Once thought to apply only to large financial institutions, new federal Red Flag regulations to battle identity theft are raising questions among companies originally considered to be exempt. Rules not only require a written ID theft policy that identifies patterns and practices that lead to identity but also a plan action when the red flags drop.
The Nov. 1 deadline for new federal identity theft regulations requiring
financial institutions and other creditors that provide financing is fast
approaching. Known as FACTA (Fair and Accurate Credit Transactions
Act), the rules require covered entities to re-examine their ID theft
prevention policies and implement new procedures and business practices.
More specifically, FACTA requires a written ID theft
prevention policy that includes polices that identify "patterns, practices
or specific activities that could indicate identity theft," according to
the FTC (Federal Trade Commission). Violators of the new rules can be subject
to civil penalties of up to $2,500 per violation.
The new regulations also known as Red Flag rules -- have
long been thought to only apply to financial institutions such as banks, savings
and loans, mortgage lenders and credit unions, but as the compliance deadline
nears, SMBs (small and midsize businesses) are concerned the rules may also cover
them. While clearly targeting financial institutions, the rules also cover
"any person or business" that arranges for customer credit.
Resource Library:
"A creditor includes
anyone who regularly extends credit to their customers, but the definition is
not limited to that and can be broader," said Frank Dorman, a spokesman
for the FTC.
The agency defines a creditor
as "any entity that regularly extends, renews, or continues credit; any
entity that regularly arranges for the extension, renewal, or continuation of
credit; or any assignee of an original creditor who is involved in the decision
to extend, renew, or continue credit."
A business alert issued by the
FTC adds, "Accepting credit cards as a form of payment does not in and
of itself make an entity a creditor."
When asked if the Red Flag
rules apply to SMBs, Steve Neville, Entrust's director of identity products and solutions,
replied, "Technically not, but it is a devilishly detailed question."
Neville said most companies that extend credit to
customers are doing so through an intermediary such as GE Creditline. In that
case, GE would assume responsibility for FACTA compliance. Companies that
don't use intermediaries would be subject to the Red Flag rules.
The FTC added the Red Flag rules to FACTA in January.
Businesses are required to define policies for recognizing red flags in
identity verification. Typical red flags include discrepancies in address
histories, fraud alerts on consumer reports, questionable use of Social
Security numbers, credit freeze notifications and unusual patterns of customer
activities.
Once those definitions are in place, companies are then
required to define appropriate courses of action when a red flag drops.
The new Red Flag rules evolved over a long series of
congressional hearings that sought to find the causes of identity theft,
particularly phishing and pretexting, the practice of using false pretenses to
obtain the telephone records of another person.
Pretexting gained widespread notoriety in 2006 when
Hewlett-Packard admitted it used pretexting to obtain the personal telephone
records of board members and the media as part of its efforts to investigate
boardroom leaks. In addition to HP, the hearings revealed many companies were
being duped into turning over personally identifiable customer data.
The
FTC estimates that as many as 9 million Americans have their identities stolen
each year.
Finance IT 
/ 4 
