

SaaS And Ecommerce Sites - Don't Miss the May 1, 2009 Deadline


#1, 11-11-2009, 08:54 AM, bholus10

On March 20, 2009, the Federal Trade Commission (FTC) published its latest guidelines for the Red Flags Rule entitled "Fighting Fraud with Red Flags Rule: A How-To Guide for Business". These guidelines significantly broadened the scope of the applicability of the Red Flags Rule.

Many SaaS and ecommerce websites may now be surprised to learn that they are covered by the Red Flags Rule - and as a result they may face substantial liability for failure to comply.

If your site is covered, you need to comply by the deadline or face civil lawsuits by consumers for actual damages -- and if actual damages can't be proved, nominal damages.

Civil litigants may also recover punitive damages and attorney's fees. In addition, the FTC may initiate administrative proceedings.

What Is The Red Flags Rule?

The idea behind the Red Flags Rule is that by spotting the warning signs of identity theft (the "red flags") in advance, businesses may prevent suspicious conduct from leading to actual identity theft.

The Red Flags Rule requires covered businesses and organizations to adopt an identity theft prevention policy in written form that is designed to identify the red flags and to take steps to prevent and mitigate identity theft.

Who Is Covered By The Red Flags Rule?

The "Red Flags" Rule has been in effect since January 1, 2008, but its enforcement has been delayed until May 1, 2009 due to uncertainty over who is covered.

Financial institutions are covered, including banks, savings and loans, credit unions, and the like. Most SaaS and ecommerce sites clearly do not fall into this category.

The other category of included sites -- "creditors" that deal in "covered accounts" -- is where many SaaS and ecommerce sites could fall, and the boundaries of this category are sometimes difficult to determine even with the latest guidelines from the FTC.

Creditors That Deal In Covered Accounts

In order to determine whether your site is covered by the Red Flags Rule, follow these two steps:

* determine if you are a "creditor", and if you are a creditor, then

* determine if you deal in "covered accounts".

First, let's start with the definition of "creditor" -- any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Obvious examples of businesses classified as creditors which regularly deal in covered accounts are finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

Not-so-obvious examples of creditors would be any site that sells goods or services and allows customers to pay later. While a SaaS site that requires its customers to pay for a single year's subscription in a single payment at sign-up would probably not be a creditor, if payments are monthly, quarterly, or semi-annually, the site probably would be a creditor.

For that matter, any site that allows for invoice billing where immediate payment is not required would be a creditor, including sites that offer programs that permit customers to make no payments at no interest for a period of time.

The definition of "creditor" also covers anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. Examples include third-party debt collectors that regularly renegotiate the terms of a debt. If you regularly extend credit to other businesses, you also are a creditor.

Second, if you also deal in "covered accounts", you're definitely required to comply with the Red Flags Rule. In this analysis, you should consider both existing accounts and potential new ones.

There are two types of covered accounts. The first type is a consumer account that's primarily for personal, family, or household purposes which involves or is designed to permit multiple payments or transactions. These accounts are always covered by the Red Flags Rule.

The second type of account is a covered account only if it involves a reasonably foreseeable risk of identity theft. This gets really tricky due to the lack of certainty regarding what constitutes a reasonably foreseeable risk of identity theft. For example, according to the recent guidelines, this type could include:

* small business (non-personal) accounts, and

* consumer accounts that are single payment accounts (not multiple payment accounts).

Now for the real wake-up call - according to the recent guidelines, you should consider (quoting the FTC) "business accounts that can be accessed remotely - such as through the Internet" as possible accounts that involve reasonably foreseeable risk of identity theft.

What Does This Mean For SaaS And Ecommerce Sites?

If you boil the recent guidelines down, it means that given the FTC's statement in the recent guidelines that Internet-based accounts may involve a reasonably foreseeable risk of identity theft, all SaaS and ecommerce sites -- whether they deal in consumer or small business accounts -- should comply with the Red Flags Rule prior to the May 1, 2009 deadline. These sites should adopt a written Red Flags Identity Theft Policy now.

#2, 11-11-2009, 08:54 AM, bholus10

The cost of compliance with the Red Flags Rule is low, but the penalties for non-compliance are high, so the best recommendation is to resolve all doubt in favor of compliance now.

This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.