Federal Red Flags Rule: Does it apply to Community Associations?
© 2008 Ott & Associates Co., LPA
Effective August 1, 2009, the Federal Trade Commission began enforcing the “Red Flags Rule” (RFR), prompted by a governmental initiative to prevent fraud and identity theft. Although this rule has been in effect since January 1, 2008, only recently has the FTC begun enforcing it (or fining for non-compliance).
Basically, the rule requires that any covered entity implement a written program that states how the members will prevent and mitigate identity theft. Community associations fall under the jurisdiction of the RFR because associations “directly or indirectly hold a ‘transaction’ account belonging to a consumer.” Due to the collection of maintenance fees, associations are held to this standard. Even non-profit corporations must comply with the rule.
How can your association become Red Flags Rule compliant? Because many associations hire a property manager or property management company to handle their members’ accounts, much of the rule compliance will rest on the property manager. However, the association still may be held liable for any fines or corrective action if the property manager acts as an agent on behalf of the association. It is important for associations with property managers to ask whether those managers are Red Flags Rule compliant.
However, all associations should try to implement some type of policy, whether or not they have a property manager. Although it may seem unlikely that an association will experience fraud or identity theft on one of its accounts, this has occurred in the past.
There are four basic steps to implementing a Red Flags Rule Compliance Plan:
1. Identify the red flags. What are the warning signs of identity theft in your day-to-day operations? For example, if you take credit cards, the titled owner should match the name on the card. How safe is your online payment site with regard to non-owners that may try to get credit card numbers or other sensitive information? How is owner information stored (do you have social security numbers or credit card numbers unattended)?
2. Detecting Red Flags. How will your association detect the red flags you have identified?
3. Responding to Red Flags. How will we ensure that any discrepancies are taken care of properly? For example, a proper response may be notifying your local police department if your association has detected a possible case of fraud or identity theft.
4. Administering Your Program. You’ll need to get approval of the program by your Board, designate a person to administer your program, decide how you will train people in this area, and how you will supervise any of your service providers (i.e. property managers, attorneys, accountants, etc.) that must be compliant. Ott & Associates Co., LPA, has already implemented a Red Flags Rule program.
To comply with the Federal Red Flags Rule, entities that are at low risk for identity theft (most associations would be considered low risk) may complete the “Do-It-Yourself” Program, which may be found on the FTC’s website at:
This website provides a user-friendly form to fill in, and also has a detailed guide to becoming Red Flags Rule compliant. Filling out the form may take only a few minutes, but will be essential in helping your association identify any problems that might occur.