Skip to main content
Compliance Guide™ Features

November 2009 : FTC Raises the White Flag Over Red Flags?

by Joseph Sanscrainte, an attorney specializing in telemarketing law.

When I first sat down at my computer to start writing this article on the FTC's Red Flags Rule a couple of weeks ago, I have to admit I was experiencing a bit of dj vu. Going all the way back to January of 2008, when the Red Flags rules first went into "effect," I had been diligently monitoring developments and telling anyone in the teleservices arena who would listen that call centers need to develop Red Flags programs, and quickly! Even though the FTC had announced that it was not going to enforce the new rules until (initially at least) November 1, 2008, I confidently prognosticated that this was a one-time delay and that call centers had to start preparing right away.

When the FTC delayed the initially delayed enforcement deadline until May 1, 2009, I honestly thought that this was a unique circumstance, one that would certainly not be repeated. The FTC had gone on record numerous times to the effect that it took data privacy extremely seriously, and what better way to establish its data privacy bona fides than to start enforcing Red Flags? Again, looking to the new "deadline" of May 1, 2009, I did my part as an attorney, an ATA Fulcrum Award Winner, and gosh darnit, as an American, to help spread the word to call centers everywhere to take Red Flags seriously. Certainly, two delays associated with the enforcement of an important data privacy rule was more than enough to give U.S. businesses the time needed to comply.

When the FTC announced in late April of this year that, yet again, the Red Flags juggernaut had to be postponed (this time until November 1, 2009), I did my best to spin this news as something that: 1) I had of course foreseen; and 2) provided yet more proof that the FTC was taking its time on Red Flags because it was ...setting up a sophisticated and elaborate investigatory process aimed at identifying truly egregious instances of Red Flags violations that would quickly and effectively halt any such practices?

Worked for me. Amazingly, however, I was starting to get the impression that somehow, I was "losing my audience" when it came to Red Flags. People were yawning ...even worse, I heard reports that I was being referred to as "the boy who cried ?Red Flags'" behind my back.

Long story short, this time around, I did the smart thing - rather than publish my standard missive a few days before the new "enforcement" deadline, I chose to wait a bit and see what the FTC decided to do. And it's a good thing I did - the FTC decided yet again (as reported in a press release dated October 30, 2009) to postpone the enforcement date for Red Flags, this time to June 1, 2010.

So, the new bottom line is - assuming that the FTC has run out of reasons to delay enforcement of Red Flags, financial institutions and creditors now have an additional seven months to implement an effective Red Flags program. A "financial institution" is defined as a bank, savings and loan, credit union, or other entity that holds a "transaction account" belonging to a consumer. (A "transaction account" is an account that enables payments or transfers to be made - examples include checking account, savings accounts that permit automatic transfers, and share draft accounts.) A "creditor" is a business that regularly extends, renews or continues credit and/or arranges for someone else to extend, renew, or continue credit. Examples include finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies - but keep in mind that simply accepting credit cards does not make you subject to these rules.

If your company meets the definition of either "financial institution" or "creditor," AND you provide "covered accounts" (like credit card accounts, mortgage and car loans, cell phone accounts, checking or savings accounts), then you are at the front lines of compliance for Red Flags purposes. All such front line companies must have a "Program" in place by June 1, 2010, that identifies, detects, and prevents red flags (patterns and practices that indicate the possible existence of identity theft), and that remediates any problems that are identified.

Where it gets interesting for telemarketing operations providing services to financial institutions and creditors is the extension of these rules to "service providers." A service provider is an entity that provides service directly to a financial institution or creditor (which would, among many other types of entities, include call centers) where "covered accounts" are in play. Financial institutions and creditors are on the hook, under the Red Flags rules, to "exercise appropriate and effective oversight of service provider arrangements" - in other words, financial institutions and creditors must provide for the detection, prevention, and mitigation of identity theft even where an activity is outsourced to a service provider.

Bottom line - if you are a telemarketer (or in fact any type of service provider) providing services to entities covered by the Red Flags rules, what you're going to need is:

  • a written procedure to handle Red Flags
  • a means to disseminate your clients' Red Flags Program(s) to your employees, so that they understand the nature of what it is they should be on the lookout for;
  • a "Red Flags Officer" who's job it is to coordinate the reporting of such instances and to handle escalation of them as appropriate; and,
  • a training program specifically geared to instructing your employees about their duties with regard to Red Flag identification and reporting.

And for the record, I'm not the "boy" who cried Red Flags - I'm the "attorney" who cried Red Flags. And maybe, just maybe ...this time around, the FTC is going to follow through and actually start enforcing the Red Flags rule beginning June 1, 2010. And you can count on me to be among the first people who will write about this ...but something tells me I should probably hold off until the first week of July.

Return to News table of contents

Are You Calling Known TCPA Litigators?

Don't take the risk.