The Red Flag Rules take effect later this week. To date, a survey conducted by i-Comply - the leading provider of compliance tools for physicians - has revealed that more than 65% of all physician practices have yet to take any steps towards Red Flag compliance, although 95% say they will be in compliance by the end of the week.
The Federal Trade Commission’s compliance deadline for its so-called Red Flag Rules has finally arrived, requiring banks and other creditors to have written programs in place to find, stop, and mitigate theft of consumers’ personal data.
The rules formally go into effect Aug. 1, after a three-month extension to give companies more time to find their compliance footing. Still, experts say, many companies are struggling to understand whether they fall under the new rules’ jurisdiction, and how to nail down basic compliance procedures.
One of the most nettlesome questions is who fits the definition of a creditor under the rules, according to Randy Green, a principal with Grant Thornton, who spoke on the Red Flag Rules during a July 23 Webcast.
The rules clearly identify “financial institutions” as entities that offer accounts that let consumers write checks or make payments to third parties through other means, such as telephone transfers. A “creditor,” however, is any entity that regularly extends or renews credit or arranges for others to do so. That could be an auto dealership that provides financing; a doctor’s office billing someone’s co-payment; retailers offering store-only credit cards; or any number of other businesses not in the financial sector per se.
“The bottom line is that the Red Flag Rules apply to many different types of organizations, and it’s important to note that the rule will apply to all covered entities regardless of size,” Jay Brietz, a senior manager at Grant Thornton, said during the same Webcast.
And compliance officers should understand the difference between Red Flag Rules and other data protection rules. Nick Economidis, an underwriter of data privacy risks at the insurance firm Beazley, says most data protection rules aim to prevent sensitive data from exiting out “the back door” of a company when hackers steal it. In contrast, the Red Flag Rules seek to stop imposters at “the front door” when they walk into a store with already-stolen data, posing as someone else.
Best Practices
Regardless of a company’s current preparation, denial is not a good idea, Green said. “As we are all aware, the bad guys are coming out with new techniques to use stolen identity way faster than anybody can write a regulation,” he said. “Don’t expect that this thing is just going to go away.”
As always, start with a risk assessment—and specifically begin by reviewing how many accounts (both new and old) fall under the rules’ jurisdiction. Brietz recommends asking the following questions: How are customer accounts obtained and maintained? How are new accounts set up? Do people submit a form in person, over the phone, or online?
Also remember that not all credit card purchases are considered covered transactions, unless you can reasonably foresee the transaction leading to identity theft, Green said. The FTC has released a template to help entities that have a low risk of identity theft (businesses that know their customers personally, for example) to comply with the law.
From there, if you know the number of covered accounts you have and then identify all the places those covered accounts can be touched, “that will give you an idea of the places you’re going to need to have controls,” Green said.
Those possible control points will also help controllers or internal auditors determine “if there are reasonably foreseeable risks that exist,” Brietz said. For example, asking for a Social Security number could allow someone to use the number of a deceased person; or after asking for an applicant’s home address, the applicant might then immediately change it to another.
Once you see where the gaps and risks are, you can develop a plan to address them, Brietz said. The bad news: “There really isn’t going to be a one-size-fits-all plan to this.”
Other important steps to take for effective compliance:
- Get your board up to speed. A compliance report should be delivered to boards at least annually, Green said.
- Re-evaluate your plan annually. That means recognizing what new types of identity theft threats have emerged, Green said. Perhaps some innovative new scheme has emerged; perhaps your business has changed (via a merger, for example), and that has created new holes your plan must fill.
- Have the appropriate skills. “This regulation is going to cover more than just your internal audit group,” Green warned. Experts from the legal, financial, IT, and other departments should all be versed in the effort.
- Train. With so many different people involved, don’t underestimate the training effort that will be required. Employees should be trained on what to look for and how to treat it, Green said.
- Document the program. The FTC does not spell out any specific recordkeeping, so put yourself in the shoes of the FTC investigator. “What level of reporting would you be comfortable in showing them?” Green said. “That’s probably the best way to think about it.”
Legal Ramifications
Companies must also be wary of any “big event,” Economidis says—anything newsworthy that causes damage to a company’s reputation, or sparks both state and federal investigations. Those events attract the attention of plaintiff lawyers, he warns. “I don’t think a lot of these companies realize that these new government regulations increase their exposure to negligence claims.”
And because the legal consequences of non-compliance can be serious, watch how courts will enforce Red Flag violations, said Peter Vogel, a partner at the law firm Gardere Wynne Sewell, who also spoke during the Webcast. “When we evaluate how courts and judges evaluate each instance of non-compliance, it will give us more information about what we need to do to maybe modify our plans,” he said.
By Jaclyn Jaeger — July 28, 2009, www.complianceweek.com