Red Flags Rule Compliance - B2B Companies Aren't Necessarily Exempt!
Originally published: April 2013
According to the latest Javelin Strategy & Research report, there were 12.6 million identity theft victims in the United States in 2012 (up from 11.6 million in 2011). That amounts to an identity theft taking place nearly every three seconds. As incidents continue to increase, identity theft is becoming a serious problem worldwide.
In 2008, the US Federal Trade Commission (FTC), together with the US Federal Deposit Insurance Corporation (FDIC), the US Federal Reserve System and other US agencies, created the “Red Flags” Rule in an effort to provide those at risk with some measure of protection.
What is the Red Flags Rule?
The Red Flags Rule, based on Sections 114 and 315 of FACT (Fair and Accurate Credit Transactions Act of 2003), requires financial institutions and creditors to develop and implement internal programs designed to prevent identity theft and mitigate its results. According to this Rule, such programs must effectively identify, detect, and respond to certain indicators of possible identity theft labeled “red flags”. These include patterns, practices, and specific activities that have been known to be associated with identity theft in the past, including:
- Unusual patterns in the use of credit, such as recent increases in inquiries, new credit accounts or accounts closed.
- Documents containing information that is inconsistent with what the person applying for credit has provided.
- Suspicious Social Security numbers (SSNs), such as when the SSN supplied has not been issued yet or is listed on the Social Security Administration's Death Master File.
- Use of an inactive account.
- Mail sent to the account holder is returned while transactions continue.
The Rule mandates that Red Flags programs be in place for financial institutions, creditors or any other entities holding a “transaction account” belonging to a consumer.
Trade Creditors and the Red Flags Rule
According to the original wording of the Fair and Accurate Credit Transactions Act, a creditor was “any entity that regularly extends, renews or continues credit; any entity or that entity's assignee that regularly arranges for the extension, renewal, or continuation of credit.” This definition caused confusion because it implied that all creditors were accountable for following the FACT rules. In December 2010, the Red Flag Program Clarification Act amended the definition to a creditor that “regularly, and in the ordinary course of business:
- Obtains or uses consumer reports in connection with a credit transaction,
- Furnishes information to consumer reporting agencies in connection with a credit transaction; or
- Advances funds to or on behalf of a person who has an obligation of repayment.”
Under the Clarification Act, creditors that fall under any of these three categories must comply with the Red Flags Rule.
Therefore, if your company obtains or uses consumer reports on the principals of a small business, a personal guarantor, a sole proprietorship or a mom-and-pop store, you are required to “develop and implement internal programs designed to prevent identity theft and to mitigate its results when identity theft occurs”.
Red Flags Rule Compliance
Under FACT, each entity is encouraged to develop and implement its own written Identity Theft Prevention Program. The law lists four basic requirements:
- identify business-specific identity theft “red flags”;
- define procedures to detect red flags in its day-to-day operations;
- act to prevent and mitigate harm when red flags are identified; and
- develop, implement and maintain a red flags program appropriate to the nature of its operations, size and complexity.
In practical terms, your program should:
- Designate a program coordinator.
- Identify all covered accounts.
- Determine identity theft red flags specific to your company/industry.
- Develop a written Identity Theft Prevention Program.
- Ensure the program contains your Policies and Procedures regarding identity theft.
- Maintain documented proof that any vendors you share sensitive information with are compliant.
- Develop an employee training program and train all employees who handle sensitive information how to identify and respond to Red Flags.
- Have a policy in place to notify affected customers should an identity theft event occur.
- Obtain Board of Directors’ or Top Executive’s approval of the plan.
- Perform periodic audits of the plan.
- Provide annual reports of compliance efforts.
Penalties for Non-Compliance
While the FTC does not conduct routine compliance audits, it will perform an audit in response to a complaint. If your company is covered by the Red Flags Rule, non-compliance will result in a financial penalty.
- Federal Penalty: $2,500 per individual incident
- State Penalty: $1,000 per individual incident
- Penalty after Regulatory Warning: $11,000 per individual incident
The purpose of the FTC and other agencies in developing the Red Flags Rule was to protect individuals from identity theft. However, companies engaged solely in business-to-business (B2B) transactions need to be aware of the definitions and requirements of the Rule. Simply obtaining or using consumer reports in connection with credit transactions can put your organization under the Red Flags Rule. Given the monetary penalties that may be imposed for each instance of non-compliance, it's important to seek your attorney’s advice in determining where your company stands in regard to the Fair and Accurate Credit Transactions (FACT) Act of 2003 and the Red Flags Rule.