JVC COMPLIANCE

FTC’S RED FLAG RULE 

THE FTC’S RED FLAGS RULE REQUIRES COVERED BUSINESSES TO IMPLEMENT AN IDENTITY THEFT PREVENTION PROGRAM. COMPANIES, EITHER RETAIL OR WHOLESALE, THAT OFFER CREDIT ACCOUNTS THAT ARE SUBJECT TO A REASONABLY FORESEEABLE RISK OF IDENTITY THEFT ARE COVERED BY THE RULE AND MUST ESTABLISH A PROGRAM TO ADDRESS THE RISK. BRANDED CREDIT CARDS, AS WELL AS IN-HOUSE CREDIT ACCOUNTS FOR CONSUMERS, ARE COVERED BY THE RULE. COMPANIES THAT OFFER THESE CREDIT ARRANGEMENTS SHOULD IMPLEMENT AN IDENTITY THEFT PREVENTION PROGRAM BASED ON THE RED FLAGS RULE.

 

BUSINESSES THAT OFFER OTHER SORTS OF CREDIT ARRANGEMENTS FOR THEIR CUSTOMERS SHOULD ASSESS THE VULNERABILITY OF THESE ACCOUNTS TO AN IDENTITY THIEF.  IF A FORESEEABLE RISK EXISTS, THEY ARE REQUIRED TO IMPLEMENT A PROGRAM.  THE JEWELERS VIGILANCE COMMITTEE IS AVAILABLE TO ASSIST WITH THIS DETERMINATION.

 

JVC OFFERS A DO-IT-YOURSELF COMPLIANCE KIT WITH GUIDANCE AND TEMPLATES FOR THOSE COMPANIES THAT MUST ESTABLISH A RED FLAGS RULE PROGRAM.  THE PROGRAM HELPS COMPANIES IDENTIFY, DETECT AND RESPOND TO THE “RED FLAGS” OF IDENTITY THEFT.   

IN BRIEF

Red Flags

THE FEDERAL RED FLAGS RULE, IN EFFECT SINCE JANUARY 1, 2008, REQUIRES MANY BUSINESSES TO IMPLEMENT A WRITTEN IDENTITY THEFT PREVENTION PROGRAM DESIGNED TO:

 

▪ DETECT THE WARNING SIGNS OF IDENTITY THEFT,

▪ PREVENT THE CRIME, AND,

▪ MITIGATE THE DAMAGE OF IDENTITY THEFT

 

WHAT IS IDENTITY THEFT?

 

IDENTITY THIEVES USE PEOPLE’S PERSONALLY IDENTIFYING INFORMATION TO FRAUDULENTLY OPEN NEW BUSINESS ACCOUNTS AND MISUSE EXISTING ACCOUNTS TO STEAL PRODUCTS AND SERVICES.

RED FLAGS

WHO ARE CREDITORS FOR PURPOSES OF THE RED FLAG RULE?

The Red Flags rule covers many “creditors,” broadly defined by the FTC to include “businesses or organizations that regularly defer payment for goods or services.”  Examples include retailers that offer financing or help consumers get financing from others, say, by processing credit applications.  Simply accepting credit cards – such as AmEx or Visa – as a form of payment does not make a jeweler a “creditor.”  However, if a jeweler offers its own branded credit card or arranges in-house credit for its customers, it is a “creditor.”

WHO MUST HAVE A WRITTEN IDENTITY THEFT PREVENTION PROGRAM?

Any jewelry company that falls into the “creditor” category must next determine if it has “covered accounts” as defined by the rule.  A “covered account” includes any account for which there is a “reasonably foreseeable risk” to customers of identity theft.  In determining whether an account is covered, one important element is whether the account can be opened and accessed remotely, by way of telephone or computer.  The risk analysis would also consider whether there had been any actual incidents of identity theft regarding the type of account in question.  “Creditors” that do not have “covered accounts” do not need a written program.

 

BASIC ELEMENTS OF THE RED FLAG RULE

An identity theft prevention program must include four basic elements:

 

  • Reasonable policies and procedures to identify “red flags” of identity theft.  These are suspicious patterns or practices that indicate the possibility of identity theft.  For example, if a customer offered an identification that looked fake, that would be a red flag.

  • Procedures to detect the red flags identified by the company.  If fake IDs have been identified as a red flag, then procedures must be in place to detect possible fake IDs.

  • A designation of actions that the company will take when a red flag is detected

  • Periodic re-evaluations of the program to address new risks

  • Training of staff

 

EXAMPLES OF RED FLAGS

These include:

 

  • Alerts from a credit reporting company

  • Suspicious identification documents

  • Suspicious personal identifying information, e.g., an id that looks fake

  • Suspicious account activity

FLEXIBILITY OF RED FLAGS RULE

The rule provides creditors the opportunity to design and implement an identity theft prevention program that is appropriate to their size and complexity.

The Red Flags Rule

IDENTITY THEFT PREVENTION PROGRAMS - FAQ'S

WHY DOES THE GOVERNMENT REQUIRE THAT SOME COMPANIES IMPLEMENT AN IDENTITY THEFT PREVENTION PROGRAM?

Because millions of people are the victims of identity theft each year, resulting in overwhelming costs to consumers, business and law enforcement.  The idea behind the law is that businesses can prevent a loss before it happens by recognizing and responding to the "red flags" that someone is using a stolen identity to buy goods or services.

WHO MUST IMPLEMENT A RED FLAGS PROGRAM?

Any company that maintains accounts that are subject to a "reasonably foreseeable risk of identity theft."  These accounts include:

 

  • In-house credit accounts

  • Branded credit card accounts

 

IN MY STORE I ACCEPT SEVERAL WIDELY-USED CONSUMER CREDIT CARDS SUCH AS MASTERCARD, VISA AND AMERICAN EXPRESS. MUST I IMPLEMENT A RED FLAGS PROGRAM BECAUSE I ACCEPT THESE CARDS?

No.  But be aware that your merchant agreement with the credit card companies may require that you comply with standards pertaining to processing credit card payments.  These standards must be in place in your business to protect cardholder data from identity thieves.

I AM COVERED BY THE RED FLAGS RULE. WHAT MUST I DO TO COMPLY?

You must implement a written identity theft prevention program with five components:

 

  • Identify the red flags of identity theft (such as suspicious id)

  • Detect the red flags (such as by closely examining id)

  • Respond to red flags, and mitigate identity theft if it does occur

  • Administer the program, integrate it into daily operations, and update it as necessary

  • Train your employees regarding the red flags program

IF I AM COVERED, WHEN MUST I COMPLY?

Enforcement began on December 31, 2010.  Implement a program ASAP!

I AM COVERED BY THE RULE. WHAT SHOULD I DO TO IMPLEMENT A RED FLAGS PROGRAM?

Buy the JVC red flags rule compliance kit, sponsored by GE Capital.  Visit www.jvclegal.org for details about the kit.

WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?

Fines of up to $3,500 per violation.

Red Flag Rule

FAQ

HOW DO I KNOW WHETHER OR NOT I NEED A RED FLAGS PROGRAM?

You need to answer two questions about your business to determine whether you need a program.  First, are you a “creditor?”  In short, the answer may be “yes” if you regularly provide goods or services first and allow customers to pay later.  If you are not a creditor you do not need a program.  If you are a creditor, then proceed to the next question, which is whether or not you have “covered accounts.”  These include private-label credit card accounts, and any account for which there is a reasonably foreseeable risk to your customers or to you of identity theft.  If there is no foreseeable risk, then you do not need a program.  If there is, and you are a creditor, you need a program.

HOW DO I KNOW IF I’M A “CREDITOR” AS DEFINED BY THE RED FLAGS RULE?

You are a creditor if you offer credit facilities to your customers.  For example, if you offer a branded credit card or in-house financing, you are a creditor.  You may also be a creditor if you deliver your product first, and allow customers to pay all or part of the purchase price later through memo transactions and other installment payment plans. Congress is currently considering legislation which, if passed, will exclude from the definition of “creditor” those companies that know all their customers or have not experienced identity theft. Remember, though, just because you are a creditor does not mean that you need a red flags program. That depends on whether or not you have “covered accounts.”

I’VE DETERMINED THAT I NEED A RED FLAGS PROGRAM, BUT SINCE I ALREADY HAVE AN ANTI-MONEY LAUNDERING PROGRAM ISN’T THAT ENOUGH?

No.  While a robust AML program makes it less likely that there will be an incidence of identity theft at your business, you still need a red flags program that states how your company will detect and respond if an instance of identity theft or an attempt to use your credit facility to engage in identity theft were to occur.  That being said, many of the steps you take for your AML program, such as getting id from customers, will likely be the same steps you will include in your red flags program.

I PROVIDE A LAYAWAY PLAN FOR MY CUSTOMERS. THEY PAY ME A SET AMOUNT EACH MONTH AND WHEN THEY HAVE PAID OFF THE ENTIRE PURCHASE PRICE I GIVE THEM THE PRODUCT. AM I A “CREDITOR?”

No, since you’re not providing the goods until after the customer pays in full.

I SELL ON “MEMO.” AM I A “CREDITOR?”

Possibly. When you sell on memo you are making a loan to your customer of the purchase price of the memo goods, at least according to the Uniform Commercial Code. Since you provide the product before you are paid, you may be a “creditor.”  Even if you are a “creditor,” you do not necessarily need a “program.” That depends on whether or not any of your customer accounts are “covered” as defined by the red flags rule (a reasonably foreseeable risk to your customer or to you of identity theft because of the account).  Congress is currently considering legislation which, if passed, will exclude from the definition of “creditor” those companies that know all their customers or have not experienced identity theft.

MANY OF OUR CUSTOMERS USE OUR BRANDED-CREDIT CARDS FOR PURCHASES AT OUR STORE. AM I A “CREDITOR” AND ARE THE CUSTOMERS’ CREDIT CARD ACCOUNTS “COVERED ACCOUNTS?”

Yes to both questions.  You are a creditor and the credit card accounts are covered.  You need a red flags program.  Fast. 

MY CUSTOMERS FREQUENTLY USE THIRD-PARTY CREDIT CARDS, SUCH AS MASTERCARD AND VISA, TO BUY JEWELRY AT MY STORE. DOES THIS MEAN I NEED A RED FLAGS PROGRAM?

No.  Third party credit facilities used at your business do not make you subject to any compliance obligations.  

WHERE ELSE CAN I FIND INFORMATION ABOUT THE RED FLAGS RULE?

You can find a copy of the rule in the JVC red flag rule compliance kit.  You can find lots of other information on the FTC’s website at www.ftc.gov/redflagsrule.

I EXTEND CREDIT, BUT ONLY TO OTHER BUSINESSES, NOT TO CONSUMERS. AM I A “CREDITOR?”

Possibly. You may be a creditor whether you have consumer or business accounts. Even if you are a “creditor,” you do not necessarily need a “program.” That depends on whether or not you have “covered accounts” as defined by the rule (a reasonably foreseeable risk to your customer or to you of identity theft because of the account.)  Congress is currently considering legislation which, if passed, will exclude from the definition of “creditor” those companies that know all their customers or have not experienced identity theft.

WHAT ARE THE REQUIRED ELEMENTS OF AN IDENTITY THEFT PREVENTION PROGRAM?

They are: (1) identification of “red flags” of identity theft  - suspicious patterns or practices or specific activities that indicate the possibility of identity theft; (2) detection – steps to take to detect the red flags you have identified; (3) actions – steps you will take when a red flag or an instance of identity theft is detected and (4) mitigation – steps you will take (a) to provide information to a victim of identity theft through your credit facility and (b) to adjust your program to ensure that future similar red flags will be detected in time to prevent identity theft.       

WE DETECTED A RED FLAG OF IDENTITY THEFT AT OUR COMPANY. SHOULD I CONTACT LAW ENFORCEMENT?

If your company experiences a confirmed incident of identity theft it’s a good idea to contact law enforcement, starting with your local police department.  

MY BUSINESS IS COVERED BY THE RED FLAGS RULE. IF THE FTC ASKS US QUESTIONS, WHAT WILL WE NEED TO SHOW THEM TO PROVE THAT WE ARE COMPLYING WITH THE RULE?

It is likely that the FTC will want to see a copy of your program, and evidence that you’ve conducted training and periodic re-evaluations as required by the red flags rule. Enforcement will begin on June 1, 2010.

WHAT ARE THE PENALTIES IF OUR COMPANY DOESN’T COMPLY WITH THE RED FLAGS RULE?

The FTC can seek both monetary civil penalties and injunctive relief for violations of the red flags rule.  The law sets $3,500 as the maximum civil penalty per violation.  Each instance in which the company has violated the rule is a separate violation.   

I AM CONFUSED. WHAT CAN JVC DO TO HELP ME?

JVC offers the following services in connection with implementing an identity theft prevention program:  JVC can install the program in your company, train your employees, and test and update your program to ensure it is fully compliant.  Call the JVC (212-997-2002) or visit www.jvclegal.org for fees and to schedule an appointment.  

WHAT IS THE “RED FLAG RULE”?

The Federal Trade Commission issued new regulations requiring businesses that extend credit to institute a written policy that will help to identify efforts to engage in identity theft through these credit arrangements and to prevent identity theft.

WHAT IS IDENTITY THEFT?

Identity thieves use people’s personal identifying information to fraudulently open new accounts and misuse existing accounts.

WHO HAS TO COMPLY WITH THIS RULE?

Any business or organization that defers payment for goods or services must comply if they have covered accounts.  For example, retailers who offer in-house financing, or private-label credit card programs must comply with the rule.

WHAT ARE THE ELEMENTS REQUIRED FOR COMPLIANCE?

If you have accounts open with your customers that meet the definition of an extension of credit (a “covered account”), you must develop, implement and administer a written identity theft program designed to detect efforts to steal identifying information, and to prevent such efforts from occurring. Your written program must also spell out appropriate steps to take when you detect such efforts (“red flags”).

WHO ENFORCES THE RULE?

The Federal Trade Commission.

WHAT ARE THE RED FLAGS THAT I SHOULD BE LOOKING FOR?

As an example, if you offer private-label credit cards that can be paid online, you need to be aware that thieves might try to steal the identification information submitted by your customers.  If you acquire identification information at your store from customers who apply for in-house credit, be sure to carefully acquire identification information about them including some form of government-issued ID.  If the ID offered looks fraudulent, this is a red flag.  There are many other red flags.

WHAT ACTION DO I TAKE WHEN I DETECT A RED FLAG?

These will be tailored to the type of covered account that you employ and the type of red flag you detected. These actions can range from canceling the account, to contacting local law enforcement officials.
