As the Nov. 1 compliance deadline approaches for the government's Red Flag rules for identifying suspicious financial activity, some ISOs remain unsure about their responsibility, and others appear entirely unaware of the regulation, according to observers.
ISOs have arrived at varying conclusions regarding Red Flag requirements, with some working to comply and others forgoing compliance. Reactions have differed because the government's Red Flag rules fail to specify ISOs' responsibilities, if any, to comply, according to observers.
"There is really some confusion on where this industry fits into" the Red Flag rules, says Don Smith, CEO and president of IMS Inc., a Westmont, Ill.-based ISO. "I don't think it's been clearly defined."
Failing to comply could trigger penalties, including fees. But if the rules do not require ISOs to comply, ISOs would be taking time away from profitable ventures, such as selling, by focusing on the regulation.
Under the rules, financial institutions and creditors with covered accounts must monitor and act upon specific "red flags" spelled out in the regulation: when consumers provide suspicious identification, for example, or when retailers note suspicious spending activity by a customer on merchandise that could be resold for cash.
The Federal Trade Commission defines "creditor" as any entity that extends, renews or continues credit, such as an automobile dealership. The commission defines a covered account as one used for personal, family or household purposes and that involves multiple payments or transactions, such as credit card accounts, mortgage loans, utility accounts and cellular-phone accounts.
The FTC, the federal bank regulatory agencies and the National Credit Union Administration passed the Red Flag rules as part of the Fair and Accurate Credit Transactions Act in 2003. The regulation went into effect Jan. 1, and the agencies require full compliance starting Nov. 1.
Though the regulation applies specifically to financial institutions and creditors that work with covered accounts, ISOs may be affected.
IMS is taking "steps to make sure we are compliant in any case," says Smith.
The rules can require ISOs to comply in situations where they extend credit immediately for transactions, he says. "If you are a retail ISO, the onus is on the bank. If you sell on behalf of other organizations, it's another scenario," says Smith. "In my world, I have 100% liability."
Not every ISO, however, has the same interpretation.
ISOs do not need to comply with the Red Flag rules, says Mike Wiener, president of Advanced Merchant Group, a Warminster, Pa.-based ISO. "The red flags rules don't apply to us as an ISO," he says. "We're not aware that we have any obligations."
The Red Flag rules will have no effect on ISOs, agrees David Goch, legal counsel for the Electronic Transactions Association and a partner in the law firm Webster, Chamberlain & Bean, both of which are based in Washington, D.C. "Traditionally, this is a topic primarily affecting issuers since they're the only ones in the payment chain who actually can see suspicious activity on an individual consumer's account," Goch says.
However, some argue ISOs need to comply, says Barrie VanBrackle, a partner with Los Angeles-based law firm Manatt, Phelps & Phillips LLP. ISO agreements with financial institutions typically require ISOs to comply with any laws applicable to the institutions, she says.
The FTC did not respond to requests for comment or clarification regarding ISOs' compliance responsibility by ISO&Agent Weekly's deadline.
VanBrackle suggests ISOs consult with their business partners to determine if they are exempt from the regulation. Smith agrees: "Dig into it yourself and go to your bank, your sponsoring bank," he says.
Many Will Miss Deadline
Many organizations that must comply with the rules will not meet the Nov. 1 deadline, according to observers.
Fewer than 50% of financial institutions and creditors that must comply with the government's Red Flag rules will meet the Nov. 1 deadline, says Robert Shavell, director of identity compliance at Identity Force, a Framingham, Mass.-based provider of identity-theft protection services. Between 75% and 80% of affected institutions will comply by the end of 2009, he says.
"A lot of people just don't know the first things about these regulations," says Shavell. "In conversation after conversation in this industry, it has become apparent that [the regulation] hasn't risen to the top of mind."
Many of the organizations that must comply will not meet the government's deadline, agrees Sai Huda, CEO of Compliance Coach Inc., a San Diego-based provider of regulation-compliance products. "Lots of entities must come into compliance [with the Red Flag rules], and many aren't aware of it," Huda says.
Most large companies have started Red Flag-compliance efforts and likely will come into compliance by the deadline, says Huda. "Most of the ones that are behind are small to mid-size businesses," he says. "They're not realizing the extent of the requirements." The majority of the roughly 2 million entities that must comply are creditors and not financial institutions, says Huda.
All affected institutions should write programs to address the Red Flags, says Mark Steinhoff, the national financial services lead in security and privacy services for Deloitte & Touche LLP, a New York-based financial-services firm. "The impetus for the guidance is raising the bar for identity theft and resulting fraud," says Steinhoff. The government agencies are "looking for organizations to take a closer look at some of these detailed Red Flags," he says.
FTC Leniency Unlikely
The FTC has no plans to grant leniency to financial institutions and creditors that fail to meet the Nov. 1 deadline to comply with the government's Red Flag rules, according to an agency spokesperson. "Random checks are not planned, but businesses should be aware that when instances of possible noncompliance are reported to the FTC, the commission will investigate," says the spokesperson, who declined to predict how many institutions and creditors may not meet the deadline.
When the FTC learns of noncompliant organizations, it will investigate and take law-enforcement action if necessary, which generally "takes the form of a formal complaint" and could be followed by "a settlement or a court order," says the FTC spokesperson. "A violator could be subject to injunctive relief and, for knowing violations of the rule, they can be subject to civil penalties of up to $2,500 per violation," the spokesperson says.










