Non-profits and the Red Flags Rules for Credit Cards

Non-profit organizations that accept credit cards as payments for services or registrations have been inquiring as to whether or not the Red Flag Rules to protect credit card users apply to them.

The Red Flags Rules – created by the Federal Trade Commission, were originally intended to go into effect November 1, 2008. The enforcement has been delayed until June 1, 2010.  The Rules are designed to push creditors and financial institutions to protect consumers from identity theft by instituting written procedures and policies that would address consumer credit card vulnerabilities. The Red Flags are warning signs that indicate suspicious activity that if identified in advance and addressed could reduce the risks of identity theft.

Do the Red Flag Rules apply to non-profit organizations? Yes – BUT – only if that organization fits the definition of a creditor or is functioning like a financial institution.

Per the FTC FAQS page:

“Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later.4Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing or collect or process credit applications for third party lenders. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector who regularly renegotiates the terms of a debt would be a creditor under the Rule.”

…The definition of “financial institution” includes businesses that have accounts a customer can use to make payments or transfers to third parties.  For example, a university may hold student funds in an account and give students a card they can use to make purchases at local stores.  This type of arrangement would make the university a financial institution under the Rule.  If you provide government benefits or administer flexible spending accounts and give your customers a debit card to access benefits, you would be considered a financial institution.”

Essentially – if you keep customer accounts open that get charged regularly then these rules may apply to you. You have regular access to information that is vulnerable to identity theft.  If you accept credit cards for one-time payments for books, registration, or member renewals, for example, then you don’t fit the definition of a creditor and you don’t need to set up an official policy, however, protecting your clientele is always a value-added activity and something to keep in mind when designing your controls.

For Frequently Asked Questions on the Red Flag Rules, see: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm

For plain English translations of the Red Flags Rules, warning signs, and how to set up identity theft protection procedures, check out the brochure posted by the FTC at: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

For more technical resources: http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf

http://www.examiner.com/x-9215-Identity-Theft-Examiner~y2009m7d29-FTC-delays-Red-Flags-Rule-enforcementagain