The time has finally arrived. After multiple delays stretching a year, the much-feared FACTA Red Flags Rules — new anti-fraud legislation that requires millions of credit-granting businesses (both large and small) to implement identify-theft safeguards — take effect just after midnight on Halloween (technically, on Nov. 1, 2009). The Federal Trade Commission (FTC), the rules enforcer, had previously delayed the effective date of FACTA requirements three times.
The problem is this: Despite an FTC effort to educate small businesses and other entities about FACTA red flags requirements, confusion still reigns over what businesses are covered. Even FTC Chairman Jon Leibowitz himself has suggested that Congress may simply have written the law too broadly. Leibowitz ordered his staff to beef up its efforts to educate businesses about compliance and provide more clarity on which businesses are covered, and what they must do to comply. BUT NOTE THIS INSIDE INFO: FTC insiders say the Commission is highly unlikely to take enforcement action against businesses that know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.
The Red Flags Rule is an anti-fraud regulation requiring “creditors” and “financial institutions” to identify, detect and respond to the warning signs, or “red flags” that could indicate identity theft. The new requirements were mandated by the Fair and Accurate Credit Transactions Act (FACTA) – hence the name. The FTC’s Red Flags Web site, www.ftc.gov/redflagsrule, can help you determine if your business is covered, and what you’ll have to do to comply. It includes an online compliance template that lets you design your own Identity Theft Prevention Program through a fairly easy online form, as well as articles directed to specific businesses and industries, guidance manuals, and a FACTA Red Flags FAQ.
FACTA’s definition of “creditor” includes any business that regularly extends or renews credit – or arranges for others to do so – and includes all businesses that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment, however, does not, by itself, make you a creditor. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
One type of covered business is car dealerships where FACTA rules have already created new layers of red tape and even customer conflicts. Some dealerships have interpreted the rules to mean they have to run credit checks on car-buying customers even when they are not financing any part of the vehicle. That, in turn, has irked some cash-paying customers who object to being forced into providing personal details such as a Social Security number and be subjected to yet another credit check that can negatively impact their future credit score — even when they are not requesting any credit.
Although many covered businesses have already developed and implemented FACTA compliance programs, some – particularly small businesses – remain uncertain about their obligations. Be sure to check the special link for small business on the Red Flags Rule website for further guidance.