Title: FACTA'S RED FLAG RULES Unraveling the mystery and brief overview of HCRA and surcharges
1 FACTA'S RED FLAG RULES: Unraveling the mystery
and brief overview of HCRA and surcharges
- Brian S. Strohl, JD and MPA
- Overton, Russell, Doerr and Donovan, LLP
2 Today's Roadmap
- Understanding the Red Flag Rules
- Brief Facts Regarding Identity Theft
- How Identity Theft Occurs according to Federal
Trade Commission
- Who Should Comply
- What Elements Should be Included in a Program
- What is a Red Flag
- What is Required in a Program
- Suspicious Documents and Suspicious Activity
- Response to Program
- Enforcement
- New York State Health Care Reform Act
3 Background
- The Fair and Accurate Credit Transaction Act of
2003 (FACTA) added new sections to the federal
Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681
et seq.), intended primarily to help consumers
fight the growing crime of identity theft.
Accuracy, privacy, limits on information sharing,
and new consumer rights to disclosure are
included in FACTA.
- Free credit reports
- The standard advice was to request a copy of your
credit report once a year from each of the three
national credit bureaus: Experian, TransUnion,
and Equifax.
- Congress recognized the benefits of
self-monitoring. It adopted a new rule that
allows you a free copy of your credit report
annually from each of the "big three."
4 Background
- Fraud Alerts and Active Duty Alerts
- If you are the victim of identity theft, FACTA
gives you the right to contact a credit reporting
agency to flag your account. To place a fraud
alert, you must provide proof of your identity to
the credit bureau.
- The fraud alert is initially effective for 90
days, but may be extended at your request for
seven years when you provide a police report to
the credit bureaus that indicates you are a
victim of identity theft.
- FACTA creates a new kind of alert, an active duty
alert, that allows active duty military personnel
to place a notation on their credit report as a
way to alert potential creditors to possible
fraud.
- While on duty outside the country, military
members are particularly vulnerable to identity
theft and lack the means to monitor credit
activity.
- An active duty alert is maintained in the file
for at least 12 months.
5 Background
- Fraud Alerts and Active Duty Alerts
- If a fraud alert or active duty alert is placed
on your credit report, any business that is asked
to extend credit to you must contact you at a
telephone number you provide or take other
"reasonable steps" to see that the credit
application was not made by an identity thief.
- FACTA gives you the right to a free copy of your
credit report when you place a fraud alert. With
the extended alert (seven years), you are
entitled to two free copies of your report during
the 12-month period after you place the alert.
6 Background
- Truncation: Credit Cards, Debit Cards, Social
Security Numbers
- Credit card receipts that include full account
numbers and expiration dates are a gold mine for
identity thieves.
- FACTA sets a national standard requiring
truncation of credit card information.
- FACTA says credit and debit card receipts may not
include more than the last five digits of the
card number.
- Nor may the card's expiration date be printed on
the cardholder's receipt.
- Collection agencies
- Under FACTA, if you are contacted by a collection
agency about a debt that resulted from the theft
of your identity, the collector must so inform
the creditor.
7 Background
- Red Flag Rules
- In adopting FACTA, Congress recognized that
consumers are helpless to prevent identity theft
if businesses ignore the events that signal a
potential fraud.
- Thus, FACTA incorporates several provisions that
require financial institutions, creditors, and
other businesses that rely on consumer reports to
detect and resolve fraud by identity theft.
- Consumer advocates have long pointed out that
consumers can only go so far in protecting
against identity theft, and that much of the
problem lies with lax procedures of credit
issuers and other companies that use information
from credit reports.
- A climate of easy credit has made some creditors
far too willing to accept a change of address, a
request for a replacement credit card, or
reactivation of a dormant account.
8 Background
- Red Flag Rules
- The so-called red flags and related sections of
FACTA include:
- Red Flag Guidelines and requirements for credit
and debit card issuers to assess the validity of
a change of address request (FACTA 114, FCRA
615(e)).
- Procedures to reconcile different consumer
addresses (FACTA 315, FCRA 605(h)(2)).
9 Understanding the Red Flag Rules
- Pursuant to regulations promulgated by the
Federal Trade Commission and other federal
agencies, financial institutions and creditors
will be required to create an Identity Theft
Prevention Program to detect, prevent, and
mitigate identity theft with respect to the
opening of certain accounts or certain existing
accounts.
- These regulations, often called the Red Flag
Rules, became effective January 1, 2008, and
mandatory compliance is required by November 1,
2008.
- Financial institutions and creditors will be
required to create an identity theft prevention
program by Nov. 1, 2008, under the Red Flag Rules
created by a group of federal regulatory
agencies, including the Federal Trade Commission,
to protect consumers and businesses from the
threat of identity theft.
10 Understanding the Red Flag Rules
- Although the Federal Trade Commission announced
in October 2008 that it will delay enforcement of
the regulations for qualifying entities until May
1, 2009, it is important for financial
institutions and creditors to learn not only what
is considered a red flag, but also the elements
that should be put in place to create an identity
theft prevention program.
11 Understanding the Red Flag Rules: Facts Regarding
Identity Theft
- More than 10 million Americans are victims of
identity theft each year.
- Total financial losses due to identity theft are
estimated to be about $50 billion every year.
- Source: Federal Trade Commission
12 Understanding the Red Flag Rules: Facts Regarding
Identity Theft
- The Federal Trade Commission received 258,427
complaints of identity theft in 2007, 32% of the
total complaints the FTC received, 4 times the
complaints in the next highest category.
- Victims spent an average of $550 in 2007 for
damage to existing accounts.
- When identity thieves opened new accounts 8
accounts, victims spent an average of $1,865.
- Source: Federal Trade Commission
13 Understanding the Red Flag Rules: Facts Regarding
Identity Theft: How??
- By stealing purses and wallets.
- By stealing checks or credit card information out
of the mail
- By completing a "change of address form" to
divert mail to another location
- By abusing their employer's authorized access to
customer or employee information
- By getting a credit report by abusing their
employer's authorized access to it, by posing as
a landlord, employer, or someone else who may
have the right to the report
- By rummaging through the trash of businesses, or
public trash dumps, a practice known as "dumpster
diving."
14 Understanding the Red Flag Rules: Facts Regarding
Identity Theft: How??
- By bribing an employee who has access to records
- By conning information out of employees
- By stealing credit or debit card numbers
  - by capturing the information in a data storage
  device in a practice known as "skimming"
  - during an actual purchase, or
  - by attaching a device to an ATM machine
- By stealing personal information by breaking into
homes
- By posing as legitimate companies and claiming
that victims have problems with their accounts.
- This practice is known as "phishing" when it's
done online, typically via email, or pretexting
when it's done by phone.
- Source: Federal Trade Commission
15 Understanding the Red Flag Rules
- The purpose of an identity theft prevention
program is to detect, prevent and mitigate
identity theft linked to the opening and
maintaining of certain covered accounts.
- The Fair Credit Reporting Act (FCRA) defines a
covered account as one created for personal,
family or household purposes that allows multiple
payments, or for which there is a reasonable,
foreseeable risk of identity theft occurring.
16 Understanding the Red Flag Rules
- When implementing an identity theft prevention
program, it's important to be aware of what
constitutes identity theft and identifying
information.
- Identity theft is fraud committed or attempted
using the identifying information of another
person without that person's authority.
- Identifying information includes:
  - A person's first name, last name, Social Security
  number, date of birth, driver's license number,
  passport number and/or tax payer identification
  number.
  - A person's biometric data: finger prints, retina
  scans, etc.
  - A person's credit card number, routing number or
  cell phone number.
17 Understanding the Red Flag Rules: Who Should
Comply?
- The Red Flag Rules require financial institutions
and creditors to develop an identity theft
prevention program.
- According to the Fair Credit Reporting Act
(FCRA), a creditor is:
  - an entity that regularly extends, renews or
  continues credit
  - any entity that regularly arranges for the
  extension, renewal or continuation of credit
  - or any assignee of an original creditor that
  participates in the decision to extend, renew or
  continue credit.
- The Red Flag Rules apply to financial
institutions and creditors who offer or maintain
one or more covered accounts, and specifically
mandate these entities create and implement a
Program.
18 Understanding the Red Flag Rules: Who Should
Comply?
- The rules also require creditors and financial
institutions to exercise appropriate and
effective oversight of service provider
arrangements.
- A service provider is a person who provides a
service directly to the financial institution or
creditor.
19 Understanding the Red Flag Rules: Who Should
Comply?
- The term "credit" is defined as the right
granted by a creditor to a debtor to defer
payment of debt or to incur debts and defer its
payment or to purchase property or services and
defer payment therefore.
- The FTC has stated that while accepting credit
cards as a method of payment does not make the
accepting entity a creditor, businesses such as
finance companies, automobile dealers, utility
companies, and telecommunication companies are
creditors. Even non-profit and government
entities who defer payment of goods and services
are considered creditors.
- It is therefore assumed that a hospital that
allows for payment of services rendered to be
deferred or paid on a payment plan would fit into
the definition of a creditor.
20 Understanding the Red Flag Rules: Who Should
Comply?
- Because the definition of a covered account is
extremely broad, any financial institution or
creditor that reasonably foresees problems
arising from identity theft should be prepared to
create a written Program.
21 Understanding the Red Flag Rules: What Elements
Should be Included?
- The program itself should be tailored to fit the
size of the financial institution and the
complexity/nature of the operation. In essence,
the program should have reasonable policies and
procedures in place to:
- Identify and incorporate red flags into the
program.
- Detect red flags.
- Respond appropriately to any detected red flags.
- Ensure periodic review and updating.
- If your organization already has a program in
place, you can incorporate the existing program
into the new identity theft prevention program.
22 Understanding the Red Flag Rules: What is a Red
Flag?
- A red flag is a pattern, practice or specific
activity that indicates a warning of possible
identity theft. The categories include:
- Alerts or notifications:
  1. When a fraud or active duty alert is included with a consumer report.
  2. A credit reporting agency provides notice of a credit freeze.
  3. A credit reporting agency provides notice of an address discrepancy.
  4. The consumer report indicates an unusual pattern of activity such as an unusual number of recently established credit relationships.
- Suspicious personal identifying information on an
application.
- Unusual use of a covered account.
- Notice is received of possible identity theft
occurring in connection with covered accounts.
23 Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
- The Red Flag Rules require responsible entities
to satisfy four elements in creating and
implementing reasonable policies and procedures
of an identity theft prevention program.
- 1. Identify any specific activity, pattern, or
practice indicating a possible existence of
identity theft. Otherwise known as the Red
Flags, the entity should consider four factors in
determining what Red Flags it should incorporate
into its Program:
  - What types of covered accounts does the entity
  maintain or provide?
  - What methods does the entity use in maintaining
  or providing covered accounts?
  - What forms of access does the entity provide to
  consumer accounts?
  - What experiences has the entity had with identity
  theft in the past?
24 Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
- The Red Flags are intended to alert the entity to
any specific activity, pattern, or practice
indicating the possible existence of identity
theft.
- The guidance provides five categories from which
Red Flags should be included in the Program:
  - a. Alerts or warnings received from consumer
  reporting agencies or service providers
  - b. Presentation of suspicious documents
  - c. Presentation of any suspicious personal
  identifying information
  - d. Suspicious activity relating to a covered
  account and
  - e. Any notices received from identity theft
  victims, law enforcement authorities, or other
  parties containing information related to
  identity theft as to covered accounts.
25 Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
- 2. Detect Red Flags Incorporated in the Program
- The Program must have sufficient policies and
procedures addressing the detection of those
incorporated Red Flags.
- The guidelines provide two examples of such
policies and procedures.
  - First, acquiring identifying information about a
  person opening a covered account and verifying
  his or her identity.
  - Second, identifying, monitoring, and verifying
  the validity of change of address requests for
  existing covered accounts.
- 3. Respond Appropriately to Any Red Flags
Detected
- Once a Red Flag has been detected, the Program
must define how the entity will respond.
- In responding to a Red Flag, the entity should
determine whether the Red Flag detected a risk of
identity theft and must have a reasonable basis
to conclude there is no evidence of risk of
identity theft.
26 Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
- 4. Update the Program Periodically
- The Program must be reviewed and updated
periodically, and any updates should reflect
changes in risks to customers and the entity from
identity theft.
- This review not only includes considering changes
in identity theft methods as well as the accounts
the entity offers or maintains, but it also
requires consideration of changes in business
arrangements of the entity.
27 Understanding the Red Flag Rules: Suspicious
Documents
- One way to look for red flags is to pay close
attention to the documents associated with
accounts.
- Documents that may be considered warning signs of
identity theft, or red flags, include those that
appear to have been altered or forged, or that
have information that is inconsistent with the
information provided by the person opening the
account.
- It might also be a red flag if the signature on
an application looks like it was traced or was
rewritten after being crossed out.
- Practice Point: If the application looks like it
was piecemealed together, that's something that
would be a red flag or a trigger that possible
identity theft has occurred.
28 Understanding the Red Flag Rules: Suspicious
Documents
- The rules do not require creditors and financial
institutions provide all red flags included in
the guidance, but such entities are required to
consider the guidance and include those red flags
in their program as appropriate.
29 Understanding the Red Flag Rules: Examples of
Suspicious Activity
- If an account holder requests a new bank card,
attempts to take out a lot of cash advances or
requests a new authorized user shortly after an
address change, it might be an indication that
someone intends to commit fraud or identity
theft.
- In that scenario, the financial institution that
extended the credit should have steps in place to
verify the information with the customer.
- In addition, it might be a red flag if a consumer
comes into a hospital to obtain services and
cannot provide information about him or herself
beyond a driver's license, such as a mother's
maiden name, an address, date of birth or what
high school he or she attended.
30 Understanding the Red Flag Rules: Detecting and
Responding to Red Flags
- The guidance suggests red flags can be detected
in at least one of two ways:
  - By obtaining identifying information about a
  person opening an account.
  - By verifying the validity of any changes made to
  the account.
- The way in which a creditor or financial
institution responds to a red flag alert or
notification should correspond to the type of
threat it detected.
- First and foremost, the entity should determine
whether the red flag that was discovered poses a
risk of identity theft and, if so, it should
respond based on the degree of risk associated
with the red flag.
31 Understanding the Red Flag Rules: Detecting and
Responding to Red Flags
- Responses could include:
  - Monitoring an account for evidence of identity
  theft.
  - Contacting the customer.
  - Changing any passwords, security codes or other
  security devices that permit access to a covered
  account.
  - Reopening an account with a new account number.
  - Notifying law enforcement.
32 Understanding the Red Flag Rules: Ensure Program
is Periodically Updated
- Practice Point: The guidelines don't specify how
often an identity theft prevention program should
be updated, but it should be done periodically.
- Practice Point: An organization should review
its previous experience with identity theft and
methods of mitigating the risk of identity theft
to determine the extent of the program.
- Although there is no private cause of action for
not having an identity theft prevention program
in place, financial institutions could be subject
to fees imposed by the Federal Trade Commission
for not implementing a program.
- $2,500 fine
33 Understanding the Red Flag Rules: Ensure Program
is Periodically Updated
- Practice Point: Properly training staff members
who handle account information about your
individual identity theft prevention program will
help prevent identity theft and ensure the
program works effectively.
- Practice Point: Have adequate checks and
balances or appropriate oversight within your
organization.
34 Understanding the Red Flag Rules: Who does the
Rule aim to Protect?
- Bank customers and banking institutions
- Customer losses for unauthorized debit card use
(Electronic Funds Transfer Act and Federal
Reserve Board's Regulation E)
  - Capped at $50 if bank is notified within 2 days
  - Capped at $500 if bank notified within 60 days
- Credit card account holders and issuers
- Customer losses for unauthorized credit card use
(Fair Credit Billing Act)
  - Capped at $50 if issuer notified within 60 days
35 Understanding the Red Flag Rules: Enforcement
- Federal Trade Commission officials have stated
that they do not intend to conduct inspections to
verify compliance but may do so in response to
complaints.
- Federal Trade Commission officials have also
stated that, if enforcement actions are required,
the first few will likely require only that the
entity take additional steps to comply with the
Rules.
36 New York State Health Care Reform Act (HCRA)
- Complex and convoluted law controlling state's
reimbursement methodology for healthcare services
- The New York Health Care Reform Act became law on
January 1, 1997 and was revised and extended on
January 1, 2000.
- Insurance carriers of all kinds receive
discounted surcharge rate by paying the state
directly (8 versus 24) and advising billing
provider of such action in a timely manner.
- Explanation of Benefits
37 New York State Health Care Reform Act (HCRA)
- HCRA is a major component of New York State's
Health Care financing laws which governs hospital
reimbursement methodologies and targets funding
for a multitude of health care initiatives. The
law also requires that certain third-party payors
and providers of health care services participate
in the funding of these initiatives through the
submission of authorized surcharges and
assessments.
- The New York State HCRA set forth in Public
Health Law 2807-c and related provisions
establish the requirement that no-fault insurers
and self-insurers pay a surcharge on payments
made for services rendered in general hospitals,
diagnostic and treatment centers, and
freestanding clinical laboratories to the Public
Goods Pool.
38 New York State Health Care Reform Act (HCRA)
- Under HCRA, payors for select health care
services in New York, including self-funded
plans, are required to pay surcharges on select
fee-for-service and capitated medical claims and
monthly assessments on plan members residing in
New York.
- These surcharges and assessments are used by the
state to pay for indigent care, graduate medical
education, and other health-related initiatives.
- Under HCRA, self-funded plans incur a public
goods surcharge on all inpatient and outpatient
hospital care, clinical lab services and services
rendered at ambulatory surgery, diagnostic and
treatment centers.
- Included in the services subject to the surcharge
payments are behavioral care/substance abuse
treatments rendered at a designed New York
provider facility.
39 New York State Health Care Reform Act (HCRA)
- General Rule
  - If the patient's liability is a fixed amount (as a
  copayment or deductible usually are) then a
  provider cannot affix a surcharge
  - If the patient's contractual liability is a
  percentage of the bill (as co-insurance amounts
  usually are) a provider SHOULD affix a surcharge.
- Contractually stated fixed dollar copayments and
deductibles cannot be increased by the HCRA
surcharges.
- Where contractual relationships between
beneficiaries and payors require a fixed dollar
patient copayment or deductible only, the
beneficiary's fixed dollar liability will not
increase as a result of the application of the
HCRA surcharges.
40 New York State Health Care Reform Act (HCRA)
- Usually, insurance carriers are responsible to
pay the state for their portion of the surcharge
- If they do not, then the state's issue is with
the carrier, not the hospital
- The Department often takes the position that it
does not have authority over, and will not become
involved in, the contractual relationships
between payors, providers and covered persons.
- Self pay patients
  - These persons may not elect to pay the
  Department's pool administrator directly.
  - Their surcharge obligations are limited to the
  8.18 percent surcharge.
  - These patients are not required to pay the 24
  percent surcharge, the professional education
  pool surcharges or a covered life assessment.
41 Questions??
- Brian S. Strohl, Esq.
- Overton, Russell, Doerr and Donovan, LLP
- Phone (518) 383-4000
- Fax (518) 383-5500
- bstrohl_at_ordlaw.com