By Michael A. Benoit
Many financial institutions and creditors around the country have spent the past six months working diligently to implement their Identity Theft Prevention Programs, mandated by Congress and the subject of the Red Flags Rule published by the Federal Trade Commission and the federal banking agencies in November 2007. The rule had a mandatory compliance date of Nov. 1, 2008; however, on Oct. 22, the FTC announced that entities under its jurisdiction, including non-bank finance companies, would not be subject to enforcement actions until after May 1, 2009. Entities under the jurisdiction of the federal banking agencies are still subject to the Nov. 1 mandatory compliance deadline.
The net effect of the FTC’s enforcement delay is that FTC-regulated creditors have six more months to fully implement their programs without threat of FTC sanctions.
Conventional wisdom says that the FTC decided to delay enforcement because there are a host of industries that are subject to the Red Flags Rule that simply didn’t realize it, and the FTC wanted to give these industries some additional time to achieve compliance. As a matter of fairness, the FTC could not impose liability on some entities and not others, so all entities it regulates get the benefit of the six-month forbearance.
Most finance companies I’ve worked with were well on their way to achieving compliance with the Red Flags Rule in advance of the Nov. 1 deadline. The extension gives these companies the opportunity to work the bugs out of their programs without fear of liability, at least with respect to the FTC. Those finance companies that were not on track to meet the Nov. 1 compliance deadline may have gotten a six-month breather, but the FTC got an extra half-year to refine its enforcement strategies. Woe to the finance company that, after an 18-month lead time, did little or nothing to meet its compliance obligations, and fair warning to the finance company that thinks it can relax its efforts in advance of May 1. Here’s why:
Dollars. With fines of $2,500 for each customer financed without a program in place, your finance company may be facing potential dire financial consequences in no time. In this economy, you can’t afford that, and compliance doesn’t cost that much for you to be thinking that way. Why create a risk if you don’t need to?
Plaintiff’s Attorneys. The FTC might not prosecute violators for six months, but there’s an argument that the Red Flags Rule can be enforced through back doors now. Think about it like this — your town lowers the speed limit on Main Street, but law enforcement announces it won’t hand out speeding tickets for a couple of months so that people can adjust to the new limit. That announcement may not stop a plaintiffs’ lawyer from suing if someone exceeds the new limit and causes injuries or damages. The same holds true for the Red Flags Rule in states with statutes upon which to base claims.
It’s Good for Business. Customers like it when they believe that you have their best interests at heart. You have lots of business reasons not to do business with an identity thief; the Red Flags Rule provides a regulatory reason not to. Identity theft costs you money, too, and the potential reputational risk you face could be devastating. And in any event, you’ll be paying your lawyers to help you out of the mess — that’s reason enough to climb on the compliance bandwagon! With your program in place, you’ll be well-equipped to stop these transactions before they happen.
Do yourself a favor — get your Identity Theft Prevention Program in place as quickly as possible, and make sure it is working effectively by May 1. This enforcement delay may seem like a gift, but there are real liabilities that can impact you right now.
Michael Benoit is a partner in the Washington, D.C., office of Hudson Cook LLP. He is a frequent speaker and writer on a variety of consumer credit topics, and can be reached at 202-327-9705 or [email protected]. Nothing in this article is intended to be legal advice and should not be taken as such. All legal questions should be addressed to competent counsel.