New FTC rule may have businesses in N.H. seeing red

If you extend credit to your customers or clients, you have just gotten a reprieve on a federal deadline you may not have known you had to meet.

While many financial institutions, car dealerships and large retailers are gearing up for a new Federal Trade Commission rule designed to safeguard against identity theft, other businesses may only be beginning to realize they are also under the gun for complying with the rule.

The rule went into effect Nov. 1, but enforcement has been suspended by the FTC until May 1, 2009, largely due to the realization that so many businesses didn’t know they were subject to it.

The so-called “Red Flag Rule” was developed in accordance with the Fair and Accurate Credit Transactions Act of 2003. Under the rule, “financial institutions” and “creditors” with covered accounts (accounts that involve multiple payments or transactions) must have identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.

While banks and other financial institutions are the most obvious entities that have to comply with the rule, it turns out that hospitals, colleges, small businesses and nonprofits do as well — if they extend credit to their customers and clients.

According to the FTC, any entity that “regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit” must comply with the rule.

And then there’s the catch-all provision that a “covered account” also can include “any account for which there is a foreseeable risk of identity theft.”

A top priority

Just what are those “red flags”?

According to the final rule, they can include, but are not limited to:

• Alerts, notifications or warnings from a consumer reporting agency

• Suspicious documents, such as those that may appear to be forged

• Suspicious personal identifying information, such as a Social Security number that does not exist or is listed on the Social Security Administration’s Death Master File.

• Unusual use of, or suspicious activity related to, the covered account — such as, shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional or replacement card or cell phone, or for the addition of authorized users on the account.

Banks in New Hampshire are well aware of identity theft and have long worked hard to protect against it, said Gerald Little, president of the New Hampshire Bankers Association.

“Fraud losses are now exceeding robbery losses,” said Little.

As part of a heavily regulated industry, Little said New Hampshire’s banks have made identity theft protection and Red Flag Rule compliance a top priority for awhile.

“We’ve done a lot with our members. We’ve had multiple seminars on the rule and a lot of actions have been taken,” he said. “We’re in an industry, for better or for worse, that is heavily focused on compliance.”

The FTC estimates that as many as 9 million Americans have their identities stolen each year, leading to over $56.6 billion in costs. According to the Better Business Bureau, the average amount lost to fraud per case has increased from $5,249 in 2003 to $6,383 in 2006.

Auto dealers are another group at the focus of the rule, and like the banking industry in New Hampshire, they have been made aware of it.

“We’ve had about 150 dealers sit through three webinars put together by our national association,” said Peter McNamara, president of the New Hampshire Auto Dealers Association. “They also received a 100-page booklet detailing the rule, also created by the national association.”

He also said the local association has fielded “a ton” of calls from its members about the Red Flag Rule.

“The education is there. I hope the awareness is too,” said McNamara.

He said he was glad the FTC extended the enforcement deadline because putting together a plan is not a quick process.

“You have to sit down with your board of directors and go through your entire operation as to where ID theft might occur, identify pertinent red flags, then put something in writing,” he said.

Getting the word out

Another group of businesses in New Hampshire that must comply with the rule is hospitals.

“Hospitals have always had identity protections,” said Leslie Melby, vice president of state/government relations for the New Hampshire Hospital Association. “There is now a lot of cross-referencing between existing policies and an ID theft protection policy meeting the FTC’s rule. We may need to incorporate more policies and procedures. Of course, this is more regulation that takes time to comply with, but it is understandable because ID theft is taken very seriously.”

Still, the rule — and its deadline — came as something of a surprise to hospitals.

“We are really learning as we go,” said Melby.

Nancy Kyle, president of the Retail Merchants Association of New Hampshire, said she thinks the rule will have far more impact on financial institutions and not so much on small store owners.

“Most retailers that extend credit are the larger ones, like Sears or J.C. Penney, and go through a third party,” she said.

Still, she said the rule was a surprise.

“It did come up and surprise everybody. People are reaching out and getting the word out, from the national newsletters I get,” said Kyle.

She said most of the retail members she works with through the association keep credit card information under lock and key and truncate the numbers, among other privacy security measures.

“Hackers probably won’t hack into the system of a sole proprietor,” she said. “Stores have rules with Visa and MasterCard to comply with anyway.”

Michelle Dunn of Plymouth, a nationally recognized credit and collections expert and founder of Michelle Dunn’s Credit and Collections Association LLC, said that debt collectors are probably considered “creditors” under the rule and need to comply. “But whether that applies to accounts of their customers or the debtors themselves is unclear.”

Susan LeDuc, regulatory specialist at the Concord law firm of Gallagher, Callahan & Gartrell, said, “The real benefit of rules is increased awareness for all consumers” about identity theft.

“The items of concern, aka ‘red flags,’ may indicate where you could be exposed to a fraud problem. As more people become aware of them, the better the response will be.”

LeDuc said larger companies are not necessarily the ones most at risk. Small businesses without formal security and compliance departments could be prey for ID thieves.

“And one of the biggest problems is not just the bad guys, but consumers who unknowingly expose their information to them,” she added.

While information about the Red Flag Rule can be a little hard to find — there was no readily apparent announcement on the FTC Web site’s homepage or a press release on or about Nov. 1 in the press release archives about the original compliance deadline — it is available with some digging.

Frank Dorman, FTC public affairs representative, wrote in an e-mail to NHBR telephone queries:

“The Rule applies to financial institutions and creditors. A creditor includes anyone who regularly extends credit to their customers, but the definition is not limited to that and can be broader. Here’s what we say in our business alert:

‘A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.’”

Dorman wrote that civil penalties can be up to $2,500 per violation.

He also said FTC’s enforcement of the Red Flag Rule would be, “as for all of this agency’s enforcement efforts, i.e., in response to consumer complaints.”

LeDuc added: “If any good news can come from ‘more rules,’ the Red Flag Rule does list potential problems and how to deal with them. None of us can be too careful.”

Cindy Kibbe can be reached at ckibbe@nhbr.com.

Shedding light on the Red Flag Rule

For more information on the Red Flag Rule, examples and whether it applies to your business, visit these Web sites:

• Federal Trade Commission — www.ftc.gov

• “The ‘Red Flags’ Rule: Are You Complying with New Requirements for Fighting Identity Theft?” — www.ftc.gov/bcp/edu/pubs/articles/art10.shtm

• “New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft” — www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm

• Federal Register: “Identity Theft
Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule” — www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

• Fair and Accurate Credit Transactions Act of 2003 —www.ustreas.gov/offices/domestic-finance/financial-institution/cip/pdf/fact-act.pdf