

"Red Flag" Identity Theft Alert -- Is Your Site In The Cross Hairs?


  #1  
11-15-2009, 11:53 AM
bholus10

In October 2008, the Federal Trade Commission (FTC) announced that it is delaying enforcement of the Red Flag rules six months to May 1, 2009.

The reason for the delay is uncertainty over who is covered. Just who is covered (and therefore liable for failure to comply) is still somewhat confusing. However, if you're not sure you're covered, particularly if you're a SaaS site, you'd better check out the rules carefully in order to avoid liability for failure to comply.

What Are The Red Flag Rules?

The Red Flag rules were adopted in 2003 to combat identity theft.

Finally published in 2007, the Red Flag rules require financial institutions and "creditors" with "covered accounts" to establish identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate a customer-account holder has been victimized by -- or is engaged in -- identity theft.

The Red Flag Rules are aimed primarily at traditional financial institutions. The catch is that many small ecommerce businesses may be classified as "creditors" with "covered accounts" -- and as a result they may be surprised that the rules apply to them.

Who is Subject To The Red Flag Rules?

Financial institutions are subject to the rules, and it's relatively easy to determine who they are -- banks, savings and loans, credit unions, and the like.

"Creditors" with "covered accounts" are also covered by the rules. While it's relatively easy to determine certain types of creditors who deal in covered accounts, in some cases it is relatively difficult.

First, the easy part. Let's start with the definition of a "creditor" -- any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit, or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Examples of businesses classified as creditors which regularly deal in covered accounts are finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

Now, the tricky part. "Covered Accounts" are accounts:

* that are used primarily for personal, family, or household purposes, and that involve multiple payments or transactions; and

* any other account, including a business account, that poses "a reasonably foreseeable risk to customers or the safety and soundness of the ... creditor from identity theft, including financial, operational, compliance, reputation or litigation risks."

The key is whether you sell a service or product that is paid for in full in advance or concurrently with receipt of the service or product. If paid in advance or concurrently with receipt, even if by credit card, you are not dealing in "covered accounts", and you should not be covered by the rules. However, if payment is deferred, you will be dealing in "covered accounts" and thereby covered by the rules.

Here are a few examples:

* subscription payments - annual fees paid in advance would not be a "covered account"; however, if payable monthly or quarterly they would probably be "covered accounts";

* billing rather than collecting payment in full at the time of receipt of product or service - while this practice might be interpreted as extending credit and a "covered account", if payment in full is expected upon receipt of the bill, it would probably not be a "covered account"; and

* usage-sensitive charges - even if you bill in advance, if there are usage-sensitive charges after a service is provided, it would probably be deemed to be a "covered account".

  #2  
11-15-2009, 11:54 AM
bholus10
Red Flag Rule Requirements

What is a "red flag"? A "red flag" is essentially a formal notice of identity theft activity or suspicious documents, transactions, or activities that may indicate identity theft.

The Red Flag rules require each financial institution and creditor with covered accounts to develop and implement an identity theft prevention program. The program must be in writing and be designed to:

* identify red flags,

* detect red flags,

* respond to red flags, and

* be approved by the board (or committee) of the entity and designated senior employee to be responsible for the oversight, development, implementation and administration of the program.

Conclusion

SaaS sites and any ecommerce site that offers services or products on a subscription basis should review applicability of the Red Flag rules very carefully.

Although the compliance deadline for the Red Flag rules has been extended to May 1, 2009, sites that are covered should begin the implementation of their identity theft prevention program as soon as possible.

The FTC and other consumer groups are expected to monitor closely the implementation of these programs after the compliance deadline.

Failure to comply may result in civil lawsuits by consumers for actual damages -- and if actual damages can't be proved, nominal damages. Civil litigants may also recover punitive damages and attorney's fees. In addition, the FTC may initiate administrative proceedings.