“FACTA'S RED FLAG RULES” Unraveling the mystery and brief overview of HCRA and surcharges Brian S. Strohl, JD and MPA Overton, Russell, Doerr and Donovan, LLP
Today’s Roadmap • Understanding the Red Flag Rules • Brief Facts Regarding Identity Theft • How Identity Theft Occurs according to Federal Trade Commission • Who Should Comply • What Elements Should be Included in a Program • What is a “Red Flag” • What is Required in a Program • Suspicious Documents and Suspicious Activity • Response to Program • Enforcement • New York State Health Care Reform Act
Background • The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. • Free credit reports • The standard advice was to request a copy of your credit report once a year from each of the three national credit bureaus: Experian, TransUnion, and Equifax. • Congress recognized the benefits of self-monitoring. It adopted a new rule that allows you a free copy of your credit report annually from each of the "big three."
Background • Fraud Alerts and Active Duty Alerts • If you are the victim of identity theft, FACTA gives you the right to contact a credit reporting agency to flag your account. To place a fraud alert, you must provide proof of your identity to the credit bureau. • The fraud alert is initially effective for 90 days, but may be extended at your request for seven years when you provide a police report to the credit bureaus that indicates you are a victim of identity theft. • FACTA creates a new kind of alert, an active duty alert, that allows active duty military personnel to place a notation on their credit report as a way to alert potential creditors to possible fraud. • While on duty outside the country, military members are particularly vulnerable to identity theft and lack the means to monitor credit activity. • An active duty alert is maintained in the file for at least 12 months.
Background • Fraud Alerts and Active Duty Alerts • If a fraud alert or active duty alert is placed on your credit report, any business that is asked to extend credit to you must contact you at a telephone number you provide or take other "reasonable steps" to see that the credit application was not made by an identity thief. • FACTA gives you the right to a free copy of your credit report when you place a fraud alert. With the extended alert (seven years), you are entitled to two free copies of your report during the 12-month period after you place the alert.
Background • Truncation: Credit Cards, Debit Cards, Social Security Numbers • Credit card receipts that include full account numbers and expiration dates are a gold mine for identity thieves. • FACTA sets a national standard requiring truncation of credit card information. • FACTA says credit and debit card receipts may not include more than the last five digits of the card number. • Nor may the card's expiration date be printed on the cardholder's receipt. • Collection agencies • Under FACTA, if you are contacted by a collection agency about a debt that resulted from the theft of your identity, the collector must so inform the creditor.
Background • Red Flag Rules • In adopting FACTA, Congress recognized that consumers are helpless to prevent identity theft if businesses ignore the events that signal a potential fraud. • Thus, FACTA incorporates several provisions that require financial institutions, creditors, and other businesses that rely on consumer reports to detect and resolve fraud by identity theft. • Consumer advocates have long pointed out that consumers can only go so far in protecting against identity theft, and that much of the problem lies with lax procedures of credit issuers and other companies that use information from credit reports. • A climate of easy credit has made some creditors far too willing to accept a change of address, a request for a replacement credit card, or reactivation of a dormant account.
Background • Red Flag Rules • The so-called “red flags” and related sections of FACTA include: • Red Flag Guidelines and requirements for credit and debit card issuers to assess the validity of a change of address request, (FACTA §114, FCRA §615(e)). • Procedures to reconcile different consumer addresses. (FACTA §315, FCRA §605(h)(2)).
Understanding the Red Flag Rules • Pursuant to regulations promulgated by the Federal Trade Commission and other federal agencies, financial institutions and creditors will be required to create an Identity Theft Prevention Program to detect, prevent, and mitigate identity theft with respect to the opening of certain accounts or certain existing accounts. • These regulations, often called the Red Flag Rules, became effective January 1, 2008, and mandatory compliance is required by November 1, 2008. • Financial institutions and creditors will be required to create an identity theft prevention program by Nov. 1, 2008, under the Red Flag Rules created by a group of federal regulatory agencies, including the Federal Trade Commission, to protect consumers and businesses from the threat of identity theft.
Understanding the Red Flag Rules • Although the Federal Trade Commission announced in October 2008 that it will delay enforcement of the regulations for qualifying entities until May 1, 2009, it is important for financial institutions and creditors to learn not only what is considered a red flag, but also the elements that should be put in place to create an identity theft prevention program.
Understanding the Red Flag Rules: Facts Regarding Identity Theft • More than 10 million Americans are victims of identity theft each year. • Total financial losses due to identity theft are estimated to be about $50 billion every year. • Source: Federal Trade Commission
Understanding the Red Flag Rules: Facts Regarding Identity Theft • The Federal Trade Commission received 258,427 complaints of identity theft in 2007, 32% of the total complaints the FTC received – 4 times the complaints in the next highest category. • Victims spent an average of $550 in 2007 for damage to existing accounts. • When identity thieves opened new accounts, victims spent an average of $1,865. • Source: Federal Trade Commission
Understanding the Red Flag Rules: Facts Regarding Identity Theft – How?? • By stealing purses and wallets. • By stealing checks or credit card information out of the mail. • By completing a "change of address form" to divert mail to another location. • By abusing their employer's authorized access to customer or employee information. • By getting a credit report by abusing their employer's authorized access to it, by posing as a landlord, employer, or someone else who may have the right to the report. • By rummaging through the trash of businesses, or public trash dumps, a practice known as "dumpster diving."
Understanding the Red Flag Rules: Facts Regarding Identity Theft – How?? • By bribing an employee who has access to records • By conning information out of employees • By stealing credit or debit card numbers • By capturing the information in a data storage device in a practice known as "skimming" • during an actual purchase, or • by attaching a device to an ATM machine • By stealing personal information by breaking into homes • By posing as legitimate companies and claiming that victims have problems with their accounts. • This practice is known as "phishing" when it’s done online, typically via email, or “pretexting” when it’s done by phone. • Source: Federal Trade Commission
Understanding the Red Flag Rules • The purpose of an identity theft prevention program is to detect, prevent and mitigate identity theft linked to the opening and maintaining of certain covered accounts. • The Fair Credit Reporting Act (FCRA) defines a covered account as one created for personal, family or household purposes that allows multiple payments, or for which there is a reasonable, foreseeable risk of identity theft occurring.
Understanding the Red Flag Rules • When implementing an identity theft prevention program, it's important to be aware of what constitutes identity theft and identifying information. • Identity theft is fraud committed or attempted using the identifying information of another person without that person's authority. • Identifying information includes: • A person's first name, last name, Social Security number, date of birth, driver's license number, passport number and/or taxpayer identification number. • A person's biometric data—fingerprints, retina scans, etc. • A person's credit card number, routing number or cell phone number.
Understanding the Red Flag Rules: Who Should Comply? • The Red Flag Rules require financial institutions and creditors to develop an identity theft prevention program. • According to the Fair Credit Reporting Act (FCRA), a creditor is: • an entity that regularly extends, renews or continues credit; • any entity that regularly arranges for the extension, renewal or continuation of credit; • or any assignee of an original creditor that participates in the decision to extend, renew or continue credit. • The Red Flag Rules apply to financial institutions and creditors who offer or maintain one or more covered accounts, and specifically mandate that these entities create and implement a Program.
Understanding the Red Flag Rules: Who Should Comply? • The rules also require creditors and financial institutions to exercise appropriate and effective oversight of service provider arrangements. • A service provider is a person who provides a service directly to the financial institution or creditor.
Understanding the Red Flag Rules: Who Should Comply? • The term “credit” is defined as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.” • The FTC has stated that while accepting credit cards as a method of payment does not make the accepting entity a creditor, businesses such as finance companies, automobile dealers, utility companies, and telecommunication companies are creditors. Even non-profit and government entities that defer payment of goods and services are considered creditors. • It is therefore assumed that a hospital that allows for payment of services rendered to be deferred or paid on a payment plan would fit into the definition of a “creditor.”
Understanding the Red Flag Rules: Who Should Comply? • Because the definition of a covered account is extremely broad, any financial institution or creditor that reasonably foresees problems arising from identity theft should be prepared to create a written Program.
Understanding the Red Flag Rules: What Elements Should be Included? • The program itself should be tailored to fit the size of the financial institution and the complexity/nature of the operation. In essence, the program should have reasonable policies and procedures in place to: • Identify and incorporate red flags into the program. • Detect red flags. • Respond appropriately to any detected red flags. • Ensure periodic review and updating. • If your organization already has a program in place, you can incorporate the existing program into the new identity theft prevention program.
Understanding the Red Flag Rules: What is a Red Flag? • A red flag is a pattern, practice or specific activity that indicates a warning of possible identity theft. The categories include: • Alerts or notifications— 1. When a fraud or active duty alert is included with a consumer report. 2. A credit reporting agency provides notice of a credit freeze. 3. A credit reporting agency provides notice of an address discrepancy. 4. The consumer report indicates an unusual pattern of activity such as an unusual number of recently established credit relationships. • Suspicious personal identifying information on an application. • Unusual use of a covered account. • Notice is received of possible identity theft occurring in connection with covered accounts.
Understanding the Red Flag Rules: What Does the Identity Theft Prevention Program Require? • The Red Flag Rules require responsible entities to satisfy four elements in creating and implementing reasonable policies and procedures of an identity theft prevention program. 1. Identify any specific activity, pattern, or practice indicating a possible existence of identity theft. These are otherwise known as the Red Flags. The entity should consider four factors in determining what Red Flags it should incorporate into its Program: • What types of covered accounts does the entity maintain or provide? • What methods does the entity use in maintaining or providing covered accounts? • What forms of access does the entity provide to consumer accounts? • What experiences has the entity had with identity theft in the past?
Understanding the Red Flag Rules: What Does the Identity Theft Prevention Program Require? • The Red Flags are intended to alert the entity to any specific activity, pattern, or practice indicating the possible existence of identity theft. • The guidance provides five categories from which Red Flags should be included in the Program: a. Alerts or warnings received from consumer reporting agencies or service providers; b. Presentation of suspicious documents; c. Presentation of any suspicious personal identifying information; d. Suspicious activity relating to a covered account; and e. Any notices received from identity theft victims, law enforcement authorities, or other parties containing information related to identity theft as to covered accounts.
Understanding the Red Flag Rules: What Does the Identity Theft Prevention Program Require? 2. Detect Red Flags Incorporated in the Program • The Program must have sufficient policies and procedures addressing the detection of those incorporated Red Flags. • The guidelines provide two examples of such policies and procedures. • First, acquiring identifying information about a person opening a covered account and verifying his or her identity. • Second, identifying, monitoring, and verifying the validity of change of address requests for existing covered accounts. 3. Respond Appropriately to Any Red Flags Detected • Once a Red Flag has been detected, the Program must define how the entity will respond. • In responding to a Red Flag, the entity should determine whether the Red Flag detected a risk of identity theft and must have a reasonable basis to conclude there is no evidence of risk of identity theft.
Understanding the Red Flag Rules: What Does the Identity Theft Prevention Program Require? 4. Update the Program Periodically • The Program must be reviewed and updated periodically, and any updates should reflect changes in risks to customers and the entity from identity theft. • This review includes considering changes in identity theft methods and in the accounts the entity offers or maintains, and it also requires consideration of changes in business arrangements of the entity.
Understanding the Red Flag Rules: Suspicious Documents • One way to look for red flags is to pay close attention to the documents associated with accounts. • Documents that may be considered warning signs of identity theft, or red flags, include those that appear to have been altered or forged, or that have information that is inconsistent with the information provided by the person opening the account. • It might also be a red flag if the signature on an application looks like it was traced or was rewritten after being crossed out. • Practice Point: If the application looks like it was piecemealed together, that's something that would be a red flag or a trigger that possible identity theft has occurred.
Understanding the Red Flag Rules: Suspicious Documents • The rules do not require creditors and financial institutions to provide all red flags included in the guidance, but such entities are required to consider the guidance and include those red flags in their program as appropriate.
Understanding the Red Flag Rules: Examples of Suspicious Activity • If an account holder requests a new bank card, attempts to take out a lot of cash advances or requests a new authorized user shortly after an address change, it might be an indication that someone intends to commit fraud or identity theft. • In that scenario, the financial institution that extended the credit should have steps in place to verify the information with the customer. • In addition, it might be a red flag if a consumer comes into a hospital to obtain services and cannot provide information about him or herself beyond a driver's license, such as a mother's maiden name, an address, date of birth or what high school he or she attended.
Understanding the Red Flag Rules: Detecting and Responding to Red Flags • The guidance suggests red flags can be detected in at least one of two ways: • By obtaining identifying information about a person opening an account. • By verifying the validity of any changes made to the account. • The way in which a creditor or financial institution responds to a red flag alert or notification should correspond to the type of threat it detected. • First and foremost, the entity should determine whether the red flag that was discovered poses a risk of identity theft and, if so, it should respond based on the degree of risk associated with the red flag.
Understanding the Red Flag Rules: Detecting and Responding to Red Flags • Responses could include: • Monitoring an account for evidence of identity theft. • Contacting the customer. • Changing any passwords, security codes or other security devices that permit access to a covered account. • Reopening an account with a new account number. • Notifying law enforcement.
Understanding the Red Flag Rules: Ensure Program is Periodically Updated • Practice Point: The guidelines don't specify how often an identity theft prevention program should be updated, but it should be done periodically. • Practice Point: An organization should review its previous experience with identity theft and methods of mitigating the risk of identity theft to determine the extent of the program. • Although there is no private cause of action for not having an identity theft prevention program in place, financial institutions could be subject to fees imposed by the Federal Trade Commission for not implementing a program. • $2,500 fine
Understanding the Red Flag Rules: Ensure Program is Periodically Updated • Practice Point: Properly training staff members who handle account information about your individual identity theft prevention program will help prevent identity theft and ensure the program works effectively. • Practice Point: Have adequate “checks and balances” or appropriate oversight within your organization.
Understanding the Red Flag Rules: Who does the Rule aim to Protect? • Bank customers and banking institutions • Customer losses for unauthorized debit card use (Electronic Funds Transfer Act and Federal Reserve Board’s “Regulation E”) • Capped at $50 if bank is notified within 2 days • Capped at $500 if bank notified within 60 days • Credit card account holders and issuers • Customer losses for unauthorized credit card use (Fair Credit Billing Act) • Capped at $50 if issuer notified within 60 days
Understanding the Red Flag Rules: Enforcement • Federal Trade Commission officials have stated that they do not intend to conduct inspections to verify compliance but may do so in response to complaints. • Federal Trade Commission officials have also stated that, if enforcement actions are required, the first few will likely require only that the entity take additional steps to comply with the Rules.
New York State Health Care Reform Act (HCRA) • Complex and convoluted law controlling state’s reimbursement methodology for healthcare services • The New York Health Care Reform Act became law on January 1, 1997 and was revised and extended on January 1, 2000. • Insurance carriers of all kinds receive a “discounted surcharge rate” by paying the state directly (~ 8% versus 24%) and advising the billing provider of such action in a timely manner. • Explanation of Benefits
New York State Health Care Reform Act (HCRA) • HCRA is a major component of New York State's Health Care financing laws which governs hospital reimbursement methodologies and targets funding for a multitude of health care initiatives. The law also requires that certain third-party payors and providers of health care services participate in the funding of these initiatives through the submission of authorized surcharges and assessments. • The New York State HCRA set forth in Public Health Law § 2807-c and related provisions establish the requirement that no-fault insurers and self-insurers pay a surcharge on payments made for services rendered in general hospitals, diagnostic and treatment centers, and freestanding clinical laboratories to the Public Goods Pool.
New York State Health Care Reform Act (HCRA) • Under HCRA, payors for select health care services in New York, including self-funded plans, are required to pay surcharges on select fee-for-service and capitated medical claims and monthly assessments on plan members residing in New York. • These surcharges and assessments are used by the state to pay for indigent care, graduate medical education, and other health-related initiatives. • Under HCRA, self-funded plans incur a public goods surcharge on all inpatient and outpatient hospital care, clinical lab services and services rendered at ambulatory surgery, diagnostic and treatment centers. • Included in the services subject to the surcharge payments are behavioral care/substance abuse treatments rendered at a designed New York provider facility.
New York State Health Care Reform Act (HCRA) • General Rule • If the patient's liability is a fixed amount (as a copayment or deductible usually are) then a provider cannot affix a surcharge. • If the patient's contractual liability is a percentage of the bill (as co-insurance amounts usually are) a provider SHOULD affix a surcharge. • Contractually stated fixed dollar copayments and deductibles cannot be increased by the HCRA surcharges. • Where contractual relationships between beneficiaries and payors require a fixed dollar patient copayment or deductible only, the beneficiary's fixed dollar liability will not increase as a result of the application of the HCRA surcharges.
New York State Health Care Reform Act (HCRA) • Usually, insurance carriers are responsible to pay the state for their portion of the surcharge • If they do not, then the state’s issue is with the carrier, not the hospital • The Department often takes the position that it does not have authority over, and will not become involved in, the contractual relationships between payors, providers and covered persons. • Self pay patients • These persons may not elect to pay the Department's pool administrator directly. • Their surcharge obligations are limited to the 8.18 percent surcharge. • These patients are not required to pay the 24 percent surcharge, the professional education pool surcharges or a covered life assessment.
Questions?? Brian S. Strohl, Esq. Overton, Russell, Doerr and Donovan, LLP Phone: (518) 383-4000 Fax: (518) 383-5500 bstrohl@ordlaw.com