Red Flags Rule Disaster Scenario.

You've worked for years trying to make your retail business a success, but the letter you just opened from an attorney threatens to wipe out everything you've worked for. The attorney represents a victim of identity theft and is claiming you have violated something called the Red Flags Rule by selling a "covered" product to an individual that had stolen his client's identity. The words "civil" and "class action" jump from the letter, in addition to "possible fines from the FTC". This must be a mistake. Can a victim of identity theft really sue the owner of a retail business?

The answer is simple. If the identity thief was issued credit from a retail merchant before May 1, 2009, there was very little recourse for identity theft victims against the retailer. However, the date of May 1, 2009, will change retail business as we know it, because that is the mandatory compliance date for the estimated 11 million businesses that must comply with the Federal Trade Commission's Red Flags Rule.

The original mandatory compliance date was November 1, 2008, but after investigating the compliance progress of businesses affected by the law, the FTC realized millions of designated businesses were unaware of their required compliance. In an unprecedented display of mercy, they begrudgingly pushed the mandatory date forward until May 1. The FTC's current position is that "fair warning" has been given and they intend to use a "rolling enforcement" to ensure compliance.

Fines for non-compliant businesses are $2,500-$11,000 per occurrence and may be retroactive. In other words, if your business conducts 1,000 non-compliant transactions over the course of a year, the FTC could fine you $2.5 million. But believe it or not, the FTC may be the least of your worries.

The Rule also includes provisions for civil liability. This means identity theft victims may be entitled to recover damages as a result of a non-compliant violation at your business - with class action sure to follow. That's code for, "Lawyers just love this law!" Although the monetary losses can be measured, what is not known is the damage to your reputation, since you may also be required to contact every one of your credit customers to alert them of a possible identity breach at your place of business (FTC Safeguards Rule).

So, if you are now having trouble breathing and find yourself being pulled toward a bright, celestial light, that's good; that means you get it before it's too late. Get your business compliant immediately and get it behind you.

What Is A Red Flag?

A "red flag" is a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Who Has To Comply, And Why.

Whether or not a business must comply with the Red Flags Rule revolves around the Rule's definition of "creditor". Without quoting the exact definition from the Final Rules, suffice it to say that if any product or service you sell is not paid in full at the time of purchase, you must comply by May 1, 2009.

This broad and encompassing definition designates many businesses traditionally not regarded as a "creditor", such as:

- Retail Businesses - furniture, appliance, jewelry, electronics, cell phone, department and "big box" stores, etc.
- Financial Institutions - banks, credit unions, savings associations, mortgage lenders/brokers and finance companies.
- Transportation Dealers - new and used vehicle, motorcycle, watercraft, RV, and ATV dealers.
- Health Care Providers - hospitals, physicians, medical clinics, chiropractors and assisted living facilities.
- Educational Institutions - universities, colleges, technology institutes, junior colleges, community colleges and vocational colleges.
- Utility Companies - cities, municipalities, power, heating oil, water, telephone and cellular companies.

Two items of note: Your required compliance has nothing to do with whether or not you use credit reports; and, if your business accepts credit cards as its only credit feature, you need not comply.

What Do I Have To Do To Become Compliant?

If you possess a lot of time, patience, and a strong will to live, Google "Final Red Flags Rules", where you will find all of your compliance requirements sprinkled about its 59 pages. Good luck trying to figure it all out.

For those of us existing in the real world, here's what you have to do:

1. Taking information from the Final Rules, you must develop and implement a formal, written Red Flags Rule Program specifically for your type of business. Your Program must include these four elements in addition to several other directives in procedures:

- Identification of Red Flags specific to your business.
- Detection of Red Flags specific to your business.
- Response to detected Red Flags.
- Provisions for updating your program.

Your Program must also include a number of other required procedures such as compliant handling of Notice of Address Discrepancies, fraud alerts, rules for card issuers, plus many more. In other words, plan on your Program being anywhere from 6-8 pages.

Provide formal Red Flags Rule Training for your relevant employees, but more importantly, be able to prove it in case of an inadvertent violation. Your employees should be trained at least yearly, and newly hired staff must be trained immediately. And by the way, "Formal Red Flags Rule Training" does not mean just letting your employees read a copy of your Program.

Your business must have in place procedures to verify the identifying information presented by an individual opening an account, and also to authenticate the actual identity of the individual presenting the identifying information at your place of business.

Here's the catch. To verify the identifying information presented, you cannot use information contained on a credit report, or information generally available from a wallet. Instead, you must search national, state, and federal databases to verify such items as the Social Security Number issue date, whether the individual's DOB matches the SSN issue date, the name of the person assigned to the SSN, whether the SSN is assigned to a dead person... well, you get the picture.

But it doesn't stop there. Searching those same databases, you must now verify their address, the name assigned to the address, all previous addresses associated with the individual, DOB, telephone number, the address the telephone number is assigned to, and so on. Oh, and by the way, many businesses must also search the Federal Treasury's OFAC list (Patriot Act) for suspected terrorists, drug dealers and money launderers. If you are designated by the government to scan that list and don't comply by reporting "hits" to Homeland Security, you could end up with a new bunkmate named "Bubba" in a federal prison... and a fine in the millions! The feds have already hit up one bank to the tune of $80 million in fines and penalties for violating this law. But I digress.

So, you've waded through the plethora of searches to verify the identifying information presented by an individual wanting to open a credit account, but how do you know that the individual presenting the information is actually who they represent themselves to be?

That's right, now you have to deploy a process to authenticate the actual identity of that individual physically inside your place of business. Without this important identity authentication, you may only be verifying stolen identity information from an identity thief who is actually standing in front of you!

According to the Red Flags Rule, you should create several "Challenge Questions" formulated from all of the data searches you performed to verify the identity information. These questions should be framed in such a manner that only the individual in question can answer, and in a timely manner. A few of the questions might be:

"What was your previous area code?"
"Here are four different addresses. Which one is an address previously associated with you?"
"What county issued your Social Security Number?"

The Red Flags Rule establishes no standard for pass/fail, but your business must not open an account for an individual until you have established a "reasonable belief" that the individuals are indeed who they represent themselves to be.

So, there you have it. Compliance requirements compliments of your federal government.

Your Alternatives.

First, beware of companies, usually credit reporting agencies, leading you to believe you will be compliant by just subscribing to their Identity Scan service. As discussed in the previous section, simply verifying identity information is only a small piece of the compliance pie and still leaves your business exposed to civil and federal liability.

Some designated businesses even choose to retain attorneys charging fees between $5,000 - $20,000 to research and develop their compliance Program and Training solutions. That source is always available, but what about the identity verification searches? Very few attorneys have the answer for that requirement except to instruct you to perform the verification searches required for compliance. And, yes, figure a minimum of another 30 minutes added to the time of your sale if you search all of these sources yourself.

You should also beware of compliance providers who wish to sell you a written Red Flags Rule Program Template and pass it off as "one-size-fits-all". Your Program, and Training for that matter, must be relative and appropriate to the compliance requirements specific to your type of industry, i.e., retail, utility, financial, transportation, medical, etc.

However, amid all of this compliance misery, there are a few compliance providers available that offer full compliance services at an affordable price, and this may be your best bet. Some may require you to purchase additional hardware or software, but there are a couple that are web-based and provide "turn-key" compliance solutions.

Regardless of how you become compliant, you cannot afford to ignore this law since you have no way of knowing if you are selling a product to an identity thief. Again, just one non-compliant sale to the wrong person has the potential to wipe out your business. However, the government does give you a "get-out-of-jail-free" card. If you invest in making sure your business is compliant, and can prove it, you invoke the most effective legal defense available should you unwittingly sell a product or service to an identity thief.

Think of compliance performance in terms of a vampire confronted by a cross, because that's the way victims' attorneys react when confronted with proof of total compliance performance. They are well aware that such due diligence on your part creates what is termed "safe harbor" status, meaning probable immunity from prosecution for non-compliance.

So the message here is to get your business Red Flags compliant, and quickly; that celestial light you feel drawing you nearer is actually the fast-approaching deadline of May 1.