After reading the Federal Trade Commission’s 17-page guide to “Fighting Fraud With the Red Flags Rule,” I think I finally understand why this newest requirement is so perplexing to many of you out there. Fortunately, you now have until Aug. 1 to figure it out, thanks to the FTC’s eleventh-hour decision to delay the enforcement deadline.
I’m often asked how one becomes compliant with the Red Flags Rule. Truth of the matter is, I’m not totally sure that’s possible, given that this rule is a moving target. And that’s where the problem lies — there just isn’t a target to shoot for. But then again, I think that’s the point.
What you have to remember is, as the practices employed by ID thieves continue to evolve, so must your identity theft-prevention program. In fact, when the FTC first approved the rule in November 2007, many legal experts warned auto dealers that ID thieves had their sights on them because the credit card industry had gotten wise to their ploys. Essentially, the Red Flags Rule is the FTC’s way of plugging those holes in other industries.
But first things first: Does your business regularly arrange for loans or the extension of credit? If so, then you must have a program to protect your customers by Aug. 1. I bring this up because a major motorcycle maker told dealers last October that they didn’t have to develop an identity theft-prevention program if they arranged financing through its captive. I’m here to tell you the company was wrong.
Unfortunately, the manufacturer wouldn’t admit to it until April 10, 2009, less than a month before the enforcement deadline. And unfortunately, this company wasn’t the only one feeding dealers the wrong information. Now you know why the agency delayed the enforcement date.
Listen, I know this rule sounds like another way for the FTC to stick it to dealers, but it’s not. Yes, the cost of compliance, at least from what I’ve heard, is pretty steep. One auto dealer I talked to spent approximately $500 per rooftop to get compliant, and another $159 per month, per rooftop, to stay that way.
I know that sounds daunting, especially given the current economic climate. And I have to believe — given the lack of technology penetration in this industry — compliance is going to be a lot tougher for powersports dealers than auto dealers.
But if it makes you feel any better, I really don’t think the FTC is bent on punishing you. I write that because there’s been a lot of speculation floating around regarding the vigor with which the FTC would go after violators, especially since it has delayed enforcement of the rule twice now.
Take the penalty hike the FTC passed in February. There was talk that the increase was another sign of the intensity with which the agency will go after violators. As it turned out, the reason for the hike was inflation.
Apparently, penalties under the Fair Credit Reporting Act can be periodically adjusted for inflation. And that’s why the FTC increased the maximum civil penalty for unfair and deceptive acts and practices from $11,000 to $16,000 per violation, not because it was arming itself for the Red Flags Rule enforcement date.
“We’ve never issued any statement to that effect,” said Tiffany George, an attorney with the FTC’s privacy and identity division. “We understand entities are finalizing their [Red Flags] programs. We’re just looking for a good-faith effort.”
I know federal regulations are never a walk in the park. But let’s not forget the reason for the Red Flags Rule. And let’s not forget how much an identity thief can cost your business. Heck, one auto dealer I talked to said he lost approximately $120,000 after he sold two vehicles to friends of a local wholesaler he worked with. He trusted the guy, took his word and got bit.
So again, this rule wasn’t developed as another way to punish you. It was developed to protect the nearly nine million Americans who fall victim to identity theft each year. Is it the best approach? We’ll see come Aug. 1.