The Federal Trade Commission has a delightful new rule, the Red Flags Rule (link is to a 17-page .pdf from the FTC), which may draw your nonprofit into its regulatory web.
Your involuntary participation hinges on the law’s definition of “creditor,” and the Red Flags Rule clearly announces that charities can fall within the law’s reach. This has me thinking about red flag football as a kid, when I was routinely forced into involuntary non-participation, after neither team picked me as a player. In an especially low point in my childhood, I was the football.
The Red Flags Rule compels organizations of all types to identify those business processes (red flags) that make them vulnerable to identity theft. Enforcement begins in December of this year.
Colleagues — I attended a risk management session last year that discussed these issues. While it may be true that charities fall within the broad definition of a “creditor” under the Red Flags Rule, my guess is that regulatory attention will be focused on banks and other institutions where hacking and identity theft are a huge and menacing problem. They are dealing with sophisticated hackers from other parts of the globe who systematically attack financial institutions’ inner workings in the hope and expectation of huge payoffs. This is a far cry from the financial practices of charities that might technically qualify as covered by the law. This is not to say we won’t find some fall-off, but my view is that our sector is not immediately a target of regulatory activity.