Applicability of the Red Flags Rule for private clubs
ECLUB NEWS
Recently, a private club inquired about whether it was required to abide by the Federal Trade Commission’s Red Flags Rule. While McGladrey has published information on this before, it seemed worth sharing the white paper below produced by the National Club Association.
FTC’s “Red Flags” Rule
Since 2007, the NCA has periodically sent alerts to its members regarding the Federal Trade Commission’s (FTC) new rule to help protect against identity theft—the Red Flags Rule. As you may recall, the FTC has delayed enforcement of this rule, while Congress worked out legislation providing relief from the rule’s requirements for some small businesses, including private clubs.
On Dec. 7, 2010, the House of Representatives passed such legislation, the Red Flag Program Clarification Act of 2010, which the Senate had passed on Nov. 30, and the bill was presented to President Obama for his signature (he signed it on Dec. 18, 2010). This legislation narrows the definition of “creditor” for purposes of the Red Flags Rule, and in doing so exempts most private clubs.
Under the Red Flags Rule, a creditor is defined as any individual or business that regularly allows someone to defer payment of a debt or to purchase goods or services and defer payment. Naturally, most private clubs fall into this definition, because they allow these simple credit transactions to take place. Thus, prior to the enactment of this new law, clubs were required to comply with the mandates of the Red Flags Rule.
Thankfully, the Red Flag Program Clarification Act changes this by redefining “creditor.” Under the new law, a creditor is still an entity that regularly allows someone to defer payment of a debt, or to purchase goods or services and pay for them at a later date, but it must also, regularly and in the ordinary course of business, do at least one of the following:
- Obtain or use consumer (credit) reports, directly or indirectly, in connection with a credit transaction
- Furnish information to consumer reporting agencies in connection with a credit transaction, or
- Advance funds to or on behalf of a person based on that person’s obligation to repay them (advances for expenses incidental to a service the club itself provides, such as letting a member run a tab, do not count).
Therefore, a private club is not a creditor, and will not have to comply with the Red Flags Rule, as long as it does not obtain credit reports on its members or prospective members, does not pass on information about its members’ payment history to credit reporting agencies, and does not advance funds to members in a way that is not incidental to the club’s own services (a member loan, for example).
Though this change provides many clubs with relief from the Red Flags Rule (and from creating the written Identity Theft Prevention Program (ITPP) the rule requires), some clubs may not wish to forgo use of credit reports during their membership application process. If that is the case, those clubs may still use those reports, but they will need to comply with the rule and have their ITPP in place.
For such clubs, the FTC has created a do-it-yourself guide for low-risk entities to use. This easy-to-understand guide may be found at www.ftc.gov/redflagsrule, and it gives clubs a specific form to follow to create an ITPP. The FTC has stated that an appropriate ITPP for low-risk entities might consist of a plan that requires checking photo identification of a member or having a member provide a password at the time services are provided, and having a response plan in place if there is some notification that a member’s identity has been compromised.
The Red Flags Rule requires that your initial ITPP be approved by your board, and that there should be one senior staff person given the responsibility of running the plan. That employee should report to the board at least once a year on the effectiveness of the program, and provide suggested changes to update its ability to detect red flags.
Since most clubs contract with their club pros, the rule also requires you to oversee any service provider that handles member accounts or charges on your behalf, so that it follows reasonable procedures to detect, prevent and mitigate identity theft. To make sure of this, you may want to add the requirement to the provider’s contract, or provide it a copy of your ITPP and require it to follow that program.
While the FTC has delayed enforcement of the Red Flags Rule for more than three years, those delays are over now that the Red Flag Program Clarification Act has passed. Those clubs that choose not to avail themselves of the exemption must create their ITPP.
For those clubs that feel comfortable ceasing their use of credit reports or consumer reporting agencies, and for those clubs that have never used or will never use them, this new law means the Red Flags Rule and its ITPP requirement will no longer be a concern. For most private clubs, that is a very good thing.
If your club must comply with the FTC’s Red Flags Rule:
The good news is that complying with the rule should not be complicated, because the risk of someone using your members’ information to purchase goods and services from the club is relatively low. To borrow from the movie Fletch, most clubs do not have problems with folks charging things to the “Underhills’ bill.”
Though the risks may be low, there are requirements that must be followed to comply with the new rule. To satisfy the FTC’s Red Flags Rule, clubs must develop and implement a written Identity Theft Prevention Program. The ITPP must be designed to detect, prevent and mitigate identity theft. The FTC has established the following steps to follow when creating your ITPP:
- Identify the red flags of identity theft you are likely to come across in your club.
- Set up procedures to detect those red flags in your day-to-day operations.
- Respond appropriately to prevent and mitigate any harm that could emerge should you detect identity theft.
- Establish a process to periodically update your ITPP to ensure your club keeps up with technological changes that could facilitate identity theft.
To assist you in identifying red flags, the FTC has established 26 examples of red flags, and it has broken them down into five categories – not all of these examples or categories will apply to your club. These five categories are not an exhaustive list, but they will help you think about what your club should be looking for when transactions are being made. The five categories are:
- Alerts, notifications and warnings from a credit reporting agency
- Suspicious documents given when an account is being opened
- Suspicious personal identifying information
- Suspicious account activity (probably the most important one for clubs)
- Notices from other sources
Once you have identified the red flags, you need to ensure your staff will notice them if and when they occur. To help your staff detect these red flags, the FTC suggests that you implement identity verification and authentication methods to stop damage before it is done. Your ITPP might include a plan to monitor club members’ transactions, or it might require PINs, passwords or other means of confirming that the person making the charge is authorized to do so.
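As an added illustration of what “monitoring club members’ transactions” for suspicious account activity can look like in practice, the following is a small screening routine run over a constructed afternoon of charge records. This is not code from the NCA white paper or the FTC: the record layout, the account-status values (“active,” “closed,” “compromised”), the PIN-failure thresholds and the sample charges are all assumptions made for this example.

```python
"""Red-flag screening over club charge records (added example).

Not code from the NCA white paper or the FTC. The record layout, account
statuses, thresholds and sample data below are assumptions for illustration;
a club would adapt them to its own point-of-sale records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Charge:
    member_id: str
    outlet: str          # where the charge was rung up, e.g. "pro-shop"
    amount: float
    when: datetime
    pin_ok: bool         # True if the PIN presented at the register matched


# Assumed thresholds (not FTC figures); a club would tune these.
PIN_FAILURE_LIMIT = 3
PIN_WINDOW = timedelta(minutes=30)


def screen(charges, accounts):
    """Return (member_id, flag, detail) tuples for activity matching a red flag.

    `accounts` maps member_id -> status: "active", "closed", or "compromised"
    (the member, or another source, has told the club of identity theft).
    """
    flags = []
    by_member = {}
    for c in sorted(charges, key=lambda c: c.when):
        by_member.setdefault(c.member_id, []).append(c)

    for mid, recs in by_member.items():
        status = accounts.get(mid)
        # Suspicious account: charges against a member number not on file.
        if status is None:
            flags.append((mid, "unknown-account",
                          f"{len(recs)} charge(s) on an account not on file"))
            continue
        # Notice from the member or another source: any further charge is a red flag.
        if status in ("closed", "compromised"):
            for c in recs:
                flags.append((mid, f"charge-on-{status}-account",
                              f"{c.outlet} {c.amount:.2f} at {c.when:%H:%M}"))
        # Suspicious account activity: repeated PIN failures inside a window, and
        # a charge that goes through right after them (a guessed PIN).
        failures = []
        for c in recs:
            failures = [t for t in failures if c.when - t <= PIN_WINDOW]
            if not c.pin_ok:
                failures.append(c.when)
                if len(failures) == PIN_FAILURE_LIMIT:
                    flags.append((mid, "repeated-pin-failures",
                                  f"{len(failures)} failures ending {c.when:%H:%M}"))
            elif len(failures) >= PIN_FAILURE_LIMIT:
                flags.append((mid, "charge-after-pin-failures",
                              f"{c.outlet} {c.amount:.2f} at {c.when:%H:%M}"))
    return flags


# Constructed sample data for one afternoon (not real club records).
T = datetime(2010, 12, 20, 12, 0)
SAMPLE_ACCOUNTS = {"M100": "active", "M200": "active", "M300": "compromised"}
SAMPLE_CHARGES = [
    Charge("M100", "grill", 24.50, T, True),                            # ordinary lunch
    Charge("M200", "pro-shop", 0.00, T + timedelta(minutes=1), False),  # failed PIN
    Charge("M200", "pro-shop", 0.00, T + timedelta(minutes=2), False),
    Charge("M200", "pro-shop", 0.00, T + timedelta(minutes=3), False),
    Charge("M200", "pro-shop", 389.00, T + timedelta(minutes=4), True), # then it goes through
    Charge("M300", "bar", 18.00, T + timedelta(minutes=40), True),      # member reported theft
    Charge("M999", "grill", 31.00, T + timedelta(minutes=50), True),    # number not on file
]


def sample_flags():
    """Screen the constructed sample; returns four flags (M200 twice, M300, M999)."""
    return screen(SAMPLE_CHARGES, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for mid, flag, detail in sample_flags():
        print(f"{mid}: {flag} ({detail})")
```

Each flag maps back to one of the FTC’s categories: the unknown member number and the PIN pattern are “suspicious account activity,” and the charge on a compromised account is a “notice from the member or another source.” The response side of the program (contacting the member, resetting the PIN, closing the account) is what the club does with the list this produces.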
Should you find that a red flag has been raised, your club will need to prevent and mitigate the damage for your member and your club’s bottom line. The FTC suggests that appropriate responses would include:
- Contacting the member about the red flag activity
- Changing passwords, PINs or other means used to verify identity
- Closing the account and reopening it under a different number
- Not opening a new account at all
- Notifying law enforcement
Finally, the FTC requires that an ITPP be periodically reviewed to respond to new and emerging identity theft methods. While this does not require that your club be outfitted with high-tech identity theft prevention devices, it does mean that you will need to keep current with identity theft risks and the techniques identity thieves are using.
The Red Flags Rule requires that your initial ITPP be approved by your board or an appropriate committee of the board, and that there should be one senior staffer given the responsibility of running the ITPP. That staffer should report to the board at least once a year on the effectiveness of the program, and provide suggested changes to the program to update its ability to detect red flags.
Since most clubs contract with their club pros, the rule also requires you to oversee any service provider that handles member accounts or charges on your behalf, so that it follows reasonable procedures to detect, prevent and mitigate identity theft. To make sure of this, you may want to add the requirement to the provider’s contract, or provide it a copy of your ITPP and require it to follow that program.
In addition, the rule does not require that you retrain all of your staff, but it does require that the relevant staff obtain training as necessary. As such, a staffer who has already been trained in fraud prevention may not need to be retrained. Of course, many others on your staff may deal with members’ accounts, and they should all be able to recognize the red flags and know how to respond.
Without doubt, most of you know all of your members and you know whether they are truly the ones buying from your club. So, this rule may seem a bit like overkill; however, the FTC’s Red Flags Rule will simply ensure that there is another level of protection between your members (and you) and identity thieves.
Should you have any questions regarding this new rule, the FTC has very helpful resources that can be found at www.ftc.gov/redflagsrule. The site has links to make the process simple to complete. And, of course, please feel free to contact NCA’s Vice President of Government Relations and General Counsel, Brad D. Steele, at firstname.lastname@example.org, or at 800.625.6221, with any other questions or concerns.
Reprinted with permission from the National Club Association. For more information, visit www.nationalclub.org.