New Red Flag Rules Affect Small Business and Identity Theft
Every business that extends credit or that facilitates the extension or processing of credit to consumers will soon need to comply with the “Red Flag Rules” developed in accordance with the Fair and Accurate Credit Transactions Act of 2003. These rules, promulgated by the Federal Trade Commission, the Federal Reserve and other financial regulators, are effective August 1, 2009.
Purpose
The purpose of the Rules is to protect against identity theft occurrences and to create a system of accountability for financial institutions and businesses that handle consumer credit information. The Rules mandate that businesses participate in the identification, detection and response to patterns, practices or specific activities known as “red flags” that can indicate identity theft.
Who Must Follow the Rules?
Red Flag Rules apply to “financial institutions” and “creditors” for “covered accounts”.
Generally speaking, financial institutions are banks, credit unions or similar entities. While many of these entities are already regulated by state and federal regulatory bodies, the Rules are broader in scope with their mandate to preserve consumer information.
More substantial and impactful to small business is the definition of a “creditor.” A creditor under the Rules means: (1) any entity that regularly extends, renews or continues credit; (2) any entity that regularly arranges for the extension, renewal or continuation of credit; or (3) any assignee of an original creditor who is involved in the decision to extend, renew or continue credit. Under the Rules, “credit” is broadly defined and includes any products or services for which a consumer may pay after the delivery of the product or service. As such, simultaneous sales, such as a retail situation, would not be covered under the Rules. However, credit accounts would include professional services (e.g., accountants, dentists, doctors, chiropractors and attorneys), utilities, telecommunications and possibly even non-profit institutions such as private schools. Covered Accounts are accounts used mostly for personal, family or household purposes that include multiple payments or transactions. Wide latitude is given in these definitions, which can include small business or sole proprietorship customer accounts.
Red Flag Compliance
Under the Rules, businesses must develop a written policy that identifies and detects relevant warning signs of identity theft. Each policy should be drafted in such a way as to help identify unusual account activities such as fraud, suspicious applications, discrepancies in mailing addresses, unusual credit activity, drastic payment patterns and consumer complaints. The written program should describe the process for handling red flag scenarios and the plan for maintaining the program. The Rules are not meant to be inflexible, and each business should design and implement its own program that is appropriate to the size and complexity of the credit available to the consumers serviced by the business. As a general rule of thumb, the Rules require that “reasonable” policies and procedures be implemented and documented. The Federal Trade Commission continues to provide guidance to small businesses and has made a number of resources available to assist in the implementation of the Rules.
Why Should My Business Participate?
Legal commentators are beginning to forecast the Rules’ impact on small businesses. Aside from potential regulatory penalties, there also exists the possibility of establishing a new legal precedent in terms of the duty of care owed to the credit information of a business’s customers. Failure to institute a written Red Flag Policy and follow its procedures could establish negligence on the part of a business, subjecting the business to possible liability for damages resulting from identity theft. The Rules may also be used in conjunction with state private attorney general statutes that could subject violators to pay for claimants’ attorneys’ fees and costs. Regulatory investigation also poses an injunctive threat to certain businesses, along with lost time, opportunity costs and productivity concerns.
What Should Be Done?
Each business should audit the credit that it extends to its consumers. A business should take note of the size and scope of the credit facilities it offers and the manner and means in which it extends credit. Following the audit, businesses should engage appropriate professionals to assist the business in creating a written policy to comply with the Red Flag Rules and to identify any problem areas not already discovered by internal investigation. As a general rule of thumb, and consistent with good business and legal practices, businesses should be sure to:
- Keep data secure and invest in appropriate software to guard information on computing systems;
- Develop a shredding policy for files that are no longer in use;
- Develop file storage safeguards and, in certain situations, place key documents under lock and key or under the direct control of authorized persons; and
- Train employees to keep information confidential and to report unusual activity.

