The Federal Trade Commission Oct. 23 delayed enforcement of the Red Flag Rules that were set to go into effect Nov. 1. Also known as the Fair and Accurate Credit Transactions Act, the rules require covered entities to re-examine their ID theft prevention policies and implement new procedures and business practices.
The deadline for compliance is now May 1, 2009.
FACTA requires a written ID theft prevention policy that includes polices that identify “patterns, practices or specific activities that could indicate identity theft,” according to the FTC. Violators of the new rules can be subject to civil penalties of up to $2,500 per violation.
Originally, the ID theft rules were thought to only apply to financial institutions such as banks, savings and loan associations, mortgage lenders and credit unions, but as the compliance deadline nears, small and midsize businesses are concerned that the rules may also cover them. While clearly targeting financial institutions, the rules also cover “any person or business” that arranges for customer credit.
According to the FTC, outreach efforts launched in 2007 to explain the rules revealed that many businesses had not followed or even been aware of the Red Flag rulemaking and learned of the regulations too late in order to comply by Nov. 1.
The FTC added the Red Flag Rules to FACTA in January. Businesses are required to define policies for recognizing red flags in identity verification. Typical red flags include discrepancies in address histories, fraud alerts on consumer reports, questionable use of Social Security numbers, credit freeze notifications and unusual patterns of customer activities. Once those definitions are in place, companies are then required to define appropriate courses of action when a red flag drops.