When it comes to understanding FACTA Red Flags Rules — new anti-fraud legislation that will require millions of credit-granting businesses to implement identify-theft safeguards — chaos reigns. For the third time in a year, the Federal Trade Commission (FTC) has delayed the effective date of FACTA requirements; now to November 1, 2009.
The problem is this: Mass confusion over what businesses are covered, with FTC Chairman Jon Leibowitz now suggesting that Congress may simply have written the law too broadly. FTC delayed enforcement again in response to a loud outcry from small businesses that fear they’ll fall under FACTA’s onerous Red Flags Rule (read as: Red Tape Rule). Leibowitz wants his staff to beef up its efforts to educate businesses about compliance and provide more clarity on which businesses are covered, and what they must do to comply.
The Red Flags Rule is an anti-fraud regulation requiring “creditors” and “financial institutions” to identify, detect and respond to the warning signs, or “red flags” that could indicate identity theft. The new requirements were mandated by the Fair and Accurate Credit Transactions Act (FACTA).
FACTA’s definition of “creditor” includes any business that regularly extends or renews credit – or arranges for others to do so – and includes all businesses that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment, however, does not, by itself, make you a creditor. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
The FTC Red Flags website has information that can help you determine if your business is covered and how to comply with the Rule. It includes an online compliance template that helps businesses design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals and Frequently Asked Questions.
Although many covered businesses have already developed and implemented FACTA compliance programs, some – particularly small businesses – remain uncertain about their obligations. Among other things, FTC staff will create a special link for small business on the Red Flags Rule website with further guidance. The FTC has already posted FAQs on how the FTC intends to enforce the Rule.
Note this: FTC insiders say the Commission is highly unlikely to take enforcement action against businesses that know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.