New York credit card surcharge rules US Supreme Court Update

Can general businesses in New York state add a surcharge for credit card payments? No, it’s illegal. The US Supreme Court recently ruled on credit card surcharge rules in the class action lawsuit Expressions Hair Design, et al., Petitioners v. Eric T. Schneiderman, Attorney General of New York, et al. Judgment was issued May 1 2017, sending the case back to the lower court.

US Supreme Court history of the case
https://www.supremecourt.gov/search.aspx?filename=/docketfiles/15-1391.htm

EXPRESSIONS HAIR DESIGN v. SCHNEIDERMAN, 808 F. 3d 118, vacated and remanded.
https://www.law.cornell.edu/supremecourt/text/15-1391

Expressions Hair Design v. Schneiderman, NYS Attorney General, oral arguments
https://lawaspect.com/case-expressions-hair-design-v-schneiderman/

EXPRESSIONS HAIR DESIGN LLC v. SCHNEIDERMAN, Decided: September 29, 2015
http://caselaw.findlaw.com/us-2nd-circuit/1714180.html

Are you complying with the Red Flags Rule?

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. Below are excerpts that pertain to businesses that probably are not aware they fall under the Red Flags Rule.

What types of businesses and organizations are covered by the Red Flags Rule?

    The Rule applies to both “financial institutions” and “creditors.” It’s important to look closely at how the Rule defines those terms because they apply to groups that might not typically use those words to describe themselves. Whether your business or organization is a financial institution or creditor isn’t based on the line of work you’re in, but rather on whether your activities fall within the definitions in the law. The Red Flags Rule gives examples of businesses and organizations that probably are covered, but the list isn’t exhaustive.

    Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing or collect or process credit applications for third party lenders. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector who regularly renegotiates the terms of a debt would be a creditor under the Rule.

RED FLAG RULE FAQ

Do all creditors and financial institutions need to have a written Identity Theft Prevention Program?

    If you have covered accounts, you must develop and implement a written Program to detect and respond to the red flags of identity theft — taking into consideration the nature of your business and the risks you face — and update your Program periodically. If you don’t have any covered accounts, you don’t need a written Program, but you still need to conduct periodic risk assessments to determine if you’ve acquired any covered accounts through changes to your business.

Only creditors and financial institutions that have “covered accounts” need a Program. Once you’ve determined you’re a creditor or financial institution under the Red Flags Rule, the next step is to figure out if you have any covered accounts. The Rule defines that term as either: 1) consumer accounts designed to permit multiple payments or transactions, or 2) any other account that presents a reasonably foreseeable risk from identity theft.

Am I a creditor under the Rule if I extend credit to other businesses?

    Yes, you’re a creditor whether you have consumer or business customers.

Do I have covered accounts if I’m a business creditor?

    It depends. If you’re a creditor with only business-to-business accounts, you have to assess whether those accounts pose a reasonably foreseeable risk from identity theft. If they do, they’re “covered accounts” under the Rule.

Are you covered by the Red Flags Rule? Download the PDF Fighting Fraud with the Red Flags Rule: A How-To Guide for Business to:

By identifying red flags in advance, you’ll be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft. Take advantage of other resources on this site to educate your employees and colleagues about complying with the Red Flags Rule.

Fighting Fraud with the Red Flags Rule: A How-To Guide for Businesses (PDF)
All About Red Flags (video)
Do-It-Yourself Template for Businesses at Low Risk (PDF)

What is the Red Flags Rule?

Are you complying with the Red Flags Rule? What is it and who does it apply to? The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat of identity theft.

First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.

Second, your Program must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

Third, your Program must spell out appropriate actions you’ll take when you detect red flags.

Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime. Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule sets out requirements on how to incorporate your Program into the daily operations of your business. Your board of directors (or a committee of the board) has to approve your first written Program. If you don’t have a board, approval is up to an appropriate senior-level employee. Your Program must state who’s responsible for implementing and administering it effectively. Because your employees have a role to play in preventing and detecting identity theft, your Program also must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the Rule, your Program also must address how you’ll monitor your contractors’ compliance.

The Red Flags Rule gives you the flexibility to design a Program appropriate for your company – its size and potential risks of identity theft. While some businesses and organizations may need a comprehensive Program that addresses a high risk of identity theft in a complex organization, others with a low risk of identity theft could have a more streamlined Program.

Related Article: Red Flags Rule Video.

Who must comply with the Red Flags Rule?

The Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires you to conduct a periodic risk assessment to determine if you have “covered accounts.” You need to implement a written program only if you have covered accounts. It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit groups and government agencies are “creditors” under the Rule. The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

Financial Institution

The Red Flags Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Banks, federally chartered credit unions, and savings and loan associations come under the jurisdiction of the federal bank regulatory agencies and/or the National Credit Union Administration. Check with those agencies for guidance tailored to those businesses. The remaining financial institutions come under the jurisdiction of the FTC. Examples of financial institutions under the FTC’s jurisdiction are state-chartered credit unions, mutual funds that offer accounts with check-writing privileges, or other institutions that offer accounts where the consumer can make payments or transfers to third parties.

Creditor

The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.

Utility companies, health care providers, and telecommunications companies are among the entities that may fall within this definition depending on how and when they collect payment for their services. The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others, say, by processing credit applications. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt. If you regularly extend credit to other businesses, you also are covered under this definition.

Covered Accounts

Once you’ve concluded that your business or organization is a financial institution or creditor, you must determine if you have any “covered accounts,” as the Red Flags Rule defines that term. To make that determination, you’ll need to look at both existing accounts and new ones. Two categories of accounts are covered.

The first kind is a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.

The second kind of “covered account” is “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

In determining if accounts are covered under the second category, consider how they’re opened and accessed. For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely – such as through the Internet or by telephone. Your risk analysis must consider any actual incidents of identity theft involving accounts like these.

This is an excellent video to learn all about the Red Flags Rule.

3D Merchant Services solutions help businesses comply with FACTA, the Red Flags Rule and PCI compliance requirements.

Red Flag Rules business video about identity theft

Do the federal red flag rules apply to your business or organization? What are your legal obligations to protect your customers from identity theft? This video does a great job of explaining if the red flag rules apply and everything related you need to know.

All About Red Flags Video

This video is posted as a separate item from the article “Are you complying with the Red Flags Rule?” because some of its content is, or will become, out of date due to new federal legislation signed into law in July 2010, including the Durbin amendment on interchange fees.


HHS Strengthens HIPAA Enforcement

The U.S. Department of Health and Human Services (HHS) issued an interim final rule with request for comments today to strengthen its enforcement of the rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA).  The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after Feb. 18, 2009.  These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for violations of the HIPAA rules and encourage prompt corrective action.

Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.  Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision.  A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments published today conforms the HIPAA enforcement regulations to these revisions made by the HITECH Act.  It may be viewed and commented on at: www.regulations.gov.  This rulemaking will become effective on Nov. 30, 2009, and HHS will consider all comments received by Dec. 29, 2009.

“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information,” said Georgina Verdugo, the director of HHS Office for Civil Rights (OCR). OCR is responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules.

“This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Verdugo.  “Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”

This interim final rule with request for comments is the first of several steps HHS is taking to implement the HITECH Act’s enforcement provisions.  The remaining provisions, which have yet to become effective, will be addressed in the next few months in forthcoming rulemakings.  Additional information about HIPAA and several related rulemakings may be found on OCR’s Web site: http://www.hhs.gov/ocr/privacy/.

Last revised: January 03, 2011