Dear Dan: As an auto dealership, we are involved in granting credit to customers. We are also aware of new federal "Red Flags" rules coming, but many other businesses that grant credit are not. Have you warned small businesses about this? - Seeing Red
Dear Seeing Red: As of May 1, 2009 (Important Note: See our update to this story and new compliance deadline), millions of small and medium businesses that extend credit or defer payments for goods and services are subject to a new set of rules under something called the Fair and Accurate Transaction Act. FACTA, as it is known, is aimed at helping curb identify theft in the ways that sensitive information is handled by businesses.
The new rules - known as the "FACTA Red Flags Rules" - are basically federally-mandated precautions certain businesses must take to protect customers from identity theft crimes. Never heard of FACTA? Join the club. Legions of small businesses that will now be covered - including auto dealers, jewelers, furniture companies, health care companies, mortgage brokers, doctors, dentists, equipment leasing dealers and suppliers of various types - are still unaware of this looming regulatory issue.
Even business owners who are aware are often confused about what they'll have to do, and many of them are just now scrambling to figure out what FACTA really means. And forget about an extension of the compliance deadline. The Federal Trade Commission (FTC), the enforcing agency here, already stretched the deadline, which was originally set for last November. The FTC says it extended the deadline because so many businesses it talked to were unaware they were unaware they type of business fell under the rule's requirements.
Why the term "red flags?" It's because the new rules require covered businesses to create a process for detecting so-called "Red Flags" in identity verification, such as these:
- Discrepancies in address history
- Fraud alerts on credit reports
- Suspicious use of Social Security numbers
- Inactive accounts that suddenly become active
- Credit-freeze notifications
- Credit reports with suspicious activity patterns
- Notices from identity theft victims or law agencies, among others.
These so-called "red flags" are supposed to be an indication to your business that the person applying for credit may not be who they say they are. These are the four basics of what a business is required to do:
- 1. Develop and follow a clear verification process that helps spot and avoid identify theft;
- 2. Create a written policy outlining your process;
- 3. Apply your process to daily practices in your business;
- 4. Follow your process in each transaction where credit is pulled, or where other credit file data is accessed.
Meanwhile, FACTA fear has spawned a cottage industry of compliance vendors focused on helping companies find out who's covered and what the business must do to comply. They're also offering helpful tools and training, along with web-based compliance solutions - including identify theft insurance coverage, both for you and your customers.
One such firm is Microbilt, a leading provider of risk management information to small and medium businesses. Microbilt (www.microbilt.com) has created a special FACTA Red Flags Center website, which features compliance information and a Red Flags Hotline that lets you submit specific questions about the new rules by email.
Microbilt even hired Internet comedian GoRemy to produce a parody video about FACTA Red Flags. GoRemy is featured rapping an FTC "cop" gleefully enforcing the new rules on a small business. You can see it at the Microbilt site, or on YouTube at www.youtube.com/microbilt.
Microbilt's main Red Flags solution, called Red Shield, is designed to help with the more difficult front-steps in the compliance process. It analyzes the likelihood of identity fraud and provides a "Pass" or "Fail" grade. Those given a "Pass" grade are automatically guaranteed against fraud for up to $25,000.
A few other firms offering Red Flags compliance help, information and training include NXG Strategies (www.redflagrules.net - check out their free webinar), CompliancePal.com and CreditTechnologies.com, among others. The free NXG webinar series on Red Flags rules is especially worthwhile. It includes an explanation of requirements, templates for creating a written plan and sample procedures.
Additional details on what the rules are, and what types of businesses are covered is available at the FTC website (www.ftc.gov). Just enter "red flags" in the search box at the upper right.