The August 1, 2009 deadline for mandatory compliance with the Federal Trade Commission's (FTC) "Red Flags" Rules is just over the horizon. By that date, companies must have a written and senior management-approved program in place to detect, mitigate and respond to instances of identity theft. Business-to-business and trade creditors fall under the definition of "creditor" used in the regulation, though they may not have to comply with the rule if they do not have accounts that have a "reasonably foreseeable risk" of identity theft.
On Tuesday, July 14th, NACM met with FTC attorneys to discuss the "Red Flags" Rules. Over the last couple of weeks, as NACM collected comments from members about any lingering concerns they had about the Rules, it became clear that the fluid language of "reasonably foreseeable risk" was the top issue. This persistent uncertainty exists because the language is open to such broad interpretation and because companies are given the authority to make their own determination about what risks their accounts face. Attorneys with the FTC reasserted that since the legislation impacts a wide range of industries, it is impossible to try to enforce a concise set of factors. The agency believes that companies are best suited to identify what risks their accounts face and how to respond to them. The agency also contends that if the rules' oversight is too constrictive, more problems will arise.
Since the "Red Flags" Rules were enacted in January 2008, the mandatory date for compliance has been pushed back twice. At the time of the July 14th meeting between NACM and the FTC, there was no move to delay mandatory compliance further, but the agency admitted that the possibility does exist. Nonetheless, business-to-business creditors that will be affected by the rules should continue to develop and implement programs, even if just from a best practices standpoint.
For credit managers, as has been stressed over the many months that NACM has covered the "Red Flags" issue, the tenets of the regulation are likely already in place. The Rules target frontline functions, such as sales, that don't always practice due diligence. Credit departments are the corporate functions that are seeking to verify the identity of potential customers as well as their ability to pay. The FTC believes that the "Red Flags" Rules can be a cross-functional communication tool, making a business more secure by facilitating greater responsibilities and communication between the frontline and back office elements.
The establishment of the Consumer Financial Protection Agency (CFPA) and its possible effect on the future oversight of the "Red Flags" Rules was also discussed in the meeting. As the regulation is written, the FTC does not foresee its responsibilities for oversight of the rules being swept under the authority of the new agency. Attorneys with the FTC also stressed that enforcement of the rules will be "good faith effort"-based in the beginning; therefore, as long as companies have tried to establish a written set of procedures to respond, detect and mitigate identity theft, they shouldn't have to worry about facing the $3,500 maximum penalty for each violation of the regulation.
If members have questions or concerns about the FTC's "Red Flags" Rules, they can visit the FTC's website at www.ftc.gov, where the agency has developed an FAQ, a business guide to the regulations and a template for low-risk companies. Members can also turn to the March 2009, May 2009 and July/August 2009 issues of Business Credit magazine for information on the topic.
Matthew Carr, NACM staff writer