After a year of delays, the Federal Trade Commission's new FACTA Red Flags rules that have caused great fear and confusion among small and medium businesses, are in effect as of November 1, 2009. The FACTA Red Flags rules will require millions of businesses (large and small) that grant credit to establish and implement identity theft safeguards for customers. This could include auto dealers, jewelers, furniture companies, health care companies, mortgage brokers, doctors, dentists, equipment leasing dealers and suppliers of various types - many of which are still unaware of the looming compliance issues.
The FTC itself has admitted the confusion caused by the FACTA law's broad scope that has spawned great uncertainty over what businesses are covered, and what they must now do to comply. In short, the new rules require covered businesses to create a process for detecting so-called "Red Flags" in identity verification, such as :
- Discrepancies in address history
- Fraud alerts on credit reports
- Suspicious use of Social Security numbers
- Inactive accounts that suddenly become active
- Credit-freeze notifications
- Credit reports with suspicious activity patterns
- Notices from identity theft victims or law agencies, among others.
These so-called red flags are supposed to be an indication to your business that the person applying for credit may not be who they say they are. The rules are mandated by the Fair and Accurate Credit Transactions Act (FACTA). These are the four basics of what a covered business must do:
- Develop and follow a clear verification process that helps spot and avoid identify theft;
- Create a written policy outlining your process;
- Apply your process to daily practices in your business;
- Follow your process in each transaction where credit is pulled, or where other credit file data is accessed.
Where to Get Help
The FTC's Red Flags Web site, www.ftc.gov/redflagsrule, can help you determine if your business is covered, and what you'll have to do to comply. It includes an online compliance template that lets you design your own Identity Theft Prevention Program through a fairly easy online form, as well as articles directed to specific businesses and industries, guidance manuals, and a FACTA Red Flags FAQ. Also check the FTC's FACTA compliance How-To Guide for Business (PDF)
FACTA's definition of "creditor" includes any business that regularly extends or renews credit -- or arranges for others to do so -- and includes all businesses that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment, however, does not, by itself, make you a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.
Microbilt (www.microbilt.com), a leading provider of risk management information to small and medium businesses, has created a special FACTA Red Flags Center website, which features compliance information and a Red Flags Hotline that lets you submit specific questions about the new rules by email. Microbilt's main Red Flags solution, called Red Shield, is designed to help with the more difficult front-steps in the compliance process. It analyzes the likelihood of identity fraud and provides a "Pass" or "Fail" grade. Those given a "Pass" grade are automatically guaranteed against fraud for up to $25,000.
Two other firms offering Red Flags compliance help, information and training include CompliancePal.com and CreditTechnologies.com. And be sure to check the special link for small business on the FTC's Red Flags Rule website for further guidance.