New FTC “Red Flag” Rules Mean Online Deals with Criminals Can Be Punished
According to new rules promulgated by the U.S. Federal Trade Commission (FTC), companies are now on the hook for their business dealings, even with customers on the Internet, should what they sell be used for criminal or terrorist activities. The punishments include six-figure fines and even jail time. The new standard is known as the FTC's “Red Flag” rules, which have already been passed and are due to go into law January 2009, but businesses must be compliant to them by November 1, 2008S. Yet many businesses are still in the dark about this new regime.
Some analysts believe these rules must go through a period of public enforcement before they become commonplace knowledge. Says Brian Bradley, executive vice president of strategy and emerging markets at MicroBilt, a company doing business compliance advising: "With all of the focus put on compliance and security breaches, it's easy to overlook these requirements around identity and law enforcement. It's another level of compliance that a lot of companies don't even know about."
The FTC has sent out these rules to federal financial institution regulatory agencies what are described as “final rules on identity theft “red flags” and address discrepancies.” These final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The President’s Identity Theft Task Force has detailed the impact of identity theft, which cause billions of dollars in losses each year to individuals and businesses.
The FTC describes its Red Flag rules:
The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:
1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.
The real purpose of these rules is not to simply fight ID theft, as noble a cause as that may be. Instead, the rules are really another brick in the wall of the United State's goal of building better defenses against terrorism. So fighting money laundering is a key goal of these rules, as is keeping fake ID”s away from terrorists. According to the FTC, the rules are designed to force financial institutions to be more careful with whom they do business.
According to the FTC, the rules “require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.”
The entities that most need to learn about these rules are small businesses. For example, if a small used car company sells a vehicle that is used a month later in a crime, they could be held responsible. Bradley says, "The Red Flag rules are basically there to help protect consumers from identity fraud, and to help prevent businesses from making bad loans or extending credit to criminals. But a lot of security people don't know much about them yet, and most small businesses -- the ones that are too small to work with the big credit bureaus -- don't know anything."
Bradley continued, “However, many organized terrorists and criminals know that small businesses can't afford to work with the big credit bureaus, which makes these mom-and-pop shops prime targets for illegal purchases and money-laundering scams. And the worst part is that the small business can be held liable if it does do business with the bad guys, even if it isn't aware of the regulations. I haven't seen any cases yet, but the Red Flag rules won't be enforced until November, so we're just beginning to deal with those."