After reading the Federal Trade Commission’s 17-page guide
to “Fighting Fraud With the Red Flags Rule,” I think I finally understand why
this newest requirement is so perplexing to many of you out there. Fortunately,
you now have until Aug. 1 to figure it out, thanks to the FTC’s eleventh-hour
decision to delay the enforcement deadline.
I’m often asked how one becomes compliant with the Red Flags
Rule. Truth of the matter is, I’m not totally sure that’s possible given this
rule is a moving target. And that’s where the problem lies — there just isn’t a
target to shoot for. But then again, I think that’s the point.
What you have to remember is, as the practices employed by
ID thieves continue to evolve, so must your identity theft-prevention program.
In fact, when the FTC first approved the rule in November 2007, many legal
experts warned auto dealers that ID thieves had their sights on them because
the credit card industry had gotten wise to their ploys. Essentially, the Red
Flags Rule is the FTC’s way of plugging those holes in other industries.
But first things first: Does your business regularly arrange
for loans or the extension of credit? If so, then you must have a program to
protect your customers by Aug. 1. I bring this up because a major motorcycle
maker told dealers last October that they didn’t have to develop an identity
theft-prevention program if they arranged financing through its captive. I’m
here to tell you the company was wrong.
Unfortunately, the manufacturer wouldn’t admit to it until
April 10, 2009, less than a month before the enforcement deadline. And
unfortunately, this company wasn’t the only one feeding dealers the wrong
information. Now you know why the agency delayed the enforcement date.
Listen, I know this rule sounds like another way for the FTC
to stick it to dealers, but it’s not. Yes, the cost of compliance, at least
from what I’ve heard, is pretty steep. One auto dealer I talked to spent
approximately $500 per rooftop to get compliant, and another $159 per month,
per rooftop, to stay that way.
I know that sounds daunting, especially given the current
economic climate. And I have to believe — given the lack of technology
penetration in this industry — compliance is going to be a lot tougher for
powersports dealers than auto dealers.
But if it makes you feel any better, I really don’t think
the FTC is bent on punishing you. I write that because there’s been a lot of
speculation floating around in regards to the vigor with which the FTC would go
after violators, especially since it has delayed enforcement of the rule twice
now.
Take the penalty hike the FTC passed in February. There was
talk that the increase was another sign of the intensity with which the agency
will go after violators. As it turned out, the reason for the hike was
inflation.
Apparently, penalties under the Fair Credit Reporting Act
can be periodically adjusted for inflation. And that’s why the FTC increased
the maximum civil penalty for unfair and deceptive acts and practices from
$11,000 to $16,000 per violation, not because it was arming itself for the Red
Flags Rule enforcement date.
“We’ve never issued any statement to that effect,” said
Tiffany George, an attorney with the FTC’s privacy and identity division. “We
understand entities are finalizing their [Red Flags] programs. We’re just
looking for a good-faith effort.”
I know federal regulations are never a walk in the park. But
let’s not forget the reason for the Red Flags Rule. And let’s not forget how
much an identity thief can cost your business. Heck, one auto dealer I talked
to said he lost approximately $120,000 after he sold two vehicles to friends of
a local wholesaler he worked with. He trusted the guy, took his word and got bit.
So again, this rule wasn’t developed as another way to
punish you. It was developed to protect the nearly nine million Americans who
fall victim to identity theft each year. Is it the best approach? We’ll see
come Aug. 1.
