Red Flag Rules: Is My Business Covered by the Red Flags Rule?
Corporate Services Update 08/31/09 Margaret E. Utterback, Kathryn A. Kronquist
If you offer your business or consumer customers payment terms other than payment at the time of sale, the Federal Trade Commission's ("FTC") Red Flags Rule ("the Rule") applies to you . . . maybe.
By way of background, the Rule, in effect since January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program ("Red Flags Program") designed to detect the warning signs, or "red flags," of identity theft in their day-to-day operations. The Rule certainly appears to apply to certain companies with business-to-business accounts - more on that below - but if the Rule does apply to your business, there is now a little more time to comply.
The FTC (and, as a result, businesses across the country) are having an experience similar to Bill Murray's in the movie Groundhog Day: Once again, on the eve of the effective date for commencing enforcement of the Rule, as businesses across the country scrambled to get policies into place to comply with the Rule (assuming they had not already done so for one of the previous compliance dates), the FTC woke up to Sonny and Cher, blinked and once again delayed enforcement of the Rule for another three months, this time until November 1, 2009. And that is a very good thing, because it is not at all clear how the Rule affects business-to-business models.
The Rule applies to "creditors" with "covered accounts." As to the first requirement, although you may not think of your business as a creditor, the Rule's definition of "creditor" is very broad and essentially includes any business or organization that permits deferred payment for goods or services. The Rule defines a "creditor" as one who regularly grants loans, arranges for loans or the extension of credit or makes credit decisions. This definition would apply to finance companies, mortgage brokers, real estate agents, automobile dealers and any other retailer that offers financing or provides help to consumers in getting financing from others by processing credit applications. In addition, it would extend to utility companies, health care providers and telecommunications companies, among others. However, the definition of "creditor" also encompasses any company that sells goods and services now and bills for those goods and services later.
But just because you may fit the definition of a "creditor" does not necessarily mean that you must implement a Red Flags Program. Rather, you must implement such a written program only if you satisfy the second requirement, that is, only if you have "covered accounts," as the Red Flags Rule defines that term. Unfortunately, this is where the Rule becomes a bit unclear, particularly if you have business-to-business accounts. The definition of "covered accounts" comprises two categories of accounts.
The first category is straightforward: It is a consumer account you offer your customers that is primarily for personal, family or household purposes and that involves or is designed to permit multiple payments of transactions. So this category would not apply to business-to-business accounts, as these are not for personal, family or household purposes. Rather, this first category of "covered accounts" would include credit card accounts, automobile loans, cell phone accounts and utility accounts.
For companies with business-to-business accounts, the Rule is a bit ambiguous with respect to the second category of "covered account." The second kind of "covered account" includes "any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft, including financial, operational, compliance, reputation or litigation risks." The only examples offered to date by the FTC, as to the types of accounts this second category of "covered accounts" would include, are small business accounts, sole-proprietorship accounts or single-transaction consumer accounts that may be vulnerable to identity theft.
Thus, unfortunately, although the Rule is clear that "covered accounts" certainly means all consumer (i.e., personal) accounts, we are left with little guidance as to whether business-to-business accounts (which are not consumer accounts or personal in nature) would necessarily be considered "covered accounts." The only guidance given by the FTC to date is that such business accounts may be covered only if the risk of identity theft is "reasonably foreseeable," and the FTC has not provided any further guidance as to what this "reasonably foreseeable" standard may mean.
Additional guidance may be forthcoming. On July 29, a mere three days before the Red Flags Rule was to become effective, the FTC announced that it was delaying enforcement of the Rule until November 1, 2009. This delay follows previous delays announced in October 2008 and May 2009, so we are now operating under the fourth consecutive compliance date for this rule. The FTC press release announcing the most recent delay is available here. The FTC has also announced that it would soon release additional educational tools pertaining to the Red Flags Rule, and we are hopeful that these additional tools will shed some light on the application of the Rule to business-to-business accounts. Many of the FTC's existing educational tools are available at the FTC Red Flags Web site.
So stay tuned - we'll be back with additional guidance as soon as it becomes available.
For more information, or if you have any questions, please contact Maggie Utterback at 608-283-2443 / email@example.com, Kate Kronquist at 414-277-5397 / firstname.lastname@example.org or your Quarles & Brady lawyer.