PPA's Guide to the Federal Trade Commission Red Flag Rules
In 2003 the Fair and Accurate Credit Transactions Act was signed into law. This law directed the Federal Trade Commission (FTC), the National Credit Union Administration (NCUA) and other federal bank regulatory organizations to develop a set of regulations that prevent and protect against identity theft.
The regulations, called “Red Flags Rules,” issued by these groups apply to financial institutions and creditors. It tasks businesses falling into these categories with the development and implementation of a written identify theft plan. While these rules became effective January 1, 2008, they did not apply to small businesses until August 1, 2009.
PPA has created this guide to help you determine if your studio must comply with these laws. If you must comply with the Red Flags Rules, the FTC requires you to create and implement your identity theft plan before November 1, 2009.
Before you can determine if these regulations apply to your studio, you need to know some basic vocabulary used by the FTC:
Creditor – Any entity (including some photography studios) that “regularly extends, renews or continues” the ability to “defer payment of debt; incur debt and defer its payment; or purchase property or services and defer payment.” Accepting credit card payments does not make you a creditor in this sense.
Covered Account – There are two definitions of a covered account. As it applies to photographers and photography studios, it is an account offered to consumers for personal or household services, or designed to allow multiple payments or transactions.
Red Flags – This term refers to patterns, practices and activities that lead to or have resulted in identity theft.
Now that you know some of the key words and phrases that apply to these regulations, you have the tools you need to establish whether or not you or your studio can comply.
Am I a creditor?
Unfortunately, the wide-ranging definition of creditor means the majority of wedding and event photographers will have to comply with these rules—as will a significant percentage of portrait photographers. Here’s why:
- Photographers who allow installment payments on packages—even if the package is paid in full prior to any shooting being done—will be subject to these rules.
- Photographers who routinely allow clients to receive their products and pay later; or who book a series of sessions (i.e., baby plans) and allow the package to be paid in installments will also have to comply.
Despite the wide scope of photographers who fall into the creditor category, there are always exceptions to the rule. You will not need to follow the Red Flags Rules if you are a photographer who:
- Collects a sitting or session fee at or prior to the time of the initial session and requires full payment for any prints or packages before delivery.
- Charges nothing for the session and rolls all costs into print packages/pricing which is payable in full before delivery of the work.
- Does not do work for individual or family purposes.
Creating an Identify Theft Prevention Program
If you are a photographer who must create a compliance policy, the good news is that the FTC has developed a Do-it-Yourself Prevention Program. This online tool enables you to organize your written policy, and it is designed specifically for businesses that are at low risk of experiencing identity theft issues. You can access this tool by clicking on the “Create Your Program” link on the FTC site.
To be compliant, your program should include the following information:
- The types of red flags you might encounter in the course of business.
- Process and procedures used to identify the red flags.
- Actions you will take to prevent the red flags you have identified and address them should they occur. (This includes training employees to follow the program you establish.)
- Steps for re-evaluating your program to ensure it meet current needs.
Pulling this information together into a single document might seem daunting. In actuality, it is just a matter of thinking about what type of information you collect from clients and how you interact with them. Asking yourself some of the following questions should help you when drafting your prevention program:
- Do I accept payment by credit card and/or check?
- Do I verify my client’s identity when accepting payment?
- How do I verify my client’s identity?
- What do I (or would I) do if presented with a stolen credit card?
- What do I (or would I) do if presented with a stolen check?
- How do I secure my client’s personal and financial information?
- How many people at my studio have access to client information?
- How many people at my studio are authorized to accept payments?
Once you have completed your Identity Theft Prevention Program, keep it on file. Make sure you mark your calendar to periodically review the program to ensure you are complying with the ground rules you have established. Remember that you are also required to re-evaluate the program from time to time to ensure it correctly addresses the red flags that might present themselves. Consider doing this at the same time of year you revisit other studio information like contracts and pricing.