The change of seasons is a good reminder of the task of updating a propane company’s compliance policies and procedures manual. Some companies still have not completed the task of creating a manual that is germane to the size and scope of their operation. Some have only one manual at the corporate office and not one at every location.
Procrastinating on completing the manual only invites federal audits and business disruptions, plus multiple fines. I have spoken to some who tell me that they have done well in the cash reporting audit or the Occupational Safety & Health Administration (OSHA) audit.
How will you fare, though, in an audit that encompasses the Safeguards Rule, the Red Flags Rule, the Office of Foreign Asset Control (OFAC) rule, the disposal rule, and the fair risk-based pricing and privacy notice regulations, in addition to the adverse action notice portion of the Equal Credit Opportunity Act (Regulation B)?
All of these regulations require a written risk assessment; written policies and procedures for employees to follow; designated managers with compliance duties incorporated into their job descriptions; and annual self-audits to test your policies and procedures.
Only the Facts
Your policies must be reviewed at least annually and be adjusted to reflect any changes in procedures and personnel, in addition to any breaches of security, whether electronic or physical. Document what happened, how you discovered it, what was done and the corrective measures taken. I refer to this as an incident report. Do you have an incident report? As Detective Friday on the old “Dragnet” series used to say, “Only the facts, Mr./Ms.”
Incident reports are far more likely to be completed if they are only one page long and easy to fill out. Make them electronic and place a printed copy inside the compliance manual. This will make annual reporting much easier.
The Red Flags Rule and the new Safeguards Rule require an annual report on the performance of the policies and procedures. This report must be signed by the propane company’s president or CEO and placed into the corporate minutes. Are you doing this?
Many of you reading this article will think, “I have a small company; we are running under the federal auditor’s radar. No need to worry. We will get around to doing something about this later.” Does this sound familiar to you? The problem is that nothing ever gets done. The propane company’s personnel do not know where to start. The senior managers do not want the expense of having anyone come into the store and complete the documentation.
Then, one day, out of the blue, the Federal Trade Commission (FTC) agents arrive on the property and ask to chat with the compliance officer, and no one knows who they are asking for. Customer files are in a wall rack in the finance office or sales manager’s office, and the doors are wide open with no one in the office.
The alphabet group — the FTC, IRS, FBI, CIA, NSA — can disrupt your business for months doing an audit, and if they find something — anything — they invite other agencies to join them. Audits can be spurred by an unhappy customer, an unhappy employee or any attorney walking around looking for anyone to sue for the good of humanity.
Think about the times we live in. The environment is ripe for audits, fines and added revenue for the federal government. The new cybersecurity portion of the Safeguards Rule had a deadline of Oct. 31, 2022. Did you meet this deadline? Do you have your compliance manual updated and the cybersecurity protocols added to the list of compliance issues?
Do you have annual compliance meetings with your employees? These meetings should be documented: record what was covered and who was in attendance. The agenda and notes should also go into the compliance manual under employee education.
Protect Your Business
Many hands make light work. All the managers have a role in the compliance web. Just as the propane company has a chain of command, so do the compliance protocols.
Take care of the documents in your company. What items might be found lying about the office that can be used to steal anyone’s identity, such as credit applications, copies of driver’s licenses or insurance policy numbers? I have seen credit card numbers written on worksheets used by the sales department in negotiating the figures for a sale. I have seen old employment applications thrown into the trash.
Some companies are still using ribbon (strip-cut) shredders rather than confetti (cross-cut) shredders, or a locked recycling box served by a shredding service that destroys in bulk the files that no longer need to be retained.
All these things are huge red flags for any auditor. The goal should never be to strangle business or make things so tight that employees are afraid to breathe and enjoy their job. But start with the minimum and tighten things up as you need to.
The goal is to be respectful of everyone’s nonpublic information. While doing business with your customers and employees, do what you can to protect the information given to you and to prevent identity theft from occurring in your business.
The key is to document how you are going to achieve that goal. What protocols are you going to put into place? Do all the employees who work with sensitive information know what you expect from them in protecting the information?
Before you think “identity theft cannot occur here,” realize that identity theft can and does happen everywhere. Hopefully, not at your place of business.
NOTE: I am not an attorney, so this article is not meant as legal advice. It is meant solely for an educational purpose.