November 13, 2008

FTC Red Flags Rule Overview for Associations


Update:  On May 28, 2010, at the request of several Members of Congress, the Federal Trade Commission announced it is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC indicated that it will begin enforcement as of that effective date.

When evaluating your association's compliance with various federal regulatory requirements, remember the Federal Trade Commission's ("FTC") Red Flags Rule, with which compliance is mandatory by June 1, 2010 (extended from November 1, 2009). If you fall within the Rule's coverage, you must develop, implement, and administer a written Identity Theft Prevention Program ("ITPP"). Even if your association isn't required to have an ITPP, you at least may have to do a risk assessment to decide if the "credit" arrangements you enter into with your members, conference attendees, exhibitors, sponsors, advertisers, publication purchasers, and others present a reasonably foreseeable risk of identity theft ("ID theft"), which the Rule defines as a fraud committed or attempted using the identifying information of another person without authority. "Red Flags" means a pattern, practice, or specific activity that indicates the possible existence of ID theft. In addition to determining if and how the Rule applies to your association, you may want to help your members assess and deal with their own compliance obligations.

Is my association covered by the rule?

The Red Flags Rule applies to (i) financial institutions and "creditors" that (ii) offer or maintain one or more "covered accounts." With respect to the first requirement, the Rule adopts a broad definition of "creditor," which includes any person that regularly extends or arranges for the extension of credit. A transaction is "credit" if there is a right to defer payment of a debt - regardless of whether the debt is for personal or commercial purposes, the number of installments required for repayment, or whether the transaction is subject to a finance charge.

The FTC stated that any person that provides a product or service for which payment occurs "after delivery" is a creditor, and it specifically identified "non-profit... entities that defer payment for goods or services" as an example of creditors that are covered by the Rule. The Rule's broad definition of "credit" seems to cover payment relationships entered into by many associations, including where the association invoices members or others for goods and services already provided, and allows the amount due to be paid in multiple installments. However, merely accepting credit cards as a form of payment does not make you a "creditor" under the Rule.

As for the second requirement, a "covered account" exists if you offer credit to or maintain credit with (i) "consumers" (persons who have been provided credit mostly for personal, family, or household purposes), where the account involves multiple payments or transactions, or (ii) others, such as small businesses and sole proprietorships, if there is a reasonably foreseeable risk of ID theft to you or to them. In order to decide if a reasonably foreseeable risk of ID theft is present, you should consider the risks associated with how the accounts may be opened or accessed - that is, what type of interaction and documentation is required - as well as your own experience with ID theft involving those accounts.

Therefore, you first need to determine whether your association is covered by the Rule:

  1. If you offer credit to or maintain credit with consumers that involves multiple payments or transactions, you possess a covered account and have to develop, implement, and administer an ITPP;
  2. If you do not offer credit to or maintain credit with consumers, you must determine whether you offer credit to or maintain credit with non-consumers (this probably exists where you bill your members for goods or services already provided):
    1. If you do not, you do not have to have an ITPP;
    2. If you do, determine whether there is a reasonably foreseeable risk of ID theft (to you or the other entity) by performing a risk assessment as described above;
  3. If the risk assessment shows that a reasonably foreseeable risk of ID theft exists to you or the other entity, you must have an ITPP;
  4. If the risk assessment reveals that a reasonably foreseeable risk of ID theft does not exist to you or the other entity, you do not need to develop an ITPP; BUT:
  5. You still should perform an initial risk assessment to back up your decision, and annual risk assessments after that to make sure your initial determination is still valid. Make sure that you properly document your risk assessments.

We're covered! So what do we do next?

The basic requirements of the Rule involve eight steps:

Step 1: Appoint a Red Flags Manager
Step 2: Conduct a risk assessment
Step 3: Create a written Red Flags Program
Step 4: Have Board of Directors Approve Red Flags Program
Step 5: Train appropriate personnel
Step 6: Monitor service providers
Step 7: Keep program up-to-date
Step 8: Periodically report to the Board of Directors

The association should designate an employee at the level of senior management, such as the treasurer or finance director, to oversee the development, implementation and administration of the ITPP. This "Red Flags manager" should then conduct a risk assessment, beginning by determining which accounts are "covered accounts". Look carefully at any commercial transactions beyond simple association memberships: are goods and/or services sold to members or non-members (such as those identified at the outset of this article) and paid for, or payable, in installments? The program must then identify the ID theft red flags relevant to those covered accounts.

The Rule gives 26 examples of red flags, but these are just illustrative and are not intended to be exhaustive; there may be others that are unique to your association and its activities, programs and services. However, you must at least consider these 26 guidelines and include those in your program that are appropriate. The examples fall into five general categories:

  1. Alerts, Notifications, or Warnings from a Consumer Reporting Agency - these could be a fraud or active duty alert, or a notice of credit freeze or address discrepancy.
  2. Suspicious Documents, such as IDs that appear to have been altered or forged, or a photograph, physical description, or other information on the ID that is inconsistent with the appearance of or the information provided by the person presenting the ID.
  3. Suspicious Personal Identifying Information - some examples:
    1. Applicant's personal identifying information provided is inconsistent when compared against your external information sources.
    2. Applicant's personal identifying information is inconsistent with other personal identifying information s/he provides.
    3. The address on the application is the same as an address provided on a fraudulent application, or is fictitious, a mail drop, or a prison; the phone number is invalid, or is associated with a pager or answering service.
    4. The applicant fails to provide all required personal information on the application, or the information provided is inconsistent with information you have on file.
  4. Unusual Use or Suspicious Activity Related to Covered Account - look for strange changes, such as:
    1. Shortly after your member changes his/her address on account, you receive a request for a new, additional, or replacement card, or for the addition of authorized users on the account.
    2. A member's new account is used in a manner commonly associated with known fraud patterns, or inconsistent with established patterns of activity on the account; or a member's account that has been inactive for a reasonably lengthy period of time is suddenly being used.
    3. Mail you send to your member is returned repeatedly as undeliverable although new transactions continue to be posted to the account.
    4. You are notified of unauthorized transactions or charges in connection with your member's account.
  5. Notices of Possible Identity Theft - you are notified by a customer, a victim of ID theft, a law enforcement authority, or any other person that you have opened a fraudulent account for a person engaged in ID theft.
Once you have identified your relevant ID theft red flags, the program must set forth procedures to detect them and to respond appropriately to them, to prevent or at least reduce the impact of ID theft. The board of directors or an appropriate committee of the board (such as the executive committee) must then approve the initial written program. Note that your association's board of directors or the appropriate committee must perform this initial approval itself. Thereafter, the board, a committee, or designated senior management may update the program.

The Red Flags manager's oversight should include assigning specific responsibility for the program's implementation. It is important to train all appropriate personnel to implement the program effectively - depending on how your association is organized, this could include a wide variety of individuals in diverse positions.

The Rule requires any creditor that engages a service provider to perform any activity in connection with any covered accounts to "take steps to ensure that the service provider's activity is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft." Look to see if any of your vendors provide services that may trigger one of the red flags described above. Require the service provider by contract to have policies and procedures to detect the relevant red flags that may arise as it performs services for you, and either to report them to you or to take appropriate steps to prevent or mitigate ID theft.

Make sure you keep your ITPP current: the Red Flags manager must update the program periodically, and several events may also trigger an update:

Actual ID theft
Discovery of new ways ID thieves access accounts
Discovery of new ways to detect ID theft (e.g., new technology)
Changes in types of accounts offered (e.g., new extended payment plans offered)
Changes in business organization or arrangements (e.g., associations merge, new service provider)

Staff responsible for implementing the program should, at least once a year, report to the Board of Directors, an appropriate committee thereof, or the Red Flags manager, addressing issues related to the program such as:

Effectiveness of program
Service provider arrangements
ID theft incidents
Recommendations for material changes to program

The program must be updated periodically based upon newly-discovered ID theft risks to customers and/or the association. The board of directors, an appropriate board committee, or the Red Flags manager should review these reports and approve material changes to the program as necessary to address these changing ID theft risks.


  • The FTC is authorized to bring enforcement actions in federal court for Rule violations, and seek up to $2,500 in penalties for each independent violation. While the FTC itself does not have jurisdiction over philanthropic and similar nonprofits (it does have jurisdiction over trade and professional associations generally), the FTC clearly views all nonprofits as "creditors," if they defer any payments for goods or services. Such nonprofits thus are covered by the Rule irrespective of whether the FTC otherwise has jurisdiction over them.
  • State enforcement agencies do not have this jurisdictional bar, and they are authorized to bring administrative actions on behalf of their residents and may recover up to $1,000 for each willful violation, as well as costs and reasonable attorneys' fees if successful. Although there is no private right of action for noncompliance with the Rule, victims of ID theft may be able to bring claims under other theories of liability such as private torts.


Many associations will be considered "creditors" under the FTC Red Flags Rule, and many of these associations will have "covered accounts" as defined by the Rule. It is crucial that all associations coming within the Rule's coverage have an ITPP in place by the compliance deadline, which was May 1, 2009 when this article was first published and has since been extended to June 1, 2010 (see the update at the top of this article on the further delay of enforcement). Many associations already have procedures in place to catch some of these "red flags." The Rule requires covered associations to institutionalize those procedures and to develop, and have approved, a written plan by that deadline.


This article was published in the November 2008 issue of Roundtable's Far Sight.