Red Flags Rule Compliance: Who Must Comply. And Why
August 25th, 2009 -- Posted in Uncategorized | No Comments »Red Flags Rule Disaster Scenario
You’ve worked for years trying to make your retail business a success, but the letter you just opened from an attorney threatens to wipe out everything you’ve worked for. The attorney represents a victim of identity theft and is claiming you have violated something called The Red Flags Rule by selling a “covered” product to an individual who had stolen his client’s identity. The words “civil” and “class action” leap from the letter, in addition to “possible fines from the Federal Trade Commission”.
After all, your business only arranged the financing for the alleged identity thief through an outside lender, so surely a victim of identity theft can’t really sue the owner of a retail business – or can they?
As identity theft continues to spiral upward unchecked, the federal government’s Red Flag Rules were framed for designated businesses and institutions to be at the forefront to protect United States citizens. Consequently, the date of November 1, 2009, will change retail business as we know it since that is the mandatory compliance date for the estimated 11 million businesses and institutions which must comply with the FTC’s Red Flags Rule. After November 1, identity theft victims will indeed have the right to pursue civil actions against a non-compliant business or institution.
The original mandatory compliance date was November 1, 2008, but after investigating the compliance progress of businesses affected by the law, the FTC realized millions of designated businesses were unaware of their required compliance. In an unprecedented display of mercy, they begrudgingly pushed the mandatory compliance date forward, first to May 1, 2009, and now to November 1, 2009. This in itself should signal how serious the FTC takes this law as they have issued “fair warning” of their intent to roll out thousands of agents for what they term “rolling enforcement” to ensure compliance.
Fines for non-compliance range from $3,500-$11,000 per occurrence and may be retroactive. In other words, if your business conducts 1,000 non-compliant transactions over the course of a year, the FTC could fine you $3.5 million. But believe it or not, the FTC may be the least of your worries.
The Rule also includes provisions for civil liability. This means identity theft victims may be entitled to recover damages as a result of a non-compliant violation at your business – with class action surely to follow. All of this is code for, “Lawyers just love this law!” Although the monetary losses can be measured, what is not known is the damage to your reputation since you may also be required to contact every one of your credit customers to alert them of a possible identity breach at your place of business (FTC Safeguards Rule).
So, if you are now having trouble breathing and find yourself being pulled toward a bright, celestial light, that’s good; that means you get it before it’s too late. Now’s the time to make your operation Red Flags Rule compliant and get it behind you.
What is A Red Flag?
A “red flag” is a pattern, practice, or specific activity as spelled out within the Rule which indicates the possible existence of identity theft.
Who Has To Comply With The Red Flag Rules – And Why.
First, the Rules have nothing to do with whether or not your operation uses credit reports, and even if your only offering of credit is to send a customer’s credit report to a third party lender, you must comply.
The litmus test applied by the federal government for designated compliance revolves around the Rule’s own definition of a “creditor”. Without quoting the entire definition from the Final Rules, here’s the simple version: If the product or service you sell or provide is not paid in full at the time of purchase, you must comply.
This broad and encompassing definition designates many businesses traditionally not regarded as a “creditor” such as:
Retail Businesses – furniture, appliance, jewelry, electronics, cell phone, department, and “big box” stores. Financial Institutions – banks, credit unions, savings association, mortgage lenders/brokers, and finance companies. Transportation Dealers – new and used vehicle, motorcycle, watercraft, RV, and ATV dealers. Health Care Providers – hospitals, physicians, medical clinics, chiropractors, and assisted living facilities. Educational Institutions – universities, colleges, technology institutes, junior colleges, and community colleges. Utility Companies – cities, municipalities, power, heating oil, water, telephone, and cellular companies.
Please Note: If your business accepts credit cards as its only credit method, you need not comply.
What Do I Have To Do To Become Red Flags Rule Compliant?
If you possess a lot of time, patience, and a strong will to live, then Google, “Final Red Flags Rule”, where you will find all of your compliance requirements sprinkled about its 59 pages of federal law. Good luck trying to figure it all out.
For those of us existing in the real world, here’s what you have to do:
1. You must develop and implement a formal, written Red Flags Rule Policy specifically for your type of business. Your Policy must include these four elements in addition to several other directives in procedures:
Identification of Red Flags specific to your type of operation. Detection of Red Flags specific to your business. Response to detected Red Flags.
Your Policy must also include a number of other required procedures such as compliant handling of Notice of Address Discrepencies, fraud alerts, rules for credit card issuers, plus many more. In other words, plan on your Policy to be anywhere from 6-8 typewritten pages.
2. Provide formal Red Flags Rule Training for all relevant employees. But more importantly, be able to prove it in case of an inadvertent violation. Your employees should be trained at least yearly, and of course, newly hired staff must be trained immediately. And by the way, “formal Red Flags Rule Training” does not mean just letting your employees read a copy of your Policy.
3. Your business must have in place procedures to both verify the identifying information presented by an individual opening an account, and also to authenticate the actual identity of the individual presenting the identifying information at your place of business.
The Required ID Verification And Authenticating Process.
Here’s the catch. To verify the identifying information presented to you by an individual opening a new covered account, you cannot use information contained on a credit report or even information generally available from a wallet. Instead, you must search national, state, and federal data bases to verify such items as the Social Security Number issue date, does the individual’s DOB match the SSN date, the name of the person assigned to the SSN, is SSN assigned to a dead person… well, you get the picture.
But it doesn’t stop there. Searching those same data bases, you must also verify their address, the name assigned to the address, all previous addresses associated with the individual, DOB, telephone number, the address the telephone number is assigned to, and so on.
And while we’re at it, let’s go ahead and throw in another law many designated businesses ignore, or have no knowledge of their required compliance – the Federa
l Treasury’s OFAC (U.S. Patriot Act) list of suspected terrorists, drug dealers and money launderers. If you are so designated by the federal government to scan that list and don’t comply by reporting “hits” to Homeland Security, you could end up in federal prison with a new bunkmate named “Bubba”… plus a fine in the millions! In fact, the feds have already dropped an $80 million fine on a bank for non-compliance with this law. But I digress. Let’s get back to your required Red Flags ID verification and authenticating process.
After muddling through the required data searches to verify the identifying information presented by an individual, how can you possibly know that the individual presenting the information is actually who they represent themselves to be? That’s right, now you need to deploy a process to authenticate the actual identity of that individual physically inside your place of business. Without this important identity authentication, you may doing nothing more than verifying stolen information presented to you by an identity thief that is actually standing in front of you!
According to the Red Flag Rules, you should create several “Challenge Questions” formulated from all of the data searches you performed to verify the identity information. These questions should be framed in such a manner that only the individual in question can answer, and in a timely manner. A few of the questions might be:
“What was your previous area code?”
“Here are four addresses. Which one is an address previously associated with you?”
“What county issued your Social Security Number?”
The Red Flags Rule establishes no standard for pass/fail, but your operation must not open a covered account for an individual until you have established a “reasonable belief” that individuals are indeed who they represent themselves to be.
So there you have it. Compliance requirements courtesy of your federal government.
Your Alternatives.
First, beware of companies, usually credit reporting services, leading you to believe you will be compliant by just subscribing to their Identity Scan service. As discussed in the previous section, simply verifying identity information is only a small piece of the compliance puzzle and still leaves your business exposed to civil and federal liability.
Some designated businesses even choose to retain attorneys charging $5,000 – $20,000 to research and develop their compliance Policy and Training solutions. That source is always available, but what about the identity verification searches? Very few attorneys have the answer for that requirement except to instruct you to perform the searches required for compliance, and yes, figure a minimum of another 30 minutes added to the time of your sale if you search all the sources yourself.
You should also be aware of compliance providers who wish to sell you a written Red Flags Rule Policy Template and passing it off as “one-size-fits-all”. Your Policy, and Training for that matter, must be relative and appropriate to the compliance requirements specific to your type of industry, i.e., retail, utility, financial, transportation, medical, etc.
However, amid all of this compliance misery, there are a few compliance providers available that offer full compliance services at an affordable price, and this may be your best bet. Some may require you to purchase additional hardware or software, but there are a couple that are totally web-based and provide turn-key compliance solutions.
Regardless of how you become compliant, you cannot afford to ignore this law since you have no way of knowing if you are selling a product to an identity thief. Again, just one non-compliant transaction to the wrong person has the potential to wipe out your business. However, the government does give you a “get-out-of-jail-free” card. If you invest in making sure your operation is Red Flags Rule compliant, and can prove it, you invoke the most effective legal defense available should you unwittingly sell a product or service to an identity thief. Think of compliance performance in terms of a vampire confronted by a cross, because that’s the way attorneys react when confronted with proof of compliance performance. They are well aware that such due diligence on your part creates what is termed, “safe harbor” status, meaning probable immunity from prosecution for non-compliance.
So the message here is to get your operation compliant, and quickly; that celestial light you feel drawing you nearer is actually the fast approaching deadline of November 1..