Magazine article Business Credit

The Sitting Pendulum: Finding Balance on the Tiptoed Line between Rules and Principles

Article excerpt

On November 1, 2009, after much debate and three delays, the Federal Trade Commission's (FTC's) "Red Flags" Rules will become mandatory, requiring all creditors to have a plan in place to prevent, identify and mitigate the effects of identity theft. Though it was primarily geared toward consumer accounts, discussions between the FTC and NACM further revealed that B2B creditors will, in fact, be included within the reach of these regulations. Several articles have been published in both NACM's weekly eNews and in Business Credit, and multiple educational programs have been presented, including two teleconferences conducted by FTC lawyers Tiffany George, Esq. and Manas Mohapatra, Esq., and an educational session at this year's Credit Congress in Orlando.

Members were quick to criticize the regulations at their inception, mostly over the stipulation that a creditor need only apply if their business has a "reasonably foreseeable risk" of identity theft, which is admittedly vague. Still, if after a thorough analysis of the risks facing their business, a creditor decides that they are not at a reasonably foreseeable risk, they don't have to comply, technically; just have a senior-level employee document the risk assessment, file it away and check back every year to see if anything's changed. The concept of what constitutes something that's "reasonably foreseeable" though, is where creditors--and really anyone--could get tripped up. The FTC noted that it can't possibly determine what the norm would be for every business in every different industry in the country, so the regulations leave it up to the business itself to determine what they need to do.

In this way, the upcoming "Red Flags" Rules are more than just an attempt by the FTC to further reduce the scourge of identity theft; they're an attempt by the commission to entrust businesses with a great deal of responsibility for the protection of data and also to align the interests of the FTC with those of businesses. Everyone's against identity theft, but rather than implement a harsh set of rules that applies to all businesses regardless of size or complexity, the FTC has chosen to leave it up to creditors themselves to look at their business and make their own plans. This makes many creditors uncomfortable, because they fear that their definition of "reasonably foreseeable" will differ from the FTC's, but this style of vague, principles-based regulation has come up before and may not be so bad for businesses looking to comply with a wide array of regulations, not just privacy matters.


Scaling Back Rules, Moving Toward Principles

While the FTC has received complaints regarding the vagueness of the "Red Flags" Rules, in a meeting with NACM, an FTC official made the point that the opposite type of regulation, one that's sturdy, intrusive and rules-based, would've aroused just as much, if not more, ire than the regulations in their current form. For an example, take a look at the Sarbanes-Oxley Act of 2002 (SOX), and the resulting firestorm of complaints from businesses and advocacy organizations that followed shortly after its enactment. SOX is a classic example of an arduous, rules-based regulation that, as initially implemented, left little leeway for businesses looking to comply, regardless of how big they were or how likely it was that their accounting practices could lead to a material misstatement.

The largest, and arguably most valid, complaint levied at SOX focused on its controversial Section 404, which required management to perform top-down risk assessments of the company's controls over financial reporting. In the interest of greasing the wheels of compliance while quelling the resulting furor, the Securities and Exchange Commission (SEC), starting in 2006, worked toward guidance that would soften the section's implementation requirements, culminating in issued revisions in mid-2007. "Congress never intended that the 404 process should become inflexible, burdensome and wasteful. …
