ID Theft Red Flags Rule: FTC Extension is no 'Break'Enforcement Delayed for FTC-Governed Institutions; Liability is Not
In fact, compliance will be a huge challenge for non-banking entities and those state-chartered credit unions, says Debra Geister, Director of Fraud Prevention and Compliance Solutions at Lexis-Nexis, an information services provider. While the bigger, federally-regulated banking institutions have pre-existing programs in place to meet the ID Theft Red Flags Rule under the Fair and Accurate Credit Transactions Act (FACTA) requirements -- including a Customer Identification Program -- they are still struggling to meet compliance with the guidance, which had been estimated by federal regulators to take anywhere from 20 to 40 hours of work to be compliant.
"The problem for these non-banking entities is when you take this apart and see everything that has to be in place, it is a daunting task," Geister says. "It will be a lot more work for the non-banking companies that don't have the existing fraud programs in place."
And for non-banking entities that aren't regularly examined by federal agencies, compliance is a whole new organizational challenge.
Enforcement Delayed; Liability is Not
When the FTC announced that six-month suspension of Red Flag Rule enforcement, many companies breathed a big sigh of relief, says Thomas Oscherwitz, vice president of Government Affairs and chief privacy officer at ID Analytics, a risk management solution company. "Some compliance officers may now be tempted to take their Red Flags working folders off their desks and put them in long-term storage," he says. "My best advice: Keep that folder on your desk; you still need it."
The three main parts of the regulation are: The Red Flags program, the address change process, and the address discrepancy rule. The last two are already being enforced since Nov. 1, despite the FTC's announcement that it was pushing back enforcement for businesses under the FTC's jurisdiction until May 1, 2009.
"Many businesses don't realize that point, that even though the FTC isn't enforcing compliance, it doesn't mean those businesses won't be liable if a data breach or loss of information occurs," Geister notes. The key issue is that the law was effective January 1, 2008. It was only the compliance portion that was not being enforced until November 1.
There are two dramatically different kinds of enforcement at work on this regulation, Geister observes. "With the FDIC, OTS, OCC, and NCUA's portion, a banking institution's expectations are [compliance] will fall under their information security exam or their safety and soundness exam (or both), so that is scheduled ahead of time. They know when they're going to be examined."
However, it's much different for non-banking entities, where the FTC operates as a law enforcement agency and reacts swiftly to consumer complaints. "So when a consumer calls in a complaint, the FTC isn't going be sitting on their hands. They're moving in to check it out," Geister notes. "If I were a business on the FTC side of enforcement, I would be nervous. At any time it could fall directly into your lap, and at $2500 per infraction -- not to mention the PR implications that a business would have to handle - well, it won't be good."
The FTC will look to put some "heads on sticks" when enforcing this regulation, predicts Geister. "They anticipate non-compliance, and when a business is hit with a breach, they will march you out to the center of the square and shoot you publicly." Geister cites earlier FTC enforcement actions against retailers such as DSW, BJ's Wholesale Club, and TJX, among others.
Oscherwitz agrees and adds compliance officers working in industries granted an enforcement delay should also keep in mind that this delay will likely make the initial FTC enforcement of the regulation tougher.
"Once May 1 rolls around, prudent compliance officers should not expect any leniency for programs that are works in progress," he predicts. Companies should anticipate that the FTC will expect full compliance. "So in reality, to avoid regulatory risk, compliance programs should be operational and audit-ready well in advance of May 1."
One can look at the FTC enforcement delay as a reprieve, he notes. "But prudent compliance officers should take this delay as a clarion call from the FTC that it takes these rules seriously and expects companies to develop compliance programs in earnest. "Use this time to build a Red Flag program that will protect your organization and customers over the long haul."