FTC Deadline for Red Flag Rule Compliance Nears for ARM Professionals

ARM professionals who handle accounts that involve making or collecting payments have less than a month to comply with the Federal Trade Commission’s new Red Flag Rules. Come May 1, any entity that regularly offers, renews, or continues credit, or any entity involved in the decision to provide credit must develop and implement a plan to detect, prevent and mitigate identity theft.  The rules also apply to vendors who offer payment terms and manage payment accounts on a creditor’s behalf. Companies in violation could be fined up to $2,500 per occurrence.

Debt collectors who serve banks, credit card companies, and credit unions had to be compliant with new rules by November 1, 2008.  But some industries, such as utilities and hospitals — and their service vendors –  were given a six month extension after many complained they didn’t know about the rule and didn’t learn about it soon enough to comply with the November deadline. 

The FTC estimates that more than 9 million Americans have their identity stolen each year, leading to billions in financial fraud. By casting the Red Flag Rule net across all industries that offer payment term agreements, the FTC is trying to plug every crack through which personal information can be siphoned to steal someone’s identity (http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf).

Because accounts receivable management professionals already have established policies and procedures to verify debtors’ identity, most recent address and other demographic information, many are better prepared than they think, experts say.

“A lot of the work is already done,” said Valerie Hayes, ACA International’s corporate counsel and vice president of legal and government affairs.  “It’s a matter of incorporating their existing policies and procedures in place into an identity theft program under the Red Flag Rules.”

Companies, however, can’t just rely on having a written plan in place.  Each company’s policies for finding and dealing with red flags that could signal identity theft must be tailored to the entity’s specific risks at every location and at every level of their operation. That includes having a plan for transporting company computers that may access personal information and procedures for home-based employees.  Collectors also must regularly update their policies and procedures to identify new risks that may jeopardize the security of personal information, Hayes said.

Investments to comply with Red Flag Rules will vary, but some experts say collection agencies should budget red flag compliance into their operating expenses and have someone on staff to regularly review and update their identity theft programs.

“At a minimum, there should be one person working on that program and training existing and new staff,” Hayes said.

Experts say federal regulators may check a company’s red flag policies and procedures at any time. Therefore, collection professionals’ identity theft prevention program also may be audited if one of their creditor clients is investigated, because regulators will want to ensure service vendors are in compliance.

The new Red Flag Rules have and will continue to spawn automated service offerings to help creditors and their providers accurately pair consumers with their personal information.  Many programs will be tailored specifically to certain industries. For example, analytical tools by offered by health care software vendor nTelagent and credit card information manager TransUnion identify invalid social security numbers, suspicious age information, insurance information, and other demographics.

Although nTelagent President Earl Winter said the company’s product was designed to be used by hospitals during the registration process, it can be used by collection agencies on the back end to verify identities and help agencies determine which accounts do not belong in collections.

Winter said companies that continue to rely on manual procedures alone may be opening themselves up to liability because manual processes leave room for some compliance procedures established by the company to be missed or skipped.  He said automated programs not only alert users to “red flag” information or activity, but an automated system can walk employees through every procedure they must follow to make sure the company is in compliance with its rules. And that will help them avoid fines, he said.