"Red Flag" Identity Theft Alert -- Is Your Site In The Cross Hairs?

Posted by bholus10, 11-15-2009, 11:53 AM

In October 2008, the Federal Trade Commission (FTC) announced that it is delaying enforcement of the Red Flag rules six months to May 1, 2009.

The reason for the delay is uncertainty over who is covered. Just who is covered (and therefore liable for failure to comply) is still somewhat confusing. However, if you're not sure you're covered, particularly if you're a SaaS site, you'd better check out the rules carefully in order to avoid liability for failure to comply.

What Are The Red Flag Rules?

The Red Flag rules were adopted in 2003 to combat identity theft.

Finally published in 2007, the Red Flag rules require financial institutions and "creditors" with "covered accounts" to establish identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate a customer-account holder has been victimized by -- or is engaged in -- identity theft.

The Red Flag Rules are aimed primarily at traditional financial institutions. The catch is that many small ecommerce businesses may be classified as "creditors" with "covered accounts" -- and as a result they may be surprised that the rules apply to them.

Who is Subject To The Red Flag Rules?

Financial institutions are subject to the rules, and it's relatively easy to determine who they are -- banks, savings and loans, credit unions, and the like.

"Creditors" with "covered accounts" are also covered by the rules. While it's relatively easy to determine certain types of creditors who deal in covered accounts, in some cases it is relatively difficult.

First, the easy part. Let's start with the definition of a "creditor" -- any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit, or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Examples of businesses classified as creditors which regularly deal in covered accounts are finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

Now, the tricky part. "Covered Accounts" are accounts:

* that are used primarily for personal, family, or household purposes, and that involve multiple payments or transactions; and

* any other account, including a business account, that poses "a reasonably foreseeable risk to customers or the safety and soundness of the ... creditor from identity theft, including financial, operational, compliance, reputation or litigation risks."

The key is whether you sell a service or product that is paid for in full in advance or concurrently with receipt of the service or product. If paid in advance or concurrently with receipt, even if by credit card, you are not dealing in "covered accounts", and you should not be covered by the rules. However, if payment is deferred, you will be dealing in "covered accounts" and thereby covered by the rules.

Here are a few examples:

* subscription payments - annual fees paid in advance would not be a "covered account"; however, if payable monthly or quarterly they would probably be "covered accounts";

* billing rather than collecting payment in full at the time of receipt of product or service - while this practice might be interpreted as extending credit and a "covered account", if payment in full is expected upon receipt of the bill, it would probably not be a "covered account"; and

* usage-sensitive charges - even if you bill in advance, if there are usage-sensitive charges after a service is provided, it would probably be deemed to be a "covered account".
