Identity theft is big business that carries hefty associated costs. For instance, studies have estimated that businesses worldwide lose approximately $221 billion annually due to identity theft. Other studies pegged the cost in the U.S. from fraud associated with identity theft at $31 billion in 2009. During 2008, there were an estimated 10 million victims of identity theft in the U.S. As perpetrators of identity theft (including the likes of rogue nations, international organized crime syndicates, terrorist organizations and money launders) continue to “profit” from illicit activities, businesses must guard against identity theft. Casinos, as businesses that are cash intensive and that frequently extend credit to customers, are acutely aware of the nefarious intentions connected to suspicious activities.
Against this backdrop, Congress enacted the Fair and Accurate Credit Transactions Act of 2003 (FACT). The FACT Act mandates that the Federal Trade Commission (FTC), in conjunction with a host of other federal agencies with regulatory oversight of financial institutions, develop rules obligating “financial institutions” and “creditors” to establish procedures to identify, detect and respond to attempts to use stolen identity information. The FTC and other federal agencies responded by promulgating the so-called “Red Flags Rule.”
The final Red Flags Rule was published in the Federal Register on Nov. 9, 2007. The rule was originally to become effective on Nov. 1, 2008. The FTC, however, has delayed enforcement of the Red Flags Rule in large part due to pressure from industry groups and members of Congress. Mandatory compliance was first extended to Nov. 1, 2009 and has subsequently been extended to June 1, 2010. In late May 2010, the FTC granted another reprieve at the behest of several members of Congress, delaying compliance until Dec. 31, 2010. The most recent delay has ostensibly been characterized to allow Congress the opportunity to further study the scope of entities covered by the Red Flags Rule and consider granting industry-wide exemptions.
Casinos are primarily cash businesses that also provide credit to certain customers. Casinos already have reporting obligations and procedures in place to combat suspicious activities. Not only is there an existing layer of U.S. federal reporting and withholding requirements with respect to transactions exceeding certain dollar thresholds and suspicious activities, but most casinos have also adopted minimum internal control procedures to battle these undesirable activities. From a best practices perspective, casinos have an incentive to guard against the risk of unsavory characters using stolen identities to fraudulently obtain money or data.
The Red Flags Rule has received considerable attention from certain industry segments, particularly the professional services industries. The reason for the intense scrutiny from the political powerful professional service associations, such as the American Bar Association and American Medical Association, is due to the broad scope of entities that may be required to comply with the Red Flags Rule. The standard that causes a business to be covered by the Red Flags Rule is essentially whether the business sends invoices to customers. Thus, casinos that extend credit to customers may need to comply with the Red Flags Rule. Casinos may not be alone; other gaming industry businesses, such as suppliers, that regularly offer deferred payment terms or send invoices may also fall within the broad reach of the Red Flags Rule.
The Red Flags Rule
Identifying who must comply with the Red Flags Rule starts with an examination of the operative language of the rule: “Each financial institution or creditor that offers or maintains one or more covered account must develop and implement a written Identity Theft Prevention Program.” Hence, the analysis turns on whether a casino qualifies as a “creditor” that offers or maintains “covered accounts.” “Creditor” is broadly defined in the Red Flags Rule. Through an exercise of examining definitions found in other statutory provisions, for purposes of the Red Flags Rule, a “creditor” is any entity that allows customers to defer payment. Accordingly, the FTC has generally observed that a business that sends an invoice is in all likelihood subject to the Red Flags Rule.
Maintaining one or more “covered accounts” is the second criteria relegating businesses to comply with the Red Flags Rule. The rule creates two types of accounts that qualify as covered accounts. First, any account that has a continuing relationship to obtain a product or service for personal, family, household or business purposes. Second, a covered account encompasses any other account for which there is a reasonably foreseeable risk to customers for identity theft. In other words, entities must examine if there is a risk of identity theft to assess whether an account falls within the second category of covered accounts. Thus, the Red Flags Rule paints a broad stroke with regard to the entities that are covered by the regulations.
What is a business obligated to do to comply with the Red Flags Rule? Compliance requires casinos to develop and implement a written “Identity Theft Prevention Program.” The Red Flags Rule identifies several components that are mandated with respect to the development of such a program. These components include the general contours with respect to the content, the procedures for adoption, supervising implementation and periodic review of the effectiveness. At one level, the Red Flags Rules are business-friendly because the regulations do not prescribe definitive content or activities that must be undertaken to identify and prevent identity theft. At the same time, for many businesses, the lack of clear direction can be exceedingly frustrating. The Red Flags Rule identifies 26 potential red flags of identity theft that businesses may wish to consider. At the end of the day, however, businesses will bear the burden of establishing that their program is “reasonable” in order to avoid potential civil sanctions.
The Red Flags Rule is exceptional for federal standards in that the rule requires the board of directors (or equivalent management body) to initially approve the prevention program. Moreover, the rule mandates that the board of directors, or senior management personnel, remain involved in the development, implementation and administration of the program. The rule also requires that the covered businesses train staff as is necessary to implement the program. The rule further contemplates that the board of directors will receive an annual report concerning compliance with identifying red flags of identity theft. Finally, businesses must periodically review and update their program to ensure that it is tailored to identify identity theft threats specific to the particular business. Thus, the Red Flags Rule contemplates active involvement of the entity’s governing body and senior management.
Failure to comply with the Red Flags Rule is not a crime. Nor does the Red Flags Rule create a private cause of action, which would enable private individuals to file lawsuits for purported violations of the regulations. Rather, the FTC has jurisdiction to seek civil remedies for violating the Red Flags Rule. The civil penalties within the power of the FTC include seeking an injunction to prevent violations and seeking civil monetary penalties of up to $3,500 per violation.
Practical Application
Casinos that extend credit are likely to fall within the purview of the Red Flags Rules as a result of the expansive definition of “creditor.” Similarly, gaming equipment and other casino suppliers that send invoices could also be subject to the Red Flags Rule. Therefore, a practical question is presented relative to what are best practices that businesses can adopt to comply with the Red Flags Rule.
Best practices ultimately will require a business subject to the Red Flags Rule to develop a compliance program. The following steps may be considered when developing best practices to comply with the Red Flags Rule:
1. Identify the types and quantity of “covered accounts” maintained by the business. Recall that there are two wide categories of “covered accounts:” first, continuing relationship accounts; and, second, accounts susceptible to a foreseeable risk of identity theft. Gaining an understanding of the scope of covered accounts within a particular business can assist in assessing the associated red flags, if any.
2. Assess the types of red flags that are likely to arise in your business. The Red Flags Rule identifies 26 potential red flags, which can be used as a guide for assessing the types of red flags that may arise in a particular business. It may be also be beneficial to examine any past incidences of identity theft with a specific business. Identifying the types of red flags you may experience in your business will assist in developing the contours of a protection program.
3. Develop and implement a program to detect red flags. Again, the Red Flags Rule does not describe a “safe harbor” program. Rather, developing a compliant program is based on the experiences of your particular business. For example, casino operators in the same vicinity may have diametrically differing identity theft experiences and, hence, have the need to develop programs with vastly different contours. Implementing a program may involve staff training in order to develop skills to spot identity theft threats. Furthermore, implementing a program entails responding to incidences of identity theft, which could range from notifying customers to contacting law enforcement.
4. Maintaining a process and updating the protection program. One of the more onerous aspects of the Red Flags Rule is the mandate that the governing board of a business entity receive annual reports and a continuing obligation to update the program as circumstances change. Effectively, the Red Flags Rule requires active involvement by senior management and governing board interaction.
Final Thoughts
The Red Flags Rule has not been the focus of considerable discussion by casinos and other gaming businesses. Compliance with the Red Flags Rule was scheduled to become mandatory on June 1, 2010. The FTC, however, on May 28, 2010—three days before the rule was to become effective—offered a six-month reprieve, until Dec. 31, 2010. While Congress may modify the Red Flags Rule to grant industry-wide exemptions, casinos and gaming businesses should nonetheless be proactive and start assessing risks of identity theft. Assessing risks of identity theft operates as a good business practice and, furthermore, may serve as an outline to develop a protection program if, and when, compliance with the Red Flags Rule becomes mandatory.