A client enters your clinic, frantic. She thinks her identity was stolen from your practice when she provided sensitive information
on a credit application. Now she's out thousands of dollars. You're more than willing to help her fix the problem, but how
did it happen in the first place? And what do you do now?
You'll need to find answers to these questions by Aug. 1. That's when the Federal Trade Commission begins enforcing its "Red
Flags Rule," a series of regulations designed to help small businesses detect the warning signs, or "red flags," of identity
theft. The hope is that by identifying red flags in advance, businesses will be better equipped to spot suspicious patterns
and take steps to prevent costly episodes of identity theft.
The Red Flags Rule applies to financial institutions and creditors, but the FTC defines "creditors" as "businesses or organizations
that regularly defer payment for goods or services or provide goods or services and bill customers later." Most likely, your
veterinary hospital must comply.
FIND THE FLAGS
So what does all this mean to you? In order to comply with the law you must do four things:
1. Know the red flags. Determine the identity theft warning signs you're likely to come across in your veterinary practice—suspicious patterns,
practices, or activities that indicate someone may have stolen an identity. For example, a client may present a credit card
you suspect is stolen or provide an address on a credit application you're pretty sure doesn't exist. Or maybe you've received
an alert about a client from a consumer reporting agency. You must make a comprehensive list of potential red flags to make
detection and prevention easier.
2. Be ready to detect red flags. Establish procedures to detect real-life red flags in your day-to-day operations. For example, you'll want to verify the
identity of anyone who pays with a check or applies for credit (be sure to use several sources). And you'll need to create
a process that helps you spot fake, forged, or altered information.
3. Prevent and mitigate identity theft. If you spot the red flags you've identified, respond appropriately to avert or minimize the damage. Your program must spell
out the steps you'll take in these situations.
4. Keep your program current. The risks of identity theft can change rapidly, so it's important to keep up with trends, update your program regularly,
and educate your team.
But simply putting a program on paper won't reduce the risk of identity theft. The Red Flags Rule also outlines requirements
for incorporating your program into your daily operations. Your board of directors (or a committee of the board) has to approve
your first written program. If you don't have a board, approval is up to a committee, the practice owner, or a senior-level
employee. Your program must state who's responsible for implementing and administering the program. Because your employees
play an important role in preventing and detecting identity theft, your program also must include appropriate team training.
If you outsource parts of your practice operations that would be covered by the rules, your program also must address how
you'll monitor your contractors' compliance.
COMPLETE YOUR COMPLIANCE
In addition to creditors, the Red Flags Rule applies to businesses that offer two types of "covered accounts." The first is
a consumer account offered to clients for personal, family, or household purposes that permits multiple payments or transactions.
The second is "any other account that a financial institution or creditor offers or maintains for which there is a reasonably
foreseeable risk to the customers or to the safety and soundness of the financial institution or creditor from identity theft,
including financial, operational, compliance, reputation, or litigation risks." How's that for a broad definition? Most veterinary
hospitals will offer one type of covered account to clients.
So how will your practice comply with the Red Flags Rule? You have two choices: Develop the program in-house or outsource
it. For example, I know of a company that charges $150 to provide you with:
- A checklist to ensure that you complete the steps for compliance
- Documents for your vendors and your employees to sign off on
- A two-hour online training course for the practice owner and the compliance manager
- A one-and-a-half-hour training course for each team member.
The training doesn't have to be completed all at once, so a practice owner could sign in for a half-hour at a time to complete
the training as he or she has time during the first 45 days after buying the program. Employees you hire after the initial
training period will cost an additional $15 to train. This particular program is designed for smaller practices of around
15 employees and may cost more for larger practices. Because there's a lot at stake with this law (you could be fined if you're
not in compliance by the enforcement deadline), I suggest that you hire an outside source to help you set up and implement
The Red Flags Rule may be a burden for your veterinary practice, but it's a well-intentioned law that could save your clients
from the heartache and hassle of identity theft. The sooner you begin planning, the more prepared you'll be Nov. 1 when the
FTC begins enforcing the law. Develop a program for complying with the Red Flags Rule and you'll do more than just abide by
the laws—you'll show clients you care about their finances and well-being.
Veterinary Economics Editorial Advisory Board member Mark Opperman owns VMC Inc. in Evergreen, Colo. Opperman will speak on a host of topics ranging
from inventory control to financial management at CVC Kansas City Aug. 29 to Sept. 1. For more information, visit