November 2008: Red Flags Rules - coming soon to a call center near you
by Joseph Sanscrainte, an attorney with Bryan Cave, LLP, specializing in telemarketing law.
Having written recently in this space regarding the FCC's January 2008 ruling giving debt collectors the right to call cell phones, I think it's appropriate for me to provide an update on this issue.
On January 1, 2008, a sweeping new privacy/data security rule went into effect that impacts a large percentage of businesses in the United States. This new Red Flags Identity Theft Rule will be enforced by the Federal Trade Commission, federal bank regulatory agencies, and the National Credit Union Administration. The good news is that the FTC recently issued a statement on enforcement policy (http://www.ftc.gov/opa/2008/10/redflags.shtm), which gives "financial institutions" and "creditors" six more months to implement an effective Red Flags program (until May 1, 2009). The bad news is that information about this new rule, and the scope of companies it will affect, is only slowly filtering out across the country.
First, the basics: are you covered by the Rule? A "financial institution" is defined as a bank, savings and loan, credit union, or other entity that holds a "transaction account" belonging to a consumer. (A "transaction account" is an account that enables payments or transfers to be made - examples include checking accounts, savings accounts that permit automatic transfers, and share draft accounts.) A "creditor" is a business that regularly extends, renews or continues credit and/or arranges for someone else to extend, renew, or continue credit. Examples include finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies - but keep in mind that simply accepting credit cards does not make you subject to these rules.
If your company meets the definition of either "financial institution" or "creditor," AND you provide "covered accounts" (like credit card accounts, mortgage and car loans, cell phone accounts, checking or savings accounts), then you are at the front lines of compliance for Red Flags purposes. All such front line companies must have a "Program" in place, by May 1, 2009, that identifies, detects, and prevents red flags (patterns and practices that indicate the possible existence of identity theft), and that remediates any problems that are identified.
Most call centers are not going to be on the front lines of compliance . . . but you know it can't be that easy, right? (If it were, I wouldn't be writing this article!) Where it gets interesting for call centers is the extension of these rules to "service providers." A service provider is an entity that provides service directly to a financial institution or creditor (which would, among many other types of entities, include call centers) where "covered accounts" are in play. Financial institutions and creditors are on the hook, under the Red Flags rules, to "exercise appropriate and effective oversight of service provider arrangements" - in other words, financial institutions and creditors must provide for the detection, prevention, and mitigation of identity theft even where an activity is outsourced to a service provider.
Bottom line - if you are a call center (or in fact any type of service provider) providing services to entities covered by the Red Flags rules, expect to be hearing soon (if you haven't already) from your clients. Your clients are going to be asking you, in effect if not outright, to implement your OWN Red Flags program to identify, prevent and mitigate instances of Red Flags, and to have a system in place to report such instances back to the client.
What you're probably going to need is: a written procedure to handle Red Flags; a means to disseminate your clients' Red Flags Program(s) to your employees, so that they understand the nature of what it is they should be on the lookout for; a "Red Flags Officer" whose job it is to coordinate the reporting of such instances and to handle escalation of them as appropriate; and a training program specifically geared to instructing your employees about their duties with regard to Red Flag identification and reporting.