
The “Red Flags” Rule: Are You Compliant?

The FTC “Red Flags” Rule has caused quite a stir in dealership circles. In fact, I’m asked about “Red Flags” more frequently than any other topic. Dealers are concerned about what the rules mean and how they will impact the way they do business. Thankfully, the FTC has gone out of its way to provide businesses with the information necessary to comply and was even gracious enough to allow a seven-month grace period for businesses to become compliant. The bad news is the grace period has ended. If you’ve been putting off Red Flags compliance, the day of reckoning is here.

DOES THE “RED FLAGS” RULE APPLY TO ME?

Without getting into all of the legal jargon, the Red Flags Rule applies to 99.9% of all auto dealerships. So, unless you’re one of the very few dealers that doesn’t provide or arrange financing for your customers – the Red Flags Rule applies to you.

WHAT IF I DON’T IMPLEMENT A RED FLAGS POLICY IN MY DEALERSHIP?

There is currently no criminal liability for failure to adhere to the Red Flags Rule. But there is potential for significant civil liability. For example, you may be liable to the victim of identity theft. A good plaintiff’s attorney would likely argue that failure to comply with the Red Flags Rule is in and of itself negligent behavior. And what if your store became known for its failure to take precautions to prevent identity theft? We already know how wary customers are of divulging their personal information. No one wants to give their personal information over to someone known to be associated with identity theft. In light of the risks, the cost of compliance is low, especially considering that you yourself draw up the Identity Theft Program for your store.

WHAT IS THE RED FLAGS RULE?

In an effort to stem the rising tide of identity theft, the “Red Flags” Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. The rationale is that by identifying red flags in advance, these businesses will be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

WHAT DOES THE RED FLAGS RULE REQUIRE?

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include five basic elements, which together create a framework to address the threat of identity theft.

  1. Your Identity Theft Prevention Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft.  For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.
  2. Your Identity Theft Prevention Program must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.
  3. Your Identity Theft Prevention Program must spell out appropriate actions you’ll take when you detect red flags.
  4. Because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks.
  5. Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule sets out requirements on how to incorporate your Program into the daily operations of your business. Your board of directors (or a committee of the board) has to approve your first written Program. If you don’t have a board, approval is up to an appropriate senior-level employee. Your Program must state who’s responsible for implementing and administering it effectively. Because your employees have a role to play in preventing and detecting identity theft, your Program also must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the Rule, your Program also must address how you’ll monitor your contractors’ compliance.

SUMMARY

The Red Flags Rule gives you the flexibility to design a Program appropriate for your company – its size and potential risks of identity theft. While some businesses and organizations may need a comprehensive Program that addresses a high risk of identity theft in a complex organization, others with a low risk of identity theft could have a more streamlined Program.

OTHER RESOURCES

To get you started, take a look at the FTC’s own “Do-It-Yourself Checklist for Businesses at Low Risk for Identity Theft.”
