules closely enough to see that they were affected. The rules apply to almost any business that agrees to let customers pay over time. “What triggers the rule is if you defer payment for your service or product,” Fitzgerald said. As noted in a flyer distributed by the Richmond-based law firm of Hancock, Daniel, Johnson & Nagle PC, the FTC takes the position that the regulations apply regardless of whether the business is a for-profit or non-profit entity. Once a business realizes that it has to meet the requirements for flagging possible identity theft, getting a plan in place is relatively easy. Fitzgerald said that most responsible businesses already have procedures that would spot a suspected scam. “You don’t have to start from scratch,” she said. She explained that compliance involves preparing a document that describes the methods in place to detect and report possible identity theft. That document can refer to existing procedures or incorporate other documents by reference. The size of a business and the type of credit accounts it controls determines how extensive the written policy must be. The policy must have a way of detecting red flags, such as reviewing accounts regularly, and must include “appropriate responses” to prevent and mitigate identity theft once detected. The rules provide for civil penalties such as monetary sanctions and enforcement action by the FTC.

Written by Peter Vieth  |  Filed Under Home Page Items, Weekly Update 

Comments

Got something to say?