Saturday, October 3, 2009

Risky Business? FTC Enforcement of its Identity Theft Program Starts Nov. 1, 2009

Prior to practicing International Trade Law, had I been asked about international trade and which government agency is responsible for oversight of imports, I probably would have identified US Customs and no others. It turns out multiple agencies have jurisdiction over varying types of imports, just as various rules imposed on businesses by agencies other than US Customs can impact a business's operations. The Federal Trade Commission's (FTC) Red Flags Rule (Rule) is one such rule.

Thanks to today’s technologically savvy commercial environment, information exchanges and business transactions - whether domestic or international - now take only a fraction of the time that they once did. These modern conveniences have not come without consequence, however, and just as the ease of conducting business has increased, so has the threat of identity theft. So much so that the Internal Revenue Service (IRS), FTC, and now even the U.S. federal courts have all implemented protocols in an effort to reduce these risks.

With enforcement of the Rule beginning on November 1, 2009, the FTC has mandated that certain businesses and organizations implement a written identity theft program in order to catch “red flags” of this risk in a company’s day-to-day operations.

US Customs has long required certain vetting and identity confirming procedures of freight forwarders, customs brokers, and other related trade partners, and through the implementation of Customs-Trade Partnership Against Terrorism, commonly known as “C-TPAT,” it has taken its identity confirmation efforts to an even greater level.  The benefit to having met US Customs' compliance mandates is that much of what is required under the Rule has already been largely addressed by many of you in the trade community.

The Rule mandates that each “financial institution” and “creditor” that has a “covered account” implement, or incorporate into its already existing compliance program, an identity theft program that would enable businesses to catch “red flags” of potential risks of identity theft.

While freight forwarders and customs brokers do not typically fall within the definition of a “financial institution,” many will qualify under the FTC’s definition of a “creditor.” A creditor is defined as a business or organization that “regularly defer[s] payment for goods or services or provides goods or services and bill customers later.” [16 CFR Part 681.2(b)(1)]

Therefore, if you provide services for which you later bill and receive payment after the services have been performed, you are subject to the Rule. This is because you will be considered to have extended credit for having done the work without receiving payment upfront. While the FTC is considering making certain exemptions from this rule, e.g. with law firms, none have yet been made with respect to freight forwarders or customs brokers, nor is it likely that it will occur.

A “covered account” is defined as an account that a creditor “offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” [16 CFR Part 681.2(b)(3)(ii)]

Examples the FTC gives of covered accounts include that of a sole proprietorship, a small business account, or a single transaction consumer account, as they may be vulnerable to identity theft as a result of actions such as the ability to remotely access an account via the internet or telephone.

Implementation of an Identity Theft Prevention Program

Any prevention program must be meaningful and explicitly state what targeted measures will be taken to make it more difficult to steal an identity. Training your staff to sight red flags and identify new threats, along with mechanisms for dealing with these risks, should be specified. Periodic review of the prevention program must be clear, and the audit or review of procedures by an identity theft expert may be considered on an incremental basis.

The Rule gives a four-part framework for designing an identity theft prevention program. It requires the creation of, or updates to an existing, identity theft prevention program to:

1. Identify Red Flags in Your Business: Include realistic ways to spot “red flags” in your business’ day-to-day operations through the implementation of reasonable policies and procedures, whether it comes in the form of a warning from a credit company, a suspicious document, or suspicious personal identifying information;

2. Detect Red Flags in Day-to-Day Operations: Program should actually detect “red flags” as identified by your business, be it for new or existing accounts;

3. Prevent and Mitigate Identity Theft: Describe appropriate actions to be undertaken upon discovery or detection of a “red flag”; and,

4. Update Your Program: Describe how a re-evaluation of the identity theft program will be periodically undertaken to account for potential new risks.


The program must be designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones. Your program must be appropriate to the size and complexity of your business or organization and the nature and scope of its activities.
--Fighting Fraud with the Red Flags Rule – A How to Guide for Business (2009)

Once the prevention program is in place, additional requirements include:

1. Approval of the program and a description of its incorporation into the daily operations of your business, by the Board of Directors of your business, or alternatively, an appropriate senior level employee;

2. A statement regarding the responsible party for the implementation and administration of the identity theft prevention program;

3. Staff training, as appropriate; and,

4. Contractor’s compliance monitoring, as appropriate.

Many of you may be unaware of how to implement this Rule into your existing operational practices. Feel free to email me with your questions or comments if you require any assistance at clark.deanna@gmail.com.

For more information on the Red Flags Rule, go to the FTC's website.

You can also find a useful article on this Rule here.
