FACTA'S RED FLAG RULES Unraveling the mystery and brief overview of HCRA and surcharges - PowerPoint PPT Presentation

1
FACTA'S RED FLAG RULES Unraveling the mystery
and brief overview of HCRA and surcharges
  • Brian S. Strohl, JD and MPA
  • Overton, Russell, Doerr and Donovan, LLP

2
Today's Roadmap
  • Understanding the Red Flag Rules
  • Brief Facts Regarding Identity Theft
  • How Identity Theft Occurs according to Federal
    Trade Commission
  • Who Should Comply
  • What Elements Should be Included in a Program
  • What is a Red Flag
  • What is Required in a Program
  • Suspicious Documents and Suspicious Activity
  • Response to Program
  • Enforcement
  • New York State Health Care Reform Act

3
Background
  • The Fair and Accurate Credit Transaction Act of
    2003 (FACTA) added new sections to the federal
    Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681
    et seq.), intended primarily to help consumers
    fight the growing crime of identity theft.
    Accuracy, privacy, limits on information sharing,
    and new consumer rights to disclosure are
    included in FACTA.
  • Free credit reports
  • The standard advice was to request a copy of your
    credit report once a year from each of the three
    national credit bureaus: Experian, TransUnion,
    and Equifax.
  • Congress recognized the benefits of
    self-monitoring. It adopted a new rule that
    allows you a free copy of your credit report
    annually from each of the "big three."

4
Background
  • Fraud Alerts and Active Duty Alerts
  • If you are the victim of identity theft, FACTA
    gives you the right to contact a credit reporting
    agency to flag your account. To place a fraud
    alert, you must provide proof of your identity to
    the credit bureau.
  • The fraud alert is initially effective for 90
    days, but may be extended at your request for
    seven years when you provide a police report to
    the credit bureaus that indicates you are a
    victim of identity theft.
  • FACTA creates a new kind of alert, an active duty
    alert, that allows active duty military personnel
    to place a notation on their credit report as a
    way to alert potential creditors to possible
    fraud.
  • While on duty outside the country, military
    members are particularly vulnerable to identity
    theft and lack the means to monitor credit
    activity.
  • An active duty alert is maintained in the file
    for at least 12 months.

5
Background
  • Fraud Alerts and Active Duty Alerts
  • If a fraud alert or active duty alert is placed
    on your credit report, any business that is asked
    to extend credit to you must contact you at a
    telephone number you provide or take other
    "reasonable steps" to see that the credit
    application was not made by an identity thief.
  • FACTA gives you the right to a free copy of your
    credit report when you place a fraud alert. With
    the extended alert (seven years), you are
    entitled to two free copies of your report during
    the 12-month period after you place the alert.

6
Background
  • Truncation: Credit Cards, Debit Cards, Social
    Security Numbers
  • Credit card receipts that include full account
    numbers and expiration dates are a gold mine for
    identity thieves.
  • FACTA sets a national standard requiring
    truncation of credit card information.
  • FACTA says credit and debit card receipts may not
    include more than the last five digits of the
    card number.
  • Nor may the card's expiration date be printed on
    the cardholder's receipt.
  • Collection agencies
  • Under FACTA, if you are contacted by a collection
    agency about a debt that resulted from the theft
    of your identity, the collector must so inform
    the creditor.

7
Background
  • Red Flag Rules
  • In adopting FACTA, Congress recognized that
    consumers are helpless to prevent identity theft
    if businesses ignore the events that signal a
    potential fraud.
  • Thus, FACTA incorporates several provisions that
    require financial institutions, creditors, and
    other businesses that rely on consumer reports to
    detect and resolve fraud by identity theft.
  • Consumer advocates have long pointed out that
    consumers can only go so far in protecting
    against identity theft, and that much of the
    problem lies with lax procedures of credit
    issuers and other companies that use information
    from credit reports.
  • A climate of easy credit has made some creditors
    far too willing to accept a change of address, a
    request for a replacement credit card, or
    reactivation of a dormant account.

8
Background
  • Red Flag Rules
  • The so-called red flags and related sections of
    FACTA include:
  • Red Flag Guidelines and requirements for credit
    and debit card issuers to assess the validity of
    a change of address request (FACTA 114, FCRA
    615(e)).
  • Procedures to reconcile different consumer
    addresses. (FACTA 315, FCRA 605(h)(2)).

9
Understanding the Red Flag Rules
  • Pursuant to regulations promulgated by the
    Federal Trade Commission and other federal
    agencies, financial institutions and creditors
    will be required to create an Identity Theft
    Prevention Program to detect, prevent, and
    mitigate identity theft with respect to the
    opening of certain accounts or certain existing
    accounts.
  • These regulations, often called the Red Flag
    Rules, became effective January 1, 2008, and
    mandatory compliance is required by November 1,
    2008.
  • Financial institutions and creditors will be
    required to create an identity theft prevention
    program by Nov. 1, 2008, under the Red Flag Rules
    created by a group of federal regulatory
    agencies, including the Federal Trade Commission,
    to protect consumers and businesses from the
    threat of identity theft.

10
Understanding the Red Flag Rules
  • Although the Federal Trade Commission announced
    in October 2008 that it will delay enforcement of
    the regulations for qualifying entities until May
    1, 2009, it is important for financial
    institutions and creditors to learn not only what
    is considered a red flag, but also the elements
    that should be put in place to create an identity
    theft prevention program.

11
Understanding the Red Flag Rules: Facts Regarding
Identity Theft
  • More than 10 million Americans are victims of
    identity theft each year.
  • Total financial losses due to identity theft are
    estimated to be about $50 billion every year.
  • Source: Federal Trade Commission

12
Understanding the Red Flag Rules: Facts Regarding
Identity Theft
  • The Federal Trade Commission received 258,427
    complaints of identity theft in 2007, 32% of the
    total complaints the FTC received, 4 times the
    complaints in the next highest category.
  • Victims spent an average of $550 in 2007 for
    damage to existing accounts.
  • When identity thieves opened new accounts 8
    accounts, victims spent an average of $1,865.
  • Source: Federal Trade Commission

13
Understanding the Red Flag Rules: Facts Regarding
Identity Theft: How??
  • By stealing purses and wallets.
  • By stealing checks or credit card information out
    of the mail
  • By completing a "change of address form" to
    divert mail to another location
  • By abusing their employer's authorized access to
    customer or employee information
  • By getting a credit report by abusing their
    employer's authorized access to it, by posing as
    a landlord, employer, or someone else who may
    have the right to the report
  • By rummaging through the trash of businesses, or
    public trash dumps, a practice known as "dumpster
    diving."

14
Understanding the Red Flag Rules: Facts Regarding
Identity Theft: How??
  • By bribing an employee who has access to records
  • By conning information out of employees
  • By stealing credit or debit card numbers
  • by capturing the information in a data storage
    device in a practice known as "skimming"
  • during an actual purchase, or
  • by attaching a device to an ATM machine
  • By stealing personal information by breaking into
    homes
  • By posing as legitimate companies and claiming
    that victims have problems with their accounts.
  • This practice is known as "phishing" when it's
    done online, typically via email, or "pretexting"
    when it's done by phone.
  • Source: Federal Trade Commission

15
Understanding the Red Flag Rules
  • The purpose of an identity theft prevention
    program is to detect, prevent and mitigate
    identity theft linked to the opening and
    maintaining of certain covered accounts.
  • The Fair Credit Reporting Act (FCRA) defines a
    covered account as one created for personal,
    family or household purposes that allows multiple
    payments, or for which there is a reasonable,
    foreseeable risk of identity theft occurring.

16
Understanding the Red Flag Rules
  • When implementing an identity theft prevention
    program, it's important to be aware of what
    constitutes identity theft and identifying
    information.
  • Identity theft is fraud committed or attempted
    using the identifying information of another
    person without that person's authority.
  • Identifying information includes
  • A person's first name, last name, Social Security
    number, date of birth, driver's license number,
    passport number and/or taxpayer identification
    number.
  • A person's biometric data: fingerprints, retina
    scans, etc.
  • A person's credit card number, routing number or
    cell phone number.

17
Understanding the Red Flag Rules: Who Should
Comply?
  • The Red Flag Rules require financial institutions
    and creditors to develop an identity theft
    prevention program.
  • According to the Fair Credit Reporting Act
    (FCRA), a creditor is
  • an entity that regularly extends, renews or
    continues credit
  • any entity that regularly arranges for the
    extension, renewal or continuation of credit
  • or any assignee of an original creditor that
    participates in the decision to extend, renew or
    continue credit.
  • The Red Flag Rules apply to financial
    institutions and creditors who offer or maintain
    one or more covered accounts, and specifically
    mandate these entities create and implement a
    Program.

18
Understanding the Red Flag Rules: Who Should
Comply?
  • The rules also require creditors and financial
    institutions to exercise appropriate and
    effective oversight of service provider
    arrangements.
  • A service provider is a person who provides a
    service directly to the financial institution or
    creditor.

19
Understanding the Red Flag Rules: Who Should
Comply?
  • The term "credit" is defined as the right
    granted by a creditor to a debtor to defer
    payment of debt or to incur debts and defer its
    payment or to purchase property or services and
    defer payment therefor.
  • The FTC has stated that while accepting credit
    cards as a method of payment does not make the
    accepting entity a creditor, businesses such as
    finance companies, automobile dealers, utility
    companies, and telecommunication companies are
    creditors. Even non-profit and government
    entities who defer payment of goods and services
    are considered creditors.
  • It is therefore assumed that a hospital that
    allows for payment of services rendered to be
    deferred or paid on a payment plan would fit into
    the definition of a creditor.

20
Understanding the Red Flag Rules: Who Should
Comply?
  • Because the definition of a covered account is
    extremely broad, any financial institution or
    creditor that reasonably foresees problems
    arising from identity theft should be prepared to
    create a written Program.

21
Understanding the Red Flag Rules: What Elements
Should be Included?
  • The program itself should be tailored to fit the
    size of the financial institution and the
    complexity/nature of the operation. In essence,
    the program should have reasonable policies and
    procedures in place to
  • Identify and incorporate red flags into the
    program.
  • Detect red flags.
  • Respond appropriately to any detected red flags.
  • Ensure periodic review and updating.
  • If your organization already has a program in
    place, you can incorporate the existing program
    into the new identity theft prevention program.

22
Understanding the Red Flag Rules: What is a Red
Flag?
  • A red flag is a pattern, practice or specific
    activity that indicates a warning of possible
    identity theft. The categories include
  • Alerts or notifications:
    1. When a fraud or active duty alert is included
       with a consumer report.
    2. A credit reporting agency provides notice of a
       credit freeze.
    3. A credit reporting agency provides notice of an
       address discrepancy.
    4. The consumer report indicates an unusual
       pattern of activity such as an unusual number
       of recently established credit relationships.
  • Suspicious personal identifying information on an
    application.
  • Unusual use of a covered account.
  • Notice is received of possible identity theft
    occurring in connection with covered accounts.

23
Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
  • The Red Flag Rules require responsible entities
    to satisfy four elements in creating and
    implementing reasonable policies and procedures
    of an identity theft prevention program.
  • 1.  Identify any specific activity, pattern, or
    practice indicating a possible existence of
    identity theft. Otherwise known as the Red
    Flags, the entity should consider four factors in
    determining what Red Flags it should incorporate
    into its Program
  • What types of covered accounts does the entity
    maintain or provide?
  • What methods does the entity use in maintaining
    or providing covered accounts?
  • What forms of access does the entity provide to
    consumer accounts?
  • What experiences has the entity had with identity
    theft in the past?

24
Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
  • The Red Flags are intended to alert the entity to
    any specific activity, pattern, or practice
    indicating the possible existence of identity
    theft.
  • The guidance provides five categories from which
    Red Flags should be included in the Program
  • a.  Alerts or warnings received from consumer
    reporting agencies or service providers 
  • b.  Presentation of suspicious documents
  • c.   Presentation of any suspicious personal
    identifying information
  • d.  Suspicious activity relating to a covered
    account and
  • e.  Any notices received from identity theft
    victims, law enforcement authorities, or other
    parties containing information related to
    identity theft as to covered accounts.

25
Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
  • 2. Detect Red Flags Incorporated in the Program
  • The Program must have sufficient policies and
    procedures addressing the detection of those
    incorporated Red Flags.
  • The guidelines provide two examples of such
    policies and procedures.
  • First, acquiring identifying information about a
    person opening a covered account and verifying
    his or her identity.
  • Second, identifying, monitoring, and verifying
    the validity of change of address requests for
    existing covered accounts.
  • 3. Respond Appropriately to Any Red Flags
    Detected
  • Once a Red Flag has been detected, the Program
    must define how the entity will respond.
  • In responding to a Red Flag, the entity should
    determine whether the Red Flag detected a risk of
    identity theft and must have a reasonable basis
    to conclude there is no evidence of risk of
    identity theft.

26
Understanding the Red Flag Rules: What Does the
Identity Theft Prevention Program Require?
  • 4. Update the Program Periodically
  • The Program must be reviewed and updated
    periodically, and any updates should reflect
    changes in risks to customers and the entity from
    identity theft.
  • This review not only includes considering changes
    in identity theft methods as well as the accounts
    the entity offers or maintains, but it also
    requires consideration of changes in business
    arrangements of the entity.

27
Understanding the Red Flag Rules: Suspicious
Documents
  • One way to look for red flags is to pay close
    attention to the documents associated with
    accounts.
  • Documents that may be considered warning signs of
    identity theft, or red flags, include those that
    appear to have been altered or forged, or that
    have information that is inconsistent with the
    information provided by the person opening the
    account.
  • It might also be a red flag if the signature on
    an application looks like it was traced or was
    rewritten after being crossed out.
  • Practice Point: If the application looks like it
    was piecemealed together, that's something that
    would be a red flag or a trigger that possible
    identity theft has occurred.

28
Understanding the Red Flag Rules: Suspicious
Documents
  • The rules do not require creditors and financial
    institutions to provide all red flags included in
    the guidance, but such entities are required to
    consider the guidance and include those red flags
    in their program as appropriate.

29
Understanding the Red Flag Rules: Examples of
Suspicious Activity
  • If an account holder requests a new bank card,
    attempts to take out a lot of cash advances or
    requests a new authorized user shortly after an
    address change, it might be an indication that
    someone intends to commit fraud or identity
    theft.
  • In that scenario, the financial institution that
    extended the credit should have steps in place to
    verify the information with the customer.
  • In addition, it might be a red flag if a consumer
    comes into a hospital to obtain services and
    cannot provide information about him or herself
    beyond a driver's license, such as a mother's
    maiden name, an address, date of birth or what
    high school he or she attended.

30
Understanding the Red Flag Rules: Detecting and
Responding to Red Flags
  • The guidance suggests red flags can be detected
    in at least one of two ways
  • By obtaining identifying information about a
    person opening an account.
  • By verifying the validity of any changes made to
    the account.
  • The way in which a creditor or financial
    institution responds to a red flag alert or
    notification should correspond to the type of
    threat it detected.
  • First and foremost, the entity should determine
    whether the red flag that was discovered poses a
    risk of identity theft and, if so, it should
    respond based on the degree of risk associated
    with the red flag.

31
Understanding the Red Flag Rules: Detecting and
Responding to Red Flags
  • Responses could include
  • Monitoring an account for evidence of identity
    theft.
  • Contacting the customer.
  • Changing any passwords, security codes or other
    security devices that permit access to a covered
    account.
  • Reopening an account with a new account number.
  • Notifying law enforcement.

32
Understanding the Red Flag Rules: Ensure Program
is Periodically Updated
  • Practice Point: The guidelines don't specify how
    often an identity theft prevention program should
    be updated, but it should be done periodically.
  • Practice Point: An organization should review
    its previous experience with identity theft and
    methods of mitigating the risk of identity theft
    to determine the extent of the program.
  • Although there is no private cause of action for
    not having an identity theft prevention program
    in place, financial institutions could be subject
    to fees imposed by the Federal Trade Commission
    for not implementing a program.
  • $2,500 fine

33
Understanding the Red Flag Rules: Ensure Program
is Periodically Updated
  • Practice Point: Properly training staff members
    who handle account information about your
    individual identity theft prevention program will
    help prevent identity theft and ensure the
    program works effectively.
  • Practice Point: Have adequate checks and
    balances or appropriate oversight within your
    organization.

34
Understanding the Red Flag Rules: Who does the
Rule aim to Protect?
  • Bank customers and banking institutions
  • Customer losses for unauthorized debit card use
    (Electronic Funds Transfer Act and Federal
    Reserve Board's Regulation E)
  • Capped at $50 if bank is notified within 2 days
  • Capped at $500 if bank notified within 60 days
  • Credit card account holders and issuers
  • Customer losses for unauthorized credit card use
    (Fair Credit Billing Act)
  • Capped at $50 if issuer notified within 60 days

35
Understanding the Red Flag Rules: Enforcement
  • Federal Trade Commission officials have stated
    that they do not intend to conduct inspections to
    verify compliance but may do so in response to
    complaints.
  • Federal Trade Commission officials have also
    stated that, if enforcement actions are required,
    the first few will likely require only that the
    entity take additional steps to comply with the
    Rules.

36
New York State Health Care Reform Act (HCRA)
  • Complex and convoluted law controlling the state's
    reimbursement methodology for healthcare services
  • The New York Health Care Reform Act became law on
    January 1, 1997 and was revised and extended on
    January 1, 2000.
  • Insurance carriers of all kinds receive a
    discounted surcharge rate by paying the state
    directly (8% versus 24%) and advising the billing
    provider of such action in a timely manner.
  • Explanation of Benefits

37
New York State Health Care Reform Act (HCRA)
  • HCRA is a major component of New York State's
    Health Care financing laws which governs hospital
    reimbursement methodologies and targets funding
    for a multitude of health care initiatives. The
    law also requires that certain third-party payors
    and providers of health care services participate
    in the funding of these initiatives through the
    submission of authorized surcharges and
    assessments.
  • The New York State HCRA set forth in Public
    Health Law 2807-c and related provisions
    establish the requirement that no-fault insurers
    and self-insurers pay a surcharge on payments
    made for services rendered in general hospitals,
    diagnostic and treatment centers, and
    freestanding clinical laboratories to the Public
    Goods Pool.

38
New York State Health Care Reform Act (HCRA)
  • Under HCRA, payors for select health care
    services in New York, including self-funded
    plans, are required to pay surcharges on select
    fee-for-service and capitated medical claims and
    monthly assessments on plan members residing in
    New York.
  • These surcharges and assessments are used by the
    state to pay for indigent care, graduate medical
    education, and other health-related initiatives.
  • Under HCRA, self-funded plans incur a public
    goods surcharge on all inpatient and outpatient
    hospital care, clinical lab services and services
    rendered at ambulatory surgery, diagnostic and
    treatment centers.
  • Included in the services subject to the surcharge
    payments are behavioral care/substance abuse
    treatments rendered at a designated New York
    provider facility.

39
New York State Health Care Reform Act (HCRA)
  • General Rule
  • If the patient's liability is a fixed amount (as a
    copayment or deductible usually are), then a
    provider cannot affix a surcharge.
  • If the patient's contractual liability is a
    percentage of the bill (as co-insurance amounts
    usually are), a provider SHOULD affix a surcharge.
  • Contractually stated fixed dollar copayments and
    deductibles cannot be increased by the HCRA
    surcharges.
  • Where contractual relationships between
    beneficiaries and payors require a fixed dollar
    patient copayment or deductible only, the
    beneficiary's fixed dollar liability will not
    increase as a result of the application of the
    HCRA surcharges.

40
New York State Health Care Reform Act (HCRA)
  • Usually, insurance carriers are responsible to
    pay the state for their portion of the surcharge
  • If they do not, then the state's issue is with
    the carrier, not the hospital
  • The Department often takes the position that it
    does not have authority over, and will not become
    involved in, the contractual relationships
    between payors, providers and covered persons.
  • Self-pay patients
  • These persons may not elect to pay the
    Department's pool administrator directly.
  • Their surcharge obligations are limited to the
    8.18 percent surcharge.
  • These patients are not required to pay the 24
    percent surcharge, the professional education
    pool surcharges or a covered life assessment.

41
Questions??
  • Brian S. Strohl, Esq.
  • Overton, Russell, Doerr and Donovan, LLP
  • Phone (518) 383-4000
  • Fax (518) 383-5500
  • bstrohl_at_ordlaw.com